Step-by-Step Guide: Audit privileged access using Azure PIM

Azure AD has near 35 different Directory roles. Each of these roles have different level of privileges. Using Azure PIM access reviews, we can review access and activities of member’s in these privilege groups and adjust their memberships accordingly. let’s see why it is important to review access of privilege accounts periodically. 

• Too much administrators – How many of you aware of all the administrators (including local admins) of your local AD infrastructure? I got you isn’t it! in local AD environment it is handful of privilege user groups, but Azure AD have near 35 roles. So, yes it will be difficult to keep track of the administrator with out proper review. 

• Not doing what they supposed to do – Azure AD roles have predefined level of privileges. you may assign a higher privilege role to member as he/she can’t match privilege available under existing roles. How we know they are only doing what they supposed to do? using access reviews we can track down their activities and make sure they not misuse the privileges. 

• Audit takes time – We can review the group memberships & their activities manually. But it takes time. if its manual tasks and also if it takes time most probably administrators will not do it more regularly. PIM access review is fully automated so you can schedule it run according to your requirements.  

[su_note]You need to have supported subscription to use Azure PIM. It is available under Azure AD Premium P2, Enterprise Mobility + Security (EMS) E5, Microsoft 365 M5[/su_note]

Now it is time to look in to implementation. In my demo I am going to create an access review for Global administrator role. To do this, 

1. Log in to Azure portal as Global Administrator

2. Go to All Services and search for azure ad PIM then click on it.

 

 

3. If this is your first-time using PIM, you need to click on onboard and complete the process. 

 

 

 

4. Then click on Azure AD Roles under Manage

 

 

5. In new windows, click on Access reviews under Manage

 

 

6. To create new access review, click on New

 

 

7. It will open a new window, first define name for it and then assign start and end date for the review. In this demo I am going to run it for 24 hours. Also, I am only going to run it once. 

 

 

8. Then click on Review role membership and select Global Administrator from the list. 

 

 

 

9. As next step we need to select the reviewers. To do that, choose Selected users under Reviewers

 

 

10. Then click on Select Reviewers and select the reviewer account. The selected user account will have privileges to decide outcome of the review. 

 

 

11. Under the Upon completion settings you can define automated actions-based reviews. But in this demo, I am not going to apply automated actions. 

 

 

12. I am also going to stick in to default settings under Advanced settings

 

 

13. To start the review, click on Start

 

 

14. After it is started, as admin I get notification email about reviews. So I can go straight to the reviews or can do it anytime before review finishes. 

 

 

15. To review the outcome, go to Azure PIM | Review Access and click on the relevant review. 

 

 

16. As we can see it found 4 users with Global Administrator rights. 

 

 

It also contains the PIM recommendations. 

 

 

From the list I want to deny access to Adriana & Isaiah. To do the select the two users and click on Deny.  

 

 

Before I remove access megan’s permissions, I want to see what actually she doing with her login. To do that I just click on the user and it list down her actions. 

 

 

I am happy with her actions so I am going to leave her permissions as it is. 

 

17. The decisions we made based on reviews need to apply manually as we selected the manual method. If we choose the automatic method it will apply when the review finished. If you like to finish it forcefully, go to Azure PIM | Azure AD Roles | Access Reviews and then click on the relevant review. 

 

 

18. In overview window, click on Stop to end the review. 

 

 

19. Once it is finished, as admin I receive an email notification. 

 

 

20. Result page helping us to keep track on required actions. As per this demo I need to go and remove permissions from these two users manaully. 

 

 

If the review has automated actions, it will remove the memberships automatically and give you’re the result. 

 

 

This marks the end of this blog post. Hope now you have better understanding how helpful is this access reviews to keep control of privileged group memberships. If you have any further questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.