Hope you all are doing well!
In our last article we discussed how to configure Privileged Identity Management (PIM). In this article we continue with a related Azure AD PIM topic: Access Reviews.
If you missed our previous articles on Azure Identity and Access Management (IAM), please check them at the following links.
Access Review :
Organizations have to assign roles to different users for different purposes, and over time those assignments accumulate: people change teams and projects end, but the role stays. Stale privileged assignments increase the risk to data security, so the organization should review access regularly. Azure AD Privileged Identity Management (PIM) can create access reviews for privileged roles (Azure AD roles and Azure resource roles), in which a designated reviewer periodically approves or denies each assignment. The following steps create and configure an access review for the role assignment we made in our last article on Privileged Identity Management (PIM).
Step 1 – Sign in to the Azure portal with a user who can manage the roles being reviewed: Privileged Role Administrator (or Global Administrator) for Azure AD roles, and Owner or User Access Administrator on the resource for Azure resource roles > open Azure AD Privileged Identity Management > select Azure resources, as today we will create an access review for an Azure resource role. The procedure is the same for an access review of an Azure AD role.
Step 2 – Select the required resource (here it is my subscription) from the list of resources.
As shown in the following figure, the resource overview also shows role activation activity for the last 7 days.
Step 3 – Under Manage, select Access reviews. As shown in the following figure, no access review has been configured yet.
Step 4 – Click New to create a new access review. Provide a name and description for the access review. Both are shown to the reviewers, so make them specific enough that a reviewer understands what is being reviewed.
Step 5 – Set the Start date. By default, an access review occurs once, starts at the time it is created, and ends one month later. We can change the start and end dates to have an access review start in the future and last as many days as we want.
Step 6 – To make the access review recurring, change the Frequency setting from One time to Weekly, Monthly, Quarterly, Semi-annually, or Annually. Use the Duration slider or text box to define how many days each review of the recurring series stays open for reviewer input. In our case, I have configured Weekly, with each review open for 3 days.
Step 7 – Use the End setting to specify how to end the recurring access review series. There are 3 options for this field, as shown in the following figure: Never, End by, and Occurrences. If we set Occurrences, we need to provide the number of times the review runs; if we set End by, we need to specify an end date. Here I have configured an end date. Then set the users Scope.
Step 8 – As shown in the above figure, one more important field is the selection of the Role for which we are creating this access review. Here I have selected the Contributor role, because in our last practical we assigned a user to the Contributor role.
Step 9 – Configure the Reviewers field. In our case I have selected a user who can review the access. There is also an option to configure Assign self as reviewer, which lets each assignee review their own access; for privileged roles, an independent reviewer is the stronger choice.
Step 10 – In the Upon completion settings, we need to configure the following two settings.
- Auto apply results to resource: Set the switch to Enable to have the results applied automatically (denied users lose the role assignment) when the review completes; set it to Disable if we want to apply the results manually. With Disable, a denied user keeps the role until an administrator applies the results.
- Should reviewer not respond: A list of options specifying what happens to users that the reviewer has not reviewed within the review period. The options are No change, Remove access, Approve access, and Take recommendations. Remove access is the fail-closed choice for privileged roles; No change and Approve access leave an unreviewed assignment in place.
Step 11 – In Advanced settings, we can configure the remaining options as per our requirements. All of our settings are shown in the following figure.
Step 12 – Now click the Start button to finish the configuration of the access review. As we can see under Review access in the Tasks section, our access review is configured successfully.
Step 13 – Let’s check the details of the review. As shown in the following figure, the review covers 2 users with this Contributor role assignment. Because we configured the results to be applied manually upon completion, the decisions will not change any assignment on their own. To populate the access review report, let’s Approve one user and Deny the other, as shown in the following figure.
Step 14 – Select Access reviews under the Manage section and click on the newly created access review to see the overview of the review report, as shown in the following figure.
Step 15 – Now we have a report, which shows one user approved and the other denied, as per our decisions, as shown in the following figures.
Step 16 – The Settings section of the access review allows us to modify the configuration of the access review, as shown in the following figure.
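The portal steps above can also be scripted. The following is an added example, not code from the original article, that creates an equivalent recurring access review through Microsoft Graph using the Microsoft Graph PowerShell SDK, mapping each portal setting (Frequency, Duration, End, Reviewers, Auto apply, Should reviewer not respond) onto the corresponding field of the access review definition. It reviews an Azure AD directory role rather than the Azure resource role used in the walkthrough, because that is the scope the v1.0 Graph definitions API documents; the Contributor review from the walkthrough is created in the portal as shown. Assumptions: the Microsoft.Graph module is installed, the signed-in account holds Privileged Role Administrator, the reviewer object ID and the review names are placeholders, and the role template ID is the well-known Global Administrator template ID.

```powershell
# Added example (not from the original article). Creates a weekly, 3-day access review
# of a directory role via Microsoft Graph, with the same "Upon completion" settings
# discussed in Step 10. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

# Directory role to review. 62e90394-69f5-4237-9190-012177145e10 is the well-known
# Global Administrator role template ID.
$roleTemplateId = "62e90394-69f5-4237-9190-012177145e10"
# Object ID of the user who acts as reviewer (placeholder; assumption for this example).
$reviewerId = "00000000-0000-0000-0000-000000000001"

$body = @{
    displayName             = "Weekly review - Global Administrator"   # shown to reviewers (Step 4)
    descriptionForAdmins    = "Recurring review of privileged role assignments."
    descriptionForReviewers = "Approve only users who still need this role."
    scope = @{
        "@odata.type" = "#microsoft.graph.principalResourceMembershipsScope"
        # Which principals are in scope (all users) ...
        principalScopes = @(
            @{
                "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
                query         = "/users"
                queryType     = "MicrosoftGraph"
            }
        )
        # ... and which resource they are reviewed against (the role, Step 8)
        resourceScopes = @(
            @{
                "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
                query         = "/roleManagement/directory/roleDefinitions/$roleTemplateId"
                queryType     = "MicrosoftGraph"
            }
        )
    }
    # Step 9: a specific reviewer rather than self-review
    reviewers = @(
        @{ query = "/users/$reviewerId"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        # Step 6: Frequency = Weekly, Duration = 3 days
        instanceDurationInDays = 3
        recurrence = @{
            pattern = @{ type = "weekly"; interval = 1 }
            # Step 7: End = End by a date. Alternatives: type "noEnd" (Never) or
            # type "numbered" with numberOfOccurrences (Occurrences).
            range = @{
                type      = "endDate"
                startDate = (Get-Date).ToString("yyyy-MM-dd")
                endDate   = (Get-Date).AddMonths(6).ToString("yyyy-MM-dd")
            }
        }
        # Step 10: Auto apply results = Enable
        autoApplyDecisionsEnabled = $true
        # Step 10: Should reviewer not respond = Remove access (fail closed).
        # defaultDecision accepts "None", "Approve", "Deny" or "Recommendation".
        defaultDecisionEnabled = $true
        defaultDecision        = "Deny"
        recommendationsEnabled = $true
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
    }
}

$definition = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions" `
    -Body $body -OutputType PSObject

"Created access review definition $($definition.id) (status: $($definition.status))"

# Check: list the instances of the new definition. The first instance shows as
# InProgress once the start date is reached and then runs for instanceDurationInDays.
$instances = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/$($definition.id)/instances" `
    -OutputType PSObject
$instances.value | Select-Object id, status, startDateTime, endDateTime
```

Because autoApplyDecisionsEnabled is set to $true here, a Deny decision (or an unanswered review, via defaultDecision "Deny") removes the assignment when the instance ends; to reproduce the manual-apply behaviour used in Step 13, set autoApplyDecisionsEnabled to $false and apply the results from the portal after the review completes.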
Manage Access Reviews :
There are a number of options for managing a review. The following list shows the actions we can take on an access review.
I hope this article gives you an idea of how to configure an access review for a role in PIM. I am still exploring Azure Identity and Access Management (IAM), so please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading and share your thoughts and experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂.