Azure AD PIM access-review

testuser7 271 Reputation points
2021-03-10T16:36:54.53+00:00

Hello,

I have a quick point to confirm about Azure AD Access Review of PIM admin roles.
We know that we can configure reviewers who will periodically review the membership of AAD admin roles.

If I have configured more than one reviewer to review access for any particular role, is it SUFFICIENT if only one of the reviewers reviews it?
Once a reviewer reviews it and records his decision (i.e., remove access OR approve access), does that review request disappear from the other reviewers' plates?

Thanks.


3 answers

  1. testuser7 271 Reputation points
    2021-03-10T16:56:20.69+00:00

    Actually, I validated the above point and the answer is YES, meaning one reviewer is enough to review any user's admin role.

    However, one interesting thing I realized is that the access review I configured had Auto apply results to resource = OFF.
    Hence I did not expect the reviewer's remove-access OR approve-access decision to be applied automatically.
    And indeed NO change happened in the end users' roles.

    So my question is, how do I apply the reviewer's decision?
    I was hoping there would be an "APPLY" button where the AUTHOR/CREATOR of this access review goes and applies the reviewer's choice.
    However, I could not find such a mechanism in the AAD portal.

    Appreciate your help !!!!


  2. Marilee Turscak-MSFT 34,316 Reputation points Microsoft Employee
    2021-03-11T01:26:27.007+00:00

    Hi, I think the answer to both of these questions is covered in this article. The automatic application happens based on the user's last logon or use of resources rather than the reviewer's decision.

    I have multiple reviewers – how do I resolve conflicts?

    For access reviews that have multiple reviewers aligned, all reviewers’ choices have equal weight. Access reviews count the last reviewer’s choice for every user to be reviewed – until the review ends. That last reviewer’s decision on whether access should be preserved or not is counted, overwriting potential earlier reviewer’s choices – “last reviewer wins”. All reviewers see other reviewer’s choices. For users that have not been reviewed (i.e. no reviewer commented on a particular user), access reviews can be configured to automatically apply a pre-defined result (Approve or Remove access) based on the user’s last logon or use of the resources.

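The two rules quoted in the answer above ("last reviewer wins" for users somebody reviewed, and a pre-defined result based on last sign-in for users nobody reviewed) can be modelled as a small decision-resolution routine. The following is an added example, not code from the original thread or from Microsoft: the record shapes, the reviewer and user names, the 30-day inactivity threshold and the `auto_apply` flag are all assumptions, and the sample decisions are constructed inline. It is useful for checking what a review's final outcome will be before decisions are applied.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed model of the access-review resolution rules described above.
# Field names and thresholds are assumptions, not the Microsoft Graph schema.


@dataclass(frozen=True)
class Decision:
    user: str
    reviewer: str
    decision: str            # "Approve" or "Remove"
    reviewed_at: datetime    # timezone-aware


@dataclass(frozen=True)
class Member:
    user: str
    last_sign_in: Optional[datetime]   # None means the user never signed in


@dataclass(frozen=True)
class Outcome:
    user: str
    decision: str   # "Approve" or "Remove"
    source: str     # "reviewer:<name>" or "default:last-sign-in"
    applied: bool   # True only when auto-apply is switched on


# Assumed threshold for the pre-defined result: inactive users are removed.
INACTIVE_AFTER = timedelta(days=30)


def resolve_reviewed(decisions: List[Decision]) -> Dict[str, Decision]:
    """Keep only the most recent decision per user ("last reviewer wins")."""
    latest: Dict[str, Decision] = {}
    for d in decisions:
        current = latest.get(d.user)
        if current is None or d.reviewed_at > current.reviewed_at:
            latest[d.user] = d
    return latest


def default_decision(member: Member, now: datetime) -> str:
    """Pre-defined result for a user no reviewer touched, from last sign-in."""
    if member.last_sign_in is None or now - member.last_sign_in > INACTIVE_AFTER:
        return "Remove"
    return "Approve"


def final_outcomes(members: List[Member], decisions: List[Decision],
                   now: datetime, auto_apply: bool) -> Dict[str, Outcome]:
    """Combine reviewer decisions and defaults into one outcome per member.

    With auto_apply=False the outcomes are computed but flagged as not applied,
    which matches the observation that roles did not change in that mode.
    """
    reviewed = resolve_reviewed(decisions)
    outcomes: Dict[str, Outcome] = {}
    for m in members:
        if m.user in reviewed:
            d = reviewed[m.user]
            outcomes[m.user] = Outcome(m.user, d.decision,
                                       f"reviewer:{d.reviewer}", auto_apply)
        else:
            outcomes[m.user] = Outcome(m.user, default_decision(m, now),
                                       "default:last-sign-in", auto_apply)
    return outcomes


# Constructed sample data: four role members, two reviewers.
NOW = datetime(2021, 3, 11, tzinfo=timezone.utc)
MEMBERS = [
    Member("alice", NOW - timedelta(days=2)),
    Member("bob", NOW - timedelta(days=90)),
    Member("carol", None),
    Member("dave", NOW - timedelta(days=5)),
]
DECISIONS = [
    Decision("alice", "reviewer1", "Remove", NOW - timedelta(hours=5)),
    Decision("alice", "reviewer2", "Approve", NOW - timedelta(hours=1)),  # later, so it wins
    Decision("bob", "reviewer1", "Approve", NOW - timedelta(hours=3)),     # overrides inactivity default
]

if __name__ == "__main__":
    for outcome in final_outcomes(MEMBERS, DECISIONS, NOW, auto_apply=False).values():
        print(outcome)
```

Running it shows alice approved by the later reviewer despite the earlier "Remove", bob approved because an explicit reviewer decision beats the inactivity default, carol removed by the default rule because she never signed in, and every outcome flagged `applied=False` while auto-apply is off.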

  3. testuser7 271 Reputation points
    2021-03-11T13:05:18.44+00:00

    Thanks @MarileeTurscak

    I think I am on board with your input.
    One point worth mentioning: you stressed the "last reviewer" and that he will overwrite earlier reviewers, etc.
    However, my practical observation is that once any reviewer completes the review for any user for his PIM admin role, that row just disappears.

    Later on, if any other reviewer opens his "review access" blade to review, he IS NOT FINDING the already reviewed user.
    So I am not sure how he could overwrite earlier reviewers' choices.

    Appreciate your help !!!

    Thanks.
