testuser7-8288 asked:

Azure AD PIM access review

Hello,

I have a quick point to confirm about Azure AD access review of PIM admin roles.
We know that we can configure reviewers who will periodically review the membership of AAD admin roles.

If I have configured more than one reviewer to review access for a particular role, is it SUFFICIENT if only one of the reviewers reviews it?
Once a reviewer reviews it and submits his decision (i.e., remove access OR approve access), does that review request disappear from the other reviewers' plates?

Thanks.

Tags: azure-active-directory, azure-ad-privileged-identity-management

testuser7-8288 answered:

Actually, I validated the above point and the answer is YES, meaning one reviewer is enough to review any user's admin role.

However, one interesting thing I realized is that the access review I configured had "Auto apply results to resource" = OFF.
Hence I did not expect the reviewers' remove-access OR approve-access decision to be applied automatically.
And indeed NO change happened in the end users' role.

So my question is: how do I apply the reviewer's decision?
I was hoping that there would be an "APPLY" button where the AUTHOR/CREATOR of this access review could go and apply the reviewer's choice.
However, I could not find such a mechanism in the AAD portal.

Appreciate your help!!!!

MarileeTurscak answered:

Hi, I think the answer to both of these questions is covered in this article. The automatic application happens based on the user's last logon or use of resources rather than the reviewer's decision.

I have multiple reviewers – how do I resolve conflicts?

For access reviews that have multiple reviewers aligned, all reviewers' choices have equal weight. Access reviews count the last reviewer's choice for every user to be reviewed, until the review ends. That last reviewer's decision on whether access should be preserved or not is counted, overwriting potential earlier reviewers' choices ("last reviewer wins"). All reviewers see other reviewers' choices. For users that have not been reviewed (i.e. no reviewer commented on a particular user), access reviews can be configured to automatically apply a pre-defined result (Approve or Remove access) based on the user's last logon or use of the resources.

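To make the aggregation rules quoted in this answer concrete, here is an added Python model (example code written for this page, not part of the thread or of Azure AD itself): it applies "last reviewer wins" per user, falls back to a configured default for users nobody reviewed, and only marks verdicts as applied when auto-apply is on. The `Decision` type, the 30-day inactivity threshold used for the "Recommendation" default, and the sample data are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Decision:
    user: str
    reviewer: str
    verdict: str            # "Approve" or "Deny" (remove access)
    decided_at: datetime

def resolve_review(users: List[str], decisions: List[Decision],
                   last_sign_in: Dict[str, Optional[datetime]], review_end: datetime,
                   *, auto_apply: bool, unreviewed_default: str,
                   inactive_days: int = 30) -> Dict[str, dict]:
    """Aggregate decisions as the thread describes: equal-weight reviewers,
    the latest decision before review_end wins; unreviewed users get
    unreviewed_default ("Approve", "Deny" or "Recommendation", i.e. Deny when
    there is no sign-in within inactive_days, a threshold this example assumes);
    verdicts reach the role only when auto_apply is True."""
    result: Dict[str, dict] = {}
    for user in users:
        own = sorted((d for d in decisions if d.user == user and d.decided_at <= review_end),
                     key=lambda d: d.decided_at)
        if own:
            verdict, source = own[-1].verdict, f"reviewer:{own[-1].reviewer}"
        elif unreviewed_default == "Recommendation":
            seen = last_sign_in.get(user)
            stale = seen is None or review_end - seen > timedelta(days=inactive_days)
            verdict, source = ("Deny" if stale else "Approve"), "auto:last-sign-in"
        else:
            verdict, source = unreviewed_default, "auto:default"
        result[user] = {"verdict": verdict, "source": source, "applied": auto_apply}
    return result

# Constructed sample data (not from the thread): two reviewers disagree on
# alice, bob is reviewed once, carol is never reviewed and has not signed in.
T0 = datetime(2021, 1, 1)
REVIEW_END = T0 + timedelta(days=14)
SAMPLE_USERS = ["alice", "bob", "carol"]
SAMPLE_DECISIONS = [
    Decision("alice", "reviewerA", "Approve", T0 + timedelta(days=1)),
    Decision("alice", "reviewerB", "Deny", T0 + timedelta(days=2)),   # later, so it wins
    Decision("bob", "reviewerA", "Approve", T0 + timedelta(days=3)),
]
SAMPLE_SIGN_IN = {"alice": T0, "bob": T0 + timedelta(days=5), "carol": T0 - timedelta(days=90)}
```

Run `resolve_review(SAMPLE_USERS, SAMPLE_DECISIONS, SAMPLE_SIGN_IN, REVIEW_END, auto_apply=False, unreviewed_default="Recommendation")` to see alice denied by the later reviewer, bob approved, carol denied for inactivity, and nothing applied because auto-apply is off.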

testuser7-8288 answered:

Thanks @MarileeTurscak

I think I am on board with your input.
One point worth mentioning... you stressed the "last reviewer" and that he will overwrite earlier reviewers, etc.
However, my practical observation is that once any reviewer completes the review of any user for his PIM admin role, that row just disappears.

Later on, if any other reviewer opens his "Review access" blade to review, he IS NOT FINDING the already reviewed user.
So I am not sure how he could overwrite an earlier reviewer's choices.

Appreciate your help!!!

Thanks.