How to configure security alerts in Azure AD Privileged Identity Management
Azure Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in your environment. When an alert is triggered, it shows up on the PIM dashboard. Select the alert to see a report that lists the users or roles that triggered the alert.
|Roles are being assigned outside of PIM||An administrator was permanently assigned to a role, outside of the PIM interface.||Review the new role assignment. Since other services can only assign permanent administrators, change it to an eligible assignment if necessary.|
|Roles are being activated too frequently||There were too many reactivations of the same role within the time allowed in the settings.||Contact the user to see why they have activated the role so many times. Maybe the time limit is too short for them to complete their tasks, or maybe they're using scripts to automatically activate a role.|
|Roles don't require multi-factor authentication for activation||There are roles without MFA enabled in the settings.||We require MFA for the most highly privileged roles, but strongly encourage that you enable MFA for activation of all roles.|
|Administrators aren't using their privileged roles||There are eligible administrators that haven’t activated their roles recently.||Start an access review to determine the users that don't need access anymore.|
|There are too many global administrators||There are more global administrators than recommended.||If you have a high number of global administrators, it's likely that users are getting more permissions than they need. Move users to less privileged roles, or make some of them eligible for the role instead of permanently assigned.|
Configure security alert settings
You can customize some of the security alerts in PIM to work with your environment and security goals. Follow these steps to reach the settings blade:
- Sign in to the Azure portal and select the Azure AD Privileged Identity Management tile from the dashboard.
Select Managed privileged roles > Settings > Alerts settings.
"Roles are being activated too frequently" alert
This alert triggers if a user activates the same privileged role multiple times within a specified period. You can configure both the time period and the number of activations.
- Activation renewal timeframe: Specify in days, hours, minutes, and second the time period you want to use to track suspicious renewals.
- Number of activation renewals: Specify the number of activations, from 2 to 100, that you consider worthy of alert, within the timeframe you chose. You can change this setting by moving the slider, or typing a number in the text box.
"There are too many global administrators" alert
PIM triggers this alert if two different criteria are met, and you can configure both of them. First, you need to reach a certain threshold of global administrators. Second, a certain percentage of your total role assignments must be global administrators. If you only meet one of these measurements, the alert does not appear.
- Minimum number of Global Administrators: Specify the number of global administrators, from 2 to 100, that you consider an unsafe amount.
- Percentage of global administrators: Specify the percentage of administrators who are global administrators, from 0% to 100%, that is unsafe in your environment.
"Administrators aren't using their privileged roles" alert
This alert triggers if a user goes a certain amount of time without activating a role.
- Number of days: Specify the number of days, from 0 to 100, that a user can go without activating a role.
- Get started with Azure Privileged Identity Management
- Roles in Azure AD PIM
- The security wizard
- How to give other admins access to Privileged Identity Management
- How to add or remove a user role
- How to activate or deactivate a role
- How to change or view the default activation settings for a role
- How to configure security alerts
- How to start an access review
- How to perform an access review
- How to complete an access review
- How to require MFA
- How to use the audit log