How to start an access review in Azure AD Privileged Identity Management
Role assignments become "stale" when users have privileged access that they don't need anymore. In order to reduce the risk associated with these stale role assignments, privileged role administrators should regularly review the roles that users have been given. This document covers the steps for starting an access review in Azure AD Privileged Identity Management (PIM).
Start an access review
If you haven't added the PIM application to your dashboard in the Azure portal, see the steps in Getting Started with Azure Privileged Identity Management
From the PIM application main page, there are three ways to start an access review:
- Access reviews > Add
- Roles > Review button
- Select the specific role to be reviewed from the roles list > Review button
When you click on the Review button, the Start an access review blade appears. On this blade, you're going to configure the review with a name and time limit, choose a role to review, and decide who will perform the review.
Configure the review
To create an access review, you need to name it and set a start and end date.
Make the length of the review long enough for users to complete it. If you finish before the end date, you can always stop the review early.
Choose a role to review
Each review focuses on only one role. Unless you started the access review from a specific role blade, you'll need to choose a role now.
Navigate to Review role membership
- Choose one role from the list.
Decide who will perform the review
There are three options for performing a review. You can assign the review to someone else to complete, you can do it yourself, or you can have each user review their own access.
Navigate to Select reviewers
Choose one of the options:
- Select reviewer: Use this option when you don't know who needs access. With this option, you can assign the review to a resource owner or group manager to complete.
- Me: Useful if you want to preview how access reviews work, or you want to review on behalf of people who can't.
- Members review themselves: Use this option to have the users review their own role assignments.
Start the review
Finally, you have the option to require that users provide a reason if they approve their access. Add a description of the review if you like, and select Start.
Make sure you let your users know that there's an access review waiting for them, and show them How to perform an access review.
Manage the access review
You can track the progress as the reviewers complete their reviews in the Azure AD PIM dashboard, in the access reviews section. No access rights will be changed in the directory until the review completes.
Until the review period is over, you can remind users to complete their review, or stop the review early from the access reviews section.
PIM Table of Contents
- Get started with Azure Privileged Identity Management
- Roles in Azure AD PIM
- The security wizard
- How to give other admins access to Privileged Identity Management
- How to add or remove a user role
- How to activate or deactivate a role
- How to change or view the default activation settings for a role
- How to configure security alerts
- How to start an access review
- How to perform an access review
- How to complete an access review
- How to require MFA
- How to use the audit log