Complete an access review of Azure resource and Azure AD roles in PIM

Privileged role administrators can review privileged access once an access review has been started. Privileged Identity Management (PIM) in Azure Active Directory (Azure AD) will automatically send an email that prompts users to review their access. If a user doesn't receive an email, you can send them the instructions for how to perform an access review.

Once the review has been created, follow the steps in this article to complete the review and see the results.

Complete access reviews

  1. Login to the Azure portal. For Azure resources, navigate to Privileged Identity Management and select Azure resources under Manage from the dashboard. For Azure AD roles, select Azure AD roles from the same dashboard.

  2. For Azure resources, select your resource under Azure resources and then select Access reviews from the dashboard. For Azure AD roles, proceed directly to the Access reviews on the dashboard.

  3. Select the access review that you want to manage. Below is a sample screenshot of the Access Reviews overview for both Azure resources and Azure AD roles.

    Access reviews list showing role, owner, start date, end date, and status screenshot.

On the detail page, the following options are available for managing the review of Azure resources and Azure AD roles:

Options for managing a review in Azure resources - Stop, Reset, Apply, Delete screenshot.

Stop an access review

All access reviews have an end date, but you can use the Stop button to finish it early. The Stop button is only selectable when the review instance is active. You cannot restart a review after it's been stopped.

Reset an access review

When the review instance is active and at least one decision has been made by reviewers, you can reset the access review by selecting the Reset button to remove all decisions that were made on it. After you've reset an access review, all users are marked as not reviewed again.

Apply an access review

After an access review is completed, either because you've reached the end date or stopped it manually, the Apply button removes denied users' access to the role. If a user's access was denied during the review, this is the step that will remove their role assignment. If the Auto apply setting is configured on review creation, this button will always be disabled because the review will be applied automatically instead of manually.

Delete an access review

If you are not interested in the review any further, delete it. To remove the access review from the Privileged Identity Management service, select the Delete button.

Important

You will not be required to confirm this destructive change, so verify that you want to delete that review.

Results

On the Results page, you may view and download a list of your review results.

Results page listing users, outcome, reason, reviewed by, applied by, and apply result for Azure AD roles screenshot.

Note

Azure AD roles have a concept of role-assignable groups, where a group can be assigned to the role. When this happens, the group will show up in the review instead of expanding the members of the group, and a reviewer will either approve or deny the entire group.

Results page listing users, outcome, reason, reviewed by, applied by, and apply result for Azure resource roles screenshot.

Note

If a group is assigned to Azure resource roles, the reviewer of the Azure resource role will see the expanded list of the users in a nested group. Should a reviewer deny a member of a nested group, that deny result will not be applied successfully because the user will not be removed from the nested group.

Reviewers

On the Reviewers page, you may view and add reviewers to your existing access review. You may also remind reviewers to complete their reviews here.

Note

If the reviewer type selected is user or group, you can add more users or groups as the primary reviewers at any point. You can also remove primary reviewers at any point. If the reviewer type is manager, you can add users or groups as the fallback reviewers to complete reviews on users who do not have managers. Fallback reviewers cannot be removed.

Reviewers page listing name and user principal name for Azure resource roles screenshot.

Next steps