Create an access review of Azure resource roles in PIM

Access to privileged Azure resource roles for employees changes over time. To reduce the risk associated with stale role assignments, you should regularly review access. You can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to create access reviews for privileged Azure resource roles. You can also configure recurring access reviews that occur automatically.

This article describes how to create one or more access reviews for privileged Azure resource roles.

Prerequisites

  • Owner or User Access Administrator role on the subscription or management group you want to review.

Open access reviews

  1. Sign in to the Azure portal with a user that holds one of the prerequisite roles (Owner or User Access Administrator) on the resource you want to review.

  2. Open Azure AD Privileged Identity Management.

  3. In the left menu, click Azure resources.

  4. Click the resource you want to manage, such as a subscription or management group.

  5. Under Manage, click Access reviews.

    Azure resources - Access reviews list showing the status of all reviews

Create one or more access reviews

  1. Click New to create a new access review.

  2. Name the access review. Optionally, give the review a description. The name and description are shown to the reviewers.

    Create an access review - Review name and description

  3. Set the Start date. By default, an access review occurs once, starts at the time it's created, and ends one month later. You can change the start and end dates so that the review starts in the future and runs for as many days as you want.

    Start date, frequency, duration, end, number of times, and end date

  4. To make the access review recurring, change the Frequency setting from One time to Weekly, Monthly, Quarterly, Semi-annually, or Annually. Use the Duration slider or text box to define how many days each occurrence in the series stays open for reviewer input. The duration must be shorter than the interval between occurrences so that reviews don't overlap; for example, the maximum duration for a monthly review is 27 days, because the shortest month has 28 days.

  5. Use the End setting to specify how the recurring series ends. There are three options: Never (the series keeps starting new occurrences indefinitely), on a specific end date, or after a defined number of occurrences has completed. After creation, you or another administrator with the prerequisite role can stop the series by changing the end date in Settings so that it ends on that date.

  6. In the Users section, select one or more roles whose membership you want to review.

    Users scope to review role membership of

    Note

    Selecting more than one role will create multiple access reviews. For example, selecting five roles will create five separate access reviews.

    If you are creating an access review of Azure AD roles, the following shows an example of the Review membership list.

    Review membership pane listing Azure AD roles you can select

    If you are creating an access review of Azure resource roles, the following shows an example of the Review membership list.

    Review membership pane listing Azure resource roles you can select

  7. In the Reviewers section, select one or more people to review all the users. Or you can select to have the members review their own access.

    Reviewers list of selected users or members (self)

    • Selected users - Use this option when you don't know who needs access. With this option, you can assign the review to a resource owner or group manager to complete.
    • Members (self) - Use this option to have the users review their own role assignments. A self-review relies on users to give up their own privileged access, so reserve it for roles and scopes where that is acceptable.
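The Start date, Frequency, Duration, and End settings above interact: if the duration is longer than the gap between two occurrences, the reviews overlap, which is why the portal caps a monthly review at 27 days. The following is an added example (not code from PIM or Microsoft) that models those settings and lets you plan a series and check it for overlap before you create it. The frequency-to-months mapping, the `one time`/`never`/`end_date`/`occurrences` names, and the 60-occurrence planning cap are assumptions made for the example.

```python
"""Plan a recurring PIM access review series and check that occurrences don't overlap.

Added example, not code from the PIM portal or from Microsoft. It models the
Start date, Frequency, Duration and End settings so the overlap rule behind the
27-day monthly limit can be checked before a series is created.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Frequencies other than weekly, as a step in whole months (assumed mapping).
FREQUENCY_MONTHS = {"monthly": 1, "quarterly": 3, "semi-annually": 6, "annually": 12}


def _as_date(value) -> date:
    """Accept either a date or an ISO 8601 string such as '2023-01-15'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_months(d: date, months: int) -> date:
    """Advance d by whole months, clamping the day to the target month's length."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def occurrence_start(series_start, frequency: str, n: int) -> date:
    """Start date of occurrence n (0 = first). Always computed from the series
    start so a clamped day (e.g. the 31st) doesn't drift from month to month."""
    start = _as_date(series_start)
    if frequency == "weekly":
        return start + timedelta(days=7 * n)
    return add_months(start, FREQUENCY_MONTHS[frequency] * n)


@dataclass(frozen=True)
class Occurrence:
    start: date
    end: date  # date the occurrence closes to reviewer input


def plan_occurrences(start, frequency: str, duration_days: int, end: str,
                     end_date=None, occurrences: int | None = None,
                     limit: int = 60) -> list[Occurrence]:
    """Expand the series. `end` mirrors the portal's End setting: 'never',
    'end_date' or 'occurrences'. A 'never' series is capped at `limit` for planning."""
    start = _as_date(start)
    if duration_days < 1:
        raise ValueError("duration must be at least one day")
    if frequency == "one time":
        return [Occurrence(start, start + timedelta(days=duration_days))]
    if end == "end_date" and end_date is None:
        raise ValueError("end_date is required when end='end_date'")
    if end == "occurrences" and not occurrences:
        raise ValueError("occurrences is required when end='occurrences'")
    series: list[Occurrence] = []
    for n in range(limit):
        s = occurrence_start(start, frequency, n)
        if end == "end_date" and s > _as_date(end_date):
            break
        if end == "occurrences" and n >= occurrences:
            break
        series.append(Occurrence(s, s + timedelta(days=duration_days)))
    return series


def find_overlaps(series: list[Occurrence]) -> list[tuple[Occurrence, Occurrence]]:
    """Consecutive occurrences where the next one starts on or before the day the previous closes."""
    return [(a, b) for a, b in zip(series, series[1:]) if a.end >= b.start]


def max_safe_duration(start, frequency: str, occurrences: int) -> int:
    """Longest duration (days) for which no occurrence in the series overlaps the next."""
    starts = [occurrence_start(start, frequency, n) for n in range(occurrences)]
    shortest_gap = min((b - a).days for a, b in zip(starts, starts[1:]))
    return shortest_gap - 1


if __name__ == "__main__":
    # A monthly series started on the 15th: 27 days is safe, 28 collides with February.
    for days in (27, 28):
        series = plan_occurrences("2023-01-15", "monthly", days, "occurrences", occurrences=12)
        clashes = find_overlaps(series)
        print(f"{days} days: {len(series)} occurrences, {len(clashes)} overlapping pair(s)")
    print("max safe monthly duration:", max_safe_duration("2023-01-15", "monthly", 12))
```

Running the block shows that a 28-day monthly review starting in January 2023 overlaps the March occurrence (February 15 plus 28 days lands on March 15), while 27 days does not; `max_safe_duration` derives the same 27-day figure from the shortest gap in the series.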

Upon completion settings

  1. To specify what happens after a review completes, expand the Upon completion settings section.

    Upon completion settings to auto apply and should review not respond

  2. If you want to automatically remove access for users that were denied, set Auto apply results to resource to Enable. If you want to manually apply the results when the review completes, set the switch to Disable.

  3. Use the Should reviewer not respond list to specify what happens to users that the reviewer does not act on within the review period. This setting applies only to unreviewed users; decisions the reviewer made manually stand. If the final reviewer decision for a user is Deny, that user's access is removed.

    • No change - Leave user's access unchanged
    • Remove access - Remove user's access
    • Approve access - Approve user's access
    • Take recommendations - Take the system's recommendation on denying or approving the user's continued access
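The two settings above decide, for every assignment in the review, whether it is kept or removed and whether the removal happens without an administrator's action. The following is an added example (not PIM's own code) that models that resolution over a constructed set of review records, including the case a practitioner should watch for: an Owner assignment that nobody reviewed being kept or removed purely by the fallback setting. The principal names, the subscription ID, and the `Decision`/`IfNoResponse` names are invented for the example.

```python
"""Resolve each role assignment's fate when a PIM access review completes.

Added example, not code from PIM or Microsoft. It models the 'Auto apply results
to resource' switch and the 'Should reviewer not respond' options applied to a
constructed set of review records.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    APPROVE = "Approve"
    DENY = "Deny"
    NOT_REVIEWED = "NotReviewed"


class IfNoResponse(Enum):
    """The 'Should reviewer not respond' options."""
    NO_CHANGE = "No change"
    REMOVE_ACCESS = "Remove access"
    APPROVE_ACCESS = "Approve access"
    TAKE_RECOMMENDATIONS = "Take recommendations"


@dataclass
class Assignment:
    principal: str
    role: str
    scope: str
    recommendation: Decision  # system recommendation: APPROVE or DENY
    reviewer_decisions: list = field(default_factory=list)  # in the order reviewers submitted them


@dataclass(frozen=True)
class Outcome:
    principal: str
    role: str
    decision: Decision
    remove: bool   # the assignment is (or will be) removed
    applied: bool  # the removal was executed automatically by auto-apply


def final_decision(a: Assignment, if_no_response: IfNoResponse) -> Decision:
    """Manual decisions always stand; the fallback applies only to unreviewed users.
    With several reviewers, the last submitted decision is final."""
    if a.reviewer_decisions:
        return a.reviewer_decisions[-1]
    fallback = {
        IfNoResponse.NO_CHANGE: Decision.NOT_REVIEWED,
        IfNoResponse.REMOVE_ACCESS: Decision.DENY,
        IfNoResponse.APPROVE_ACCESS: Decision.APPROVE,
        IfNoResponse.TAKE_RECOMMENDATIONS: a.recommendation,
    }
    return fallback[if_no_response]


def resolve(assignments, if_no_response: IfNoResponse, auto_apply: bool) -> list:
    """Apply the completion settings to every assignment in the review."""
    outcomes = []
    for a in assignments:
        decision = final_decision(a, if_no_response)
        remove = decision is Decision.DENY
        outcomes.append(Outcome(a.principal, a.role, decision, remove, applied=remove and auto_apply))
    return outcomes


def pending_manual_removals(outcomes) -> list:
    """Denied assignments that still need an administrator to apply the results."""
    return [o for o in outcomes if o.remove and not o.applied]


def kept_without_review(outcomes) -> list:
    """Assignments kept only because of the fallback setting, with no reviewer decision."""
    return [o for o in outcomes if o.decision is Decision.NOT_REVIEWED or
            (not o.remove and o.decision is Decision.APPROVE and o.principal in _UNREVIEWED)]


# Constructed sample review of one subscription (fictitious principals and ID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    Assignment("alice", "Owner", SUB, Decision.APPROVE, [Decision.APPROVE]),
    Assignment("bob", "Contributor", SUB, Decision.APPROVE, [Decision.DENY]),
    Assignment("carol", "Owner", SUB, Decision.DENY),      # nobody reviewed this one
    Assignment("dave", "Reader", SUB, Decision.APPROVE),   # nobody reviewed this one
    Assignment("erin", "User Access Administrator", SUB, Decision.APPROVE,
               [Decision.APPROVE, Decision.DENY]),         # two reviewers; the last says Deny
]
_UNREVIEWED = {a.principal for a in SAMPLE if not a.reviewer_decisions}

if __name__ == "__main__":
    for setting in IfNoResponse:
        print(f"--- Should reviewer not respond = {setting.value}, auto-apply enabled")
        for o in resolve(SAMPLE, setting, auto_apply=True):
            print(f"{o.principal:6} {o.role:26} {o.decision.value:12} remove={o.remove} applied={o.applied}")
```

The output for the sample makes the risk of the fallback visible: under Approve access, carol keeps the Owner role even though no reviewer looked at it, whereas Take recommendations removes it because the system recommended Deny, and No change leaves it in place but marked as not reviewed so it can be followed up. Manual decisions (bob's Deny, erin's final Deny) are removed under every setting.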

Advanced settings

  1. To specify additional settings, expand the Advanced settings section.

    Advanced settings for show recommendations, require reason on approval, mail notifications, and reminders

  2. Set Show recommendations to Enable to show reviewers the system's recommendations, which are based on the user's access information.

  3. Set Require reason on approval to Enable to require the reviewer to supply a reason for approval.

  4. Set Mail notifications to Enable to have Azure AD send email notifications to reviewers when an access review starts, and to administrators when a review completes.

  5. Set Reminders to Enable to have Azure AD send reminders of access reviews in progress to reviewers who have not completed their review.

Start the access review

Once you have specified the settings for an access review, click Start. The access review will appear in your list with an indicator of its status.

Access reviews list showing the status of started review

By default, Azure AD sends an email to reviewers shortly after the review starts. If you choose not to have Azure AD send the email, be sure to inform the reviewers that an access review is waiting for them to complete. You can show them the instructions for how to review access to Azure resource roles.

Manage the access review

You can track the progress as the reviewers complete their reviews on the Overview page of the access review. No role assignments are changed until the review is completed and its results are applied.

Access reviews overview page showing the details of the review

If this is a one-time review, then after the access review period is over or the administrator stops the access review, follow the steps in Complete an access review of Azure resource roles to see and apply the results.

To manage a series of access reviews, navigate to the access review. Upcoming occurrences are listed under Scheduled reviews, where you can edit the end date or add and remove reviewers as needed.

If you enabled Auto apply results to resource in the Upon completion settings, the results are applied automatically after the review's end date or when you manually stop the review. The review's status changes from Completed through intermediate states such as Applying and finally to Applied. Expect denied users, if any, to be removed from their roles within a few minutes; you can confirm the removal in the resource's role assignments.

Next steps