

Azure AD Privileged Identity Management is a really fantastic tool that lets you provide governance around access to Azure AD roles and Azure resources, by providing just in time access, step up authentication, approvals and a lot of great reporting. For those with Azure AD P2 licensing, you should roll it out ASAP. There are plenty of guides on deploying PIM, so I won’t go back over those, but instead focus on how we can leverage Azure Sentinel to make sure the rules are being followed in your environment.

PIM actions are logged to the AuditLogs table, so you can find any associated operations by searching that table for PIM:

```kql
AuditLogs
// every PIM operation carries "PIM" in its name, so this surfaces all of them
| where OperationName contains "PIM"
```

If you have had PIM enabled for a while, you will see lots of different activities. I won’t list them all here, but you will see each time someone activates a role, when they are assigned to roles, when new roles are onboarded and so on. Most of the items will just be business as usual activity, useful for auditing but nothing we need to alert on or respond to.

One big gap of PIM is that users can still be assigned roles directly, so instead of having just in time access to a role, or requiring an MFA challenge to activate it, they are permanently assigned to roles. This may not be an issue for some roles like Message Center Reader, but you definitely want to avoid it for highly privileged roles like Global Administrator, Exchange Administrator, Security Administrator and whichever else you deem high risk. This could be an admin trying to get around policy or something more sinister. Thankfully we get an operation each time this happens, ready to act on. We can query the AuditLogs for these events, then retrieve the information about who was added to which role, and who did it in case we want to follow up with them. For this example I added our test user to the Power Platform Administrator role outside of PIM.

```kql
AuditLogs
| where OperationName startswith "Add member to role outside of PIM"
// TargetResources and AdditionalDetails are dynamic arrays; index into them
// (e.g. TargetResources[0]) to pick the element that holds the user or the role
// in your tenant's events, otherwise the two displayName columns below come back identical
| extend AADUserAdded = tostring(TargetResources.displayName)
| extend AADRoleId = tostring(AdditionalDetails.value)
| extend AADRoleDisplayName = tostring(TargetResources.displayName)
```
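To turn the query above into something worth alerting on, the following is an added example (not from the original post) that keeps only successful direct assignments to the roles you treat as high risk and pulls out who made the change. The TargetResources indexes, the `Result` value and the role list are assumptions; check a real "outside of PIM" event in your tenant and adjust them.

```kql
// Assumption: the roles you consider high risk; extend this list as you see fit.
let HighRiskRoles = dynamic([
    "Global Administrator",
    "Exchange Administrator",
    "Security Administrator"
]);
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName startswith "Add member to role outside of PIM"
// Assumption: failed attempts carry a different Result; keep only the ones that took effect.
| where Result == "success"
// Who did it: a human admin has InitiatedBy.user, an automation has InitiatedBy.app.
| extend Initiator = coalesce(
    tostring(InitiatedBy.user.userPrincipalName),
    tostring(InitiatedBy.app.displayName))
// Assumption: first target resource is the user, second is the role.
| extend AADUserAdded = tostring(TargetResources[0].userPrincipalName)
| extend AADRoleDisplayName = tostring(TargetResources[1].displayName)
// Case-insensitive match against the high risk list; everything else stays audit-only.
| where AADRoleDisplayName in~ (HighRiskRoles)
| project TimeGenerated, Initiator, AADUserAdded, AADRoleDisplayName, CorrelationId
| order by TimeGenerated desc
```

Scheduling this as an analytics rule gives you one incident per direct high-risk assignment, with the initiator already on it for the follow-up conversation.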
