PIM: Audit Logs & Alerts


Introduction

After seeing how to configure PIM approaches such as:

  • Just in Time (Eligible Role)
  • Time Bound Access
  • Permanent Active Access

it is very important to be familiar with PIM audit logs and alerts so that you can keep monitoring administrative activities in your organization.

PIM Audit Logs

With Azure Active Directory (Azure AD) Privileged Identity Management (PIM), you can view:

  • activity,
  • activations,
  • and audit history

for Azure resources, including:

  • subscriptions,
  • resource groups,
  • and even virtual machines.

Any resource within the Azure portal that leverages the Azure role-based access control functionality can take advantage of the security and lifecycle management capabilities in Privileged Identity Management.

Resources Audit Logs

Resource audit gives you a view of all role activity for a resource.

  • Open Azure AD Privileged Identity Management.

  • Select Azure resources.

  • Select the resource you want to view audit history for.

  • Select Resource audit.

  • Filter the history using a predefined date or custom range.

  • Select export to download the history as a CSV file.
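
The following Python script is an added example, not code from the original article: it reads an exported resource audit CSV and reports activations per requestor, activations outside business hours, and permanent assignments. The column names, action strings and sample rows are assumptions constructed for illustration; match them to the header of your own export.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of an exported resource audit CSV. Column names and
# action strings are assumptions; adjust them to match your own export.
SAMPLE_CSV = """Time,Requestor,Action,Resource name,Primary target,Subject
2024-03-04T09:12:00Z,alice@example.com,Add member to role completed (PIM activation),rg-prod,Contributor,alice@example.com
2024-03-04T23:47:00Z,bob@example.com,Add member to role completed (PIM activation),rg-prod,Owner,bob@example.com
2024-03-05T10:05:00Z,carol@example.com,Add member to role in PIM completed (permanent),vm-db01,Owner,dave@example.com
2024-03-05T10:30:00Z,alice@example.com,Add member to role completed (PIM activation),vm-db01,Contributor,alice@example.com
"""

# 08:00-17:59, evaluated in the timestamp zone of the export (assumed UTC here).
BUSINESS_HOURS = range(8, 18)


def review_audit(csv_text):
    """Return (activations per requestor, findings) for an audit export."""
    activations = Counter()
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["Time"], "%Y-%m-%dT%H:%M:%SZ")
        action = row["Action"].lower()
        detail = (row["Subject"], row["Primary target"], row["Resource name"])
        if "activation" in action:
            # Just-in-time use of an eligible role: count it per requestor.
            activations[row["Requestor"]] += 1
            if when.hour not in BUSINESS_HOURS:
                findings.append(("off-hours activation", *detail))
        if "permanent" in action:
            # Permanent active access bypasses just-in-time activation,
            # so every such assignment deserves a manual review.
            findings.append(("permanent assignment", *detail))
    return activations, findings


if __name__ == "__main__":
    counts, findings = review_audit(SAMPLE_CSV)
    for requestor, n in counts.most_common():
        print(f"{requestor}: {n} activation(s)")
    for finding in findings:
        print("REVIEW:", *finding)
```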

My audit logs

My audit enables you to view your personal role activity.

  • Open Azure AD Privileged Identity Management.

  • Select Azure resources.

  • Select the resource you want to view audit history for.

  • Select My audit.

  • Filter the history using a predefined date or custom range.

  • Select export to download the history as a CSV file.

View Roles members

  • Open Azure AD Privileged Identity Management.

  • Select Azure resources.

  • You can see a brief overview of all resource members.

  • Select the resource you want to view activity and activations for.

  • Select Roles or Members.

  • Select a user.


PIM Alerts

Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in your Azure Active Directory (Azure AD) organization.

When an alert is triggered, it shows up on the Alerts page.

For example, one alert indicates that roles don't require MFA, which could be considered a risk.


Alerts Severity

Alerts are classified into three categories:

High:

  • Requires immediate action because of a policy violation.

Medium:

  • Does not require immediate action but signals a potential policy violation.

Low:

  • Does not require immediate action but suggests a preferred policy change.