introduction
After working with Microsoft 365 for a long time, you will notice that a lot of privileged roles are assigned to users.
Some of these roles are still needed and some are not required any more.
This leads us to a technique for controlling the situation, called PIM Access review.
Following our usual approach here at Networks pioneers, the first article(s) focus on the theoretical side of the solution, and then we see how to apply that solution with best practice.
Let us explore the concepts of PIM Access review.
PIM Access review
As the name suggests, a PIM Access review simply reviews who holds which role and asks each user to justify their need for that role:
- if the user still needs the role: >> we keep (extend) the user's assignment to that role
- if the role is not required any more: >> we remove it from the user
- if the role's scope is more than what the user needs: >> we move the user to another, more limited role (least privilege)
What does Access review do?
- Ensures new employees have the right access to be productive
- Ensures access is removed when people, especially guests, leave or change teams
- Ensures access rights are not excessive, since excessive rights indicate a lack of control over access and lead to audit findings
- Engages resource owners so that they regularly review who has access to their resources
how it works?
Access review works as follows:
- The PIM admin notices that many privileged roles are assigned to users
- For example, in our tenant pioneers101.onmicrosoft.com, the Exchange admin role is currently assigned to 4 users >> but it could be 40
- The PIM admin creates an access review for the members of the Exchange admin role, to check whether the role is still needed
- The review emails each user asking them to justify their use of the role within a limited time, for example users should respond within 2 months
- After the two months, we check the result
- Users who justify their need for the role and approve the access review: their assignment to the role is kept
- Users who deny the access review and say they no longer need the role: they are removed from the role
- Users who do not respond to the access review: they are also removed from the role. This is the review's default decision for non-responders, which the admin chooses when creating the review; Deny is the safe choice, so that silence never keeps a privileged role. When auto-apply is enabled the removals happen automatically when the review ends; otherwise the admin applies the decisions manually
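The procedure above, as an added example in Microsoft Graph PowerShell that is not part of the original article: it creates the self-review for the Exchange Administrator role members described above (two-month window, non-responders removed, decisions applied automatically) and then reads the decisions back after the review ends. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can consent to the two Graph permissions in the Connect-MgGraph call, that the tenant has Azure AD Premium P2, and it uses the Graph v1.0 accessReviewScheduleDefinition shape as documented (principalResourceMembershipsScope for a directory role, an empty reviewers collection for a self-review, a null pattern with an endDate range for a one-time review). The display name, descriptions and the helper function name are made up for the example.

```powershell
# Added example, not the article's own code: create the Exchange Administrator access review
# described above and later summarise its decisions.
# Assumed: Microsoft.Graph SDK installed, account can consent to the scopes below, AAD P2 licensed.

Connect-MgGraph -Scopes "AccessReview.ReadWrite.All", "RoleManagement.Read.Directory"

# Look the role up by display name instead of hard-coding its template id.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"
if (-not $role) { throw "Exchange Administrator role definition not found in this tenant" }

$start = (Get-Date).ToUniversalTime()
$body = @{
    displayName             = "Exchange Administrator - access review"          # made-up name
    descriptionForAdmins    = "Review who still needs the Exchange Administrator role."
    descriptionForReviewers = "Justify whether you still need the Exchange Administrator role. No answer means removal."
    # Review every user who currently holds this directory role.
    scope = @{
        "@odata.type"   = "#microsoft.graph.principalResourceMembershipsScope"
        principalScopes = @(
            @{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"; query = "/users"; queryType = "MicrosoftGraph" }
        )
        resourceScopes  = @(
            @{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
               query         = "/roleManagement/directory/roleDefinitions/$($role.Id)"
               queryType     = "MicrosoftGraph" }
        )
    }
    # Empty reviewers collection = self-review: each role holder justifies their own access.
    reviewers = @()
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true   # an "I still need it" click alone is not enough
        instanceDurationInDays          = 60      # the article's two months to respond
        defaultDecisionEnabled          = $true   # non-responders get the default decision...
        defaultDecision                 = "Deny"  # ...which removes the role (fail closed)
        autoApplyDecisionsEnabled       = $true   # remove denied/unanswered assignments when the review ends
        recommendationsEnabled          = $true   # flag holders with no recent sign-in
        recurrence = @{
            pattern = $null                       # one-time review
            range   = @{
                type      = "endDate"
                startDate = $start.ToString("o")
                endDate   = $start.AddDays(60).ToString("o")
            }
        }
    }
}

$review = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions" `
    -Body ($body | ConvertTo-Json -Depth 10) -ContentType "application/json"
"Created access review definition $($review.id)"

# After the two months: list Approve / Deny / NotReviewed per role holder and whether it was applied.
function Get-RoleReviewResult {
    param([Parameter(Mandatory)][string]$DefinitionId)
    $base = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/$DefinitionId"
    $instances = (Invoke-MgGraphRequest -Method GET -Uri "$base/instances").value
    foreach ($inst in $instances) {
        $decisions = (Invoke-MgGraphRequest -Method GET -Uri "$base/instances/$($inst.id)/decisions").value
        foreach ($d in $decisions) {
            [pscustomobject]@{
                User          = $d.principal.displayName
                Decision      = $d.decision        # Approve, Deny or NotReviewed (NotReviewed -> default decision Deny)
                Justification = $d.justification
                ApplyResult   = $d.applyResult     # New, AppliedSuccessfully, AppliedWithUnknownFailure, ...
            }
        }
    }
}

Get-RoleReviewResult -DefinitionId $review.id | Format-Table -AutoSize
```

The two settings that carry the security weight are defaultDecision = Deny together with autoApplyDecisionsEnabled: with them, a user who ignores the review loses the role at the end of the 60 days exactly as the list above describes; without them the admin has to go back and apply the decisions by hand, and silence leaves the role in place.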
When do we need access reviews?
We can use access reviews in the following situations:
- Too many users in privileged roles
- When automation is not feasible
- When a group is repurposed
- For business-critical data access
- To maintain a policy's exception list
- To confirm group owners still need guests in their groups
Access review scope
Access review works on the following scopes:
- Members of Microsoft 365 (formerly Office 365) groups
- Members of security groups
- Users who have been directly assigned to an application
- Guest users
- Members of Azure AD roles managed by PIM, such as the Exchange admin role in our example
license requirements for access review
To apply access reviews we need one of the following licenses (any plan that includes Azure AD Premium P2):
- Azure Active Directory Premium P2 (AAD P2)
- EMS E5
conclusion
This was a brief overview of PIM access review.
Please join us in the next article to see how to apply access reviews with best practice to control excessive use of privileged roles.
Thank you