introduction
In the previous article we discussed the concept of access review and explained that it addresses many issues, including but NOT limited to excessive access through privileged roles.
In this article we will see how to use PIM access review following best practice.
Let us go.
Organization case study
Organization pioneers101 has the following privileged role membership:
Global Admin Role
- Global Admin Role has 2 members: Bisan & Ahmad
Exchange Admin Role
- Exchange Admin Role has 4 members, as follows:
- Abdulla & Hisham as eligible privileged role assignments (called just-in-time access)
- Haifa & Aziz as active privileged role assignments (called time-bound access)
This total of 6 admins (4+2) may look like a small number.
But...
What if we have 70 admin role assignments to users with various levels of privilege?
Company requirements
Organization pioneers101 has the following requirements:
Global admin roles
- Send an access review to Global Admin role members so they justify their need for this role
- Users should respond to the access review within 15 days: from 12/1/2020 – 12/15/2020
- Send the access review email to users every 1 week
- It is NOT mandatory to remove users who did NOT respond to the access review
Exchange admin roles
- Send an access review to Exchange Admin role members so they justify their need for this role
- Users should respond to the access review within 30 days: from 12/1/2020 – 12/31/2020
- Send the access review email to users every 1 week
- It is mandatory to remove users who did NOT respond to the access review
- It is mandatory to remove users who respond to the access review with deny (the role is NOT required any more)
Let us see how to create the access reviews and how users respond to them.
Configure exchange access review
We will create two access reviews:
- exchange access review
- global admin access review
Let us start with the exchange access review.
- Log in to the Azure portal as global admin (Bisan)
- Search for PIM
- Select the role >> Access review
- Click New
Configure global admin access review
Now we will create another access review for the Global Admin role.
- Log in to the Azure portal as global admin (Bisan)
- Search for PIM
- Select the role >> Access review
- Click New
Exchange admin response
Now an email is sent to the Exchange Admin role members:
- Haifa
- Aziz
- Hisham
- Abdulla
Let us see how they responded.
The Exchange Admin users responded as follows:
- Aziz: deny
- Hisham: approve
- Abdulla: approve
- Haifa did NOT respond to the access review email
Global admin response
Now an email is sent to the Global Admin role members:
- Bisan
- Ahmad
Let us see how they responded.
Bisan approved.
But Ahmad did NOT respond to the access review email.
Checking the result
Let us check the result according to each user's response.
Finish access review
We can wait until the access review reaches its end date,
or we can stop the access review manually before the end date.
Let us see how to stop the access review manually.
Take decision
After the access review has finished:
Global admin review
- Global Admin has two members: 1 approve + 1 did not respond
- Global admin review: both members will be kept, because the requirements do not require removing users who did not respond
Exchange admin review
- Exchange Admin has 4 members: 2 approve + 1 did not respond + 1 deny
- Exchange admin review: the two members who approved the access review will be kept
- Exchange admin review: the two members who either denied or did not respond will be removed
- because the requirements do require removing users who did not respond
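As an added illustration that is not part of the original article, the following Python model applies each review's settings (review window, and whether non-responders are removed) to the recorded responses and returns the keep/remove outcome per member. The policy and data classes, the dates of the sample responses, and the rule that a response dated outside the review window counts as no response are assumptions made for the example; the member names, windows and decisions come from the case study above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

@dataclass
class ReviewPolicy:
    """Settings of one PIM access review (constructed to mirror the pioneers101 requirements)."""
    role: str
    start: date
    end: date
    remove_if_no_response: bool   # 'if reviewers don't respond' -> remove access?
    remove_if_denied: bool = True # a deny decision always drops the assignment

@dataclass
class Response:
    decision: str                 # "approve" or "deny"
    responded_on: date

def decide(policy: ReviewPolicy, members: List[str], responses: Dict[str, Response]) -> Dict[str, str]:
    """Return the post-review action per member: 'keep' or 'remove'.
    Assumption for this example: a response outside the review window is treated as no response."""
    outcome: Dict[str, str] = {}
    for member in members:
        resp = responses.get(member)
        if resp is None or not (policy.start <= resp.responded_on <= policy.end):
            outcome[member] = "remove" if policy.remove_if_no_response else "keep"
        elif resp.decision == "deny":
            outcome[member] = "remove" if policy.remove_if_denied else "keep"
        elif resp.decision == "approve":
            outcome[member] = "keep"
        else:
            raise ValueError(f"unknown decision {resp.decision!r} for {member}")
    return outcome

# The two reviews from the case study: 15-day window, non-responders kept / 31-day window, non-responders removed.
GLOBAL_ADMIN = ReviewPolicy("Global Administrator", date(2020, 12, 1), date(2020, 12, 15), remove_if_no_response=False)
EXCHANGE_ADMIN = ReviewPolicy("Exchange Administrator", date(2020, 12, 1), date(2020, 12, 31), remove_if_no_response=True)

def case_study():
    """Constructed sample responses; the response dates are illustrative, the decisions follow the article."""
    ga = decide(GLOBAL_ADMIN, ["bisan", "ahmad"], {"bisan": Response("approve", date(2020, 12, 3))})
    ex = decide(EXCHANGE_ADMIN, ["haifa", "aziz", "hisham", "abdulla"],
                {"aziz": Response("deny", date(2020, 12, 4)),
                 "hisham": Response("approve", date(2020, 12, 5)),
                 "abdulla": Response("approve", date(2020, 12, 6))})
    return ga, ex

if __name__ == "__main__":
    for name, result in zip(("global admin review", "exchange admin review"), case_study()):
        print(name, result)
```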