
Azure AD Privileged Roles: Manage & Monitor Privileged Access. Are you looking to effectively manage and monitor privileged roles and access in Azure AD? This article offers comprehensive information to help you successfully achieve this goal.

The article starts by explaining what Azure AD privileged roles are and why it is critical to monitor them.

After that, we offer three ways to use Azure Active Directory tools to monitor and manage privileged or elevated permissions.

What Are Azure Active Directory Privileged Roles?

When a role is assigned to a user, either directly or through a group, the user acquires the permissions associated with that role. However, this is where the easy part ends.

In addition to granting permissions through Azure AD role assignment, IT security admins must ensure their security strategy passes three tests.

First, they must ensure that IT admins are not granted permissions beyond what their tasks require. Second, privileged access should only be granted for limited durations.

Finally, regularly monitoring roles, privileges, and permissions is crucial to identify and revoke excessive user permissions.

Fortunately, Azure Active Directory provides various tools and features to meet these role and permissions management requirements.

In the subsequent sections of this article, we explain various methods for monitoring and managing Azure AD privileged access.

How to Manage and Monitor Privileged Roles in Azure Active Directory

Option 1: Create an Access Review of Azure AD roles in PIM

Users’ privileged access requirements change periodically. As a result, regular monitoring is necessary to ensure that users are assigned the exact permissions they need.

The Azure AD Privileged Identity Management (PIM) offers the option to create access reviews for privileged access. Specifically, access reviews are created to monitor privileged access to Azure resources or Azure Active Directory roles.

However, ensure your account meets the licensing and role requirements before creating access reviews.

Azure AD Premium P2 is the license prerequisite. Moreover, to create access reviews, a user must be assigned the Global Administrator or the Privileged Role Administrator role.

If your account meets the licensing and role assignment requirements, follow these steps to create access reviews for Azure AD roles:

1. Sign in to portal.azure.com, search “Identity Governance,” and open the service.

2. Once the page opens, under “Privileged Identity Management,” click “Azure AD roles.”

3. Next, select “Azure AD roles” on the Manage menu. Then, under Manage, click “Access reviews” and then “New” to create a new access review.

4. Finally, enter the required details on the “Create an access review” page and click Start.

If you need help determining what options to use in creating your access review, get the explanations of the sections of the access review


Option 2: List Azure AD Assigned Roles for Users or Groups

Azure Active Directory allows you to check the roles assigned to a user or group by reviewing that object’s individual role assignments.

Follow these steps to view the role assignments for a user or group.

1. Sign in to portal.azure.com and open Azure Active Directory. Next, click the “Users” or “Groups” menu.

I will click Groups to show how to list the role assignments for a group.

2. If you’re reviewing the role assignments for a group, select it from the list. Alternatively, use the search field.

3. Finally, click “Assigned roles” to display a list of all the Azure AD roles assigned to the group.

Option 3: Review Azure AD Roles Resource Audit History

Azure Privileged Identity Management (PIM) keeps a 30-day audit history of all privileged role assignments or removals. IT administrators use this tool to determine who has been assigned a privileged role in the last 30 days.

Here are the steps to use the “Resource audit” log in Azure PIM:

1. Open “Privileged Identity Management” in the Azure Portal. Next, select “Azure AD roles” on the Manage menu.

2. Once the Azure Privileged Identity Management page opens, select “Resource audit” in the Activity menu.

The default “Time span” filter is “Last day.” So, if the log is empty, modify the filter to “Last month.”

Finally, export the Azure AD Roles Resource audit history to CSV to analyse it.
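The same review can be scripted so it runs on a schedule instead of by clicking through the portal. The block below is an added example, not code from the article or from InfraSOS; it uses the Microsoft Graph PowerShell SDK to produce the Option 2 role-assignment list (extended with PIM eligible assignments and their end dates, which the portal step does not show) and the Option 3 role-management audit history for the last 30 days. The watch list of role names and the output file path are assumptions you should adjust.

```powershell
# Added example: requires the Microsoft.Graph PowerShell SDK and a signed-in
# account allowed to read role assignments and audit logs.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory",
                        "RoleEligibilitySchedule.Read.Directory",
                        "Directory.Read.All",
                        "AuditLog.Read.All"

# Map role definition IDs to display names so the output is readable.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Roles the article calls out as highly privileged; extend to your own watch list (assumption).
$watchList = @("Global Administrator", "Privileged Role Administrator")

# Option 2 equivalent: every active directory role assignment with the principal expanded.
$active = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal |
    ForEach-Object {
        [pscustomobject]@{
            Role      = $roleNames[$_.RoleDefinitionId]
            Principal = $_.Principal.AdditionalProperties['displayName']
            Type      = $_.Principal.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
            Scope     = $_.DirectoryScopeId   # '/' means the whole tenant
            Watched   = $roleNames[$_.RoleDefinitionId] -in $watchList
        }
    }
$active | Sort-Object Role, Principal | Format-Table -AutoSize

# Tenant-wide assignments of watched roles are the ones to justify first.
$active | Where-Object { $_.Watched -and $_.Scope -eq '/' } | Format-Table Role, Principal, Type -AutoSize

# PIM eligible assignments: a missing EndDateTime means the eligibility never expires.
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All |
    Select-Object @{n='Role'; e={ $roleNames[$_.RoleDefinitionId] }}, PrincipalId, DirectoryScopeId, EndDateTime |
    Sort-Object Role | Format-Table -AutoSize

# Option 3 equivalent: role-management audit events for the last 30 days, exported to CSV.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'RoleManagement' and activityDateTime ge $since" |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{n='InitiatedBy'; e={ $_.InitiatedBy.User.UserPrincipalName }},
        @{n='Target';      e={ ($_.TargetResources | Select-Object -First 1).UserPrincipalName }} |
    Sort-Object ActivityDateTime -Descending |
    Export-Csv -Path .\RoleManagementAudit.csv -NoTypeInformation   # path is an assumption
```

Comparing two consecutive runs of the active-assignment list is a quick way to spot a privileged role that was added outside the normal request process.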

Azure AD Privileged Roles: Manage & Monitor Privileged Access Conclusion

Azure AD offers organizations up to 60 privileged roles that can be assigned to perform specific functions. However, organizations must actively monitor role assignments for two reasons.

First, to ensure that users do not have more permissions than they need to do their jobs. Second, to ensure that users are not assigned privileged roles for longer than required.

To help you achieve these two objectives, this article explained what privileged roles are and explored three methods to manage and monitor privileged access in Azure AD.



Victor Ashiedu

Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
