In this blog post I will discuss Microsoft Entra Privileged Identity Management (PIM) Alerts and not the process of setting up Azure Privileged Identity Management. If you wish to learn about Microsoft Entra PIM, visit the following link What is Privileged Identity Management? Microsoft Learn
Note: Azure Active Directory is being rebranded to Microsoft Entra ID
Azure Entra ID Privileged Identity Management Alerts (PIM) alerts are security notifications that Privileged Identity Management (PIM) generates when there is suspicious or unsafe activity in your Microsoft Entra ID organisation, such as,
Entra ID Roles (Previously known as Azure AD Roles)
– Your organisation doesn’t have Entra ID (Azure AD) Premium P2 licenses which is a requirement for you to use PIM
– Roles don’t require multi-factor authentication for activation
– Eligible administrators aren’t activating their privileged role
– Roles are being assigned outside of Privileged Identity Management
– Roles are being activated too frequently
– There are too many global administrators
– Potential stale accounts in a privileged role
Azure Resources
– Too many owners assigned to a resource
– Too many permanent owners assigned to a resource
– Duplicate role created
– Roles are being assigned outside of Privileged Identity Management
The above are built into Privileged Identity Management and will generate an alert if the condition is met.
Let’s take a look where these built in alerts are located in Privileged Identity Management (PIM),
- Login to entra.microsoft.com or access Entra ID from the Azure portal.
- Expand Identity Governance
- Click Privileged Identity Management
- Under manage click Azure AD roles (Being rebranded to Entra ID Roles)
5. Click Alerts
6. Click Settings
7. Here are the built in rules which will trigger an alert if the condition is met
8. Go back to check if any alerts have been generated. Click the scan button if nothing is visible. I have two alerts generated as per the image below,
9. If I click on the alert Potential stale accounts in a privileged role I have one account which is assigned a privileged role, and the user has not signed into Entra ID (Azure AD) for over 30 days (Click the image below if you need to enlarge).
The image above shows that a user named Alex is assigned to a privileged administrator role, however, has not signed in for over 2 months. Therefore the alert Potential stale accounts in a privileged role has triggered.
I have two options, Dismiss and Fix.
Dismiss – This would dismiss/hide the alert, however if I was to run another scan, the alert would return. This is not dismissing Alex having a privileged stale role but as mentioned it will hide/suppress the alert from your view. You’ll find that the dismiss option is available to select even though you have not selected any users (via the checkbox). After clicking dismiss, if you were to return to the alerts pages, the alert would not be visible but running another scan would return the alert.
Fix – as you can see from the image above, the option to fix is greyed out. If I click the checkbox by the account of Alex as shown in the image below, the option to fix becomes available. What does this fix option do? It will automatically remove the privileged role from Alex. You could also remove the role manually if you wish. Once, fixed, the alert will disappear within a couple of seconds.
Note: Ensure that the role is not required before attempting to fix.
What does the below status symbol mean?
The blue symbol under the status column means that the alert is pending or requires resolving.
When you fix a issue, you’ll find that the blue symbol switches to a green check mark for a second before the alert is actioned and removed. In my case, the alert disappeared and the privileged role was unassigned from Alex.
Azure resource alerts
You will also find a number of alerts available for Azure resources,
1. Go back to the main page for PIM and click Azure Resources
2. Click your subscription
3. Click alerts under manage from the left pane and click settings. These are the alerts which will be triggered if the condition is met.
If an access denied error appears the first time you click settings, refresh the page and try again.
I hope this helps. As always, please feel free to drop a comment below if you have any feedback.