How to identify unused roles on a privileged user profile in Azure

Damien Coultis 5 Reputation points
2023-03-02T02:43:54.1866667+00:00

Disclaimer: First time post, I apologies if the way in which I pose my question is difficult to understand or it doesn't follow forum etiquette. Happy for feedback on this too.

Purpose:
I am looking to create static role assignments for various levels of privilege in an Azure environment using least privileges.

Scenario:

John Smith has XYZ roles assigned to him in Azure.

  • John's job requires him to perform various sysadmin tasks all the time as per his position requirements.
  • He may be required to perform a new task from time to time and for that purpose he should be granted JIT access to the role which will allow him to complete it, or that task could be assigned to the next level of privileged access and the role defined in their baseline.
  • Presently XYZ allows John to perform his regular duties as well as anything that would be classified as JIT access that someone in Johns position has been known to do from time to time.

I need to review and reduce the roles John has to make sure those roles don't give him more privilege than his role requires.

I don't want to perform the laborious task of a manual continual access reviews (understanding this will need to happen but for the moment it is not possible).

Question:
Is there a method to auditing the day-to-day tasks John performs over a 30day period to easily identify his regular tasks, cross reference them with his role assignments and identify any roles he has been assigned he wouldn't need thus creating a base level role assignment for all the other users who have the same day-to-day duties and managing all other role assignments as JIT access.

Microsoft Identity Manager
Microsoft Identity Manager
A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.
610 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
662 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,437 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Manu Philip 16,966 Reputation points MVP
    2023-03-02T04:20:53.5366667+00:00

    I suggest using Access Review for AD Administrator for your requirement. Note that, the user should have assigned the Azure AD Premium P2 license can be only reviewed by this feature

    You can start an access review by clicking the below link : https://portal.azure.com/#blade/Microsoft_Azure_PIM/DirectoryRoleManagementMenuBlade/DirectoryRolesAccessReview/

    The review frequency will allow us to set the frequency of every review

    Once we set a review, an email notification will be delivered to the users who are lying under the role selected in the review settings. While processing the email, the reviewer can review the access privileges of the user under review based on the activities performed by the user registered under Azure AD Audit logs. Approve or Deny options can be selected based on the roles required for the user under review.


    --please don't forget to upvote and Accept as answer if the reply is helpful--