Received an email saying Directory Readers role for (org name) was assigned outside of PIM

Griselda Sifuentes 0 Reputation points
2023-08-25T22:54:05.0466667+00:00

Got an email saying a user called "MicrosoftAzureActiveAuthn" got assigned a role called Directory Readers. We have not assigned any roles to anyone, yet we got an email. We looked for MicrosoftAzureActiveAuthn in Azure and it's under Azure Active Directory Service Principal (Enterprise Application). Clicked on it and checked the Roles and administrators tab and there is no Directory Readers assigned.

Checked the audit logs and it says that at 12:52: Service: PIM, Category: Role Management, Activity: Add member to role outside of PIM (permanent).

Just wondering why it says that and there's nothing on the Roles and administrators tab. We have not messed with anything regarding that, yet we received an email.

Please advise.


1 answer

  1. Vasil Michev 103.9K Reputation points MVP
    2023-08-26T06:54:13.8233333+00:00

    This is a well-known Microsoft app (service principal), so it's expected to see it pop up every now and then in things like audit logs or PIM notifications in your case. Why Microsoft is not filtering those out is another question, but at the very least they are now documenting (some of) those: https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in

    I'd suggest you double-check the AppID in your scenario and if it matches the one listed in the article above, you can safely ignore the alert.

    1 person found this answer helpful.
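
One way to run the AppID check suggested in the answer, as an added example that is not part of the original thread: it reads the service principal's AppId and owner tenant and lists the directory role assignments it currently holds. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the two read-only scopes; the owner tenant IDs are the ones Microsoft documents for first-party apps and should be confirmed against the linked article.

```powershell
# Added example: read-only checks with the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'

# Owner tenant IDs documented by Microsoft for first-party apps
# (assumption: verify them against the article linked in the answer).
$microsoftTenants = @(
    'f8cdef31-a31e-4b4a-93e4-5f571e91255a',
    '72f988bf-86f1-41af-91ab-2d7cd011db47'
)

$name = 'MicrosoftAzureActiveAuthn'   # display name taken from the PIM alert
$servicePrincipals = Get-MgServicePrincipal -Filter "displayName eq '$name'" -All

if (-not $servicePrincipals) {
    Write-Warning "No service principal named '$name' found in this tenant."
}

foreach ($sp in $servicePrincipals) {
    # Display names are not unique; the AppId and the owner tenant identify the app.
    [pscustomobject]@{
        DisplayName    = $sp.DisplayName
        ObjectId       = $sp.Id
        AppId          = $sp.AppId   # compare with the AppID listed in the article
        OwnerTenant    = $sp.AppOwnerOrganizationId
        MicrosoftOwned = $microsoftTenants -contains $sp.AppOwnerOrganizationId
    } | Format-List

    # Directory role assignments currently held by this principal.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($sp.Id)'" -All

    if (-not $assignments) {
        Write-Output "No active directory role assignments for object $($sp.Id)."
    }

    foreach ($a in $assignments) {
        $role = Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $a.RoleDefinitionId
        [pscustomobject]@{
            Role         = $role.DisplayName
            Scope        = $a.DirectoryScopeId
            AssignmentId = $a.Id
        } | Format-List
    }
}
```

A `MicrosoftOwned` value of `False`, or an AppId that differs from the documented one, means the display name alone should not be trusted and the alert deserves a closer look.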