received an email saying directory readers role for (org name) was assigned outside of PIM

Griselda Sifuentes 0 Reputation points

Got an email saying a user called "MicrosoftAzureActiveAuthn" got assigned a role called directory readers. We have not assigned any roles to anyone, yet we got an email. We looked for MicrosoftAzureActiveAuthn in Azure and it's under Azure Active Directory Service Principal (Enterprise Application). Clicked on it and checked the roles and administrators and there is no directory readers assigned.

Checked the audit logs and it says that at 12:52 service PIM, Category Role Management, Activity add member to role outside of PIM (permanent)

Just wondering why it says that and there's nothing on the roles and administrators tab. We have not messed with anything regarding that, yet we received an email.

Please advise.


1 answer

  1. Vasil Michev 79,136 Reputation points MVP

    This is a well-known Microsoft app (service principal), so it's expected to see it pop up every now and then in things like audit logs or PIM notifications in your case. Why Microsoft is not filtering those out is another question, but at the very least they are now documenting (some of) those:

    I'd suggest you double-check the AppID in your scenario and if it matches the one listed in the article above, you can safely ignore the alert.

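The check the answer recommends, written out as an added example (not part of the original answer or of Microsoft's tooling): it assumes the Microsoft Graph PowerShell SDK, an account with read access to service principals, role assignments and audit logs, and uses a placeholder for the AppID that the Microsoft article publishes, since that value is not on this page.

```powershell
# Added example. Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph)
# and a signed-in account with read access to service principals, directory role
# assignments and the directory audit log.
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory', 'AuditLog.Read.All'

# Placeholder: replace with the AppID listed for MicrosoftAzureActiveAuthn in Microsoft's
# documentation of first-party applications (the article the answer refers to).
$documentedAppId = '<AppID from the Microsoft article>'

# 1. Locate the service principal named in the alert and read its AppID and owning tenant.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'MicrosoftAzureActiveAuthn'"
if (-not $sp) { throw 'No service principal with that display name; investigate further.' }
$sp | Select-Object DisplayName, AppId, Id, AppOwnerOrganizationId

# 2. Compare against the documented value. Only a match is the condition under which the
#    answer says the alert can be ignored; anything else is an unexplained assignment.
if ($sp.AppId -eq $documentedAppId) {
    Write-Host 'AppId matches the documented Microsoft first-party app.'
} else {
    Write-Warning 'AppId does NOT match the documented value; treat the assignment as unexplained.'
}
# Secondary check: Microsoft-owned apps are homed in the Microsoft Services tenant
# (well-known tenant ID f8cdef31-a31e-4b4a-93e4-5f571e91255a).
if ($sp.AppOwnerOrganizationId -ne 'f8cdef31-a31e-4b4a-93e4-5f571e91255a') {
    Write-Warning 'Service principal is not owned by the Microsoft Services tenant.'
}

# 3. See whether a Directory Readers assignment for that principal actually exists, which is
#    what the portal's "Roles and administrators" tab did not show in the question.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Directory Readers'"
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)' and roleDefinitionId eq '$($roleDef.Id)'"

# 4. Pull the audit entries of the kind that triggered the e-mail, newest first, to confirm
#    which principal was targeted and who (or what) initiated the change.
Get-MgAuditLogDirectoryAudit -Filter "category eq 'RoleManagement' and activityDisplayName eq 'Add member to role outside of PIM (permanent)'" -Top 20 |
    Select-Object ActivityDateTime, ActivityDisplayName,
        @{ n = 'Initiator'; e = { $_.InitiatedBy.App.DisplayName } },
        @{ n = 'Target';    e = { $_.TargetResources[0].DisplayName } }
```

Step 3 returning nothing while step 4 shows the event is the situation the question describes; the AppID comparison in step 2 is what decides whether that is benign.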