Hi, Can someone help me with a custom search log for an azure alert so that when a PIM role or an Azure Resource Assignment is about to expire it triggers an alert/notification? As an example: this will generate an alert when an additional person is added to global admin role. AuditLogs | where OperationName contains "Add member to role" and TargetResources contains "Company Administrator"

Hi @Manuel • You can use below query for this purpose. AuditLogs | where LoggedByService == "PIM" and OperationName == "Add eligible member to role in PIM completed (timebound)" or OperationName == "Add member to role completed (PIM activation)" | project User=TargetResources[2].userPrincipalName, ExpriationTime=AdditionalDetails[3].value

Azure: How do you set a Custom log search to view the results and also be used when creating an alert to notify when a PIM role or Azure Resource Role is about to expire?

Accepted answer

AmanpreetSingh-MSFT 56,506 Reputation points

2022-03-29T19:10:12.567+00:00
Hi @Manuel • You can use below query for this purpose.

AuditLogs | where LoggedByService == "PIM" and OperationName == "Add eligible member to role in PIM completed (timebound)" or OperationName == "Add member to role completed (PIM activation)" | project User=TargetResources[2].userPrincipalName, ExpriationTime=AdditionalDetails[3].value
Please sign in to rate this answer.
Manuel 21 Reputation points

2022-03-29T20:15:25.283+00:00

Hello

Thank you very much i will test this out tomorrow and confirm.

Many thanks

Manuel

Manuel 21 Reputation points

2022-03-29T21:37:37.307+00:00

@AmanpreetSingh-MSFT

Thank you for your response i have reviewed and made the necessary adjustments:

AuditLogs |where LoggedByService=="Privileged Identity Management" and OperationName == "Add eligible member to role in PIM completed (timebound)" or OperationName=="Add member to role completed (PIM activation)" |project User=TargetResources[2].userPrincipalName, ExpriationTime=AdditionalDetails[4].value, Reason=ResultReason, Role=TargetResources[0].displayName

is there a way to set it so I can view logs when the role eligibility is about to expire after the one year set ? (snapshot attached)

g

AmanpreetSingh-MSFT 56,506 Reputation points

2022-03-30T05:30:15.193+00:00

Hi @Manuel • Unfortunately, the audit log won't generate when the Role is "about to expire". A log is generated after the expiry of the role eligibility/activation. For example, a log will be generated with OperationName (Activity Type): "Remove member from role (PIM activation expired)" after the active role assignment is expired.

I would suggest you rather use PIM to create access reviews for privileged access to Azure resources and Azure AD roles. You can also configure recurring access reviews that occur automatically. Please refer to Create an access review of Azure resource and Azure AD roles in PIM for step-by-step instructions.

AmanpreetSingh-MSFT 56,506 Reputation points

2022-04-04T08:50:13.937+00:00

@Manuel • Just checking if you have any further questions.

Manuel 21 Reputation points

2022-04-04T09:01:54.277+00:00

Hi @AmanpreetSingh-MSFT no that was all and thank youf the help , I have been using the logs now with a few changes

AmanpreetSingh-MSFT 56,506 Reputation points

2022-04-04T09:04:26.417+00:00

@Manuel • Thank you for the update. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Sign in to comment

Share via

Azure: How do you set a Custom log search to view the results and also be used when creating an alert to notify when a PIM role or Azure Resource Role is about to expire?

0 additional answers