Audit Privileged Identity Management


With Microsoft Entra Privileged Identity Management, organizations can view activities, activations, and audit history for their Azure resources. These resources include subscriptions, resource groups, and even virtual machines. Any resource within the Microsoft Entra admin center that uses Azure role-based access control functionality can take advantage of the security and lifecycle management capabilities in PIM.

Note

If an organization has outsourced management functions to a service provider who uses Azure delegated resource management, PIM doesn't show role assignments authorized by that service provider.

Additional reading. For more information, see Microsoft Entra Reports.

View activity and activations

Administrators can see what actions a specific user took in various resources. To do so, they can view the Azure resource activity associated with a given activation period.

  1. In the Microsoft Entra admin center, in the left-hand navigation pane, select Identity governance, and then select Privileged Identity Management.

  2. On the Privileged Identity Management | Quick start page, in the middle navigation pane under the Manage section, select Azure resources.

  3. On the Privileged Identity Management | Azure resources page, select the resource you want to view activity and activations for.

  4. Select Roles or Members.

  5. Select a user to display a summary of the user's actions in Azure resources by date. It also shows the recent role activations over that same time period.

    Screenshot showing user details with resource activity summary and role activations.

  6. Select a specific role activation to see details and corresponding Azure resource activity that occurred while that user was active.

From the Microsoft Entra dashboard, select the Microsoft Entra Privileged Identity Management app. From there, access the audit history by selecting Manage privileged roles > Audit history in the PIM dashboard.

Resource audit gives you a view of all role activity for a resource.

  1. In the Microsoft Entra admin center, in the left-hand navigation pane, select Identity governance, and then select Privileged Identity Management.

  2. On the Privileged Identity Management | Quick start page, in the middle navigation pane under the Manage section, select Azure resources.

  3. On the Privileged Identity Management | Azure resources page, select the resource you want to view audit history for.

  4. Select Resource audit.

  5. Filter the history using a predefined date or custom range.

  6. For Audit type, select Activate (Assigned + Activated).

    Screenshot showing Resource audit list filtered by Activate audit type.

  7. Under Action, select (activity) for a user to see that user's activity detail in Azure resources.

    Screenshot showing User activity details for a particular action.

You can use the audit history to view the total activations, max activations per day, and average activations per day in a line graph. You can also filter the data by role if there's more than one role in the audit history.

Export role assignments with child resources

An organization might have a compliance requirement where it must provide a complete list of role assignments to auditors. PIM enables the organization to query role assignments at a specific resource, including role assignments for all of its child resources. Previously, it was difficult for administrators to get a complete list of role assignments for a subscription, because they had to export role assignments for each resource separately. Organizations can now use Privileged Identity Management to query for all active and eligible role assignments in a subscription, including role assignments for all resource groups and resources.

  1. In the Microsoft Entra admin center, in the left-hand navigation pane, select Identity governance, and then select Privileged Identity Management.

  2. On the Privileged Identity Management | Quick start page, in the middle navigation pane under the Manage section, select Azure resources.

  3. On the Privileged Identity Management | Azure resources page, select the resource you want to export role assignments for, such as a subscription.

  4. Select Members.

  5. Select Export to open the Export membership pane.

  6. Select Export all members to export all role assignments in a CSV file.

    Screenshot of a csv file showing all role assignments that PIM exported.
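The portal steps above produce the same data that the Az PowerShell PIM cmdlets return. The following script is an added example, not from this module or from Microsoft's product documentation: it exports all active (Assigned + Activated) and eligible role assignments for a subscription, including child resource groups and resources, to a CSV that mirrors the portal's Export all members, and then computes the total, maximum-per-day, and average-per-day activation figures that the audit history graph shows. It assumes the Az.Accounts and Az.Resources modules, a signed-in session with read access to the subscription, a placeholder subscription ID, and the output property names (the Expanded* and scheduling properties) that those cmdlets exposed at the time of writing; check them with Get-Member if your module version differs.

```powershell
# Added example (not from the Microsoft Learn page or the PIM product docs).
# Requires Az.Accounts and Az.Resources and a session opened with Connect-AzAccount
# that can read role assignments on the subscription. The Expanded* property
# names are assumed from the cmdlets' output objects; verify with Get-Member.
#Requires -Modules Az.Accounts, Az.Resources

param(
    # Placeholder: replace with the subscription you are auditing.
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',
    [string]$OutDir = '.'
)

$scope = "/subscriptions/$SubscriptionId"

# Active (Assigned + Activated) and eligible assignments. Listing at subscription
# scope without a filter also returns assignments on child resource groups and
# resources, which is what the portal's Export all members covers. Use
# -Filter 'atScope()' instead if you only want the subscription scope and above.
$active   = Get-AzRoleAssignmentScheduleInstance  -Scope $scope
$eligible = Get-AzRoleEligibilityScheduleInstance -Scope $scope

function ConvertTo-PimRow {
    # Normalize an active or eligible schedule instance into one CSV row.
    param($Instance, [string]$Kind)
    [pscustomobject]@{
        Kind           = $Kind                      # Active or Eligible
        AssignmentType = $Instance.AssignmentType   # Assigned / Activated (active rows only)
        MemberType     = $Instance.MemberType       # Direct / Group / Inherited
        Principal      = $Instance.ExpandedPropertyPrincipalDisplayName
        PrincipalType  = $Instance.PrincipalType
        Role           = $Instance.ExpandedPropertyRoleDefinitionDisplayName
        Scope          = $Instance.Scope
        ScopeType      = $Instance.ExpandedPropertyScopeType
        Start          = $Instance.StartDateTime
        End            = $Instance.EndDateTime      # $null for permanent assignments
    }
}

$rows = @($active   | ForEach-Object { ConvertTo-PimRow $_ 'Active' }) +
        @($eligible | ForEach-Object { ConvertTo-PimRow $_ 'Eligible' })

$rows | Sort-Object Scope, Role, Principal |
    Export-Csv -Path (Join-Path $OutDir "pim-assignments-$SubscriptionId.csv") -NoTypeInformation

# Rows auditors usually want called out: permanent active assignments, which the
# just-in-time model is meant to replace, and Inherited rows, which come from a
# parent management group rather than from this subscription.
$rows | Where-Object { $_.Kind -eq 'Active' -and $_.AssignmentType -eq 'Assigned' -and -not $_.End } |
    Format-Table Principal, Role, Scope, MemberType -AutoSize

function Get-ActivationStats {
    # Total, maximum per day and average per day, as in the audit history graph.
    # The average counts every calendar day in the span, including days with none.
    param([datetime[]]$Timestamps)
    if (-not $Timestamps) { return [pscustomobject]@{ Total = 0; MaxPerDay = 0; AvgPerDay = 0 } }
    $sorted = $Timestamps | Sort-Object
    $days   = ($sorted[-1].Date - $sorted[0].Date).Days + 1
    $perDay = $Timestamps | Group-Object { $_.ToUniversalTime().Date }
    [pscustomobject]@{
        Total     = $Timestamps.Count
        MaxPerDay = ($perDay | Measure-Object Count -Maximum).Maximum
        AvgPerDay = [math]::Round($Timestamps.Count / $days, 2)
    }
}

# Completed self-activations retained in the request list. The portal's Resource
# audit remains the authoritative history; this is a quick summary of what the
# API currently returns.
$activations = Get-AzRoleAssignmentScheduleRequest -Scope $scope |
    Where-Object { $_.RequestType -eq 'SelfActivate' -and $_.Status -eq 'Provisioned' }

Get-ActivationStats -Timestamps ($activations | ForEach-Object { [datetime]$_.CreatedOn })
```

Run it as `.\Export-PimAssignments.ps1 -SubscriptionId <id>` after Connect-AzAccount. Keeping the CSV columns fixed (Kind, AssignmentType, MemberType, Scope) makes successive exports diffable, so an auditor can see exactly which assignments appeared, expired, or became permanent between reviews.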