Muokkaa

Jaa


Complete an access review of Azure resource and Microsoft Entra roles in PIM

Privileged Role Administrators can review privileged access once an access review has been started. Privileged Identity Management (PIM) in Microsoft Entra ID will automatically send an email that prompts users to review their access. If a user doesn't receive an email, you can send them the instructions for how to perform an access review.

Once the review has been created, follow the steps in this article to complete the review and see the results.

Complete access reviews

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as a user that is assigned to one of the prerequisite role(s).

  2. Browse to Identity governance > Privileged Identity Management.

  3. For Microsoft Entra roles, select Microsoft Entra roles. For Azure resources, select Azure resources

  4. Select the access review that you want to manage. Below is a sample screenshot of the Access Reviews overview for both Azure resources and Microsoft Entra roles.

    Access reviews list showing role, owner, start date, end date, and status screenshot.

On the detail page, the following options are available for managing the review of Azure resources and Microsoft Entra roles:

Options for managing a review in Azure resources - Stop, Reset, Apply, Delete screenshot.

Stop an access review

All access reviews have an end date, but you can use the Stop button to finish it early. The Stop button is only selectable when the review instance is active. You can't restart a review after it's been stopped.

Reset an access review

When the review instance is active and at least one decision has been made by reviewers, you can reset the access review by selecting the Reset button to remove all decisions that were made on it. After you've reset an access review, all users are marked as not reviewed again.

Apply an access review

After an access review is completed, either because you've reached the end date or stopped it manually, the Apply button removes denied users' access to the role. If a user's access was denied during the review, this is the step that removes their role assignment. If the Auto apply setting is configured on review creation, this button will always be disabled because the review will be applied automatically instead of manually.

Delete an access review

If you aren't interested in the review any further, delete it. To remove the access review from the Privileged Identity Management service, select the Delete button.

Important

You will not be required to confirm this destructive change, so verify that you want to delete that review.

Results

On the Results page, you may view and download a list of your review results.

Results page listing users, outcome, reason, reviewed by, applied by, and apply result for Microsoft Entra roles screenshot.

Note

Microsoft Entra roles have a concept of role-assignable groups, where a group can be assigned to the role. When this happens, the group will show up in the review instead of expanding the members of the group, and a reviewer will either approve or deny the entire group.

Results page listing users, outcome, reason, reviewed by, applied by, and apply result for Azure resource roles screenshot.

Note

If a group is assigned to Azure resource roles, the reviewer of the Azure resource role will see the expanded list of the users in a nested group. Should a reviewer deny a member of a nested group, that deny result will not be applied successfully because the user will not be removed from the nested group.

Reviewers

On the Reviewers page, you may view and add reviewers to your existing access review. You may also remind reviewers to complete their reviews here.

Note

If the reviewer type selected is user or group, you can add more users or groups as the primary reviewers at any point. You can also remove primary reviewers at any point. If the reviewer type is manager, you can add users or groups as the fallback reviewers to complete reviews on users who do not have managers. Fallback reviewers cannot be removed.

Reviewers page listing name and user principal name for Azure resource roles screenshot.

Next steps