Microsoft released a new public preview where admins can be alerted when assignments to Azure resources are made outside of Privileged Identity Management.
This was already possible for Azure AD roles; the new preview extends it to Azure resource roles. The alerts for Azure AD roles are enabled by default, whereas the alert for Azure resources has to be enabled by an administrator first.
This alert is valuable when you govern a privileged-access implementation in which access is meant to be granted only through PIM, so that every assignment stays time-bound and least privileged. With the alert enabled, you are notified when a role assignment is created directly through the Access control (IAM) blade of a resource or through the Azure Resource Manager API (which is also the path taken by Azure CLI, Azure PowerShell and ARM templates), bypassing PIM.
How to enable it?
You can enable the alert in the Azure AD Privileged Identity Management portal. Select Azure resources from the left side panel, and choose the subscription that you want to be alerted on*.
*During the public preview of the "Roles are being assigned outside of Privileged Identity Management (Preview)" alert, Microsoft supports only role assignments made at the subscription level, so assignments at narrower scopes are not covered by the alert.
Next, select Alerts, and select Settings.
Select the new alert, and click Enable. Confirm to enable the alert.
Let’s put it to the test
Now, when a role is assigned outside of PIM, an alert is sent out by email. The alert is also raised in the Azure portal.
When the alert is raised, you can fix the issue straight from the PIM portal. Select the alert, and click Fix.
PIM then deletes the role assignment from the resource.
The removal is also visible in the Activity log.
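The alert itself is a black box, but the signal it reacts to is the same one you can read from the Activity log yourself: a successful Microsoft.Authorization/roleAssignments/write whose caller is not PIM. The following added example (my own code, not part of the original post or of Microsoft's PIM implementation) runs that check over a handful of constructed Activity log records, restricts hits to subscription scope as the preview alert does, and produces the manual equivalent of the Fix button. Assumptions: PIM-initiated assignments show up with the caller MS-PIM, the record fields are simplified from the real Activity log schema, all GUIDs and principals are made up, and the remediation command uses the Azure CLI.

```python
import re

# Assumption: role assignments created through PIM are recorded with this caller.
PIM_CALLER = "MS-PIM"
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"

# Constructed sample records, simplified from the Azure Activity log event shape.
# Every GUID, principal and caller below is made up for this example.
SAMPLE_ACTIVITY_LOG = [
    {   # Activation of an eligible assignment through PIM: expected, must not alert.
        "operationName": ROLE_ASSIGNMENT_WRITE, "status": "Succeeded", "caller": "MS-PIM",
        "resourceId": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
        "properties": {"roleDefinitionName": "Contributor", "principalId": "aaaaaaaa-0000-0000-0000-000000000001"},
    },
    {   # Direct assignment in the IAM blade at subscription scope: this is what the alert is for.
        "operationName": ROLE_ASSIGNMENT_WRITE, "status": "Succeeded", "caller": "alice@contoso.example",
        "resourceId": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222",
        "properties": {"roleDefinitionName": "Owner", "principalId": "bbbbbbbb-0000-0000-0000-000000000002"},
    },
    {   # Direct assignment at resource-group scope: out of band, but below the scope the preview covers.
        "operationName": ROLE_ASSIGNMENT_WRITE, "status": "Succeeded", "caller": "bob@contoso.example",
        "resourceId": f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333",
        "properties": {"roleDefinitionName": "Contributor", "principalId": "cccccccc-0000-0000-0000-000000000003"},
    },
    {   # Failed attempt: nothing was assigned, so nothing to alert on.
        "operationName": ROLE_ASSIGNMENT_WRITE, "status": "Failed", "caller": "mallory@contoso.example",
        "resourceId": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/44444444-4444-4444-4444-444444444444",
        "properties": {"roleDefinitionName": "Owner", "principalId": "dddddddd-0000-0000-0000-000000000004"},
    },
    {   # Unrelated control-plane operation.
        "operationName": "Microsoft.Compute/virtualMachines/start", "status": "Succeeded",
        "caller": "alice@contoso.example",
        "resourceId": f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1",
        "properties": {},
    },
]

# A roleAssignments resource ID is "<scope>/providers/Microsoft.Authorization/roleAssignments/<guid>".
_ASSIGNMENT_RE = re.compile(
    r"^(?P<scope>.+?)/providers/Microsoft\.Authorization/roleAssignments/(?P<id>[^/]+)$", re.I)
# Subscription scope is exactly "/subscriptions/<id>" with nothing after it.
_SUBSCRIPTION_SCOPE_RE = re.compile(r"^/subscriptions/[^/]+$", re.I)


def split_assignment_resource_id(resource_id):
    """Return (scope, assignment GUID) for a roleAssignments resource ID, or None if it is not one."""
    m = _ASSIGNMENT_RE.match(resource_id or "")
    return (m.group("scope"), m.group("id")) if m else None


def find_out_of_band_assignments(records, subscription_scope_only=True):
    """Return successful role-assignment writes not made by PIM.

    With subscription_scope_only=True the result mirrors the preview alert, which only
    covers subscription-level assignments; set it to False to also catch narrower scopes.
    """
    hits = []
    for rec in records:
        if rec.get("operationName") != ROLE_ASSIGNMENT_WRITE:
            continue
        if rec.get("status") != "Succeeded":
            continue
        if rec.get("caller") == PIM_CALLER:
            continue
        parsed = split_assignment_resource_id(rec.get("resourceId"))
        if parsed is None:
            continue
        scope, _assignment_guid = parsed
        if subscription_scope_only and not _SUBSCRIPTION_SCOPE_RE.match(scope):
            continue
        props = rec.get("properties") or {}
        hits.append({
            "assignmentId": rec["resourceId"],
            "scope": scope,
            "caller": rec.get("caller"),
            "role": props.get("roleDefinitionName"),
            "principalId": props.get("principalId"),
        })
    return hits


def remediation_commands(hits):
    """Manual equivalent of the PIM Fix button (assumption: Azure CLI is the tool at hand)."""
    return [f"az role assignment delete --ids {h['assignmentId']}" for h in hits]


if __name__ == "__main__":
    for hit in find_out_of_band_assignments(SAMPLE_ACTIVITY_LOG):
        print(f"ALERT: {hit['caller']} assigned {hit['role']} to {hit['principalId']} at {hit['scope']}")
    for cmd in remediation_commands(find_out_of_band_assignments(SAMPLE_ACTIVITY_LOG)):
        print(cmd)
```

Run as-is, only the subscription-scope assignment made by alice is reported, matching what the preview alert would raise; the resource-group assignment by bob is only surfaced when subscription_scope_only is set to False, which is the gap to keep in mind while the preview is limited to subscription level. The same filter translates directly into a Log Analytics or Sentinel rule over the AzureActivity table if you want the signal outside the PIM portal.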
Wrap things up
As you can see, this feature is quite powerful. I'm sure it will help Privileged Identity admins keep an eye on their resources and act where necessary. Azure AD Privileged Identity Management is getting better by the day!
Learn more: What’s new? Release notes – Azure Active Directory – Microsoft Entra | Microsoft Docs
Configure security alerts for Azure roles in Privileged Identity Management – Azure Active Directory – Microsoft Entra | Microsoft Docs