articles/active-directory/privileged-identity-management/azure-pim-resource-rbac.md
Lines changed: 3 additions & 138 deletions
@@ -20,9 +20,9 @@ ms.author: rolyon
20
20
---
21
21
# View who has Azure resource roles in PIM
22
22
23
-
With Azure Active Directory Privileged Identity Management (PIM), you can now manage, control, and monitor access to Azure Resources within your organization. This includes Subscriptions, Resource Groups, and even Virtual Machines. Any resource within the Azure portal that leverages the Azure Role Based Access Control (RBAC) functionality can take advantage of all the great security and lifecycle management capabilities Azure AD PIM has to offer, and some great new features we plan to bring to Azure AD roles soon.
23
+
With Azure Active Directory Privileged Identity Management (PIM), you can manage, control, and monitor access to Azure resources within your organization. This includes subscriptions, resource groups, and even virtual machines. Any resource within the Azure portal that leverages the Azure role-based access control (RBAC) functionality can take advantage of the security and lifecycle management capabilities in Azure AD PIM.
24
24
25
-
## PIM for Azure Resources helps resource administrators
25
+
## PIM for Azure resources helps resource administrators
26
26
27
27
- See which users and groups are assigned roles for the Azure resources you administer
28
28
- Enable on-demand, "just in time" access to manage resources such as Subscriptions, Resource Groups, and more
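Review bot: the unchanged bullet closing this hunk, `- Enable on-demand, "just in time" access to manage resources such as Subscriptions, Resource Groups, and more`, still capitalizes Subscriptions and Resource Groups while the rewritten paragraph above it now uses lowercase "subscriptions, resource groups, and even virtual machines"; lowercase the bullet as well so the casing convention this change introduces is applied to the whole page rather than only the first paragraph.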
@@ -32,103 +32,7 @@ With Azure Active Directory Privileged Identity Management (PIM), you can now ma
32
32
- Get reports about resource access correlated resource activity during a user’s active session
33
33
- Get alerts when new users or groups are assigned resource access, and when they activate eligible assignments
34
34
35
-
Azure AD PIM can manage the built-in Azure Resource roles, as well as custom (RBAC) roles, including (but not limited to):
36
-
37
-
- Owner
38
-
- User Access Administrator
39
-
- Contributor
40
-
- Security Admin
41
-
- Security Manager, and more
42
-
43
-
>[!NOTE]
44
-
Users or members of a group assigned to the Owner or User Access Administrator roles, and Global Administrators that enable subscription management in Azure AD are Resource Administrators. These administrators may assign roles, configure role settings, and review access using PIM for Azure Resources. View the list of [built-in roles for Azure resources](../../role-based-access-control/built-in-roles.md).
45
-
46
-
## Tasks
47
-
48
-
PIM provides convenient access to activate roles, view pending activations/requests, pending approvals (for [Azure AD directory roles](azure-ad-pim-approval-workflow.md)), and reviews pending your response from the Tasks section of the left navigation menu.
49
-
50
-
When accessing any of the Tasks menu items from the Overview entry point, the resulting view contains results for both Azure AD directory roles and Azure Resource roles.
My roles contain a list of your active and eligible role assignments for Azure AD directory roles, and Azure Resource roles.
55
-
56
-
## Activate roles
57
-
58
-
Activating roles for Azure Resources introduces a new experience that allows eligible role members to schedule activation for a future date/time and select a specific activation duration within the maximum (configured by administrators). Learn about [activating Azure AD roles here](pim-how-to-activate-role.md).
From the Activations menu, input the desired start date and time to activate the role. Optionally decrease the activation duration (the length of time the role is active) and enter a justification if required; click activate.
63
-
64
-
If the start date and time is not modified, the role will be activated within seconds. You will see a role queued for activation banner message on the My Roles page. Click the refresh button to clear this message.
65
-
66
-

67
-
68
-
If the activation is scheduled for a future date time, the pending request will appear in the Pending Requests tab of the left navigation menu. In the event the role activation is no longer required, the user may cancel the request by clicking the Cancel button on the right side of the page.
To find and manage roles for an Azure Resource, select Azure Resources under the Manage tab in the left navigation menu. Use the filters or search bar at the top of the page to find a resource.
The Admin View dashboard has four primary components. A graphical representation of resource role activations over the past seven days. This data is scoped to the selected resource and displays activations for the most common roles (Owner, Contributor, User Access Administrator), and all roles combined.
81
-
82
-
To the right of the activations graph, are two charts that display the distribution of role assignments by assignment type, for both users and groups. Selecting a slice of the chart changes the value to a percentage (or vice versa).
83
-
84
-

85
-
86
-
Below the charts, you see the number of users and groups with new role assignments over the last 30 days (left), and a list of roles sorted by total assignments (descending).
Administrators can manage role assignments by selecting either Roles or Members from the left navigation. Selecting roles allows admins to scope their management tasks to a specific role, while Members displays all user and group role assignments for the resource.
93
-
94
-

95
-
96
-

97
-
98
-
>[!NOTE]
99
-
If you have a role pending activation, a notification banner is displayed at the top of the page when viewing membership.
100
-
101
-
## Assign roles
102
-
103
-
To assign a user or group to a role, select the role (if viewing Roles), or click Add from the action bar (if on the Members view).
104
-
105
-

106
-
107
-
>[!NOTE]
108
-
If adding a user or group from the Members tab, you’ll need to select a role from the Add menu before you can select a user or group.
Choose the appropriate assignment type from the dropdown menu.
117
-
118
-
**Just In Time Assignment:** It provides the user or group members with eligible but not persistent access to the role for a specified period of time or indefinitely (if configured in role settings).
119
-
120
-
**Direct Assignment:** It does not require the user or group members to activate the role assignment (known as persistent access). Microsoft recommends using direct assignment for short-term use such as on-call shifts, or time sensitive activities, where access won’t be required when the task is complete.
A check box below the assignment type dropdown allows you to specify if the assignment should be permanent (permanently eligible to activate Just in Time Assignment/permanently active for Direct Assignment). To specify a specific assignment duration, unselect the check box and modify the start and/or end date and time fields.
125
-
126
-
>[!NOTE]
127
-
The check box may be unmodifiable if another administrator has specified the maximum assignment duration for each assignment type in the role settings.
128
-
129
-

130
-
131
-
## View activation and Azure Resource activity
35
+
## View activation and Azure resource activity
132
36
133
37
In the event you need to see what actions a specific user took on various resources, you can review the Azure Resource activity associated with a given activation period (for eligible users). Start by selecting a user from the Members view or from the list of members in a specific role. The result displays a graphical view of the user’s actions on Azure Resources by date, and the recent role activations over that same time period.
134
38
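Review bot: deleting the `## Tasks`, `## Activate roles`, and `## Assign roles` headings together with the NOTE that defines who counts as a Resource Administrator (users or group members holding Owner or User Access Administrator, and Global Administrators who enable subscription management) leaves the retained `## View activation and Azure resource activity` section with no in-page definition of the administrator roles it assumes, and removes heading anchors that other articles may link to; add a link from the kept text to wherever the assignment, activation, and Just In Time versus Direct assignment content now lives (the page title is now "View who has Azure resource roles in PIM", so a pointer to the assign and activate articles fits there), and confirm no inbound links target the deleted anchors.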
@@ -138,12 +42,6 @@ Selecting a specific role activation will show the role activation details, and
138
42
139
43

140
44
141
-
## Modify existing assignments
142
-
143
-
To modify existing assignments from the user/group detail view, select Change Settings from the action bar at the top of the page. Change the assignment type to Just In Time Assignment or Direct Assignment.
To review role assignments in your Subscription, select the Members tab from the left navigation, or select roles, and choose a specific role to review members.
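Review bot: with the `## Modify existing assignments` heading and its Change Settings procedure deleted, the surviving sentence `To review role assignments in your Subscription, select the Members tab from the left navigation, or select roles, and choose a specific role to review members.` now follows the activation-activity screenshot with no heading of its own; either give it a heading or a transition sentence under `## View activation and Azure resource activity`, and state where the procedure for changing an assignment between Just In Time and Direct now lives.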
@@ -157,39 +55,6 @@ Select Review from the action bar to view existing access reviews and select Add
157
55
>[!NOTE]
158
56
Reviews are only supported for Subscription resource types at this time.
159
57
160
-
## Configure role settings
161
-
162
-
Configuring role settings define the defaults applied to assignments in the PIM environment. To define these for your resource, select the Role Settings tab from the left navigation, or the role settings button from the action bar in any role to view the current options.
163
-
164
-
Clicking Edit from the action bar at the top of the page allows you to modify each setting.
165
-
166
-

167
-
168
-

169
-
170
-
Changes to settings are logged on the role settings page including the last updated date time, and the administrator that changed the settings.
Resource audit gives you a view of all role activity for the resource. You can filter the information using a predefined date or custom range.
177
-

178
-
Resource audit also provides quick access to view a user’s activity detail. In the view, all “Activate role” Actions are links to the specific requestor’s resource activity.
Using just enough administration (JEA) best practices with your resource role assignments is simple with PIM for Azure Resources. Users and group members with assignments in Azure Subscriptions or Resource Groups can activate their existing role assignment at a reduced scope.
184
-
185
-
From the search page, find the subordinate resource you need to manage.
Select My roles from the left navigation menu and choose the appropriate role to activate. Notice the assignment type is Inherited, since the role was assigned at the subscription, rather than the resource group, as shown below.
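Review bot: the lines removed in this hunk carry the page's only statement that role setting changes are logged with the last updated date time and the administrator who made them, and the Resource audit description that turns each "Activate role" action into a link to the requestor's resource activity; since the retained section on viewing activation and resource activity describes exactly that review workflow, add a sentence or link there pointing to where resource audit and role settings are now documented so the audit trail is not dropped from the page silently. Also verify that the trailing `as shown below` still has a screenshot following it in the new version, because several image lines in this region are being deleted.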