title: Extend or renew Azure resource role assignments in PIM - Azure Active Directory | Microsoft Docs
2
+
title: Extend or renew Azure resource role assignments in Privileged Identity Management - Azure Active Directory | Microsoft Docs
3
3
description: Learn how to extend or renew Azure resource role assignments in Azure AD Privileged Identity Management (PIM).
4
4
services: active-directory
5
5
documentationcenter: ''
@@ -12,35 +12,35 @@ ms.tgt_pltfrm: na
12
12
ms.devlang: na
13
13
ms.topic: conceptual
14
14
ms.subservice: pim
15
-
ms.date: 04/02/2018
15
+
ms.date: 10/23/2019
16
16
ms.author: curtand
17
17
ms.custom: pim
18
18
ms.collection: M365-identity-device-management
19
19
---
20
20
21
21
22
22
23
-
# Extend or renew Azure resource role assignments in PIM
23
+
# Extend or renew Azure resource role assignments in Privileged Identity Management
24
24
25
-
Azure Active Directory (Azure AD) Privileged Identity Management (PIM) introduces new controls to manage the access and assignment lifecycle for Azure resources. Administrators can assign membership using start and end date-time properties. When the assignment end approaches, PIM sends email notifications to the affected users or groups. It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended.
25
+
Azure Active Directory (Azure AD) Privileged Identity Management (PIM) provides controls to manage the access and assignment lifecycle for Azure resources. Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended.
26
26
27
27
## Who can extend and renew?
28
28
29
-
Only administrators of the resource can extend or renew role assignments. The affected member can request to extend roles that are about to expire and request to renew roles that are already expired.
29
+
Only administrators of the resource can extend or renew role assignments. The affected user or group can request to extend roles that are about to expire and request to renew roles that are already expired.
30
30
31
31
## When are notifications sent?
32
32
33
-
PIM sends email notifications to administrators and affected members of roles that are expiring within 14 days and one day prior to expiration. It sends an additional email when an assignment officially expires.
33
+
Privileged Identity Management sends email notifications to administrators and affected user or groups of roles that are expiring within 14 days and one day prior to expiration. It sends an additional email when an assignment officially expires.
34
34
35
-
Administrators receive notifications when a member of an expiring or expired role requests to extend or renew. When a specific administrator resolves the request, all other administrators are notified of the resolution decision (approved or denied). Then the requesting member is notified of the decision.
35
+
Administrators receive notifications when a user or group assigned an expiring or expired role requests to extend or renew. When a specific administrator resolves the request, all other administrators are notified of the resolution decision (approved or denied). Then the requesting user or group is notified of the decision.
36
36
37
37
## Extend role assignments
38
38
39
-
The following steps outline the process for requesting, resolving, or administering an extension or renewal of a role assignment.
39
+
The following steps outline the process for requesting, resolving, or administering an extension or renewal of a role assignment.
40
40
41
-
### Member extend
41
+
### Self-extend expiring assignments
42
42
43
-
Members of a role assignment can extend expiring role assignments directly from the **Eligible** or **Active** tab on the **My roles** page of a resource and from the top level **My roles** page of the PIM portal. Members can request to extend eligible and active (assigned) roles that expire in the next 14 days.
43
+
Users or groups assigned to a role can extend expiring role assignments directly from the **Eligible** or **Active** tab on the **My roles** page of a resource and from the top level **My roles** page of the Privileged Identity Management portal.Users or groups can request to extend eligible and active (assigned) roles that expire in the next 14 days.
44
44
45
45

46
46
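Review bot: the rewritten paragraph under `### Self-extend expiring assignments` is missing a space at the sentence break: `portal.Users or groups can request` should read `portal. Users or groups can request`. In the same hunk the notifications paragraph says `affected user or groups`, while every other rewritten line in this change uses `users or groups`; make it `affected users or groups` for consistency.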
@@ -54,70 +54,70 @@ To request an extension of this role assignment, select **Extend** to open the r
54
54
55
55
To view information about the original assignment, expand **Assignment details**. Enter a reason for the extension request, and then select **Extend**.
56
56
57
-
>[!Note]
57
+
>[!NOTE]
58
58
>We recommend including the details of why the extension is necessary, and for how long the extension should be granted (if you have this information).
59
59
60
60

61
61
62
-
In a matter of moments, resource administrators receive an email notification requesting that they review the extension request. If a request to extend has already been submitted, a toast notification appears at the top of the Azure portal explaining the error.
62
+
In a matter of moments, resource administrators receive an email notification requesting that they review the extension request. If a request to extend has already been submitted, an Azure notification appears in the portal.
63
63
64
64

65
65
66
-
Go to the **Pending requests** page in the left pane to view the status of your request or to cancel it.
66
+
Go to the **Pending requests** page to view the status of your request or to cancel it.
67
67
68
68

69
69
70
-
### Admin approve
70
+
### Admin approved extension
71
71
72
-
When a member submits a request to extend a role assignment, resource administrators receive an email notification that contains the details of the original assignment and the reason for the request. The notification includes a direct link to the request for the administrator to approve or deny.
72
+
When a user or group submits a request to extend a role assignment, resource administrators receive an email notification that contains the details of the original assignment and the reason for the request. The notification includes a direct link to the request for the administrator to approve or deny.
73
73
74
-
In addition to using following the link from email, administrators can approve or deny requests by going to the PIM administration portal and selecting **Approve requests** in the left pane.
74
+
In addition to using following the link from email, administrators can approve or deny requests by going to the Privileged Identity Management administration portal and selecting **Approve requests** in the left pane.
75
75
76
76

77
77
78
-
When an Administrator selects **Approve** or **Deny**, the details of the request are shown, along with a field to provide justification for the audit logs.
78
+
When an Administrator selects **Approve** or **Deny**, the details of the request are shown, along with a field to provide a business justification for the audit logs.
79
79
80
80

81
81
82
82
When approving a request to extend role assignment, resource administrators can choose a new start date, end date, and assignment type. Changing assignment type might be necessary if the administrator wants to provide limited access to complete a specific task (one day, for example). In this example, the administrator can change the assignment from **Eligible** to **Active**. This means they can provide access to the requestor without requiring them to activate.
83
83
84
-
### Admin extend
84
+
### Admin initiated extension
85
85
86
-
If a role member forgets or is unable to request a role membership extension, an administrator can extend an assignment on behalf of the member. Administrative extensions of role membership do not require approval, but notifications are sent to all other administrators after the role has been extended.
86
+
If a user assigned to a role doesn't request an extension for the role assignment, an administrator can extend an assignment on behalf of the user. Administrative extensions of role assignment do not require approval, but notifications are sent to all other administrators after the role has been extended.
87
87
88
-
To extend a role membership, browse to the resource role or member view in PIM. Find the member that requires an extension. Then select **Extend** in the action column.
88
+
To extend a role assignment, browse to the resource role or assignment view in Privileged Identity Management. Find the assignment that requires an extension. Then select **Extend** in the action column.
89
89
90
-

90
+

91
91
92
92
## Renew role assignments
93
93
94
-
While conceptually similar to the process for requesting an extension, the process to renew an expired role assignment is different. Using the following steps, members and administrators can renew access to expired roles when necessary.
94
+
While conceptually similar to the process for requesting an extension, the process to renew an expired role assignment is different. Using the following steps, assignments and administrators can renew access to expired roles when necessary.
95
95
96
-
### Member renew
96
+
### Self-renew
97
97
98
-
Members who can no longer access resources can access up to 30 days of expired assignment history. To do this, they browse to **My Roles** in the left pane, and then select the **Expired roles** tab in the Azure resource roles section.
98
+
Users who can no longer access resources can access up to 30 days of expired assignment history. To do this, they browse to **My Roles** in the left pane, and then select the **Expired roles** tab in the Azure resource roles section.
The list of roles shown defaults to **Eligible roles**. Use the drop-down menu to toggle between Eligible and Active assigned roles.
103
103
104
-
To request renewal for any of the role assignments in the list, select the **Renew** action. Then provide a reason for the request. It's helpful to provide a duration in addition to any additional context that helps the resource administrator decide to approve or deny.
104
+
To request renewal for any of the role assignments in the list, select the **Renew** action. Then provide a reason for the request. It's helpful to provide a duration in addition to any additional context or a business justification that can help the resource administrator decide to approve or deny.
105
105
106
106

107
107
108
108
After the request has been submitted, resource administrators are notified of a pending request to renew a role assignment.
109
109
110
110
### Admin approves
111
111
112
-
Resource administrators can access the renewal request from the link in the email notification or by accessing PIM from the Azure portal and selecting **Approve requests** from the left pane.
112
+
Resource administrators can access the renewal request from the link in the email notification or by accessing Privileged Identity Management from the Azure portal and selecting **Approve requests** from the left pane.
113
113
114
114

115
115
116
-
When an administrator selects **Approve** or **Deny**, the details of the request are shown along with a field to provide justification for the audit logs.
116
+
When an administrator selects **Approve** or **Deny**, the details of the request are shown along with a field to provide a business justification for the audit logs.
117
117
118
118

119
119
120
-
When approving a request to renew role assignment, resource administrators must enter a new start date, end date, and assignment type.
120
+
When approving a request to renew role assignment, resource administrators must enter a new start date, end date, and assignment type.
121
121
122
122
### Admin renew
123
123
@@ -129,5 +129,5 @@ To view a list of all expired role assignments, on the **Members** screen, selec
129
129
130
130
## Next steps
131
131
132
-
-[Approve or deny requests for Azure resource roles in PIM](pim-resource-roles-approval-workflow.md)
133
-
-[Configure Azure resource role settings in PIM](pim-resource-roles-configure-role-settings.md)
132
+
-[Approve or deny requests for Azure resource roles in Privileged Identity Management](pim-resource-roles-approval-workflow.md)
133
+
-[Configure Azure resource role settings in Privileged Identity Management](pim-resource-roles-configure-role-settings.md)
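Review bot: the rewritten intro under `## Renew role assignments` now says `assignments and administrators can renew access`, but an assignment cannot submit a request; the replaced line said `members`, and the rest of this change uses `users or groups`, so this should read `users or groups and administrators can renew access`. Two smaller points in the same hunk: `In addition to using following the link from email` carries over a pre-existing slip and should be `In addition to following the link from email` since the line is being edited anyway; and the sentence replacing the toast-notification description, `an Azure notification appears in the portal`, drops the information the original sentence gave, namely that the notification explains the error for the duplicate request. Finally, the extend section's subheadings were renamed (`Self-extend expiring assignments`, `Admin approved extension`, `Admin initiated extension`), but the renew section keeps `### Admin approves` and `### Admin renew` next to the renamed `### Self-renew`; the two sections should follow one naming scheme.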
articles/active-directory/privileged-identity-management/pim-resource-roles-start-access-review.md (7 additions & 9 deletions)
@@ -1,5 +1,5 @@
1
1
---
2
-
title: Create an access review of Azure resource roles in PIM - Azure Active Directory | Microsoft Docs
2
+
title: Create an access review of Azure resource roles in Privileged Identity Management - Azure Active Directory | Microsoft Docs
3
3
description: Learn how to create an access review of Azure resource roles in Azure AD Privileged Identity Management (PIM).
4
4
services: active-directory
5
5
documentationcenter: ''
@@ -11,40 +11,38 @@ ms.tgt_pltfrm: na
11
11
ms.devlang: na
12
12
ms.topic: conceptual
13
13
ms.subservice: pim
14
-
ms.date: 04/29/2019
14
+
ms.date: 10/23/2019
15
15
ms.author: curtand
16
16
ms.custom: pim
17
17
ms.collection: M365-identity-device-management
18
18
---
19
19
20
-
# Create an access review of Azure resource roles in PIM
20
+
# Create an access review of Azure resource roles in Privileged Identity Management
21
21
22
22
Access to privileged Azure resource roles for employees changes over time. To reduce the risk associated with stale role assignments, you should regularly review access. You can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to create access reviews for privileged Azure resource roles. You can also configure recurring access reviews that occur automatically.
23
23
24
24
This article describes how to create one or more access reviews for privileged Azure resource roles.
25
25
26
26
## Prerequisites
27
27
28
-
-[Privileged Role Administrator](../users-groups-roles/directory-assign-admin-roles.md#privileged-role-administrator)
28
+
[Privileged Role Administrator](../users-groups-roles/directory-assign-admin-roles.md#privileged-role-administrator)
29
29
30
30
## Open access reviews
31
31
32
32
1. Sign in to [Azure portal](https://portal.azure.com/) with a user that is a member of the Privileged Role Administrator role.
33
33
34
34
1. Open **Azure AD Privileged Identity Management**.
35
35
36
-
1. In the left menu, click**Azure resources**.
36
+
1. In the left menu, select**Azure resources**.
37
37
38
-
1.Click the resource you want to manage, such as a subscription or management group.
38
+
1.Select the resource you want to manage, such as a subscription or management group.
39
39
40
-
1. Under Manage, click**Access reviews**.
40
+
1. Under Manage, select**Access reviews**.
41
41
42
42

Once you have specified the settings for an access review, click **Start**. The access review will appear in your list with an indicator of its status.
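Review bot: three of the rewritten list items keep the missing space the originals had, so they will not render correctly in markdown: `1. In the left menu, select**Azure resources**.` and `1. Under Manage, select**Access reviews**.` need a space before the bold text, and `1.Select the resource you want to manage` needs a space after `1.` or it is not parsed as a numbered-list item. The change also switches `click` to `select` throughout this list but leaves `click **Start**` in the closing sentence; update it to `select **Start**` for consistency. The prerequisite line has its leading `-` removed, which turns the bullet into a plain paragraph; if the intent was only to fix the missing space after the dash, `- [Privileged Role Administrator](...)` keeps it as a list item.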