articles/role-based-access-control/check-access.md
Lines changed: 3 additions & 36 deletions
@@ -6,7 +6,7 @@ author: rolyon
6
6
manager: amycolannino
7
7
ms.service: role-based-access-control
8
8
ms.topic: quickstart
9
-
ms.date: 12/09/2024
9
+
ms.date: 12/12/2024
10
10
ms.author: rolyon
11
11
ms.custom: mode-other
12
12
#Customer intent: As a new user, I want to quickly see access for myself, user, group, or application, to make sure they have the appropriate permissions.
@@ -73,10 +73,6 @@ If you have a Microsoft Entra ID P2 or Microsoft Entra ID Governance license, [M
73
73
74
74
Follow these steps to check the access for a single user, group, service principal, or managed identity to the previously selected Azure resource.
75
75
76
-
If you have a Microsoft Entra ID P2 or Microsoft Entra ID Governance license, [Microsoft Entra Privileged Identity Management (PIM)](/entra/id-governance/privileged-identity-management/pim-configure) functionality is integrated so you should follow the steps on the **PIM** tab.
77
-
78
-
# [Default](#tab/default)
79
-
80
76
1. Select **Access control (IAM)**.
81
77
82
78
1. On the **Check access** tab, select the **Check access** button.
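Review bot: The hunk header context shows that a sentence beginning "If you have a Microsoft Entra ID P2 or Microsoft Entra ID Governance license, [M" still exists above line 73, while this hunk deletes the matching sentence at old line 76 along with the `# [Default](#tab/default)` marker. If the surviving sentence also ends with "you should follow the steps on the **PIM** tab", it now points at a tab that no longer exists and should be removed or reworded in the same change.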
@@ -95,39 +91,10 @@ If you have a Microsoft Entra ID P2 or Microsoft Entra ID Governance license, [M
95
91
96
92
- Role assignments added with Azure RBAC.
97
93
- Deny assignments added using Azure Blueprints or Azure managed apps.
98
-
- Classic Service Administrator or Co-Administrator assignments for classic deployments.
99
-
100
-
:::image type="content" source="./media/shared/rg-check-access-assignments-user.png" alt-text="Screenshot of role and deny assignments pane for a user." lightbox="./media/shared/rg-check-access-assignments-user.png":::
101
-
102
-
# [PIM](#tab/pim)
103
-
104
-
1. Select **Access control (IAM)**.
105
-
106
-
1. On the **Check access** tab, select the **Check access** button.
107
-
108
-
A **Check access** pane appears.
109
-
110
-
1. Select **User, group, or service principal**.
111
-
112
-
1. In the search box, enter a string to search the directory for name or email addresses.
113
-
114
-
:::image type="content" source="./media/shared/rg-check-access-select.png" alt-text="Screenshot of Check access select list." lightbox="./media/shared/rg-check-access-select.png":::
115
-
116
-
1. Select the user to open the **assignments** pane.
117
94
118
-
On this pane, you can see the access for the selected user at this scope and inherited to this scope. Assignments at child scopes aren't listed. You see the following assignments:
95
+
If there are any [eligible or time-bound role assignments](pim-integration.md), you can view these assignments on the **Eligible assignments** tab.
119
96
120
-
- Role assignments added with Azure RBAC.
121
-
- Deny assignments managed by Azure.
122
-
- Classic Service Administrator or Co-Administrator assignments for classic deployments.
123
-
124
-
:::image type="content" source="./media/check-access/rg-check-access-assignments-user-pim.png" alt-text="Screenshot of role assignments pane for a user for PIM integration." lightbox="./media/check-access/rg-check-access-assignments-user-pim.png":::
125
-
126
-
You also see a **Eligible assignments** tab with any eligible and time-bound role assignments. To start the activatation process, you can add a check mark next to a role you want to activate and then select **Activate role**. For more information, see [Eligible and time-bound role assignments](pim-integration.md) and [Activate eligible Azure role assignments](role-assignments-eligible-activate.md).
127
-
128
-
:::image type="content" source="./media/check-access/rg-check-access-assignments-user-pim-eligible.png" alt-text="Screenshot of role assignments pane and the Eligible assignments tab for a user for PIM integration." lightbox="./media/check-access/rg-check-access-assignments-user-pim-eligible.png":::
129
-
130
-
---
97
+
:::image type="content" source="./media/shared/rg-check-access-assignments-user.png" alt-text="Screenshot of role and deny assignments pane for a user." lightbox="./media/shared/rg-check-access-assignments-user.png":::
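Review bot: The sentence added at new line 95 is the only remaining mention of eligible assignments on this page, and it drops two things the removed PIM tab text carried: the link to role-assignments-eligible-activate.md for activating a role, and any statement of when the **Eligible assignments** tab is present (the removed text tied it to a Microsoft Entra ID P2 or Microsoft Entra ID Governance license). Suggest keeping the activation link in that sentence and saying when the tab is shown. Two smaller points: the screenshot re-added at new line 97 has alt-text that describes only the role and deny assignments pane, so confirm it actually shows the tab the preceding sentence refers to; and the bullet "Classic Service Administrator or Co-Administrator assignments for classic deployments" is deleted from the default list at old line 98 without explanation, so confirm the pane no longer lists those assignments, since readers use this list to judge whether they have seen all of a principal's access.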
articles/role-based-access-control/role-assignments-eligible-activate.md
Lines changed: 7 additions & 9 deletions
@@ -5,7 +5,7 @@ author: rolyon
5
5
manager: amycolannino
6
6
ms.service: role-based-access-control
7
7
ms.topic: how-to
8
-
ms.date: 12/09/2024
8
+
ms.date: 12/12/2024
9
9
ms.author: rolyon
10
10
---
11
11
@@ -16,7 +16,7 @@ Eligible Azure role assignments provide just-in-time access to a role for a limi
16
16
## Prerequisites
17
17
18
18
- Microsoft Entra ID P2 license or Microsoft Entra ID Governance license
19
-
-[Eligible role assignment](./role-assignments-portal.yml#step-6-select-assignment-type)
19
+
-[Eligible role assignment](pim-integration.md#pim-functionality)
20
20
-`Microsoft.Authorization/roleAssignments/read` permission, such as [Reader](./built-in-roles/general.md#reader)
21
21
22
22
## Activate group membership (if needed)
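Review bot: The prerequisite link at new line 19 keeps the text "Eligible role assignment" but now targets `pim-integration.md#pim-functionality`, which by its anchor name describes PIM functionality rather than how an eligible assignment is created, as the old `#step-6-select-assignment-type` target did. Confirm the `#pim-functionality` anchor exists in pim-integration.md and that the section tells the reader how to obtain an eligible assignment; otherwise adjust the link text or keep a pointer to the assignment steps.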
@@ -31,19 +31,17 @@ These steps describe how to activate an eligible role assignment using the Azure
31
31
32
32
1. Sign in to the [Azure portal](https://portal.azure.com).
33
33
34
-
1. Click **All services** and then select the scope. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource.
34
+
1. Click **All services** and then select the scope. For example, you can select **Management groups**, **Subscriptions**, or **Resource groups**.
35
+
36
+
You can activate eligible role assignments at management group, subscription, and resource group scope, but not at resource scope.
35
37
36
38
1. Click the specific resource.
37
39
38
40
1. Click **Access control (IAM)**.
39
41
40
-
1. In the **Action** column, click **Activate** for the role you want to activate.
41
-
42
-
The **assignments** pane appears and lists your eligible role assignments.
43
-
44
42
:::image type="content" source="./media/role-assignments-eligible-activate/activate-role.png" alt-text="Screenshot of Access control page and Activate role assignments pane." lightbox="./media/role-assignments-eligible-activate/activate-role.png":::
45
43
46
-
1.Add a check mark next to a role you want to activate and then click **Activate role**.
44
+
1.In the **Action** column, click **Activate** for the role you want to activate.
47
45
48
46
The **Activate** pane appears with activate settings.
49
47
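Review bot: The note added at new line 36 says eligible role assignments cannot be activated at resource scope, but the unchanged step at new line 38 still reads "Click the specific resource.", so the procedure now directs the reader to a scope the note rules out. Reword that step to refer to the management group, subscription, or resource group selected in the previous step. Also, the screenshot at new line 42 now comes before the step that tells the reader to click **Activate** in the **Action** column, and its alt-text still mentions an "Activate role assignments pane" whose description was removed here; check that the image and alt-text match the new flow.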
@@ -65,7 +63,7 @@ These steps describe how to activate an eligible role assignment using the Azure
65
63
66
64
When activation is complete, you see a message that the role was successfully activated.
67
65
68
-
Once an eligible role assignment has been activated, it will be listed as an active time-bound role assignment on the **Role assignments**tab. For more information, see [List Azure role assignments using the Azure portal](./role-assignments-list-portal.yml#list-role-assignments-at-a-scope).
66
+
Once an eligible role assignment has been activated, it will be listed as an active time-bound role assignment on the **Check access** and **Role assignments**tabs. For more information, see [List Azure role assignments using the Azure portal](./role-assignments-list-portal.yml#list-role-assignments-at-a-scope).
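Review bot: The sentence at new line 66 now names the **Check access** tab as a place where the activated assignment is listed, but the "For more information" link still points only to role-assignments-list-portal.yml, which covers the **Role assignments** tab. Add a link to check-access.md so both tabs named in the sentence have a reference, and make sure the rendered text has a space between the bold tab name and "tabs".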