Just Thought of to cover the Azure access review in this blogs Because most of the organization looking to provide the secure subscription access to their users and partners and how they archive this task.In current trends most of the organization are using third party tools.
In this blogs i am covering the few things :
- How we can secure the our Azure infrastructure ,
- How we can review the access of users/Partners/Vendors etc.
- we can see the feature of audit logs of azure ad access review policy which will help us keep the data for auditing purpose if its require.
What is Azure AD Privileged Identity Management ?
User AD PIM solution , We can manage, Control and monitor the access with in the organization
- We can Review the Access of Users .
- We can Approve/Reject the Access .
- Using PIM we can provide the time Based Access .
- We can manage the Directory Role using PIM Solution.
How to Create An Azure AD PIM:
Prerequisite:–
- Azure Ad Premium 2 License Required to get all the feature
- P2 License cost may come approx 600 RS/M.
Step: 1
- Click on All services
- Search the Azure Privileged Identity Management
- Click on this
Step: 2:–
- Click on Quick Start.
- Enable the One month Free Azure AD P2 License .
How to Activate the 1 month Free P2 License.
- Click on the My Role
- It will ask to enable the Free trail for Azure Ad services P2 License .
- Click on the role
- Signup
Click on the Azure Ad Premium: 2
Once you will click on that it will start activating the Azure AD P2 License .
Once that is done , We will explore the more option.
Once the Azure AD P2 is enabled you will be able to View and access the below option.
My Roles:
- It will provide the information, What kind of role you have in subscription .
- It will give an access to activate the other tole as well if your administrator has assigned to it.
- It will give the option for eligible role and Expired Role option as well if Role is time bound.
MY Request :
- In my Requested, If i have requested for an access or Any role assignment , then it will show in My Request tab basically just show the request.
:
Approve Requests:
- IF you are a security admin and you need to approved or reject the access , We can do it from here.
Review Access
If we want to review the access of our user access we can do that ,while selecting the Review Access tab and get the data and keep it for auditing purpose.
Azure AD Identity Role:
It will show what AD roles , User has apart from the subscription Role.
- We will have 2 View
- Admin View : which will have audit history other directory Role .
- My View : Which will show only account activation part of Ad Role.
Azure Resources :
Azure Resources tab will show you want kind of recourse you have and you can add multiple resources or subscription which is in one ID can be discover.
My Audit History
In My audit history , We will have the audit logs in azure and help security administrator to understand the task by perform by him or his team . If required , we can keep those logs for auditing purpose.
Lalit, Is there any way to programmatically read the audit history for Azure AD roles?
You need to configure the PIM and you can see those logs in Audit Logs. You can configure to archive in storage accounts.
You can use for AD audit logs: https://docs.microsoft.com/en-us/azure/security/azure-log-audit