To approve a role request in the portal, perform the following steps:
- Navigate to the Azure portal by opening https://portal.azure.com.
- Search for or select Privileged Identity Management or PIM.
- On the left-hand menu, choose Approve Requests.
- Select the approval request and click Approve as per the example in Figure 4.13:

Figure 4.13 – Eligible role approval
- Enter a justification and click Confirm. The role has now been activated.
PIM provides a much safer mechanism for granting elevated access to users. You will always need at least one account, and preferably two, with the global administrator role accessible at all times, but these accounts should be used only when necessary.
Although PIM is beneficial, you must still ensure the eligible roles are kept up to date. To help with this process, you should perform periodic access reviews.
Understanding access reviews
Throughout an employee’s time at a company, their role may change. People get promoted or even demoted; they make sideways moves to other departments, take on more responsibilities, or delegate existing ones.
As users’ work-related tasks change, so do their access requirements to the systems they need to perform their work. To help keep track of changing requirements, you can use access reviews to periodically confirm that accounts’ existing rights are adequate for the job, based on the principle of least privilege.
Access reviews can be used in two different ways. The first option is to request that users confirm their own access levels; the second is to request that an administrator or line manager perform the review. The latter needs more granular planning and setup, but does, of course, lead to more accurate responses.
You can also set up access reviews as a one-off task, or you can automatically schedule them at set periods – weekly, monthly, quarterly, semi-annually, or annually.
You need a Premium P2 License for users who are assigned as reviewers – including self-reviewers. You do not need a license to create an access review.
For example, if you create an access review for 100 users, but identify a single user as the reviewer, you only need one license. However, if you set the access review to have everybody perform their review, you would need 100 licenses.
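The reviewer choice, the schedule, and the license count described above can be put together in code. The following is an added example, not taken from the original text: it builds a scheduled review definition for a group's members and counts the P2 licenses its reviewers need. The field names follow the Microsoft Graph access review definition format as an assumption to check against current Graph documentation; `build_review`, `p2_licenses_needed`, the group ID placeholder, and the 14-day duration are hypothetical, and one-off reviews are not covered.

```python
import json

# Schedules named in the text -> (pattern type, interval).
# Assumption: Graph expresses quarterly and longer periods as monthly intervals.
RECURRENCE = {
    "weekly": ("weekly", 1),
    "monthly": ("absoluteMonthly", 1),
    "quarterly": ("absoluteMonthly", 3),
    "semi-annually": ("absoluteMonthly", 6),
    "annually": ("absoluteMonthly", 12),
}

def build_review(group_id, name, start_date, frequency, reviewer_ids=None):
    """Build a recurring review body. reviewer_ids=None means self-review."""
    if frequency not in RECURRENCE:
        raise ValueError(f"unsupported frequency: {frequency}")
    ptype, interval = RECURRENCE[frequency]
    # An empty reviewers list means each member reviews their own access.
    reviewers = [{"query": f"/users/{uid}", "queryType": "MicrosoftGraph"}
                 for uid in sorted(set(reviewer_ids or []))]
    return {
        "displayName": name,
        "scope": {"query": f"/groups/{group_id}/transitiveMembers",
                  "queryType": "MicrosoftGraph"},
        "reviewers": reviewers,
        "settings": {
            "instanceDurationInDays": 14,  # constructed value
            "recurrence": {
                "pattern": {"type": ptype, "interval": interval},
                "range": {"type": "noEnd", "startDate": start_date},
            },
        },
    }

def p2_licenses_needed(definition, member_ids):
    """Licenses are needed for reviewers only, self-reviewers included."""
    reviewers = definition["reviewers"]
    if not reviewers:  # self-review: every member in scope is a reviewer
        return len(set(member_ids))
    return len({r["query"] for r in reviewers})

if __name__ == "__main__":
    members = [f"user{i:03d}" for i in range(100)]  # constructed sample users
    by_manager = build_review("GROUP-ID-PLACEHOLDER", "Quarterly access review",
                              "2024-01-01", "quarterly", ["manager01"])
    self_review = build_review("GROUP-ID-PLACEHOLDER", "Quarterly self-review",
                               "2024-01-01", "quarterly")
    print(json.dumps(by_manager, indent=2))
    print(p2_licenses_needed(by_manager, members),
          p2_licenses_needed(self_review, members))
```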
The easiest way to understand the access review process is to step through an example. There are two types of access reviews, and they are performed through different blades. The first is a review of group membership – this is useful if you assign roles to groups rather than directly to users, and this is performed through the Identity Governance blade.