Forum Discussion

Copper Contributor

Sep 17, 2022

Azure AD PIM - Question on effective time usage of eligible roles after their JIT Activation

Hi Community, Using Azure AD PIM, suppose I have a role (example: Security Administrator) set as permanent eligible with "Activation maximum duration (hours)" = "8hrs". Suppose I usually activate t...

azure

elieelkarkafi

MVP

Sep 20, 2022

psal88 there is an audit logs view in Azure AD that shows all the activity performed by the users . you can filter by user , service , activity and date. So , if the aim to know how much the user used his eligible role during the 8 hours from the activation time , you can filter by this user and check first activity after activation and last activity , then you would realize how much time he used his eligible role within those 8 hours

PaoloSala88

Copper Contributor

Sep 20, 2022

Thanks elikarkafy, but how can I understand from the logs that the activities performed by the user are actually those (and only those) which are permitted by the role (e.g. Security Administrator)?

Thanks,
Paolo

elieelkarkafi
MVP
Sep 20, 2022
PaoloSala88as I understand that your security administrator role is granted with specific access to some of your azure resources then you can use the azure resource activity in PIM . please refer to the below link to see how

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-pim-resource-rbac#view-activity-and-activations