cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure AD PIM - Question on effective time usage of eligible roles after their JIT Activation

psal88
Copper Contributor

‎Sep 17 2022 08:50 AM

‎Sep 17 2022 08:50 AM

Azure AD PIM - Question on effective time usage of eligible roles after their JIT Activation

Hi Community,

Using Azure AD PIM, suppose I have a role (example: Security Administrator) set as permanent eligible with "Activation maximum duration (hours)" = "8hrs".
Suppose I usually activate the role for 8 hours (after which due to JIT role activation I will have to request activation again).
Is there a simple or unambiguous way to tell if I have actually used the security administrator role for the full eight hours set, or - even if I have set the activation maximum duration (hours) to eight hours - to tell if I have used it for maybe just 5 minutes (or less than the time set during activation)?

I need to do this kind of analysis of actual use of the role in order to be able to correctly calibrate the upper limit of hours for the setting of the "Activation maximum duration (hours)" parameter.

 

Thanks in advance for your support,

Paolo

Labels:
3,354 Views
0 Likes
3 Replies
Reply
3 Replies
eliekarkafy

‎Sep 20 2022 12:02 AM

‎Sep 20 2022 12:02 AM

Re: Azure AD PIM - Question on effective time usage of eligible roles after their JIT Activation

@psal88 there is an audit logs view in Azure AD that shows all the activity performed by the users . you can filter by user , service , activity and date. So , if the aim to know how much the user used his eligible role during the 8 hours from the activation time , you can filter by this user and check first activity after activation and last activity , then you would realize how much time he used his eligible role within those 8 hours 

 

 

1 Like
Reply
PaoloSala88

‎Sep 20 2022 01:03 AM - edited ‎Sep 20 2022 01:06 AM

‎Sep 20 2022 01:03 AM - edited ‎Sep 20 2022 01:06 AM

Re: Azure AD PIM - Question on effective time usage of eligible roles after their JIT Activation

Thanks elikarkafy, but how can I understand from the logs that the activities performed by the user are actually those (and only those) which are permitted by the role (e.g. Security Administrator)?

Thanks,
Paolo

0 Likes
Reply
eliekarkafy

‎Sep 20 2022 01:17 AM

‎Sep 20 2022 01:17 AM

Re: Azure AD PIM - Question on effective time usage of eligible roles after their JIT Activation

@PaoloSala88as I understand that your security administrator role is granted with specific access to some of your azure resources then you can use the azure resource activity in PIM . please refer to the below link to see how 

 

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-pim-re...

 

1 Like
Reply