Introduction
Azure Privileged Identity Management (PIM) generates alerts when there is suspicious or dangerous activity in your organization. When an alert is triggered, it appears on the PIM dashboard.
| Alert | Trigger | Recommendation |
|---|---|---|
| Roles are being assigned outside of PIM | An administrator was permanently assigned to a role, outside of the PIM interface. | Review the new role assignment. Because other services can only assign administrators, change it to an eligible assignment if necessary. |
| Roles are being activated too frequently | There were too many re-activations of the same role within the time allowed in the settings. | Contact the user to find out why they have activated the role so often. Perhaps the time limit is too short for them to finish their tasks, or perhaps they're using scripts to get around the process. |
| Roles don't require multi-factor authentication for activation | There are roles without MFA enabled in the settings. | We require MFA for the most highly privileged roles, but strongly encourage you to enable MFA for activation of all roles. |
| Administrators aren't using their privileged roles | There are temporary administrators that haven't activated their roles recently. | Start an access review to determine which users no longer need access. |
| There are too many global administrators | There are more global administrators than recommended. | If you have a high number of global administrators, users are almost certainly getting more permissions than they need. Move users to less privileged roles or make some of them eligible for the role instead of permanently assigned. |
Step-by-step security alert configuration and settings
Sign in to the Azure portal.
Then, open Azure AD Privileged Identity Management in the Azure portal.
After that, click Azure AD roles, then Settings, and then Alerts.
After that, click an alert name to configure the setting for that alert.
Administrators aren't using their privileged roles alert
This alert triggers if a user goes a certain amount of time without activating a role.
Number of days: Specify the number of days, from 0 to 100, that a user can go without activating a role.
Roles are being activated too frequently alert
This alert triggers if a user activates the same privileged role multiple times within a specified period. You can configure both the timeframe and the number of activations.
Activation renewal timeframe: Specify in days, hours, minutes, and seconds the timeframe you want to use to track suspicious renewals.
The tenant doesn't have Azure AD Premium P2
The current tenant does not have Azure AD Premium P2.
There are too many global administrators alert
PIM triggers this alert if two distinct criteria are met, and you can configure both. First, you must reach a certain threshold of global administrators. Second, a certain percentage of your total role assignments must be global administrators. If you meet only one of these measurements, the alert will not appear.
Minimum number of Global Administrators: Specify the number of global administrators, from 2 to 100, that you consider a dangerous amount.
Percentage of global administrators: Specify the percentage of administrators who are global administrators, from 0% to 100%, that is dangerous in your environment.
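The two-criteria rule for the global administrator alert and the activation timeframe described above can be modeled offline to see how candidate thresholds behave before you set them. This is an added example, not code from the original article or from PIM itself; the data is constructed, `max_activations` is a hypothetical name for the activation-count setting, and the `>=` and `>` comparisons are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data, not exported from a real tenant.
NOW = datetime(2024, 1, 31, 12, 0)
ASSIGNMENTS = [  # (user, role), one row per role assignment
    ("alice", "Global Administrator"), ("bob", "Global Administrator"),
    ("carol", "Global Administrator"), ("dave", "User Administrator"),
    ("erin", "Security Reader"),
]
ACTIVATIONS = [  # (user, role, activation time)
    ("dave", "User Administrator", NOW - timedelta(minutes=50)),
    ("dave", "User Administrator", NOW - timedelta(minutes=30)),
    ("dave", "User Administrator", NOW - timedelta(minutes=5)),
    ("alice", "Global Administrator", NOW - timedelta(days=45)),
]

def too_many_global_admins(assignments, min_count, min_percent):
    """True only when BOTH criteria are met (>= is an assumption)."""
    total = len(assignments)
    admins = sum(1 for _, role in assignments if role == "Global Administrator")
    percent = 100.0 * admins / total if total else 0.0
    return admins >= min_count and percent >= min_percent

def activated_too_frequently(activations, timeframe, max_activations):
    """(user, role) pairs with more than max_activations activations
    inside any window of length timeframe (sliding-window count)."""
    by_key = {}
    for user, role, when in activations:
        by_key.setdefault((user, role), []).append(when)
    flagged = set()
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > timeframe:  # drop events older than the window
                start += 1
            if end - start + 1 > max_activations:
                flagged.add(key)
    return flagged

if __name__ == "__main__":
    # 3 of 5 assignments (60%) are Global Administrators.
    print(too_many_global_admins(ASSIGNMENTS, 3, 50))  # both criteria met
    print(too_many_global_admins(ASSIGNMENTS, 3, 75))  # only the count is met
    print(activated_too_frequently(ACTIVATIONS, timedelta(hours=1), 2))
```

Running it against an export of your own assignments shows whether a proposed pair of thresholds would leave the alert silent because only one criterion is met.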
Summary
In this article, I discussed security alert configuration for Azure Active Directory roles in Privileged Identity Management. In my next article, I will cover the next step of this series.