Comparing Entra ID Access Reviews and Time-Limited Eligibility in PIM

Asked By CuriousCat42 On

I'm curious about the overlap between Entra ID access reviews and time-limited eligibility periods in Privileged Identity Management (PIM). It seems you can either set PIM users to be permanently eligible and then conduct periodic access reviews, or you might just let role or group memberships expire every few months. Wouldn't extending temporary eligibility to a role or group achieve similar outcomes as conducting access reviews, but with less complexity? The only trade-off seems to be the loss of multi-level approvals. What do you all think?

4 Answers

Answered By SafetyFirst81 On

While they may look similar at first glance, they actually serve different purposes. PIM expiry helps maintain an access lifecycle, while access reviews focus on accountability. For regulated environments, it's usually best to have both in place.

Answered By DiligentAdmin On

There are definite risks if things slip through the cracks during user offboarding. For instance, if a user is set to have 6 months of eligibility but leaves after 1 month, it wouldn't make sense to wait for 5 months for their access to expire. Access reviews help highlight any oversights in offboarding.

OnPointFeedback -

I totally agree! Having access reviews on a schedule can catch these misses. If that user leaves at 1 month and their access isn’t reviewed, you could be waiting needless months for them to lose permissions.

Answered By AdminWhiz On

The goal of PIM is to avoid standing permissions, allowing users to have roles active only for a few hours, not months. This minimizes risk because, in the event of a breach, there's a good chance that compromised accounts won't have active roles. My organization uses a mix of eligible and active roles tailored to job functions, ensuring that access is granted thoughtfully and revised regularly through access reviews.

Answered By TechGuru99 On

If a Global Admin leaves and their access isn’t revoked for three months, it could be a problem. Ideally, when someone leaves, their account should be disabled immediately, which would also unassign their roles. Access reviews don't offer any advantage in such scenarios compared to role eligibility that coincides with the access review schedule.

QuickFixer -

Exactly! The first step should always be to disable the account right away. Waiting for reviews just complicates matters without offering any real protection.
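To make the "exposure window" that DiligentAdmin and TechGuru99 describe concrete, here is a small model added as an illustration (it is not code posted by anyone in this thread and not a Microsoft tool). It takes a PIM eligibility with an end date, a leaver date and an access-review cadence, and reports how many days the leaver could still activate the role under each strategy. Names, dates and the quarterly schedule are constructed; the model also assumes the reviewer denies the leaver at the first review after their departure.

```python
"""Model of how long a leaver keeps an Entra ID role under different
PIM eligibility / access-review strategies.  Added illustration with
constructed sample data; not a Microsoft API."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


@dataclass(frozen=True)
class Eligibility:
    principal: str
    role: str
    eligible_from: date
    eligible_until: Optional[date]   # None models "permanently eligible"


@dataclass(frozen=True)
class ReviewSchedule:
    first_review: date
    period_months: int               # 3 = quarterly, 6 = semi-annual


def add_months(d: date, n: int) -> date:
    """Add n calendar months, clamping the day to the target month's length."""
    m = d.month - 1 + n
    y = d.year + m // 12
    m = m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def next_review(schedule: ReviewSchedule, on_or_after: date) -> date:
    """First scheduled review on or after the given date.
    Always computed from first_review so repeated month steps do not drift."""
    k = 0
    r = schedule.first_review
    while r < on_or_after:
        k += 1
        r = add_months(schedule.first_review, k * schedule.period_months)
    return r


def days_of_exposure(elig: Eligibility, leave_date: date,
                     reviews: Optional[ReviewSchedule] = None) -> Dict[str, Optional[int]]:
    """Days after leave_date during which the role can still be activated.
    None means the eligibility is never removed by that strategy."""
    results: Dict[str, Optional[int]] = {}

    # Strategy 1: rely only on the PIM eligibility end date.
    expiry = None
    if elig.eligible_until is not None:
        expiry = max((elig.eligible_until - leave_date).days, 0)
    results["expiry_only"] = expiry

    # Strategy 2: periodic access review only (assumes the reviewer
    # removes the leaver at the first review after departure).
    review = None
    if reviews is not None:
        review = (next_review(reviews, leave_date) - leave_date).days
    results["review_only"] = review

    # Strategy 3: both controls; whichever fires first wins.
    both = [d for d in (expiry, review) if d is not None]
    results["expiry_and_review"] = min(both) if both else None

    # Strategy 4: offboarding disables the account the day the person leaves,
    # which removes the ability to activate any role immediately.
    results["disable_at_offboarding"] = 0
    return results


if __name__ == "__main__":
    # Constructed sample: six months of eligibility, leaves after one month,
    # quarterly reviews anchored on 1 January.
    alice = Eligibility("alice", "Global Administrator", date(2024, 1, 1), date(2024, 7, 1))
    quarterly = ReviewSchedule(date(2024, 1, 1), 3)
    for strategy, days in days_of_exposure(alice, date(2024, 2, 1), quarterly).items():
        print(f"{strategy:24s} {'never' if days is None else f'{days} days'}")
```

Running it shows the trade-off the thread is about: with only a six-month eligibility the leaver keeps the ability to activate Global Administrator for 151 days, quarterly reviews cut that to 60, combining both is no better than the review alone in this case, and a permanently eligible account with no review is never cleaned up. Disabling the account at offboarding drives every row to zero, which is why the answers above treat expiry and reviews as safety nets behind the leaver process rather than substitutes for it.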
