I'm looking for a solution to automatically revoke a user's PIM access if they haven't been using it for a specific period. For instance, if someone hasn't elevated their access in two months, is there a way to set up a system that detects this inactivity and removes their access? Any advice or policies that could help? Thanks!
5 Answers
Regular access reviews might be your best bet. It seems that when people stop using a role, it’s usually for those rare, important tasks. Imagine suddenly losing access right when you need it—that could be a nightmare! So, regular checks might be smarter than an automatic removal policy.
If you're logging PIM activations, you could create a PowerShell script to flag who hasn't elevated roles in a set number of days. That could make tracking inactivity easier!
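As an added illustration of the script idea above (example code written for this page, not posted by the answerer and not a Microsoft tool), the following PowerShell function takes an exported PIM activation log and reports every principal whose most recent activation is older than a threshold. The CSV column names (UserPrincipalName, Role, ActivatedAt), the sample rows and the fixed "now" timestamp are all constructed assumptions; map the columns to whatever your audit-log export actually contains. It also accepts an optional list of eligible users so that principals who have never activated at all (and therefore never appear in the activation log) are flagged too.

```powershell
# Added example: detect stale PIM eligibility from an exported activation log.
# Assumed (hypothetical) log schema: UserPrincipalName,Role,ActivatedAt (ISO 8601, UTC).

function Get-StalePimActivations {
    param(
        # Rows from the exported activation log (objects with UserPrincipalName, Role, ActivatedAt).
        [Parameter(Mandatory)] [object[]]$Activations,
        # Optional: all principals holding eligible assignments, to catch never-activated users.
        [string[]]$EligibleUsers = @(),
        # Inactivity threshold in days (the question mentions two months).
        [int]$InactiveDays = 60,
        # Injected for reproducibility; defaults to the current UTC time.
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )

    $cutoff = $Now.AddDays(-$InactiveDays)

    # Most recent activation per user, normalised to UTC.
    $latest = @{}
    foreach ($row in $Activations) {
        $ts = [DateTimeOffset]::Parse($row.ActivatedAt).UtcDateTime
        $upn = $row.UserPrincipalName
        if (-not $latest.ContainsKey($upn) -or $ts -gt $latest[$upn]) {
            $latest[$upn] = $ts
        }
    }

    # Union of users seen in the log and users known to be eligible.
    $allUsers = @($latest.Keys) + $EligibleUsers | Sort-Object -Unique

    foreach ($upn in $allUsers) {
        $last = if ($latest.ContainsKey($upn)) { $latest[$upn] } else { $null }
        if ($null -eq $last -or $last -lt $cutoff) {
            [pscustomobject]@{
                UserPrincipalName = $upn
                LastActivation    = $last
                DaysSinceLast     = if ($last) { [int]($Now - $last).TotalDays } else { $null }
                Status            = if ($last) { 'Stale' } else { 'NeverActivated' }
            }
        }
    }
}

# Constructed sample log standing in for a real export.
$sampleLog = @"
UserPrincipalName,Role,ActivatedAt
alice@example.com,Global Administrator,2024-05-01T09:12:00Z
alice@example.com,Global Administrator,2024-06-20T14:03:00Z
bob@example.com,Security Administrator,2024-02-10T08:45:00Z
carol@example.com,Exchange Administrator,2024-06-25T16:30:00Z
"@

# Fixed reference time so the sample output is deterministic.
$now = [DateTimeOffset]::Parse('2024-06-30T00:00:00Z').UtcDateTime

$activations = $sampleLog | ConvertFrom-Csv
$stale = Get-StalePimActivations -Activations $activations `
    -EligibleUsers @('dave@example.com') -InactiveDays 60 -Now $now

# With the sample data this lists bob (last activation 141 days ago, Stale)
# and dave (no activation in the log, NeverActivated); alice and carol are recent.
$stale | Format-Table -AutoSize
```

The function only reports; it does not touch any assignment. That keeps the detection step separate from the decision to remove access, which can then be handled through whatever review process the team settles on. Note that the window of the exported log must be at least as long as the threshold, otherwise a user whose last activation predates the export will be misreported as never activated rather than stale.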
You might think about setting a specific time limit for how long access is valid. Automating it can save a lot of hassle down the line.
You can actually use the alert features in PIM to help with this. By adjusting the settings, you can set alerts based on inactivity, like if someone hasn't signed in for a certain number of days. This way, you get notified when access should be evaluated or revoked. It’s a good way to keep track of things.
Alternatively, is there a way to make PIM reactivation automatic when roles expire during working hours? That could save a lot of headaches when things get busy!
So you’re saying I can customize the alert settings to get notifications? That sounds super helpful!