Hey everyone, I need help figuring out how to set up an alert for when someone uses the "Access management for Azure resources" feature. Specifically, this option allows a Global Administrator to manage access across all Azure subscriptions, which can bypass the Privileged Identity Management (PIM) policies we have in place. It seems like a useful 'break glass' option, but I'd really like to receive an email alert whenever it's used to keep track of this access. Any ideas on how to do that?
3 Answers
Well, if you've given a Global Administrator (GA) that much access, monitoring their actions is crucial. The flexibility offered by PIM and role-based access control should be a safety net for scenarios like this. Establishing alerts for any bypass of those policies isn't unreasonable!
You actually have a way to handle this! Every time that slider is toggled, Azure logs an event categorized as Microsoft.Authorization/roleAssignments/write. You can set up the Activity Log to feed into Log Analytics and create an alert in Azure Monitor based on that event. This way, you can get email or SMS notifications when it happens. If this method feels too complex, it might be worth reevaluating how you're using break-glass accounts overall.
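As an added example that is not part of any answer in this thread: a small Python script that runs the detection over Activity Log records. The toggle itself is recorded at tenant scope under the operation name Microsoft.Authorization/elevateAccess/action, and the User Access Administrator assignment it creates is a Microsoft.Authorization/roleAssignments/write whose scope is the root ("/"), so the script flags both and ignores ordinary role-assignment writes inside a subscription. Because the event is written at tenant scope it shows up in the Directory Activity log rather than in any single subscription's log, which matters if you only route subscription Activity Logs to Log Analytics; the tenant-level REST endpoint the script builds a URL for is the place to query it. The record shape follows the Activity Log REST API output, and the sample records are constructed for the example, not real data.

```python
"""Flag use of the "Access management for Azure resources" toggle in Activity Log records.

Added example for this thread, not code from any of the posters.
Matches two tenant-scope events: the elevate-access action itself, and a role
assignment written at the root scope "/". Sample records below are constructed.
"""
from typing import Iterable

ELEVATE_OP = "Microsoft.Authorization/elevateAccess/action"
ROLE_WRITE_OP = "Microsoft.Authorization/roleAssignments/write"
ROOT_SCOPE = "/"


def tenant_activity_log_url(since_utc: str) -> str:
    """Build the tenant-level Activity Log query URL for events since the given
    ISO-8601 UTC timestamp (e.g. 2024-03-01T00:00:00Z). Elevate-access events are
    written at tenant scope, so this endpoint, not a subscription's log, holds them."""
    return ("https://management.azure.com/providers/Microsoft.Insights/"
            "eventtypes/management/values?api-version=2015-04-01"
            f"&$filter=eventTimestamp ge '{since_utc}'")


def _op_name(event: dict) -> str:
    """operationName is an object with a 'value' field in REST output."""
    op = event.get("operationName", {})
    return op.get("value", "") if isinstance(op, dict) else str(op)


def is_elevate_access(event: dict) -> bool:
    return _op_name(event).lower() == ELEVATE_OP.lower()


def is_root_scope_role_write(event: dict) -> bool:
    """A roleAssignments/write whose scope is exactly "/" targets the whole tenant."""
    scope = event.get("authorization", {}).get("scope", "")
    return _op_name(event).lower() == ROLE_WRITE_OP.lower() and scope == ROOT_SCOPE


def find_break_glass_events(events: Iterable[dict]) -> list[dict]:
    """Return one alert per succeeded matching event, oldest first.
    Started/Failed records are skipped so a denied attempt does not page anyone twice."""
    alerts = []
    for ev in events:
        if ev.get("status", {}).get("value", "") != "Succeeded":
            continue
        if is_elevate_access(ev):
            kind = "elevate-access toggle enabled"
        elif is_root_scope_role_write(ev):
            kind = "role assignment written at root scope"
        else:
            continue
        alerts.append({
            "kind": kind,
            "caller": ev.get("caller", "<unknown>"),
            "time": ev.get("eventTimestamp", ""),
            "correlationId": ev.get("correlationId", ""),
        })
    return sorted(alerts, key=lambda a: a["time"])


def format_alert(alert: dict) -> str:
    """One-line body suitable for an email or chat notification."""
    return (f"[BREAK-GLASS] {alert['kind']} by {alert['caller']} "
            f"at {alert['time']} (correlation {alert['correlationId']})")


# Constructed sample records mimicking Activity Log REST API output; not real data.
SAMPLE_EVENTS = [
    {   # the toggle being turned on: this is the event to alert on
        "operationName": {"value": ELEVATE_OP},
        "caller": "ga@contoso.example",
        "eventTimestamp": "2024-03-01T10:15:02Z",
        "status": {"value": "Succeeded"},
        "authorization": {"action": ELEVATE_OP, "scope": "/"},
        "correlationId": "c1",
    },
    {   # ordinary role assignment inside a subscription (e.g. PIM activation): ignored
        "operationName": {"value": ROLE_WRITE_OP},
        "caller": "pim@contoso.example",
        "eventTimestamp": "2024-03-01T10:20:00Z",
        "status": {"value": "Succeeded"},
        "authorization": {"action": ROLE_WRITE_OP,
                          "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
        "correlationId": "c2",
    },
    {   # the User Access Administrator assignment at root scope: also flagged
        "operationName": {"value": ROLE_WRITE_OP},
        "caller": "ga@contoso.example",
        "eventTimestamp": "2024-03-01T10:15:05Z",
        "status": {"value": "Succeeded"},
        "authorization": {"action": ROLE_WRITE_OP, "scope": "/"},
        "correlationId": "c1",
    },
    {   # a failed attempt: skipped
        "operationName": {"value": ELEVATE_OP},
        "caller": "ga@contoso.example",
        "eventTimestamp": "2024-03-01T11:00:00Z",
        "status": {"value": "Failed"},
        "authorization": {"action": ELEVATE_OP, "scope": "/"},
        "correlationId": "c3",
    },
]

if __name__ == "__main__":
    for alert in find_break_glass_events(SAMPLE_EVENTS):
        print(format_alert(alert))
```

Run against the sample records it reports the toggle event and the root-scope assignment (both under correlation c1) and nothing else; in practice you would feed it the JSON returned by the tenant-level URL, or port the same two conditions into the alert rule's query once the log is in Log Analytics.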
I get where you're coming from. It's all about balancing the power granted to GAs and keeping everything in check. Definitely sounds reasonable to set up an alert for when those privileges are bypassed.