
Empower Your Microsoft Entra PIM Notifications

Are you missing out on Microsoft Entra PIM notifications? Frustrated admins have been searching for answers, but the mystery persists. Until now. Join me as I reveal the secrets behind the missing notifications and introduce your new gossipmonger.

In this blog post, you’ll learn:

  • Why PIM notifications may be missing from your Azure Active Directory.
  • How to use the Entra Admin Center to configure your gossipmonger for PIM activities.
  • Tips and best practices for managing PIM notifications and ensuring your organization’s security.

Get ready to solve the mystery of the missing PIM notifications in Microsoft Entra with this guide, and find a way to configure a trusted gossipmonger.


What is Privileged Identity Management?

Privileged Identity Management (PIM) is a powerful Azure Active Directory (AAD) service that helps organizations manage, control and monitor access to essential resources.

PIM provides time-based and approval-based activation of privileged roles, enabling administrators to control access to critical resources such as Azure AD, Azure, Microsoft 365, and Intune.

Reduce the potential for lateral movement in the event of account compromise by eliminating persistent access to privileged roles and resources. Enforce just-in-time access to critical roles with PIM.

With PIM, administrators can enforce just-in-time (JIT) access to privileged roles, require approval for activation, and use multi-factor authentication to activate any role. Additionally, PIM allows administrators to use justification to understand why users activate roles and receive notifications when privileged roles are activated.

Furthermore, PIM enables organizations to conduct access reviews to ensure users still need roles and download audit history for internal or external audits. Finally, PIM prevents the removal of the last active Global Administrator and Privileged Role Administrator role assignments.

By leveraging the full capabilities of PIM, organizations can proactively monitor and secure their environments, maintain compliance, and protect against security threats.

The Challenge With The Missing Notifications

Since most cyberattacks leverage privileged access, it is imperative to closely monitor the assignment and activation of the highest privileged roles for signs of compromise. This should include notifications when a highly privileged role is assigned to a user and when a user activates a highly privileged role.

The Intended Email Notifications

PIM informs you by e-mail when privileged roles are assigned or activated, and on other important events. These e-mails can include links to the relevant task, for instance when you need to approve a request or activate a role manually.

The sender of these e-mails is “azure-noreply@microsoft.com” with a display name like “Microsoft Azure”, and the e-mail subject will be prefixed with “PIM”. Here is an example of such a notification.


These e-mails are sent at the following events:

  • When a PIM activation is awaiting approval
  • When a PIM activation has completed
  • When PIM is enabled

Another example is the weekly PIM report which summarizes the PIM activities. This report will show the number of PIM activations and changes throughout the week. Here is an example of how this looks:

All of these emails should support, inform and give insights into the tenant’s privileged role usage.

The Missing Email Notifications

The challenge for many recipients of these e-mails has been a perceived inconsistency: some notifications arrive, while others never do.

After investigating the situation thoroughly, I found that the notifications were only sent to users holding an activated administrator role. Users who were merely eligible for a role, without an active activation, did not receive the PIM e-mails. This behavior was confirmed in the Exchange message traces, and it explains the irregularities experienced with the missing messages.

The documentation from Microsoft was at the time ambiguous on this, as seen in the following screenshot:

The Microsoft documentation stated that the notifications also should have reached eligible users. The documentation has now been corrected based on the new experience, and I am happy to have been able to contribute to this article on Microsoft Learn.

The following table summarizes who receives each e-mail notification. In every row the administrator holds an active (activated or permanently assigned) role; an administrator who is only eligible receives none of them:

| Recipient (activated role)    | Role activation pending approval | Role activation complete      | PIM is enabled |
|-------------------------------|----------------------------------|-------------------------------|----------------|
| Privileged Role Administrator | Yes                              | Yes (if notification enabled) | Yes            |
| Security Administrator        | No                               | Yes (if notification enabled) | Yes            |
| Global Administrator          | No                               | Yes (if notification enabled) | Yes            |

Empower Your Microsoft Entra PIM Notifications

The main idea behind Privileged Identity Management (PIM) is to provide just-in-time privileged access to Azure AD and Azure resources. My blog post covering Five Approaches For Local Admin Access On The Azure AD Joined PC has previously mentioned PIM as a helpful technology. It now turns out that this also gives just-in-time access to the notifications related to the PIM activations.

Some admins strongly desire to receive these notifications directly in their mailbox to keep a close eye on role-based activity in the tenant. In addition, such notifications are essential for alerting delegated approvers when a role request awaits their approval.

Take 1 – Configure notification settings for each role

To receive the PIM notifications, we can modify the default role settings. This gives a granular way of selecting which notifications to receive and where to send them. The settings live on each role: in the Entra Admin Center, go to Identity Governance – Privileged Identity Management – Azure AD Roles – Roles – <selected role> – Assignments – Settings, as shown in the following screenshots:

Editing the role settings reveals a tab that controls which notifications the particular role sends. Besides the default recipients (the users holding an active assignment), we can add extra recipients, as shown in the following screenshot:

This gives a granular way of configuring recipients for each action on each role. You can send the notifications to personal mailboxes, group mailboxes, or even the e-mail address of a Teams channel. Whichever destination you choose, remember that these notifications reveal who holds and activates which privileged roles, so restrict who can read that mailbox or channel.

See Microsoft's guide: Get the email address for a receiving channel in a team.

The drawback of this approach is that the granular settings must be maintained on every role that is eligible for PIM.
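To take the per-role clicking out of Take 1, the same setting can be applied to every directory role's PIM policy in one pass. The following PowerShell script is an added example and not code from the original post: it appends one extra recipient to the "notify Admin when a member activates this role" rule (rule id Notification_Admin_EndUser_Assignment) on each role's policy, keeping whatever recipients and notification level the role already has. It assumes the Microsoft.Graph.Authentication module, an account allowed to write role management policies (for example a Privileged Role Administrator), and a placeholder recipient address.

```powershell
# Added example (not from the original post): add one recipient to the
# "Role activation -> notify Admin" e-mail rule on every Entra directory role.
# Assumptions: Microsoft.Graph.Authentication is installed; the signed-in
# account may write role management policies; the address is a placeholder.

Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory", "RoleManagement.Read.Directory"

$ExtraRecipient = "pim-alerts@contoso.com"                 # placeholder: shared mailbox or Teams channel address
$RuleId         = "Notification_Admin_EndUser_Assignment"  # admins notified when a member activates the role
$Graph          = "https://graph.microsoft.com/v1.0"

# Follow @odata.nextLink so that all roles are processed, not just the first page.
function Get-AllPages([string]$Uri) {
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# Each policy assignment at tenant scope ("/") links a directory role
# (roleDefinitionId) to the PIM policy that governs it (policyId).
$filter      = [uri]::EscapeDataString("scopeId eq '/' and scopeType eq 'DirectoryRole'")
$assignments = Get-AllPages "$Graph/policies/roleManagementPolicyAssignments?`$filter=$filter"

foreach ($pa in $assignments) {
    $role    = Invoke-MgGraphRequest -Method GET -Uri "$Graph/roleManagement/directory/roleDefinitions/$($pa.roleDefinitionId)"
    $ruleUri = "$Graph/policies/roleManagementPolicies/$($pa.policyId)/rules/$RuleId"
    $rule    = Invoke-MgGraphRequest -Method GET -Uri $ruleUri

    # Keep the recipients the role already has; only append ours.
    $recipients = @($rule.notificationRecipients | Where-Object { $_ })
    if ($recipients -contains $ExtraRecipient) {
        Write-Host "Skip  $($role.displayName): recipient already present"
        continue
    }
    $recipients += $ExtraRecipient

    # PATCH must carry the complete rule (type, target, level), not just the changed field.
    # Level, default-recipient flag and target are copied from the existing rule.
    $body = @{
        "@odata.type"              = "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule"
        id                         = $RuleId
        notificationType           = "Email"
        recipientType              = "Admin"
        notificationLevel          = $rule.notificationLevel          # "All" or "Critical", unchanged
        isDefaultRecipientsEnabled = $rule.isDefaultRecipientsEnabled # keep mailing activated admins too
        notificationRecipients     = $recipients
        target                     = $rule.target
    }
    Invoke-MgGraphRequest -Method PATCH -Uri $ruleUri -Body $body | Out-Null
    Write-Host "Added $($role.displayName): $ExtraRecipient"
}
```

Run it once and re-run safely: roles that already carry the address are skipped. The same loop works for the other notification rules (for example Notification_Admin_Admin_Eligibility for new eligible assignments) by changing $RuleId and the matching recipientType.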

Take 2 – Use the Break Glass Admin Account As Your Gossipmonger

Sometime after I discovered this change in notification behavior, my subconscious devised a solution related to the Break Glass Admin account.

This kind of idea often comes along while I am walking my dog, humming old Johnny Cash melodies – “Tell the gossipers and liars, I will see them in the fire, Let the train blow the whistle when I go…“. I will let the idea go for you, with no desire for cash.

The Break Glass Admin (BGA) account is an emergency access account in Azure AD with a permanent, active Global Administrator assignment.

Since this account is permanently activated, it will receive all PIM notifications. Based on this fact, my subconscious idea hit: Can we use the BGA account as our notification Gossipmonger?

By using the “Other emails” field in Azure Active Directory for the Break Glass Admin (BGA), we can forward the notifications to the desired recipient. An example configuration of this is visualized in the following screenshot:

PS: The account name in this screenshot is for illustration only; giving the BGA account a less descriptive name is better practice.

After saving this configuration, a message trace in Microsoft Exchange Admin Center shows that activation notifications are sent from azure-noreply@microsoft.com to the alternative email address added for the BGA account:

This configuration effectively catches all PIM notifications without touching the notification settings on every Azure AD role. As easy as pie! Two things to keep in mind: whoever can edit the BGA account's attributes can redirect or silence these notifications by changing Other emails, so changes to the BGA account deserve an alert of their own; and the forwarding destination now sees every privileged activation in the tenant, so restrict who can read it.
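The Take 2 configuration, scripted as an added example that is not part of the original post. It first checks the precondition the trick depends on, namely that the BGA account really holds a permanent, active Global Administrator assignment (only activated admins receive the mails), and only then appends the forwarding address to the account's Other emails attribute (otherMails in Microsoft Graph). The UPN and destination address are placeholders; it assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance modules.

```powershell
# Added example (not from the original post): forward PIM notifications via the
# Break Glass Admin account's "Other emails" attribute, after verifying that the
# account holds a permanent active Global Administrator assignment.
# Placeholders: UPN and destination address. Assumes Microsoft.Graph.Users and
# Microsoft.Graph.Identity.Governance modules.

Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.Read.Directory"

$BgaUpn            = "bga-01@contoso.onmicrosoft.com"          # placeholder; use a non-descriptive name in practice
$ForwardTo         = "pim-alerts@contoso.com"                  # placeholder shared mailbox / Teams channel address
$GlobalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"    # well-known template id of Global Administrator

$bga = Get-MgUser -UserId $BgaUpn -Property Id, UserPrincipalName, OtherMails

# Active assignment instances: AssignmentType "Assigned" is a standing assignment,
# "Activated" is a time-limited PIM activation. A permanent one has no end date.
$instances   = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
    -Filter "principalId eq '$($bga.Id)'"
$permanentGa = $instances | Where-Object {
    $_.RoleDefinitionId -eq $GlobalAdminRoleId -and
    $_.AssignmentType   -eq "Assigned" -and
    -not $_.EndDateTime
}
if (-not $permanentGa) {
    throw "$BgaUpn has no permanent active Global Administrator assignment; it would not receive PIM notifications."
}

# Append the forwarding address, preserving any addresses already present.
$otherMails = @($bga.OtherMails | Where-Object { $_ }) + $ForwardTo | Select-Object -Unique
Update-MgUser -UserId $bga.Id -OtherMails $otherMails

# Read back what Entra now holds for the account.
Get-MgUser -UserId $bga.Id -Property UserPrincipalName, OtherMails |
    Select-Object UserPrincipalName, @{ n = "OtherMails"; e = { $_.OtherMails -join ", " } }
```

After running it, a message trace in the Exchange Admin Center should show the next activation notification from azure-noreply@microsoft.com being delivered to the forwarding address, as described above.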

Take 3 – Discover and monitor

It is essential to discover and monitor access to critical resources: we need to know who has access to what, and to be notified when new assignments are granted to accounts in our organization. E-mail, as discussed so far, works well for some organizations, but the audit log is just as necessary.

The audit log can be found by navigating to Privileged Identity Management – Azure AD Roles – Resource Audit.

This will give you the desired insight with the opportunity to search, filter and sort the view.
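The same insight can be pulled from the audit log programmatically, so that a review does not depend on an e-mail arriving. The following PowerShell is an added example and not code from the original post: it fetches the PIM entries from the Entra directory audit log for the last seven days, keeps the role membership events (assignments, activations, removals) for a configurable list of watched roles, and prints them together with a per-role summary. It assumes the Microsoft.Graph.Reports module and an account allowed to read audit logs; the watched-role list is a suggestion.

```powershell
# Added example (not from the original post): list PIM assignment/activation
# events on watched roles from the Entra audit log for the last 7 days.
# Assumes Microsoft.Graph.Reports; the watched-role list is a suggestion.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$WatchedRoles = @("Global Administrator", "Privileged Role Administrator", "Security Administrator")
$since        = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Server-side filter: only PIM-logged events in the window.
$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "loggedByService eq 'PIM' and activityDateTime ge $since"

# Client-side filter: role membership changes on the roles we care about.
$rows = foreach ($e in $events) {
    if ($e.ActivityDisplayName -notmatch "member (to|from) role") { continue }
    $roleTarget = $e.TargetResources | Where-Object { $_.Type -eq "Role" } | Select-Object -First 1
    $userTarget = $e.TargetResources | Where-Object { $_.Type -eq "User" } | Select-Object -First 1
    if (-not $roleTarget -or $WatchedRoles -notcontains $roleTarget.DisplayName) { continue }
    [pscustomobject]@{
        Time      = $e.ActivityDateTime
        Activity  = $e.ActivityDisplayName        # e.g. "... completed (PIM activation)"
        Role      = $roleTarget.DisplayName
        Principal = $userTarget.UserPrincipalName # account that received/activated the role
        Initiator = $e.InitiatedBy.User.UserPrincipalName
        Result    = $e.Result
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Summary: how often each watched role saw each kind of event this week,
# the programmatic counterpart of the weekly PIM report e-mail.
$rows | Group-Object Role, Activity | Select-Object Count, Name | Sort-Object Count -Descending
```

Scheduling this (for example from Azure Automation) and forwarding the table to the same shared mailbox used for the e-mail notifications gives a second channel that keeps working even when a notification e-mail is lost.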

Access Reviews should also be set up at specific frequencies to look critically at who has access to elevated roles and ensure any ghost accounts don’t haunt the system. This will, however, not be a part of this blog post.

Concluding thoughts

Missing notifications cause a stir,
Admins left searching without a cure.
But fear not, the mystery will be solved,
And PIM notifications will soon be involved.

Privileged access is what PIM controls,
And just-in-time activation is its role.
But inconsistent emails have caused a fuss,
Leaving admins without any trust.

To receive notifications, settings can be changed.
For each role, a granular approach is arranged.
Or Break Glass Admin can be the one,
Forwarding notifications to get the job done.

Configure and manage, with ease and grace,
And secure your organization’s privileged space.
With PIM and its notifications in check,
Rest easy; your security won’t be a wreck.

