Unit 8: Analyze Privileged Identity Management audit history and reports
Privileged Identity Management (PIM) provides built-in auditing and reporting to help organizations track how privileged access is used. These audit capabilities are essential for security monitoring, investigations, and compliance.
Using PIM audit history, administrators can:
- See who activated privileged access.
- Understand when and why access was used.
- Verify that approvals and policies were followed.
- Support internal and external audits.
Audit data is available for privileged access group members and owners within Microsoft Entra ID.
Important limitation to understand
If your organization uses Azure delegated resource management (for example, a managed service provider), then:
- Role assignments performed by the service provider are not shown in the PIM audit history for your tenant.
- Only actions performed within your Microsoft Entra organization are visible.
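This matters when defining audit scope and in compliance discussions: the PIM audit history for your tenant does not cover role assignments performed by the service provider.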
Types of audit views in PIM
PIM provides two primary audit views for privileged access groups:
| Audit type | Purpose |
|---|---|
| Resource audit | Shows all activity related to a specific privileged access group |
| My audit | Shows activity related only to the signed-in user |
Each view serves a different governance purpose.
View resource audit history
What is Resource audit?
Resource audit provides a centralized view of all actions performed on a privileged access group.
This includes:
- Membership activations.
- Ownership activations.
- Role assignment-related activity.
- Administrative changes affecting the group.
This view is typically used by:
- Security teams.
- Identity administrators.
- Auditors.
Steps: View resource audit history
- Open Microsoft Entra Privileged Identity Management.
- Select Groups.
- Select the privileged access group you want to review.
- Under Activity, select Resource audit.
- Filter the audit history using:
  - A predefined date range, or
  - A custom date range.
The audit list updates based on the selected filter.
When to use Resource audit
Use Resource audit when you need to:
- Investigate suspicious privilege usage.
- Validate that approvals were granted correctly.
- Review historical privileged access for compliance.
- Confirm that PIM policies are being enforced.
View personal audit history (My audit)
What is My audit?
My audit allows an individual user to view their own privileged activity within a privileged access group.
This view includes:
- When you activated access.
- Which group you activated.
- The time range of activation.
- Your own role-related activity.
This view does not show other users’ actions.
Steps: View My audit
- Open Microsoft Entra Privileged Identity Management.
- Select Groups.
- Select the privileged access group.
- Under Activity, select My audit.
- Filter the audit history using:
  - A predefined date range, or
  - A custom date range.
When to use My audit
Use My audit when you want to:
- Review your own privileged access usage.
- Verify when you activated a role.
- Support internal reviews or justifications.
- Confirm activation history for troubleshooting.
Governance and compliance value
PIM audit history supports:
- Zero Trust principles by validating least privilege usage.
- Audit readiness by maintaining a record of privileged actions.
- Accountability by linking actions to specific users.
- Operational visibility into how privileged access is used over time.
Audit logs help answer key governance questions:
- Who accessed privileged roles?
- When was access activated?
- Was approval required and followed?
- Was access time-limited?
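The four questions above, checked in code as an added example (not part of the original unit and not Microsoft tooling). The rows are constructed, and the field layout, action labels and 8-hour limit are assumptions to map onto your own audit records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (time, request_id, actor, group, action).
# Layout and action labels are assumptions, not the PIM audit schema.
# For "approve" the actor is the approver; otherwise it is the member.
SAMPLE = [
    ("2024-05-01T09:00:00", "r1", "bob@contoso.example", "PAG-Admins", "approve"),
    ("2024-05-01T09:05:00", "r1", "alice@contoso.example", "PAG-Admins", "activate"),
    ("2024-05-01T11:05:00", "r1", "alice@contoso.example", "PAG-Admins", "expire"),
    ("2024-05-02T22:00:00", "r2", "carol@contoso.example", "PAG-Admins", "activate"),
    ("2024-05-03T10:00:00", "r2", "carol@contoso.example", "PAG-Admins", "expire"),
    ("2024-05-04T08:00:00", "r3", "dave@contoso.example", "PAG-Ops", "approve"),
    ("2024-05-04T08:01:00", "r3", "dave@contoso.example", "PAG-Ops", "activate"),
]

def review(rows, max_hours=8, approval_required=True):
    """Answer who / when / approved / time-limited for each activation."""
    by_request = defaultdict(dict)
    for time, request_id, actor, group, action in rows:
        by_request[request_id][action] = (datetime.fromisoformat(time), actor, group)

    findings = {}
    for request_id, events in by_request.items():
        if "activate" not in events:
            continue  # approved but never used: nothing to review
        start, who, group = events["activate"]
        approver = events.get("approve", (None, None, None))[1]
        issues = []
        # Was approval required and followed?
        if approval_required and approver is None:
            issues.append("no approval recorded")
        elif approver == who:
            issues.append("self-approved")
        # Was access time-limited?
        if "expire" not in events:
            issues.append("no end time recorded")
        elif events["expire"][0] - start > timedelta(hours=max_hours):
            issues.append(f"active longer than {max_hours}h")
        findings[request_id] = {"who": who, "group": group,
                                "when": start.isoformat(), "issues": issues}
    return findings

if __name__ == "__main__":
    for request_id, finding in review(SAMPLE).items():
        print(request_id, finding)
```
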
Exam-focused summary
- PIM provides audit history for privileged access groups.
- Resource audit shows activity for the entire group.
- My audit shows activity for the signed-in user only.
- Audit history can be filtered by date range.
- Role assignments performed by a managed service provider through Azure delegated resource management are not shown in your tenant's PIM audit history.
- Audit history is critical for security monitoring and compliance.