PIM Audit History and Reports
PIM (Privileged Identity Management) Audit History and Reports is a critical feature within Microsoft Entra ID (formerly Azure AD) that provides comprehensive tracking and monitoring of privileged role activities across an organization's identity governance framework.

**Audit History** captures all activities related to privileged role assignments and activations. This includes records of who activated a role, when it was activated, the duration of activation, approval workflows, and any justifications provided. Every action within PIM—such as role assignments, activations, deactivations, renewals, and approvals—is logged with timestamps and actor details.

**Key Components of PIM Audit History:**
1. **Role Activation Logs**: Track when users activate eligible roles, including start time, end time, and reason for activation.
2. **Assignment Changes**: Document when administrators assign, remove, or modify role assignments (both eligible and active).
3. **Approval Records**: Capture approval and denial decisions made by designated approvers.
4. **Setting Changes**: Log modifications to PIM policies, such as changes to activation duration or MFA requirements.

**PIM Reports** provide structured views of audit data for analysis and compliance purposes. These include:
- **Role Assignment Reports**: Show current and historical role assignments across Azure AD and Azure resource roles.
- **Access Reviews**: Summarize results of periodic reviews ensuring users still need their privileged access.
- **Alert Reports**: Highlight security concerns like redundant roles, stale assignments, or excessive permanent administrators.
**Compliance Benefits:** PIM audit history supports regulatory compliance (SOC 2, GDPR, HIPAA) by maintaining a complete trail of privileged access activities. Organizations can export audit data to SIEM solutions like Microsoft Sentinel for advanced analysis. Administrators can access PIM audit history through the Azure portal, Microsoft Graph API, or integrate it with Azure Monitor for long-term retention. The default retention period is 30 days, but organizations can extend this by routing logs to Azure Storage or Log Analytics workspaces for extended retention and deeper forensic analysis.
PIM Audit History and Reports: A Complete Guide for SC-300
Understanding PIM Audit History and Reports
Why Is PIM Audit History Important?
Privileged Identity Management (PIM) Audit History and Reports are critical components of identity governance in Microsoft Entra ID (formerly Azure AD). Organizations that grant privileged access to resources must be able to answer fundamental questions: Who activated what role? When did they activate it? Why was it approved? Who approved it? Without robust audit trails, organizations face significant security, compliance, and operational risks.
Here's why PIM audit history matters:
1. Regulatory Compliance: Regulations such as SOX, GDPR, HIPAA, and ISO 27001 require organizations to maintain detailed records of privileged access. PIM audit history provides the evidence needed during compliance audits.
2. Security Incident Investigation: When a security breach occurs, audit logs allow investigators to trace back who had elevated privileges and when, helping to identify the attack vector and scope of compromise.
3. Accountability: Audit trails ensure that every privileged action is attributable to a specific identity, creating a culture of accountability among administrators.
4. Operational Visibility: Understanding patterns of role activation helps organizations optimize their PIM policies, such as adjusting activation durations or approval workflows.
5. Zero Trust Alignment: PIM auditing supports the Zero Trust principle of "assume breach" by continuously monitoring and logging privileged access activities.
What Are PIM Audit History and Reports?
PIM Audit History and Reports refer to the logging, tracking, and reporting capabilities built into Microsoft Entra Privileged Identity Management. These features capture a comprehensive record of all PIM-related activities across both Microsoft Entra roles and Azure resource roles.
The key components include:
1. PIM Audit Logs
These logs capture all activities related to PIM operations, including:
- Role assignment creation and removal
- Role activation and deactivation
- Role setting changes (e.g., changing activation duration, requiring MFA, requiring approval)
- Approval and denial of role activation requests
- Access review creation, updates, and results
- Alert generation and dismissal
2. Resource Audit
For Azure resource roles, the resource audit provides a view of all PIM-related activities for a specific Azure resource, such as a subscription, resource group, or individual resource like a virtual machine or storage account.
3. My Audit
This is a personal view that allows individual users to see their own PIM activity history, including their role activations, approvals they've made, and other personal PIM actions.
4. PIM Reports
Microsoft Entra ID provides several built-in reports related to PIM:
- Role assignment activity report: Shows eligible and active role assignments over time
- Role activation activity report: Shows activation frequency, duration, and patterns
- Access review history report: Summarizes results of completed access reviews
- Alert history: Tracks security alerts generated by PIM, such as too many permanent administrators
5. Microsoft Entra Audit Logs Integration
PIM events are also written to the Microsoft Entra audit logs, meaning they can be:
- Exported to Azure Monitor (Log Analytics)
- Streamed to Azure Event Hubs
- Sent to Azure Storage accounts
- Integrated with SIEM solutions like Microsoft Sentinel
How Does PIM Audit History Work?
Understanding the mechanics of PIM auditing is essential for the SC-300 exam:
Step 1: Event Generation
Every action taken within PIM generates an audit event. For example, when a user activates an eligible role assignment, PIM logs:
- The user's identity (who)
- The role being activated (what)
- The target resource or directory (where)
- The timestamp (when)
- The justification provided (why)
- The approval chain (who approved, if applicable)
- The activation duration
- The IP address of the requestor
Step 2: Event Storage
Audit events are stored in the Microsoft Entra audit log. The default retention period depends on your license:
- Microsoft Entra ID Free: 7 days
- Microsoft Entra ID P1: 30 days
- Microsoft Entra ID P2: 30 days
- For longer retention, logs must be exported to Azure Monitor Log Analytics, Azure Storage, or a SIEM solution
Step 3: Accessing Audit History
There are multiple ways to access PIM audit data:
Via the Microsoft Entra Admin Center:
- Navigate to Identity Governance > Privileged Identity Management
- Select Microsoft Entra roles or Azure resources
- Click on Resource audit or My audit
- Filter by date range, role, action type, or principal
Via Microsoft Graph API:
- Use the directoryAudits endpoint to programmatically query PIM-related audit events
- Filter using the loggedByService property set to "PIM"
Via Azure Monitor / Log Analytics:
- Configure diagnostic settings to send Microsoft Entra audit logs to a Log Analytics workspace
- Use Kusto Query Language (KQL) to write custom queries against the AuditLogs table
- Create custom workbooks and dashboards for PIM monitoring
Via Microsoft Sentinel:
- Connect the Microsoft Entra data connector
- Use built-in analytics rules to detect suspicious PIM activities
- Create custom hunting queries for PIM-related threats
Step 4: Analyzing and Reporting
Once audit data is available, administrators can:
- Generate reports showing all role activations within a specific time period
- Identify users who activated roles most frequently
- Review approval workflows and identify bottlenecks
- Detect anomalous patterns, such as activations outside business hours
- Correlate PIM events with sign-in logs for a complete picture
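As an added example (not code from the original page or from Microsoft), the following Python builds the directoryAudits filter described in Step 3 and runs two of the Step 4 analyses, most-frequent activators and activations outside business hours, over constructed records shaped like Graph directoryAudits results. The activityDisplayName strings, the `type == "Role"` target check, and the 08:00-18:00 UTC business window are assumptions to verify against your own tenant's logs.

```python
from collections import Counter
from datetime import datetime, timezone

# Assumed activityDisplayName for a PIM activation event (verify against your tenant's logs).
PIM_ACTIVATION = "Add member to role completed (PIM activation)"

def pim_audit_filter(since: datetime) -> str:
    """OData $filter for GET /auditLogs/directoryAudits limited to PIM events since a time."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"loggedByService eq 'PIM' and activityDateTime ge {stamp}"

def is_off_hours(ts: datetime, start_hour: int = 8, end_hour: int = 18) -> bool:
    """True when an activation lands on a weekend or outside start_hour..end_hour UTC (assumed window)."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)

def analyze_activations(records):
    """Return (activations per user, list of off-hours activations) over directoryAudits-shaped records."""
    per_user = Counter()
    off_hours = []
    for rec in records:
        # Keep only PIM activation events; deactivations, approvals and non-PIM events are skipped.
        if rec.get("loggedByService") != "PIM" or rec.get("activityDisplayName") != PIM_ACTIVATION:
            continue
        ts = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        actor = rec["initiatedBy"]["user"]
        role = next((t["displayName"] for t in rec["targetResources"] if t.get("type") == "Role"), "?")
        per_user[actor["userPrincipalName"]] += 1
        if is_off_hours(ts):
            off_hours.append((actor["userPrincipalName"], role, ts.isoformat(), actor.get("ipAddress")))
    return per_user, off_hours

def _pim(upn, ip, when, role="Global Administrator", activity=PIM_ACTIVATION, service="PIM"):
    """Build one constructed record in the directoryAudits shape (sample data, not a real tenant)."""
    return {"loggedByService": service, "activityDisplayName": activity, "activityDateTime": when,
            "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
            "targetResources": [{"type": "Role", "displayName": role}]}

SAMPLE_RECORDS = [  # constructed: Mon 09:15 (in hours), Sat 02:40 and Tue 22:05 (off hours)
    _pim("alice@contoso.example", "203.0.113.10", "2024-03-11T09:15:00Z"),
    _pim("bob@contoso.example", "198.51.100.7", "2024-03-16T02:40:00Z", role="Exchange Administrator"),
    _pim("bob@contoso.example", "198.51.100.7", "2024-03-16T04:40:00Z",
         activity="Remove member from role completed (PIM deactivate)"),  # deactivation: not counted
    _pim("carol@contoso.example", "192.0.2.5", "2024-03-12T10:00:00Z", service="Core Directory"),
    _pim("alice@contoso.example", "203.0.113.10", "2024-03-12T22:05:00Z"),
]
SINCE = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed lower bound for the query window

if __name__ == "__main__":
    print(pim_audit_filter(SINCE), analyze_activations(SAMPLE_RECORDS), sep="\n")
```

The filter string is what you would pass as the `$filter` query parameter to the Graph directoryAudits endpoint; the analysis functions work unchanged on the JSON `value` array that call returns.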
Key PIM Audit Event Categories
For the SC-300 exam, know these key categories of PIM audit events:
1. Role Management Events:
- Add member to role (eligible or active)
- Remove member from role
- Role setting changes
2. Role Activation Events:
- User activates role
- User deactivates role
- Activation expires
- Activation requires approval
3. Approval Events:
- Approval request created
- Approval granted
- Approval denied
- Approval request timed out
4. Access Review Events:
- Access review created
- Access review completed
- Review result applied
- User reviewed (approved/denied)
5. Alert Events:
- Alert triggered (e.g., too many Global Administrators)
- Alert dismissed
- Alert remediated
Configuring Long-Term Retention
A common exam scenario involves ensuring PIM audit data is retained beyond the default 30-day period. The solution is:
1. Go to Microsoft Entra admin center > Monitoring > Diagnostic settings
2. Create a new diagnostic setting
3. Select AuditLogs (and optionally SignInLogs)
4. Choose a destination:
- Log Analytics workspace – for querying and visualization
- Azure Storage account – for long-term archival
- Azure Event Hubs – for streaming to external SIEM
5. Save the diagnostic setting
This is critical because without this configuration, PIM audit data is only available for 30 days.
PIM Alerts and Their Audit Trail
PIM generates security alerts that are also captured in the audit history. Key alerts to know:
- Roles are being assigned outside of PIM: Someone is making direct permanent role assignments bypassing PIM
- Too many Global Administrators: The number of Global Administrators exceeds the recommended threshold
- Roles don't require MFA for activation: Privileged roles are configured without MFA requirement
- Users aren't using their privileged roles: Eligible assignments exist but are rarely activated
- Potential stale role assignments: Role assignments that haven't been used recently
Integration with Access Reviews
PIM audit history also captures access review activities. When an access review is created for PIM roles:
- The creation of the review is logged
- Each reviewer's decision (approve/deny/don't know) is logged
- The application of review results (removing access, maintaining access) is logged
- Any auto-applied results for non-responsive reviewers are logged
This provides a complete audit trail showing that privileged access is being regularly reviewed and certified.
Permissions Required to View PIM Audit History
Know these permission requirements for the exam:
- Global Administrator: Can view all PIM audit history for Microsoft Entra roles
- Privileged Role Administrator: Can view all PIM audit history for Microsoft Entra roles
- Security Reader: Can view PIM audit logs (read-only)
- Security Administrator: Can view PIM audit logs
- Reports Reader: Can view Microsoft Entra reports including PIM data
- For Azure resource roles, the Owner or User Access Administrator of the resource can view the resource audit
- Any user can view their own My Audit history
===== Exam Tips: Answering Questions on PIM Audit History and Reports =====
Tip 1: Know the Difference Between Resource Audit and My Audit
Exam questions often test whether you understand that Resource Audit shows all PIM activities for a given resource or directory, while My Audit shows only the current user's personal PIM activity. If a question asks how a user can see their own activation history, the answer is My Audit.
Tip 2: Retention Period Questions Are Common
Remember that Microsoft Entra audit logs have a 30-day default retention for P1/P2 licenses. If a question asks how to retain PIM audit data for 1 year or longer, the answer involves configuring diagnostic settings to export to Azure Storage (for archival) or Log Analytics (for querying). Never select "change the retention setting in PIM" — that option doesn't exist.
Tip 3: Know the Diagnostic Settings Destinations
When asked about integrating PIM audit data with external systems:
- Log Analytics workspace = for KQL queries, workbooks, and dashboards
- Azure Storage account = for long-term archival and compliance
- Event Hubs = for streaming to third-party SIEM solutions
- Microsoft Sentinel = for advanced threat detection (uses Log Analytics under the hood)
Tip 4: Understand Which Roles Can Access Audit Data
If a question asks which role is needed to view PIM audit history, remember that Global Administrator, Privileged Role Administrator, and Security Administrator can all view PIM audit logs. Security Reader has read-only access. Don't confuse this with Global Reader, which has more limited PIM visibility.
Tip 5: Recognize PIM Alert Scenarios
Exam questions may describe a scenario and ask which PIM alert would be triggered. For example: "An admin notices that role assignments are being made directly in Microsoft Entra ID without using PIM" — the alert is "Roles are being assigned outside of PIM."
Tip 6: Distinguish Between Microsoft Entra Roles and Azure Resource Roles
PIM audit history works for both Microsoft Entra roles (like Global Administrator, Exchange Administrator) and Azure resource roles (like Subscription Owner, Resource Group Contributor). Exam questions may test whether you navigate to the correct blade. Microsoft Entra role audits are under the Microsoft Entra roles section; Azure resource role audits are under the Azure resources section.
Tip 7: Know What Information Is Captured in an Activation Event
If asked what details are logged when a user activates a PIM role, remember: user identity, role name, target resource, timestamp, justification/reason, ticket number (if configured), approval status, activation duration, and IP address.
Tip 8: Access Reviews + Audit Trail Questions
If a question asks how to prove that privileged access was regularly reviewed for compliance purposes, the answer involves both access reviews (to perform the actual review) and PIM audit history (to provide the evidence trail). Access review results are captured in audit logs.
Tip 9: Microsoft Graph API for Automation
If a question describes a scenario requiring automated or programmatic access to PIM audit data, the answer is the Microsoft Graph API using the directoryAudits endpoint. You can filter by the service name "PIM" to isolate PIM-specific events.
Tip 10: Watch for "Least Privilege" Traps
Many questions test least privilege. If asked what is the minimum role needed to view PIM audit history (without making changes), the answer is typically Security Reader — not Global Administrator or Privileged Role Administrator, which would be over-privileged for read-only scenarios.
Tip 11: Know the Workbooks
Microsoft provides PIM-specific Azure Monitor Workbooks that can visualize role activation trends, approval patterns, and more. If a question asks about creating dashboards or visual reports for PIM activity, the answer often involves Azure Monitor Workbooks connected to a Log Analytics workspace receiving Microsoft Entra audit logs.
Tip 12: Scenario-Based Question Strategy
For scenario questions about PIM auditing, follow this decision tree:
- Need to view who activated a role? → PIM Resource Audit
- Need to view your own activations? → PIM My Audit
- Need long-term retention? → Diagnostic settings to Azure Storage or Log Analytics
- Need to send data to a SIEM? → Diagnostic settings to Event Hubs or Microsoft Sentinel connector
- Need automated reporting? → Microsoft Graph API or KQL queries in Log Analytics
- Need to prove compliance? → Access reviews + audit logs exported for long-term retention
By mastering these concepts and exam strategies, you will be well-prepared to answer any SC-300 question related to PIM Audit History and Reports with confidence.