In this blog post, I will demonstrate the steps to export the Entra ID PIM role assignments report to a CSV file. PIM (Privileged Identity Management) roles allow organizations to manage, control, and monitor access to important resources. Essentially, PIM enables just-in-time privileged access.
A PIM role may grant elevated rights to certain areas in Entra ID. For example, the Application administrator role lets users create and manage all aspects of app registrations and enterprise apps. Leaving this role assigned to a user for longer than required could therefore pose a security risk. Once the work related to app registration is completed, you can remove the PIM role assignment for the user.
You can generate a PIM role assignment report from Entra ID to review all users with privileged roles. This report helps identify users who may have been incorrectly assigned a PIM role, allowing administrators to take corrective action. Regularly generating and analyzing this report ensures better access control, reduces security risks, and helps maintain the principle of least privilege by removing unnecessary role assignments. This proactive approach strengthens security and prevents unauthorized access to sensitive resources.
Export PIM role assignments from Entra ID
Let’s check the steps to export the PIM role assignments report from the Entra admin center:
- Sign in to the Microsoft Entra admin center > Identity > Identity Governance > Privileged Identity Management > Microsoft Entra roles.
- Click on Roles > Export to export the PIM role assignments in a CSV file.
- The report has been exported successfully. In the CSV file, you will find the following information:
  - Assignment State
  - User Group Name
  - Role Name
  - PrincipalName
  - Member Type
  - Assignment Start Time (UTC)
  - Assignment End Time (UTC)
- Review the list for each user and check whether the user should have the PIM role assigned. If a PIM role is not required for a user, you can remove the role and re-export the report. You can also keep a monthly copy of the report for your records.
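
To support the review step and the monthly copies, here is an added example (not part of the original post) that reads two exports, flags active assignments with no end time, and lists assignments that are new since the previous month. The function names `load`, `standing_access` and `new_since` are hypothetical, the sample rows are constructed, and the `Active`/`Eligible` values, the timestamp format and the treatment of an empty or `Permanent` end time as "never expires" are assumptions to check against your own export.

```python
import csv
import io

# Column names as listed in the export above.
KEY_COLS = ("Role Name", "PrincipalName", "Assignment State")
END_COL = "Assignment End Time (UTC)"

# Constructed sample exports; cell values and timestamp format are assumptions.
LAST_MONTH = """Assignment State,User Group Name,Role Name,PrincipalName,Member Type,Assignment Start Time (UTC),Assignment End Time (UTC)
Active,Alice Admin,Global Administrator,alice@example.com,Direct,2024-01-10T09:00:00Z,
Eligible,Bob Builder,Application Administrator,bob@example.com,Direct,2024-02-01T09:00:00Z,2024-08-01T09:00:00Z
"""
THIS_MONTH = LAST_MONTH + """Active,Carol Contractor,Application Administrator,carol@example.com,Direct,2024-03-05T09:00:00Z,
Eligible,Dave Dev,User Administrator,dave@example.com,Group,2024-03-07T09:00:00Z,2024-09-07T09:00:00Z
"""

def load(text):
    """Parse an exported report into a list of dicts with trimmed values."""
    rows = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))  # drop a BOM if present
    return [{k.strip(): (v or "").strip() for k, v in r.items()} for r in rows]

def key(row):
    """Identity of an assignment for month-to-month comparison."""
    return tuple(row[c].lower() for c in KEY_COLS)

def standing_access(rows):
    """Active assignments with no end time: privileged access that never expires."""
    return [r for r in rows
            if r["Assignment State"].lower() == "active"
            and r[END_COL].lower() in ("", "permanent")]

def new_since(previous, current):
    """Assignments in the current export that were absent from the previous one."""
    seen = {key(r) for r in previous}
    return [r for r in current if key(r) not in seen]

if __name__ == "__main__":
    prev, cur = load(LAST_MONTH), load(THIS_MONTH)
    for r in standing_access(cur):
        print("STANDING", r["Role Name"], r["PrincipalName"])
    for r in new_since(prev, cur):
        print("NEW     ", r["Role Name"], r["PrincipalName"], r["Assignment State"])
```

To run it on real exports, replace the two sample strings with the contents of last month's and this month's CSV files.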