Permissions

Overview

This page describes the permissions and access model for this agent. The agent uses read-only access to Privileged Identity Management (PIM) data, audit logs, and identity activity information through Security Copilot Plugins. It is designed to analyze PIM activations, privileged access behavior, and compliance metrics without making any configuration changes.


How It Works

The agent connects securely to your Microsoft Entra environment through Security Copilot Plugins to retrieve PIM activation data, audit logs, and sign-in information. It evaluates role usage patterns, checks compliance with activation policies, and detects anomalies in privileged activity. Optionally, the agent can generate Azure Workbooks for continuous PIM monitoring and visualization.

All interactions follow these principles:

  • Read-only access: The agent does not modify or assign roles, change PIM settings, or alter audit data.

  • Least privilege: Only the permissions required to read PIM and audit data are used.

  • Transparency: All data access is auditable in Microsoft Entra and follows Microsoft compliance standards.


Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

  • Privileged Role Administrator: Provides visibility into PIM role assignments and activation history.

  • Security Reader: Grants access to security insights and identity risk data.

  • Reports Reader: Allows access to usage and audit reports.

  • Global Reader: Enables read-only access across the Entra ID tenant for comprehensive analysis.

These roles represent the recommended least-privilege configuration. Adjust based on your organization’s security and compliance policies.


Data Access Transparency

The following list outlines the data the agent can access (all of it read-only) and the purpose of each access.

  • PIM role activations and assignments (read-only): To evaluate activation frequency, role usage, and least-privilege compliance.

  • Audit logs (read-only): To trace activation events, MFA verification, and approval workflows.

  • Sign-in and identity risk logs (read-only): To identify anomalous privileged access behavior.

  • Role definitions and policies (read-only): To assess configuration alignment with internal governance standards.

Data handling:

  • The agent does not modify, delete, or export data outside the tenant boundary.

  • All access occurs through Security Copilot Plugins using delegated or application-level permissions.

  • Access events are recorded in Microsoft Entra audit logs for visibility and traceability.


Agent Settings

When running the agent, you can configure optional settings to refine analysis and reporting output.

  • TimeRange (example: 30 or 2025-01-01/2025-01-31): Defines the period for analyzing PIM activation events.

  • GenerateWorkbook (example: true): Generates an Azure Workbook file for continuous PIM monitoring.

  • OutputFormat (example: summary or detailed): Specifies the level of report detail and included metrics.

Example Queries

  • "Analyze PIM activations for the last 30 days"

  • "Show me Global Administrator access this week"

  • "Generate PIM compliance report for last quarter"

  • "Detect anomalies in privileged access with Azure Workbook"
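The TimeRange setting above accepts either a day count ("30") or an explicit start/end window ("2025-01-01/2025-01-31"), and the example queries ("last 30 days") map onto the same idea. The following is an added illustration written for this page, not the agent's own parser: it resolves both forms into a concrete inclusive date window and rejects the inputs that would make an analysis meaningless (reversed windows, future end dates, a window shorter than the 7-day minimum named under Data Requirements). The MAX_DAYS bound and the rule that "30" means the 30 calendar days ending today are assumptions.

```python
"""Parse the TimeRange agent setting into a concrete inclusive date window.

Added illustration written for this page; the agent's own parser is not
published here. Accepts the two forms shown in the settings table:
  "30"                     -> the last 30 calendar days, ending today
  "2025-01-01/2025-01-31"  -> an explicit start/end window (inclusive)
"""
from datetime import date, timedelta
from typing import Optional, Tuple

MAX_DAYS = 366   # assumed upper bound; rejects typos such as "3000"


def _reference_day(today_iso: Optional[str]) -> date:
    """Day the relative form counts back from (defaults to the real today)."""
    return date.fromisoformat(today_iso) if today_iso else date.today()


def window_days(start: date, end: date) -> int:
    """Number of calendar days covered by an inclusive window."""
    return (end - start).days + 1


def parse_time_range(value: str, today_iso: Optional[str] = None) -> Tuple[date, date]:
    """Return (start, end) dates for a TimeRange value, or raise ValueError."""
    today = _reference_day(today_iso)
    text = value.strip()

    if text.isdigit():
        days = int(text)
        if not 1 <= days <= MAX_DAYS:
            raise ValueError(f"TimeRange days must be 1..{MAX_DAYS}, got {days}")
        # Assumption: "30" is the 30 calendar days that end today, today included
        return today - timedelta(days=days - 1), today

    if "/" in text:
        start_text, end_text = text.split("/", 1)
        start = date.fromisoformat(start_text.strip())   # ValueError on bad dates
        end = date.fromisoformat(end_text.strip())
        if end < start:
            raise ValueError(f"TimeRange end {end} precedes start {start}")
        if end > today:
            raise ValueError(f"TimeRange end {end} lies in the future")
        if window_days(start, end) > MAX_DAYS:
            raise ValueError(f"TimeRange exceeds {MAX_DAYS} days")
        return start, end

    raise ValueError(f"unrecognised TimeRange value: {value!r}")


def resolve_time_range(value: str, today_iso: Optional[str] = None) -> str:
    """Render the parsed window in the explicit start/end form from the table."""
    start, end = parse_time_range(value, today_iso)
    return f"{start.isoformat()}/{end.isoformat()}"


def meets_minimum_history(value: str, minimum_days: int = 7,
                          today_iso: Optional[str] = None) -> bool:
    """True when the window is at least as long as the 7-day minimum."""
    start, end = parse_time_range(value, today_iso)
    return window_days(start, end) >= minimum_days


if __name__ == "__main__":
    for sample in ("30", "2025-01-01/2025-01-31", "5"):
        print(f"{sample:>24} -> {resolve_time_range(sample, '2025-02-15')}"
              f" (minimum history met: {meets_minimum_history(sample, today_iso='2025-02-15')})")
```

Passing a fixed reference day (today_iso) keeps the relative form reproducible in reports and tests; in production you would leave it at None so the window tracks the current date.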


Azure Workbook Generation

When GenerateWorkbook: true is specified, the agent produces an Azure Workbook configuration file that can be deployed for ongoing PIM monitoring.

The workbook includes dashboards for:

  • Real-time PIM activation trends

  • Failed activation attempts

  • Role usage and frequency metrics

  • Activation reason compliance tracking

  • Anomaly alerts and risk visualization

Deploy the workbook in the Azure portal under: Monitor → Workbooks → Import → Upload Configuration File
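To make the import step concrete, here is an added example (written for this page, not the file the agent generates) that builds and validates a minimal Azure Workbook definition with two of the dashboards listed above: an activation trend and failed activation attempts. It assumes the standard Notebook/1.0 gallery-template layout, a Log Analytics workspace that receives Entra AuditLogs, and that PIM activations can be matched by the substring "PIM activation" in OperationName; adjust that filter to the wording your tenant's audit log uses.

```python
"""Build and validate a minimal Azure Workbook definition for PIM monitoring.

Added example written for this page: it is not the file the agent generates.
Assumptions: Notebook/1.0 gallery-template layout, a Log Analytics workspace
that receives Entra AuditLogs, and a match on the substring "PIM activation"
in OperationName (adjust to your tenant's audit-log wording).
"""
import json
from typing import Dict, List

TREND_KQL = """AuditLogs
| where TimeGenerated > ago({days}d)
| where OperationName has "PIM activation"
| summarize Activations = count() by bin(TimeGenerated, 1d), Result
| render timechart"""

FAILED_KQL = """AuditLogs
| where TimeGenerated > ago({days}d)
| where OperationName has "PIM activation"
| where Result == "failure"
| summarize Attempts = count() by OperationName, bin(TimeGenerated, 1d)"""


def kql_item(title: str, query: str) -> Dict:
    """One Log Analytics query tile (type 3 = KqlItem in the workbook schema)."""
    return {
        "type": 3,
        "content": {
            "version": "KqlItem/1.0",
            "query": query,
            "size": 0,
            "title": title,
            "queryType": 0,   # 0 = Azure Monitor logs (Log Analytics)
            "resourceType": "microsoft.operationalinsights/workspaces",
        },
    }


def build_workbook(days: int = 30) -> Dict:
    """Assemble the workbook document: a heading plus two query tiles."""
    if days < 1:
        raise ValueError("days must be positive")
    return {
        "version": "Notebook/1.0",
        "items": [
            # type 1 = text tile; "json" holds the markdown body
            {"type": 1, "content": {"json": f"## PIM activation monitoring (last {days} days)"}},
            kql_item("Activation trend by result", TREND_KQL.format(days=days)),
            kql_item("Failed activation attempts", FAILED_KQL.format(days=days)),
        ],
        "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json",
    }


def validate_workbook(doc: Dict) -> List[str]:
    """Return a list of problems; an empty list means the document looks importable."""
    problems: List[str] = []
    if doc.get("version") != "Notebook/1.0":
        problems.append("version must be Notebook/1.0")
    for index, item in enumerate(doc.get("items", [])):
        content = item.get("content", {})
        if item.get("type") == 3:
            if not content.get("query", "").strip():
                problems.append(f"item {index}: empty query")
            if "resourceType" not in content:
                problems.append(f"item {index}: missing resourceType")
    if not doc.get("items"):
        problems.append("no items")
    return problems


def write_workbook(path: str, days: int = 30) -> None:
    """Serialise a validated workbook to JSON for Monitor > Workbooks > Import."""
    doc = build_workbook(days)
    problems = validate_workbook(doc)
    if problems:
        raise ValueError("; ".join(problems))
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(doc, handle, indent=2)


if __name__ == "__main__":
    print(json.dumps(build_workbook(30), indent=2))
```

Validating before writing catches the common import failures (a tile with no query, or one with no resource type to run it against) on the workstation rather than in the portal.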


Data Requirements

To ensure accurate and meaningful results, verify that:

  • PIM is actively used with role activations occurring regularly.

  • Activation reasons are required in PIM policy for compliance analysis.

  • At least 7–30 days of activation data is available.

  • MFA is enforced for PIM activations.

  • Audit logging is enabled in Microsoft Entra.
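The checks listed under Data Access Transparency (activation frequency, role usage, reason and MFA compliance, anomalous privileged access) and the prerequisites in this Data Requirements list can be demonstrated on a handful of events. The following is an added example written for this page, not the agent's own logic, and it runs on constructed sample records: the field names (time, user, role, reason, mfa, result) and the 08:00 to 18:00 UTC business-hours window are assumptions, not the agent's schema or the Entra audit-log format. The sample deliberately spans only five days so the history check reports a shortfall.

```python
"""Evaluate a batch of PIM activation events against the checks this page lists.

Added example written for this page with constructed sample data. The event
field names and the business-hours window are assumptions, not the agent's
schema or the Entra audit-log format.
"""
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample: five activation events across five days
SAMPLE_ACTIVATIONS: List[Dict] = [
    {"time": "2025-01-06T09:12:00Z", "user": "alice@contoso.example",
     "role": "Global Administrator", "reason": "Ticket 1042: tenant setting change",
     "mfa": True, "result": "success"},
    {"time": "2025-01-07T10:05:00Z", "user": "alice@contoso.example",
     "role": "Global Administrator", "reason": "Ticket 1051: conditional access review",
     "mfa": True, "result": "success"},
    {"time": "2025-01-08T14:30:00Z", "user": "bob@contoso.example",
     "role": "Security Administrator", "reason": "",
     "mfa": True, "result": "success"},
    {"time": "2025-01-09T03:45:00Z", "user": "bob@contoso.example",
     "role": "Global Administrator", "reason": "urgent",
     "mfa": False, "result": "success"},
    {"time": "2025-01-10T11:00:00Z", "user": "carol@contoso.example",
     "role": "User Administrator", "reason": "Ticket 1060: onboarding",
     "mfa": True, "result": "failure"},
]

MIN_HISTORY_DAYS = 7            # the lower end of the 7-30 day requirement
BUSINESS_HOURS = range(8, 18)   # UTC; assumed working window for the tenant
Key = Tuple[str, str, str]      # (time, user, role) identifies an event in findings


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def history_days(events: List[Dict]) -> int:
    """Calendar days spanned by the data, first to last event inclusive."""
    if not events:
        return 0
    times = [parse_time(e["time"]) for e in events]
    return (max(times) - min(times)).days + 1


def key(event: Dict) -> Key:
    return (event["time"], event["user"], event["role"])


def compliance_report(events: List[Dict]) -> Dict:
    """Summarise frequency, reason/MFA compliance and off-hours activity.

    Compliance checks apply to granted activations only: a failed attempt
    never conferred access, so it is counted but not judged.
    """
    granted = [e for e in events if e["result"] == "success"]
    return {
        "total": len(events),
        "failed": len(events) - len(granted),
        "history_days": history_days(events),
        "enough_history": history_days(events) >= MIN_HISTORY_DAYS,
        "per_role": Counter(e["role"] for e in granted),
        # Reason compliance: access granted with no justification recorded
        "missing_reason": [key(e) for e in granted if not e["reason"].strip()],
        # MFA compliance: access granted without a second factor
        "no_mfa": [key(e) for e in granted if not e["mfa"]],
        # Anomaly candidate: privileged access outside the assumed working hours
        "off_hours": [key(e) for e in granted
                      if parse_time(e["time"]).hour not in BUSINESS_HOURS],
    }


def role_activators(events: List[Dict], role: str) -> Counter:
    """Who activated a role and how often, as in 'Show me Global Administrator access'."""
    return Counter(e["user"] for e in events
                   if e["role"] == role and e["result"] == "success")


if __name__ == "__main__":
    report = compliance_report(SAMPLE_ACTIVATIONS)
    for name, value in report.items():
        print(f"{name:>15}: {value}")
    print("Global Administrator:", dict(role_activators(SAMPLE_ACTIVATIONS, "Global Administrator")))
```

On the sample, the one event that trips both the MFA check and the off-hours check is the same Global Administrator activation, which is the kind of overlap a reviewer would want surfaced first; the report keeps the findings as separate lists so each can be tied back to the policy it violates.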


Security and Compliance Considerations

  • All communication through Security Copilot Plugins is encrypted using HTTPS and authenticated via Microsoft identity services.

  • The agent adheres to Microsoft’s zero trust and least privilege principles.

  • Access can be reviewed or revoked at any time through Entra ID role assignments or application consent management.


Next Steps

  • Confirm that the administrator account has all required roles assigned.

  • Run the agent to analyze PIM activation activity and compliance status.

  • Deploy the optional Azure Workbook for continuous privileged access monitoring.
