
Who Gets PIM Notifications?

Published Aug 29, 2025 4 min read

Anyone can receive Privileged Identity Management (PIM) notifications, depending on the role, the specific event that triggers the notification, and how the notification settings are configured.

By default, notifications are sent to the user who performed the action, the administrator who assigned the role, and any designated approvers or reviewers. The notification system can also be customized on a per-role basis to include additional users or groups, or to suppress certain emails.

Who receives notifications by role and event

**1. The End User (Assignee)** The user who has an eligible or time-bound assignment to a privileged role will receive notifications about their own role status. Key notifications for the end user include:

  • When a privileged role has been assigned to them.
  • When their eligibility to activate a role is about to expire.
  • When their active role assignment has expired.
  • When their request to activate, extend, or renew a role has been completed.
  • When they are part of an access review campaign, they are notified to review their own access.

**2. The Administrator (Privileged Role Administrator, Global Administrator)** Administrators responsible for managing PIM and privileged roles receive notifications related to user activities and potential security risks.

  • Role Activation Requests: Notifications are sent when a user requests to activate an eligible role. This is particularly important for roles requiring approval.
  • Approval Decisions: All administrators and approvers receive a notification when an approval request is approved or denied.
  • Role Changes: Notifications alert administrators when a user's role is activated, extended, or renewed.
  • Role Assignments Outside of PIM: PIM is designed to detect and notify administrators of privileged role assignments that are made outside of the PIM interface. This is a critical security alert.
  • Security Alerts: Administrators are notified of other suspicious or unsafe activities, such as roles being activated too frequently or too many permanent Global Administrators existing.
  • Weekly Digest: Administrators receive a weekly digest email summarizing PIM activity for Microsoft Entra roles, including the number of activated roles and new assignments.

**3. The Approver** In role settings where a request must be approved, the designated approver (or approvers) receives specific notifications.

  • Pending Approval: Approvers receive an email when a user submits a request for a privileged role activation that is pending their review.
  • Approval Resolved: Approvers are notified after a request is approved or denied by another approver.

**4. The Reviewer** During a PIM access review campaign, designated reviewers are notified to evaluate the access of users or groups.

  • Access Review Pending: Reviewers receive an email prompting them to perform their access review before a specified end date.
  • Review Completion: Notifications are sent once the review has been completed and the decisions have been applied.

Notification customization and control

Organizations can fine-tune who receives notifications and what triggers them, allowing for a more focused and effective security posture.

**Configuration by role:** Notification settings are configured per role. This allows for granular control, such as sending alerts for highly sensitive roles (like Global Administrator) to a different group than less critical roles.

**Customization options:** For each notification type, administrators can customize the recipients:

  • Turn off emails: Disable specific email notifications entirely.
  • Send to additional recipients: Add extra email addresses, including mail-enabled security groups or the address for a Teams channel, to receive copies of notifications.
  • Send only critical emails: Filter out less urgent notifications, such as assignment extension emails, and only send those that require immediate action, like an approval request.

**Notification settings location:** Notification settings for a specific role can be accessed in the Microsoft Entra admin center by navigating to Identity Governance > Privileged Identity Management > Microsoft Entra roles > Roles and then selecting the specific role and its Settings. For security alerts, the settings are configured under Alerts > Settings.
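An added example, not part of the original article and not Microsoft's own code: a Python audit of per-role notification settings that flags rules where the default recipients were turned off or only critical emails are sent. It assumes the settings were exported as JSON shaped like Microsoft Graph `unifiedRoleManagementPolicyNotificationRule` objects; the role-to-rules layout, the sample values and the `audit_notification_rules` helper are constructed for illustration.

```python
import json

# Constructed sample: notification rules for two roles, shaped like Microsoft
# Graph unifiedRoleManagementPolicyNotificationRule objects (assumed export
# format). Addresses and settings are made up for illustration.
SAMPLE = json.loads("""
{
  "Global Administrator": [
    {"id": "Notification_Admin_EndUser_Assignment", "recipientType": "Admin",
     "notificationLevel": "All", "isDefaultRecipientsEnabled": true,
     "notificationRecipients": ["soc@example.com"]},
    {"id": "Notification_Approver_EndUser_Assignment", "recipientType": "Approver",
     "notificationLevel": "Critical", "isDefaultRecipientsEnabled": true,
     "notificationRecipients": []}
  ],
  "Exchange Administrator": [
    {"id": "Notification_Admin_EndUser_Assignment", "recipientType": "Admin",
     "notificationLevel": "All", "isDefaultRecipientsEnabled": false,
     "notificationRecipients": []},
    {"id": "Notification_Requestor_EndUser_Assignment", "recipientType": "Requestor",
     "notificationLevel": "Critical", "isDefaultRecipientsEnabled": false,
     "notificationRecipients": ["helpdesk@example.com"]}
  ]
}
""")

def audit_notification_rules(policies):
    """Return (role, rule_id, finding) tuples for rules that narrow who is told."""
    findings = []
    for role, rules in sorted(policies.items()):
        for rule in rules:
            default_on = rule.get("isDefaultRecipientsEnabled", True)
            extra = rule.get("notificationRecipients") or []
            if not default_on and not extra:
                # Default emails turned off and nobody added: the event is silent.
                findings.append((role, rule["id"], "no recipients"))
            elif not default_on:
                findings.append((role, rule["id"], "additional recipients only"))
            if rule.get("notificationLevel") == "Critical" and (default_on or extra):
                findings.append((role, rule["id"], "critical emails only"))
    return findings

if __name__ == "__main__":
    for role, rule_id, finding in audit_notification_rules(SAMPLE):
        print(f"{role}: {rule_id}: {finding}")
```

A "no recipients" finding on a sensitive role is the one to review first, since the corresponding event produces no email at all.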

Conclusion

PIM notifications are a cornerstone of a secure privileged access strategy, ensuring that all relevant stakeholders are informed of critical and potentially risky activities. While administrators, approvers, and assignees are the core recipients, the system's strength lies in its configurability. By customizing notification settings on a per-role and per-event basis, organizations can create a robust and automated alerting system that aligns with their specific security requirements, minimizing the risk of a breach caused by misused privileged access.
