Introduction
We have reached part 3 of this blog series, which brings us to one of my favorite features in Azure AD: Azure AD access reviews. When it comes to Identity Governance, access reviews are both useful and powerful, because they let us keep control over who has access to what.
In the past, we created or invited user accounts and disabled them when HR sent an e-mail. That was never foolproof. Today our tenants also contain guests, contractors, partners, and other types of users, and in most scenarios HR has no visibility of these accounts at all.
In my previous blog, we looked at granting access to company resources with Azure AD access packages. Access reviews are a highly recommended addition when you work with access packages.
With Azure AD access reviews, you periodically verify that only legitimate users still have access to company resources, and you remove the access of those who no longer need it.
Use cases
Access reviews can be helpful in the following situations:
- Employees no longer need access to a Microsoft Team (or its group), and you want to be sure that access is actually removed.
- Staying in control of data access when employees join, move within, or leave the organization.
- Making sure that access to business-critical data is reviewed on a regular basis.
- Making sure newly hired employees have the access they need to be productive, without accumulating access they don't need.
- Meeting the organization's security and compliance requirements.
Requirements
Before we start with the steps, here are the requirements for using Azure AD access reviews:
- An Azure AD Premium P2 license
- You must be assigned the Global Administrator or User Administrator role
- Alternatively, the owner of a Microsoft 365 or security group can create reviews for that group (a preview feature at the time of writing)
Access reviews in action
Now let's start configuring an access review.
1. Browse to the Identity Governance section: Azure Portal > Azure Active Directory > Identity Governance > Access Reviews > New access review.
2. Select the type of review you want to create. There are two options: review access to Teams + Groups, or review access to an application.
The difference between the two:
- Teams + Groups: reviews the membership of a specific Microsoft Team or Microsoft 365 group.
- Application: reviews the users assigned to an application (most likely an enterprise application).
3. In my example, we create an access review for the LinkedIn application with the All users review scope. You can also choose Guest users only if guests are your only concern.
4. Specify the reviewers, the duration in days, the review recurrence, and the start date of this access review.
The options for the reviewers are:
Selected user(s) or group(s):
Choose this if a specific user or group should review access to this application (or group).
Users review their access:
Choose this to let each user review their own access (self-service).
Managers of users:
With this option, the Manager attribute of each reviewed user account (in AD/Azure AD) determines the reviewer. Make sure the attribute is populated, and configure a fallback reviewer for users who have no manager set; otherwise nobody reviews them.
Now specify the duration in days, the recurrence, and the start date. These fields are mandatory.
5. Specify the settings and the actions that are taken when the access review completes.
Some settings I want to highlight:
Auto apply results to resource:
When enabled, denied users are removed from the application or group automatically when the review ends; when disabled, an administrator has to apply the results manually. Note that removing the assignment only revokes access to that resource: the user can still sign in to the tenant.
Action to apply on denied guest users: (only visible when you chose Guest users only in step 3)
There are two options. The first, Remove user's membership from resource, removes the guest's access to the resource but leaves the account able to sign in. The second, Block user from signing-in for 30 days, then remove user from the tenant, denies access immediately and disables the account, keeps the disabled account for 30 days, and removes it from the tenant after that.
6. Specify the review name and description, and create the access review.
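The same review as in steps 1 to 6, created through Microsoft Graph instead of the portal. This is an added example, not code from the original post: it builds the documented accessReviewScheduleDefinition body and posts it to the access review definitions endpoint. It targets a Teams + Groups review of one group's membership (an application review uses a different scope query, not shown here), and the group ID, reviewer IDs, display name and dates are placeholders. The mapping from the portal's choices (reviewer type, Guest users only, auto-apply, action on denied guests) to the Graph fields is the part worth reading.

```python
"""Create an Azure AD access review of a group's members via Microsoft Graph.

Added example, not code from the original post. It builds the documented
accessReviewScheduleDefinition body for
POST https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
All IDs, names and dates below are placeholders.
"""
import json
import urllib.request
from datetime import date

DEFINITIONS_URL = ("https://graph.microsoft.com/v1.0/identityGovernance"
                   "/accessReviews/definitions")


def reviewers_for(mode, reviewer_id=None):
    """Map the portal's 'Reviewers' choice onto Graph reviewer scopes.

    selected -> one user (a group would use /groups/{id}/transitiveMembers)
    self     -> no reviewers: Graph treats an empty list as self-review
    managers -> './manager' evaluated per reviewed user (queryRoot 'decisions')
    """
    if mode == "selected":
        if not reviewer_id:
            raise ValueError("selected reviewers need a user or group id")
        return [{"query": f"/users/{reviewer_id}", "queryType": "MicrosoftGraph"}]
    if mode == "self":
        return []
    if mode == "managers":
        return [{"query": "./manager", "queryType": "MicrosoftGraph",
                 "queryRoot": "decisions"}]
    raise ValueError(f"unknown reviewer mode: {mode}")


def build_group_review(group_id, display_name, reviewer_mode, reviewer_id=None,
                       fallback_reviewer_id=None, guests_only=False,
                       duration_days=14, start_date=None, every_months=3,
                       auto_apply=True, denied_guest_action="remove"):
    """Return the request body for a recurring review of one group's membership.

    start_date is 'YYYY-MM-DD' (defaults to today); the review repeats every
    `every_months` months and each instance stays open `duration_days` days.
    """
    start = date.fromisoformat(start_date) if start_date else date.today()

    # Review scope: all transitive members, or guests only (step 3 in the text).
    query = f"/groups/{group_id}/transitiveMembers"
    if guests_only:
        query += "/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')"

    # 'Block sign-in for 30 days, then remove' is only offered for guest-only reviews.
    if denied_guest_action == "disable_and_delete":
        if not guests_only:
            raise ValueError("disable_and_delete is only valid for guest-only reviews")
        apply_action = "#microsoft.graph.disableAndDeleteUserApplyAction"
    elif denied_guest_action == "remove":
        apply_action = "#microsoft.graph.removeAccessApplyAction"
    else:
        raise ValueError(f"unknown denied-guest action: {denied_guest_action}")

    # Manager-based reviews need a fallback for users with no manager attribute.
    if reviewer_mode == "managers" and not fallback_reviewer_id:
        raise ValueError("manager-based reviews need a fallback reviewer")

    body = {
        "displayName": display_name,
        "descriptionForReviewers": "Confirm that each member still needs this access.",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": query,
            "queryType": "MicrosoftGraph",
        },
        "reviewers": reviewers_for(reviewer_mode, reviewer_id),
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,  # the reason asked for on Approve
            "defaultDecisionEnabled": False,          # no decision -> access is kept
            "defaultDecision": "None",
            "instanceDurationInDays": duration_days,
            "autoApplyDecisionsEnabled": auto_apply,  # 'Auto apply results to resource'
            "recommendationsEnabled": True,
            "applyActions": [{"@odata.type": apply_action}],
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": every_months,
                            "dayOfMonth": start.day},
                "range": {"type": "noEnd", "startDate": start.isoformat()},
            },
        },
    }
    if fallback_reviewer_id:
        body["fallbackReviewers"] = [{"query": f"/users/{fallback_reviewer_id}",
                                      "queryType": "MicrosoftGraph"}]
    return body


def create_review(access_token, body):
    """POST the definition; the token needs the AccessReview.ReadWrite.All scope."""
    req = urllib.request.Request(
        DEFINITIONS_URL, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    review = build_group_review(
        group_id="00000000-0000-0000-0000-000000000001",   # placeholder group
        display_name="Quarterly guest review - Project Falcon",
        reviewer_mode="managers",
        fallback_reviewer_id="00000000-0000-0000-0000-000000000002",
        guests_only=True, denied_guest_action="disable_and_delete",
        start_date="2024-01-15")
    print(json.dumps(review, indent=2))
```

Run it without a token to inspect the generated body; pass the output of `build_group_review` to `create_review` with a delegated token that carries AccessReview.ReadWrite.All to actually create the review. Two of the checks mirror what the portal enforces: the 30-day block-and-delete action is refused unless the scope is guests only, and a manager-based review is refused without a fallback reviewer.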
User experience
1. The user (in the case of self-review) or the reviewer receives an e-mail asking them to review the access (in our case, to the LinkedIn application).
2. To start the review, click Start review in the e-mail, or browse to the My Access portal, which lists the currently open access reviews.
3. Clicking the access review shows an overview of the decisions that need to be made. In my case, I chose All users as the review scope (step 3 in the previous chapter).
4. For each user, decide whether to Approve, Deny, Don't know, or accept the recommendation.
I want to highlight the Don't know button: choosing it lets the user keep their access, and your choice is recorded in the audit log.
5. If you Approve the access, you are asked for a reason. Fill in the reason and click Submit.
6. The result appears in the My Access portal and, in the Azure Portal, under Identity Governance.
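Besides the portal, the decisions of a finished review instance can be read through Microsoft Graph at GET /identityGovernance/accessReviews/definitions/{definitionId}/instances/{instanceId}/decisions. The following added example (not from the original post) summarises such decision items offline. SAMPLE_DECISIONS is a constructed set of trimmed accessReviewInstanceDecisionItem records, one per decision type, with field names following the Graph schema. It surfaces the two things to check after a review: denied users whose removal has not been applied (the list an admin would otherwise apply by hand when auto-apply is off), and users who still have access although the recommendation was Deny, which includes every Don't know decision.

```python
"""Summarise the decisions of a completed Azure AD access review instance.

Added example, not code from the original post. Operates on the decision
items that GET .../accessReviews/definitions/{id}/instances/{id}/decisions
returns; SAMPLE_DECISIONS below is a constructed sample, not real tenant data.
"""
from collections import Counter

# Constructed sample of accessReviewInstanceDecisionItem objects (fields trimmed).
SAMPLE_DECISIONS = [
    {"principal": {"userPrincipalName": "alice@contoso.example"},
     "decision": "Approve", "recommendation": "Approve",
     "justification": "Still uses LinkedIn for recruiting", "applyResult": "New"},
    {"principal": {"userPrincipalName": "bob_partner.example#EXT#@contoso.example"},
     "decision": "Deny", "recommendation": "Deny",
     "justification": "Project ended", "applyResult": "AppliedSuccessfully"},
    {"principal": {"userPrincipalName": "carol@contoso.example"},
     "decision": "Deny", "recommendation": "Deny",
     "justification": "Moved teams", "applyResult": "AppliedWithUnknownFailure"},
    {"principal": {"userPrincipalName": "dave@contoso.example"},
     "decision": "DontKnow", "recommendation": "Deny",
     "justification": "", "applyResult": "New"},
    {"principal": {"userPrincipalName": "erin@contoso.example"},
     "decision": "NotReviewed", "recommendation": "Deny",
     "justification": "", "applyResult": "New"},
]

# Every decision except Deny leaves the user's access in place, including
# 'Don't know' and reviews the reviewer never acted on.
KEEPS_ACCESS = {"Approve", "DontKnow", "NotReviewed", "NotNotified"}


def summarise(decisions):
    """Return per-decision counts plus the cases an admin must follow up on."""
    counts = Counter(d["decision"] for d in decisions)

    # Denied, but the removal has not been applied (or failed). With auto-apply
    # off this is exactly what the portal's 'Apply' button would act on.
    pending_removal = [d["principal"]["userPrincipalName"] for d in decisions
                       if d["decision"] == "Deny"
                       and d["applyResult"] != "AppliedSuccessfully"]

    # Still has access although the built-in recommendation was Deny.
    kept_against_recommendation = [d["principal"]["userPrincipalName"]
                                   for d in decisions
                                   if d["decision"] in KEEPS_ACCESS
                                   and d["recommendation"] == "Deny"]

    # Approvals without a justification, in case the review did not require one.
    unjustified_approvals = [d["principal"]["userPrincipalName"] for d in decisions
                             if d["decision"] == "Approve"
                             and not d.get("justification")]

    return {
        "counts": dict(counts),
        "pending_removal": pending_removal,
        "kept_against_recommendation": kept_against_recommendation,
        "unjustified_approvals": unjustified_approvals,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_DECISIONS)
    print("Decisions:", report["counts"])
    print("Denied but not yet removed:", report["pending_removal"])
    print("Kept access despite Deny recommendation:", report["kept_against_recommendation"])
    print("Approved without justification:", report["unjustified_approvals"])
```

Feed it the `value` array from the decisions endpoint (paging through `@odata.nextLink` if present) instead of SAMPLE_DECISIONS to run it against a real instance. A non-empty `pending_removal` after the review end date means either auto-apply was off or an apply failed, and `kept_against_recommendation` is the list to raise with the reviewers before the next recurrence.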
Final words
This powerful feature keeps us in control of who has access to our Teams, groups, and applications. Feel free to leave a comment if you have questions.
References:
Microsoft docs: https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Microsoft docs for reviewing the access: https://docs.microsoft.com/en-us/azure/active-directory/governance/perform-access-review
Thanks Bilal, very detailed!
Can anybody in the tenant be a reviewer? Does the reviewer require any form of license? E1, E3 or E5?
Any user in an Azure AD tenant can be designated as a reviewer for access reviews. Reviewers do not require any specific license, such as E1, E3, or E5, to perform their reviewing tasks. This flexibility allows organizations to involve various stakeholders in access reviews without additional licensing costs.