Hi There,

This is the third article in the Azure AD Identity Governance series.
Today I would like to show you Access Reviews from the Azure AD Identity Governance perspective.

The previous articles are available here:

Access Reviews Overview

Have you ever wondered whether it is possible to review guest users' group or application membership?

If yes, this is the article for you. Today I will show you how to use Access Reviews for:

  • Access packages
  • Teams + Groups
  • Applications (integrated with our Azure AD)

But before we go deeper, let’s clarify what Access Reviews are, according to the Microsoft documentation:

Access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User’s access can be reviewed on a regular basis to make sure only the right people have continued access.

https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

NOTE!!!

Access reviews are a powerful tool that comes with the Azure AD Premium P2 license level.

So access reviews are scheduled or one-time reviews that check group membership and application access. They can also be used as part of the Access Packages configuration (Lifecycle tab, Access Review section).

Review workflow

The diagram below depicts the workflow for access reviews.

Access reviews overview

Because an access review is an ongoing process, it is hard to point to its start and stop.
But there are 5 elements in this process:

  1. Request notification – As a resource owner or a person assigned to perform the access review, we receive an email notifying us that the process has started for the specific resource type (group, application, access package).
  2. Membership review – Based on our knowledge and the recommendations, we decide whether the user should keep or lose access to the resource.
  3. Membership confirmation – In this step, we confirm that the group of users that were reviewed should keep their access to the resource.
  4. Stale membership removal – Self-explanatory: we remove users who should not have access to the resource, or who have not even used that access for the last 30 days (based on the recommendation).
  5. Status report – At the ‘end’ of the review, the Admin is informed that the access review round has finished and what the results are.

Program

Similar to Access Packages, which were all configured under a Catalog, Access Reviews are grouped under Programs.
A Program is a ‘container’ that helps us group reviews logically (by department, project, etc.).

Review timeline

So this is the workflow, but what is the timeline for it?
It’s easy: we can choose whether it should be done:

  • Once
  • Weekly
  • Monthly
  • Quarterly
  • Semi-annually
  • Annually

Additionally, we can configure Duration for this access review (how many days it will take to finish).
We will describe it later in the Configuration part of the article.

Reviewers

Every review should be done by specific people. With access reviews, we can configure reviewers from the following options:

  • Group Owners – every group has its owner.
  • Selected users or groups – we might decide that the specific users should perform the review.
  • Self-review – users can review their access on their own.
  • Managers of users (in Preview) – This is based on the Manager attribute from Azure AD.

Configuration

We can configure access reviews in two ways:

  1. During the access package configuration
  2. Manually as a part of a separate review (then we need to create Program(s))

Access Package Review

In this article, I’m not going to repeat the information from my previous article but in the Test in lab section, I will show you the results of the Access Reviews for access packages.

Teams/Group/Application access review

Let’s start with something very easy – creating a Program.

To do that, we need to go to Azure AD, then from the left-side menu choose Identity Governance and click Programs under the Access Reviews section, or simply click the following link:
https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/Programs

On the Identity Governance | Programs screen, click New Program.

Access Reviews Programs overview

Fill in the required information:

  • Name – as I mentioned before, you can think about Programs from a project, department or type-of-access perspective. In my case, I will create a program called External_collaboration.
  • Description – 😉 It shouldn’t be a problem for you.

Creating new program

When your program has been created, click on it. As you can see in the picture below, there are no reviewed apps or groups yet. This is because we have not created an Access Review yet.

Program overview

Click Access reviews in the left-side menu to go to the list of access reviews connected to this program. On the Access reviews screen, click New access review.

Creating Access review

On the New access review screen, you have to choose whether you want to create a Teams + Groups review or an Application review.

This is the step where the configuration roads split, depending on what we want to review.

Step 1: Teams + Group access review

So you chose Teams + Groups, but here we have another crossroads.

Step 2: Selecting groups and teams – this is a standard operation: we need to select a group from our Azure AD. The last step (3) is to select a review scope:

  • For everyone
  • For Guest users only

Review for Teams and Groups

Step 2 (the other road): Using the preview feature to review all M365 groups with guest users (a super cool feature to check where our guests were added). Of course, we can exclude groups if needed.
Because we chose M365 groups with guest users, in the last step (3) there is only one option available – Guest users only.

Review for guest users

Step 1: Application access review

Again a crossroads. Sounds familiar? 🙂

Step 2: Select application. Same as for the Groups and Teams configuration, we need to select the application for which we want to configure the access review.

Step 3: Select review scope. Again, the same here 🙂

When you click Next: Reviews, all possible roads meet in the same place: the Reviews tab.

The diagram below should help you not to lose track of the configuration steps 😉

Access Review configuration map

Under the Reviews tab, we need to decide who should perform the review and how often.

Reviews configuration

Under the Select reviewers section, we have four options:

  • Group Owner(s)
  • Selected user(s) or group(s)
  • Users review own access
  • Managers of users (preview)

It’s up to you which one you choose. In my case, I will use the 2nd option and choose my global admin account.

Selecting reviewers

We also need to decide how often reviews will recur.

Depending on our corporate policies and security team recommendations, we can choose very granular reviews: weekly, monthly or even annually. I will choose One Time.

The next thing I need to provide is the duration (how long the review will be open) and the start date.

Review configuration

When all configuration on the Reviews tab is done, click Next to go to the Settings tab.

Access reviews settings

Wow, there are a lot of things we can configure here, even recommendation helpers.

My recommendation is to play with those settings to find the configuration that best meets your requirements – have some fun with it.

When done, click Next to go to the summary page, where you can provide the review name and description.

Confirm the whole configuration using the Create button.

So our first access review is done.

Now I will show you how to send a reminder to the reviewers (just in case).
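The same configuration can be created without clicking through the wizard. The block below is an added example, not code from the original article: it maps the portal choices described above (review kind and scope, the four reviewer options, the recurrence list, duration and start date, recommendation helpers) onto the Microsoft Graph `accessReviewScheduleDefinition` body for `POST /identityGovernance/accessReviews/definitions`. The query strings for scope and reviewers follow the Graph documentation as I remember it and are assumptions where marked; the self-review encoding and the application scope query are assumptions; all ids are constructed placeholders.

```python
"""Build a Graph accessReviewScheduleDefinition from the portal choices above.
Added example (not the article's code); payload shape and query strings are
assumed from the Microsoft Graph v1.0 docs, ids are placeholders."""
import json
import urllib.request
from datetime import date, timedelta
from typing import List, Optional, Sequence

GRAPH_DEFINITIONS = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"

# Portal recurrence choices -> Graph recurrencePattern ("once" has no pattern).
RECURRENCE = {
    "once": None,
    "weekly": {"type": "weekly", "interval": 1},
    "monthly": {"type": "absoluteMonthly", "interval": 1},
    "quarterly": {"type": "absoluteMonthly", "interval": 3},
    "semi-annually": {"type": "absoluteMonthly", "interval": 6},
    "annually": {"type": "absoluteMonthly", "interval": 12},
}
GUEST_FILTER = "microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')"


def build_scope(kind: str, target_id: Optional[str] = None, guests_only: bool = False) -> dict:
    """Steps 2/3 of the wizard: what is reviewed and for whom (everyone / guests only)."""
    scope = {"@odata.type": "#microsoft.graph.accessReviewQueryScope", "queryType": "MicrosoftGraph"}
    if kind == "group":
        if not target_id:
            raise ValueError("a group id is required")
        query = f"/groups/{target_id}/transitiveMembers"
        scope["query"] = f"{query}/{GUEST_FILTER}" if guests_only else query
    elif kind == "all_m365_groups_with_guests":
        if not guests_only:  # the preview option offers only "Guest users only"
            raise ValueError("this review kind only supports guest users")
        scope["query"] = f"./members/{GUEST_FILTER}"
        scope["queryRoot"] = "/groups?$filter=(groupTypes/any(c:c eq 'Unified'))"
    elif kind == "application":
        if not target_id:
            raise ValueError("a service principal id is required")
        if guests_only:
            raise ValueError("guest-only application scope is not modelled in this example")
        scope["query"] = f"/servicePrincipals/{target_id}/appRoleAssignedTo"  # assumed query form
    else:
        raise ValueError(f"unknown review kind {kind!r}")
    return scope


def build_reviewers(choice: str, ids: Sequence[str] = ()) -> List[dict]:
    """Select reviewers section: the four portal options."""
    if choice == "group_owners":
        return [{"query": "./owners", "queryType": "MicrosoftGraph"}]
    if choice == "selected":
        if not ids:
            raise ValueError("selected reviewers need at least one user id")
        return [{"query": f"/users/{i}", "queryType": "MicrosoftGraph"} for i in ids]
    if choice == "self":
        return []  # assumption: an empty reviewers collection = users review their own access
    if choice == "managers":
        return [{"query": "./manager", "queryType": "MicrosoftGraph", "queryRoot": "decisions"}]
    raise ValueError(f"unknown reviewer choice {choice!r}")


def build_definition(name, scope, reviewers, frequency, duration_days, start: date, description="") -> dict:
    """Reviews + Settings tabs. Recommendations on, auto-apply off: nothing is
    removed until an admin applies the results."""
    if duration_days < 1:
        raise ValueError("duration must be at least one day")
    pattern = RECURRENCE[frequency]  # KeyError for a frequency the portal does not offer
    if pattern is None:  # one-time review: the range ends when the review does
        rng = {"type": "endDate", "startDate": start.isoformat(),
               "endDate": (start + timedelta(days=duration_days)).isoformat()}
    else:
        rng = {"type": "noEnd", "startDate": start.isoformat()}
    return {
        "displayName": name,
        "descriptionForAdmins": description,
        "descriptionForReviewers": description,
        "scope": scope,
        "reviewers": reviewers,
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "defaultDecisionEnabled": False,
            "defaultDecision": "None",
            "instanceDurationInDays": duration_days,
            "autoApplyDecisionsEnabled": False,
            "recommendationsEnabled": True,
            "recurrence": {"pattern": pattern, "range": rng},
        },
    }


def post_definition(token: str, body: dict) -> dict:
    """Create the review; the token needs the AccessReview.ReadWrite.All permission."""
    req = urllib.request.Request(GRAPH_DEFINITIONS, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def external_collaboration_review(start_iso: str) -> dict:
    """The article's scenario: one-time, guest-only review of all M365 groups,
    reviewed by one admin account (placeholder id), open for 14 days."""
    return build_definition("External_collaboration - guests in M365 groups",
                            build_scope("all_m365_groups_with_guests", guests_only=True),
                            build_reviewers("selected", ["00000000-0000-0000-0000-000000000001"]),
                            "once", 14, date.fromisoformat(start_iso),
                            "Review guest membership of all M365 groups")


if __name__ == "__main__":
    print(json.dumps(external_collaboration_review(date.today().isoformat()), indent=2))
```

Running the block prints the JSON you would send; `post_definition` is only called once you have a token. Keeping `autoApplyDecisionsEnabled` off matches the portal default and gives an admin the chance to inspect the status report before any membership is removed.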

In order to do that, we need to go here:
https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/Controls

From the access reviews list, choose the proper one, and then from the left-side menu choose Reviewers (under the Manage section).

Reviews reminder

Click Remind. This will send a reminder mail to all reviewers configured for this access review.

Reviews reminder

Now all is set, so let’s move to the next section and see how it looks from the myaccess.microsoft.com portal perspective.

Test in lab

This is the time when all the magical configuration gives us results: a working solution that can be used in our environment to:

  • Verify where guest users have access (groups, teams, applications)
  • Verify who has access to what (internal and external users)

Teams/Group/Application access review

To proceed with the access review, we need to go to the well-known myaccess.microsoft.com portal.

My Access portal options

Then open the left-side menu (click the ‘hamburger’ icon) and choose Access reviews.

This is the same place for access reviews for:

  • Groups and Apps (this part of the lab)
  • Access packages (next part of the lab)

Access reviews for groups and apps

Click Groups and Apps and then select the review from the list.

You will see the list of the group members (depending on the number of members, it could be huuuge).

Group members under review

Now you have a couple of options with reviews:

  1. One-by-one review – the time-consuming one
  2. Pick the required members and approve/deny membership – the easy one
  3. Accept recommendations – the tricky one (might cause some problems)

The pictures below show all the mentioned options.

Picking required members
Applying decision for members
Review summary (1)
One by One review
Accepting recommendations
Review summary
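To make the three review options (and steps 2, 4 and 5 of the workflow described earlier) concrete, here is an added example that is not code from the original article. It models the recommendation rule the article describes (no use of the access in the last 30 days means "recommend removal") on constructed member records, then shows what "accept recommendations" does compared with picking members yourself, which members would lose access, and the counts a status report would contain. The decision strings (`Approve`, `Deny`, `DontKnow`, `NotReviewed`) and the PATCH body in `decision_payload` follow the Graph `accessReviewInstanceDecisionItem` resource as an assumption; the member list is constructed.

```python
"""Recommendations and decisions for an access review round.
Added example (not the article's code); 30-day rule as the article describes
it, member records constructed, Graph decision strings assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

INACTIVITY_WINDOW = timedelta(days=30)  # "did not use that kind of access for the last 30 days"


@dataclass(frozen=True)
class Member:
    display_name: str
    user_type: str                    # "Member" or "Guest"
    last_sign_in: Optional[datetime]  # None = no sign-in on record at all


def recommend(member: Member, now: datetime) -> str:
    """Approve if the member signed in within the window, otherwise Deny.
    A member with no sign-in on record (e.g. a guest invited yesterday who has
    not redeemed the invitation yet) also gets Deny: this is why accepting
    recommendations blindly can remove people who still need the access."""
    if member.last_sign_in is None or now - member.last_sign_in > INACTIVITY_WINDOW:
        return "Deny"
    return "Approve"


def accept_recommendations(members: Iterable[Member], now: datetime) -> Dict[str, str]:
    """Option 3 above: every member gets exactly the recommended decision."""
    return {m.display_name: recommend(m, now) for m in members}


def decide(members: Iterable[Member], now: datetime, picks: Dict[str, str]) -> Dict[str, str]:
    """Options 1 and 2 above: explicit decisions for the picked members; the
    rest stay NotReviewed so the reviewer can see what is still outstanding."""
    allowed = {"Approve", "Deny", "DontKnow"}
    decisions = {}
    for m in members:
        d = picks.get(m.display_name, "NotReviewed")
        if d != "NotReviewed" and d not in allowed:
            raise ValueError(f"invalid decision {d!r} for {m.display_name}")
        decisions[m.display_name] = d
    return decisions


def stale_members(decisions: Dict[str, str]) -> List[str]:
    """Workflow step 4: who loses access once the decisions are applied."""
    return sorted(name for name, d in decisions.items() if d == "Deny")


def summarize(decisions: Dict[str, str]) -> Dict[str, int]:
    """Workflow step 5, the status report: counts per decision."""
    counts = {"Approve": 0, "Deny": 0, "DontKnow": 0, "NotReviewed": 0}
    for d in decisions.values():
        counts[d] += 1
    return counts


def decision_payload(decision: str, justification: str) -> dict:
    """Body for PATCH .../definitions/{id}/instances/{id}/decisions/{id}
    (assumed Graph shape) when a decision is recorded outside the portal."""
    if decision not in {"Approve", "Deny", "DontKnow"}:
        raise ValueError(f"invalid decision {decision!r}")
    if not justification:
        raise ValueError("a justification is required")
    return {"decision": decision, "justification": justification}


# Constructed sample membership of one M365 group under review.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
MEMBERS = [
    Member("alice", "Member", NOW - timedelta(days=2)),   # active employee
    Member("bob", "Guest", NOW - timedelta(days=45)),     # guest, no sign-in for 45 days
    Member("carol", "Guest", None),                       # guest invited yesterday, never signed in
    Member("dave", "Member", NOW - timedelta(days=30)),   # boundary: exactly 30 days ago
]

if __name__ == "__main__":
    auto = accept_recommendations(MEMBERS, NOW)
    print("accept recommendations:", auto, "-> would remove", stale_members(auto))
    picked = decide(MEMBERS, NOW, {"bob": "Deny", "carol": "Approve"})
    print("picked members:", picked, "->", summarize(picked))
```

The two runs differ on `carol`: the recommendation removes her because she has no sign-in yet, while a reviewer who knows she was invited yesterday keeps her. That gap is the reason option 3 deserves a look at the individual rows before the decisions are applied.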

Access Package Review

As in the section above, we start from the myaccess.microsoft.com portal.
The whole process is the same, with one small difference at the beginning:
under the Access Review page, we need to choose the Access packages tab.

Access package review

This is the end of my article regarding a cool feature called Access Reviews.

Stay tuned for the next episode related to Azure Identity Governance – Using PIM.
