This will be the third article from the Azure AD Identity Governance series.
And today I would like to show you the Access Reviews from Azure AD Identity Governance perspective.
The previous articles are available here:
Access Reviews Overview
Have you ever thought whether it is possible to review guest users group or application membership?
If yes, this is the article for you. Today I will show you how to use Access Reviews for:
- Access packages
- Teams + Groups
- Applications (integrated with our Azure AD)
But before we go deeper, let’s clarify what are the Access Reviews, according to the Microsoft documentation…
Access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User’s access can be reviewed on a regular basis to make sure only the right people have continued access.https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Access reviews are a powerful tool that comes with the Azure AD Premium P2 license level.
So access reviews are kind of scheduled or manual reviews that can check group membership and application access. It could be also used as a part of the Access Packages configuration (Lifecycle tab, Access Review section).
Diagram below depicts workflow for access reviews.
Because Access Reviews is an ongoing process, it is hard to find a start and stop of it.
But there are 5 elements of this process:
- Request notification – As a resource owner or person who was assigned to perform access review, we will receive an email with notification that the process started for the specific resource type (group, application, access package).
- Membership review – Based on our knowledge and recommendations, we can decide whether the user should remain or be removed from the resource access.
- Membership confirmation – In this step, we will confirm that the group of users that were reviewed should keep their access to the resource.
- Stale membership removal – Self-explanatory – we are going to remove users who should not have access to the resource or they even did not use that kind of access for the last 30 days (based on the recommendation)
- Status report – At the ‘end’ of the review, Admin will be informed that the access review round has been finished and what the results are.
Similar to the Access Packages where we had all of them configured under the Catalog.
For Access reviews, we are using Programs.
Program is a ‘container’ that helps us to group reviews logically (for departments, projects, etc.)
So this is the workflow but what is the timeline for it?
It’s easy, we can choose whether it should be done:
Additionally, we can configure Duration for this access review (how many days it will take to finish).
We will describe it later in the Configuration part of the article.
Every review should be done by specific people. With access reviews, we can configure reviewers from the following options:
- Group Owners – every group has its owner.
- Selected users or groups – we might decide that the specific users should perform the review.
- Self-review – users can review their access on their own
- Managers of users (in Preview) – This is based on the Manager attribute from Azure AD.
We can configure access reviews in two ways:
- During the access package configuration
- Manually as a part of a separate review (then we need to create Program(s))
Access Package Review
Teams/Group/Application access review
Let’s start with something very easy – creating Program.
To do that, we need to go to the Azure AD, then from the left side menu, choose Identity Governance and click Programs under Access Reviews section, or just simply click the following link:
On the Identity Governance | Programs screen click New Program
Fill the required information:
- Name – as I mentioned before, you can think about Programs from project or department, type of access perspective as an example. In my case, I will create a program called External_collaboration.
- Description – 😉 It shouldn’t be a problem for you.
When your program creation is finished, please click on it. As you can see in the picture below, there are no reviewed apps or groups. This is because we did not create Access Review yet.
Click on the Access reviews on the left side menu to move to the access reviews list which is connected to this program. On the Access reviews screen click New access review
On the New access review screen, you have to choose either you want to create a Teams + Groups review or the Application review.
This is the step where the configuration roads will split based on our decision what do we want to review.
Step 1: Teams + Group access review
So you choose Teams + Groups. but here we have another cross roads
Step 2: Selecting group and teams – This is a standard operation we need to select a group from our Azure AD. The last step (3) will be to select a review scope:
- For everyone
- For Guest users only
Step 2: Using preview feature to review all M365 groups with guest users ( a super cool feature to check where our guests were added). Of course, we can exclude groups if needed.
Because we choose M365 groups with guest users, in the last step (3) there is only one option available – Guest users only.
Step 1: Application access review
Again cross road. Sounds familiar ? 🙂
Step 2 Select application. Same as for the Groups and Teams configuration, we need to provide an application for which we want to configure access review.
Step 3 Select review scope. Again same here 🙂
When you click Next: Reviews, all possible roads will meet in the same place, which is the Reviews tab.
The diagram below should help you not to lose focus with configuration steps 😉
Under the Reviews tab, we need to decide who and how often should perform the review.
Under the Select reviewers section, we have four options:
- Group Owner(s)
- Selected user(s) or group(s)
- Users review own access
- Managers of users (preview)
It’s up to you what you will choose. In my case, I will use 2nd option and choose my global admin account.
We also need to decide how often reviews will recur.
Depends on our corporate policies and security team recommendations, we can choose very granular reviews, including weekly, monthly even annually. I will choose One Time.
The next thing that I need to provide is the duration time the review will take place and the start date
When all configuration from Reviews tab is done click Next to go to the Settings tab.
Wow, this is a lot of things that we can configure, even recommendation helpers.
My recommendation is to play with those settings to find the best configuration that meets your requirements – have some fun with it.
When done click Next to go to the summary page where you can provide review name and description.
Confirm all the configuration that was made using Create button
So our first access review was done.
Now I will show you how to send a reminder to the reviewers (just in case of any)
In order to do that, we need to go here:
From the access reviews list, choose the proper one, and then from the left side menu choose Reviewers (under Manage section)
And click Remind. This will send the reminder mail to all reviewers configured for this access review.
Now, all set so let’s move to the next section and see how it looks from the myaccess.microsoft.com portal perspective.
Test in lab
This is the time when all magical configuration will give us the results – working solution that might be used in our environment to:
- Verify where guest users have access (groups, teams, application)
- Verify who have access where (internal and external users)
Teams/Group/Application access review
To proceed with access review, we need to go to the well known myaccess.microsoft.com portal.
Then from the left side menu (click on the ‘hamburger’ icon) and choose Access reviews.
This is the same place for access reviews for:
- Groups and Apps (this part of the lab)
- Access packages (next part of the lab)
Click on the Groups and Apps and then select review from the list
You will see the list of the group members (depends on the number of members, it could be huuuge)
Now you have a couple of options with reviews:
- One by one review – the time consuming one
- Pick required members and approve/deny membership – an easy one
- Accept recommendations – tricky one (might cause some problems)
Pictures below will show all mentioned options.
Access Package Review
Same as in the section above, we need to start from the myaccess.microsoft.com portal.
The whole process is the same, with one small difference at the beginning.
Under the Access Review page, we need to choose the Access packages tab.
This is the end of my article regarding a cool feature called Access Reviews.
Stay tuned for the next episode related to the Azure Identity Governance – Using PIM