I would like to write a short blog post about Access reviews in Azure Active Directory, since many customers are not aware of this feature. Customers using on-prem mechanisms to control\maintain security groups and user lifecycles at some point realize that this won’t work for cloud accounts and groups. Access reviews help to maintain control over accounts used in your organization, obtained rights and access to apps on a regular basis.
Identity Governance
Access reviews are a part of Azure Active Directory (Azure AD) Identity Governance. Identity Governance provides a toolset in order to handle identity, access and privileged access lifecycles. Making sure that the right people have the right access to the right resources. Azure AD Identity Governance consists of three main parts
- Entitlement management
- Access Reviews
- Privileged Identity Management (PIM)
More Information: Identity Governance
Access reviews
Access reviews can be accessed through the Azure Portal (https://portal.azure.com) by typing ‘Identity Governance’ in the search bar withing the portal. From ‘Identity Governance’ the features PIM and Entitlement Management are also accessible.
Access reviews can be configured in many ways. You can review Guest users or all users of a Group or an Application and you can schedule the reviews to run on a regular basis. The reviewers can be owners or members of the group themselves and you can show recommendations and auto apply actions. But not so fast…. let’s take a look at two simple, yet powerful, examples and let’s take a look at the actual review.
1) Guest account review
A simple but effective and useful Access review is the review of guest accounts in your Azure Active Directory. If you don’t harden your Azure AD accordingly you can easily loose control over guest accounts. Guest Accounts are often created unintentionally or even intentionally when e.g. sharing documents from Sharepoint with users outside your organization or inviting them to Teams. And even if you have hardened your Azure AD it is a good idea to keep an eye on your guest accounts regularly, since most companies lack on-\off-boarding processes for guest accounts.
With Access reviews we can basically remove users from groups and therefore denying access to resources. We can achieve also something else, we can gain insights of accounts usage and also determine if this account is still in use. IT Admins typically are not in the position to decide if accounts are still in use or not and therefor can be deleted for good.
So, we want to review the guest accounts in our directory and our primary goal is not to just remove them from a security group, but to get rid of unused and orphaned accounts. To do so we review our custom Azure AD security group all the guest accounts are member of. Our goal is to gain insights if the account is needed at all. By running this review we collect useful Information. First of all the Access review will recommend actions based on the user information, if e.g. the User has not logged in since 30 days the system will recommend to deny the users access. Secondly the reviewer may have detailed information about the account and can determine if it is still needed. Since Access review is primarily about removing group members the final deletion of the account has to be done by an administrator manually and is not part of the Access review process at all.
So, let’s create a new Access review by clicking ‘New Access review’
We need to name the review and can select a start date and frequency on which the review is supposed to run. It makes totally sense to run this review regularly, but in our demo we choose ‘one time’. And select the End date to be within the next 24 hours.
An access review can ‚end‘ in three different ways. It runs continuously to start reviews :
- indefinitely
- until a specific date
- after a defined number of occurrences has been completed.
If we had chosen ‘weekly’ or anything else we have to specify the duration. The duration defines how many days each review of the recurring series will be open for input from reviewers. For example, the maximum duration that you can set for a monthly review is 27 days, to avoid overlapping reviews. The maximum duration for a weekly review is 6 days.
In this example the end time is determined by the number of times. Beginning from the start date the Access review will run two times on a weekly base.
Next, we need to decide if we want to review a group of users or an application and the users who can access it. We want to review a user group and choose our custom Azure AD Security group which contains all guests. If your main Goal is to remove Guest accounts from rights Groups you also could choose any other Azure AD Security group and toggle the ‘Guest users only’
Choosing an application enables you to run reviews on every user assigned to that application.
If would prefer a Guest user group because you probably need this group anyway (e.g. Conditional Access) and IMHO it offers more transparency in the later review.
Under ‚Reviewers‚ you can specify the reviewers. This can be the owner of the group, selected users or the members of the group themselves. Keep the license requirements in mind. Reviewing requires the user to have an Azure AD Premium P2 license. In our case the reviewers must be in the position to determine if the reviewed guest users are still needed. We choose the group Owner.
Next we can choose what happens after the review is closed for input.
If we don’t want the reviewers response to be applied automatically we should set the ‘Auto apply results to resource’ to disabled, this enforces an manual administrative interaction. Otherwise the reviewers response will be executed automatically.
If the reviewer does not respond during the review period, we are able to enforce actions by changing the ‘if reviewers don’t respond’ drop down.
The most forceful option would be to ‚remove access‚, I doubt that any company would pick that option, though it would love to see that 😉 this does not mean that you should not use this option but that you, and the reviewers, should be aware of the consequences and responsibility.
I would definitely not recommend to set this to ‘approve access’, which means that the access still is granted if nobody reviewed this. The last option is ‘Take recommendations’. This enforces the system’s recommendation on denying or approving the user’s continued access based on the user’s access information
In our demo we disable the auto-apply results and set the reviewers don’t respond action to ‘no change’.
Last but not least we have some advanced options. You should set this according to your organizational needs. I will leave them to default values for this user case.
- Show
recommendations
- Enable to show the reviewers the system recommendations based the user’s access information.
- Require
reason on approval
- Enable to require the reviewer to supply a reason for approval.
- Mail
notifications
- Enable to have Azure AD send email notifications to reviewers when an access review starts, and to administrators when a review completes.
- Reminders
- Enable to have Azure AD send reminders of access reviews in progress to reviewers who have not completed their review.
That’s it ! Press ‘Start’ to create your first access review. When the Access review is completed we will have an overview of he reviewed accounts and are (hopefully) able to decide, backed by the reviewers/system recommendation, if the account is safe to delete.
2) Admin access review
Another very useful use case it to create an access review on Azure AD roles. You might think ‘easy , I just make an access review on the admins security group’. But how will you ensure that really every with admin privileges is in that group ? And if you want to review other Azure administrative roles ?
There is an easier, built-in, way of doings reviews on administrative roles. This feature is ‘hidden’ within the privileged Identity management (PIM) section in Azure Portal. If you have not enabled PIM yet this is not a problem in order to use the access review. (BTW you should get familiar with the concept of PIM and implementation in your organization)
So, if let’s navigate to ‘Azure AD roles’ under privileged identity management within the Identity Governance.
After that the PIM sections open, which actually looks almost the same. There, again, choose Azure AD roles.
Now we can create an Access review
The Access review settings look almost the same as the Access review settings we did before. But there is one key difference. You can scope Azure AD roles only.
All other settings follow the rules already explained above. This way you are perfectly able to monitor your privileged Azure AD roles on a regular basis and even perform automatic actions.
Review – admins perspective
The created review shows up in the Access reviews.
Clicking on it you get a detailed overview e.g. approved/denied/already reviewed/approval reason and you can adjust the settings of this Access review if you need to.
Review – reviewers perspective
As a reviewer will we receive, if enabled in Access review settings, an mail notification. We can see which user group should be reviewed, the reviews name and the due date
Starting the review we get an overview of all targeted users. Here we can see the current status of the review and apply different filter e.g. ‚Status :reviewed‚.
Really nice is the ‚recommended action‚. The reviewer can instantly see the recommended action and the reason for this suggestion. We want to ‚deny‚ the access. By clicking the user we can select ‚approve‚ (if set in the Access review we must place a justification) ‚deny‚ and ‚don’t know‚. We deny the acces and can see that the status changes to ‚denied‚
When the end date is reached the ‚upon completion‚ settigs apply. So in our case nothing happens automatically (We disabled ‚auto apply‚ in the Access review). In order to take action the global Admin\User Administrator must open the Access review and apply the reviewers actions. After applying them the denied account will be removed from the Azure AD security group.
A detailed view can be accessed over ‚Results‚
From the groups point of view you can see the corresponding Access reviews and their status. Keep in mind that you can review dynamic and static groups and that removing members from a dynamic group is kind of useless. But you can still review these groups because your goal could be to gain insights if these accounts are used at all.
License requirements
Using access reviews requires Azure AD Premium P2 licenses for users performing one of these tasks :
- Member and guest users who are assigned as reviewers
- Member and guest users who perform a self-review
- Group owners who perform an access review
- Application owners who perform an access review
Global Administrators or User Administrators that set up access reviews or configure settings do not need an Azure AD Premium P2 license. So you have to pay attention how you use access reviews. If you use a “self-review” on a group with 1000 Users, you also need a Azure AD P2 licenses for each of these 1000 user. If you have a group of multiple users and only want a small group of users to do an access review you only need licenses for these small group of users. For every assigned License you are allowed to invite up to 5 Guest users.
More information : license requiremens