Azure AD Access Reviews

Azure AD Access reviews are a core part of the Microsoft Entra Identity Governance capabilities and essential for maintaining a secure environment. Identity Governance gives organizations the means to manage digital identities properly through:

  • Access lifecycle management (Azure AD Access Reviews)
  • Identity lifecycle management
  • Privileged access for administrators

Azure AD offers a set of access review features for managing user access to a variety of resources, including group memberships, applications, and roles. These features are in line with the Azure Security Benchmark v3, which provides guidance on securing cloud-based resources. During the access review process, reviewers verify whether users still require access to these resources and, if not, remove the access, ensuring that only authorized personnel have access to critical assets.

Using this feature requires Azure AD Premium P2 licenses.

Create Azure AD Access reviews

Using the Azure Portal, we can configure, manage, and monitor the results of access reviews. Access reviews can also be configured through the Microsoft Graph API. Configure the Access Review feature in Azure AD by navigating to Azure AD → Identity Governance → Access reviews.

Define the scope: We wish to use Access Reviews to check access to groups and teams. This is because groups and teams often include numerous members, and it can be challenging to manage their access to various resources without some form of review mechanism in place.

Determine the reviewers: Identify the reviewers and fallback reviewers who will perform the access reviews and inform them accordingly. In this example, we select users’ managers as the reviewers.

Specify recurrence of review

  1. Review start date: We select the start date for the access review; the review period opens on that date and lasts 14 days.
  2. Frequency, duration: To conduct the review every quarter, we adjust the frequency setting accordingly.
  3. End date: To conduct the reviews indefinitely, we set the end date to “Never.” However, these settings can be modified to align with your preferred review frequency. For instance, you can choose to limit the reviews to a specific number of times, such as three, or set an end date for your review period.
  4. Reviewers: As previously mentioned, it is our preference for managers to perform the access reviews and to designate fallback reviewers as necessary.

Upon completion settings: Enabling the “If reviewers don’t respond” setting and selecting the “Remove access” option ensures that users who have not been reviewed have their access removed. This is an effective security measure against unauthorized access to resources. Make sure that the review period is set appropriately and that users are given adequate notice and reminders to respond to the review. You may also want to set up a process to handle exceptions, such as when both a reviewer and a fallback reviewer are unavailable.

In addition, auto-applying results to resources can be a useful feature to ensure that changes are implemented quickly and efficiently. However, it’s important to review the system’s recommendations before they are applied to make sure they align with your organization’s security goals.

It is recommended to notify additional admins on review completion by selecting users or groups and adding them to the list. When adding users or groups to the notification list, it’s important to ensure that they have the necessary permissions to access the information that is being shared. It’s also important to clearly communicate the purpose of the review and the actions that will be taken as a result of the review, so that everyone involved understands the process and their roles in it.

Enable reviewer decision helpers setting: Enabling this feature causes the system to recommend that reviewers deny access to users who have not signed in within the past 30 days, regardless of whether the sign-ins were interactive or non-interactive. This recommendation can be overly strict, leading to access being denied to users who are still authorized to use a resource but have not signed in within the 30-day period for various reasons.
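To see who the 30-day rule would flag before a review instance opens, the following added example (not code from this article) applies the rule described above to constructed records shaped like the Microsoft Graph user object's `signInActivity` property, whose `lastSignInDateTime` and `lastNonInteractiveSignInDateTime` fields cover both sign-in kinds. The user list, timestamps, the value of "now" and the exemption set are all constructed; the exemption handling is an assumed local addition, not part of the decision helper, so that known-authorized but rarely signing-in accounts are surfaced for a manual look instead of a blanket Deny.

```python
"""Preview the 30-day sign-in decision helper before a review starts.

Added example, not code from the article. It applies the rule described above
(recommend Deny for any user with no interactive or non-interactive sign-in in
the last 30 days) to constructed records shaped like the Microsoft Graph user
object's signInActivity property. The exemption set is an assumed local
addition so inactive-but-authorised accounts get a manual look rather than a
blanket Deny.
"""
from datetime import datetime, timezone

INACTIVITY_DAYS = 30  # threshold the decision helper uses

# Constructed sample, in the shape of GET /users?$select=userPrincipalName,signInActivity
NOW = datetime(2023, 5, 1, tzinfo=timezone.utc)
USERS = [
    {"userPrincipalName": "alice@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2023-04-28T09:12:00Z",
                        "lastNonInteractiveSignInDateTime": "2023-04-30T22:01:00Z"}},
    {"userPrincipalName": "bob@contoso.example",         # only non-interactive sign-ins lately
     "signInActivity": {"lastSignInDateTime": "2023-02-10T14:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2023-04-20T03:00:00Z"}},
    {"userPrincipalName": "carol@contoso.example",       # nothing for 61 days
     "signInActivity": {"lastSignInDateTime": "2023-03-01T00:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
    {"userPrincipalName": "svc-backup@contoso.example",  # never signed in
     "signInActivity": {}},
]


def parse_graph_timestamp(value):
    """Graph returns ISO 8601 with a trailing Z; fromisoformat needs an explicit offset."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(sign_in_activity: dict):
    """Most recent sign-in of either kind, or None if the user has never signed in."""
    stamps = [parse_graph_timestamp(sign_in_activity.get(field))
              for field in ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def recommend(users, now, exempt=frozenset()):
    """Return {userPrincipalName: (recommendation, reason)} as the helper would see it."""
    out = {}
    for user in users:
        upn = user["userPrincipalName"]
        last = last_activity(user.get("signInActivity", {}))
        days = None if last is None else (now - last).days
        inactive = days is None or days > INACTIVITY_DAYS
        if not inactive:
            out[upn] = ("Approve", f"signed in {days} days ago")
        elif upn in exempt:
            # Assumed local handling: inactive but known to be authorised, so ask a human.
            out[upn] = ("Review", "inactive but exempt from the inactivity rule")
        else:
            out[upn] = ("Deny", "no sign-in recorded" if days is None else f"inactive for {days} days")
    return out


if __name__ == "__main__":
    for upn, (decision, reason) in recommend(USERS, NOW, exempt={"svc-backup@contoso.example"}).items():
        print(f"{upn:32} {decision:8} {reason}")
```

Bob's case is the one worth noticing: his last interactive sign-in is months old, but a recent non-interactive sign-in keeps him on the Approve side, which matches the article's point that the helper counts both kinds.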

User-to-Group Affiliation: Enabling this feature will cause the system to recommend reviewers to deny access to users who have low affiliation with other users within the group. It’s important to note that the user must have a “Manager” attribute in order for this decision helper to work. The “Manager” attribute is typically used to indicate that a user has some level of responsibility or authority within the organization.

Advanced settings: It’s a good practice to encourage users to provide a reason for their approval or denial of access during the review process. This can help ensure that the decision-making process is transparent and that reviewers have the necessary context to make informed decisions.

Additionally, configuring Azure AD to send emails to reviewers when an access review starts, and to the review owner when the review completes, can help keep everyone involved in the review process informed and up to date on its progress. This can help ensure that the review is completed in a timely and efficient manner.

Sending reminder emails for in-progress access reviews to all reviewers during the midpoint of the review period is also a good practice. This can help ensure that reviewers are aware of the review and that they are able to complete their reviews within the allocated timeframe.

Once the Access Review feature is configured, it will run according to the settings specified. The reviewers will receive notifications when it is time to conduct the access review, and they will be able to access the review through the Azure portal. The results of the access review will be reported in the Azure portal, and appropriate actions can be taken based on the feedback received.
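The same configuration can be created through the Microsoft Graph API mentioned earlier. The following is an added example, not the article's own code or tenant settings: it expresses the choices walked through above (group and team membership scope, users' managers as reviewers plus a fallback reviewer, a 14-day review every quarter with no end date, "Remove access" when reviewers don't respond, auto-apply, decision helpers, required justification, start/completion mail and midpoint reminders) as the `accessReviewScheduleDefinition` body that would be POSTed to `https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions`. The group id, fallback reviewer id and start date are constructed placeholders, and `check_definition()` is an assumed pre-flight check of my own, not a Graph feature. Nothing in it touches the network.

```python
"""Microsoft Graph request body for the access review configured in this article.

Added example, not the article's own code. GROUP_ID, FALLBACK_REVIEWER_ID and
START_DATE are constructed placeholders; check_definition() is an assumed local
pre-flight check, not part of the Graph API.
"""
import json
from datetime import date

# Constructed placeholders: substitute real object ids from your tenant.
GROUP_ID = "00000000-0000-0000-0000-000000000001"
FALLBACK_REVIEWER_ID = "00000000-0000-0000-0000-000000000002"
START_DATE = date(2023, 7, 1)


def build_definition(group_id: str, fallback_reviewer_id: str, start: date,
                     duration_days: int = 14, interval_months: int = 3) -> dict:
    """Return the request body for a recurring, manager-driven group membership review."""
    return {
        "displayName": f"Quarterly membership review for group {group_id}",
        "descriptionForAdmins": "Quarterly review of group and team membership.",
        "descriptionForReviewers": "Confirm whether each member still needs this access.",
        "scope": {
            # All transitive members of the group, i.e. users nested via other groups too.
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [
            # "./manager" relative to each decision item resolves to the reviewed user's manager.
            {"query": "./manager", "queryType": "MicrosoftGraph", "queryRoot": "decisions"},
        ],
        "fallbackReviewers": [
            # Reviews the users who have no manager attribute set.
            {"query": f"/users/{fallback_reviewer_id}", "queryType": "MicrosoftGraph"},
        ],
        "settings": {
            "mailNotificationsEnabled": True,         # mail reviewers at start, owner at completion
            "reminderNotificationsEnabled": True,     # midpoint reminder to reviewers
            "justificationRequiredOnApproval": True,  # reviewers must give a reason
            "recommendationsEnabled": True,           # decision helpers (30-day sign-in, affiliation)
            "defaultDecisionEnabled": True,           # "If reviewers don't respond" ...
            "defaultDecision": "Deny",                # ... remove access
            "autoApplyDecisionsEnabled": True,        # apply results to the group when the instance ends
            "instanceDurationInDays": duration_days,
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": interval_months,
                            "dayOfMonth": start.day},
                "range": {"type": "noEnd", "startDate": start.isoformat()},
            },
        },
    }


def check_definition(definition: dict) -> list:
    """Assumed pre-flight check: return the gaps that would weaken the review (empty = OK)."""
    problems = []
    s = definition["settings"]
    if s.get("autoApplyDecisionsEnabled") and not s.get("defaultDecisionEnabled"):
        problems.append("auto-apply without a default decision: unreviewed users keep access")
    if s.get("defaultDecisionEnabled") and s.get("defaultDecision") != "Deny":
        problems.append("unresponsive reviewers leave access in place; defaultDecision should be Deny")
    manager_based = any(r.get("query") == "./manager" for r in definition.get("reviewers", []))
    if manager_based and not definition.get("fallbackReviewers"):
        problems.append("manager-based review without fallback reviewers: users without a manager are never reviewed")
    if not s.get("reminderNotificationsEnabled"):
        problems.append("no midpoint reminders to reviewers")
    if not s.get("justificationRequiredOnApproval"):
        problems.append("approvals can be submitted without a justification")
    # Each instance must close before the next one opens.
    pattern = s["recurrence"]["pattern"]
    days_per_unit = {"daily": 1, "weekly": 7, "absoluteMonthly": 28}
    period_days = days_per_unit.get(pattern["type"], 28) * pattern.get("interval", 1)
    if s["instanceDurationInDays"] > period_days:
        problems.append("instanceDurationInDays is longer than the recurrence interval")
    return problems


def to_request_json(definition: dict) -> str:
    """Serialise the body exactly as it would be sent with Content-Type: application/json."""
    return json.dumps(definition, indent=2)


if __name__ == "__main__":
    body = build_definition(GROUP_ID, FALLBACK_REVIEWER_ID, START_DATE)
    print(to_request_json(body))
    print("problems:", check_definition(body) or "none")
```

Keeping the definition in code rather than clicking it together in the portal makes the security-relevant defaults reviewable: a pull request that flips `defaultDecision` away from `Deny` or drops the fallback reviewer is caught by `check_definition()` before the review ever runs.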

This is what our configuration settings look like:

Conduct the reviews: To ensure compliance with the review frequency and expiration policies, it’s important to conduct access reviews on a regular basis. Reviewers will be notified via email and asked to review the access of users, confirming whether they still require access to the resources. To initiate the review, there are two options available: either clicking on the “Start review” button in the email received or navigating to the “My Access portal.” This will allow reviewers to view ongoing access reviews and take necessary actions.

To conduct an access review, select the review you wish to complete and choose between the options to approve, deny, don’t know, or accept the recommendation. Reviewers can use the “Don’t know” button to log their decision in the audit log while allowing the user to maintain their access.

As part of the Azure AD Access reviews process, it’s important to ensure that decisions to approve or deny access are made based on clear and transparent criteria. To help with this, the system prompts reviewers to provide a justification before submitting their decision. Once the necessary justification is provided, the reviewer can finalize the process by clicking the “submit” button, and the decision and justification will be recorded in the system.

Monitor Access reviews

You can view the outcome of your access review in both the My Access portal and the Azure Portal under the Identity Governance category. The Overview page shows the status of the ongoing review, including progress updates on the current review instance. Access rights remain unchanged in the directory until the review is finished. Additionally, blades within the Current section are visible only during the review instance, not after it’s finished.

The Results page shown in the picture below offers additional insights on each user under review and enables actions such as stopping, resetting, and downloading results.
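Before relying on the downloaded results, it helps to summarise what will actually happen when they are applied. The following added example (not code from this article) runs over constructed records shaped like Microsoft Graph `accessReviewInstanceDecisionItem` objects, the rows behind the Results page (principal, decision, recommendation, justification, reviewedBy, applyResult), and reports who loses access, including users nobody reviewed when "If reviewers don't respond" is set to remove access, together with the cases an admin should double-check: approvals that overrode a Deny recommendation, approvals without a justification, and "Don't know" answers that leave access in place. All decision rows are constructed for illustration.

```python
"""Summarise a finished review instance's decisions before relying on the results.

Added example, not code from the article. DECISIONS is a constructed sample in
the shape of Microsoft Graph accessReviewInstanceDecisionItem rows.
"""

# Constructed rows, as GET .../definitions/{id}/instances/{id}/decisions would return them.
DECISIONS = [
    {"principal": {"userPrincipalName": "alice@contoso.example"}, "decision": "Approve",
     "recommendation": "Approve", "justification": "Still on the project",
     "reviewedBy": {"displayName": "Manager One"}, "applyResult": "New"},
    {"principal": {"userPrincipalName": "bob@contoso.example"}, "decision": "Approve",
     "recommendation": "Deny", "justification": "Contractor returns next month",
     "reviewedBy": {"displayName": "Manager One"}, "applyResult": "New"},
    {"principal": {"userPrincipalName": "carol@contoso.example"}, "decision": "Deny",
     "recommendation": "Deny", "justification": "Left the team",
     "reviewedBy": {"displayName": "Manager Two"}, "applyResult": "New"},
    {"principal": {"userPrincipalName": "dave@contoso.example"}, "decision": "NotReviewed",
     "recommendation": "NoInfoAvailable", "justification": "",
     "reviewedBy": None, "applyResult": "New"},
    {"principal": {"userPrincipalName": "erin@contoso.example"}, "decision": "DontKnow",
     "recommendation": "Approve", "justification": "Not my report",
     "reviewedBy": {"displayName": "Fallback Reviewer"}, "applyResult": "New"},
]


def summarize(decisions, default_decision="Deny"):
    """Return counts, the users who will lose access, and the rows worth a second look.

    default_decision mirrors the review's "If reviewers don't respond" setting:
    "Deny" removes access for NotReviewed rows, anything else leaves it in place.
    """
    counts = {}
    removed, overrides, unjustified, unsure = [], [], [], []
    for row in decisions:
        upn = row["principal"]["userPrincipalName"]
        decision = row["decision"]
        counts[decision] = counts.get(decision, 0) + 1
        if decision == "Deny" or (decision == "NotReviewed" and default_decision == "Deny"):
            removed.append(upn)
        if decision == "Approve":
            if row.get("recommendation") == "Deny":
                overrides.append(upn)  # reviewer went against the decision helper
            if not (row.get("justification") or "").strip():
                unjustified.append(upn)
        if decision == "DontKnow":
            unsure.append(upn)  # recorded in the audit log, access retained
    return {"counts": counts, "removed": removed, "overrides": overrides,
            "unjustified": unjustified, "unsure": unsure}


def format_report(summary: dict) -> str:
    """Render the summary as the short text an admin would read after a review closes."""
    lines = ["decision counts: " + ", ".join(f"{k}={v}" for k, v in sorted(summary["counts"].items()))]
    lines.append("access removed on apply: " + (", ".join(summary["removed"]) or "nobody"))
    lines.append("approved against a Deny recommendation: " + (", ".join(summary["overrides"]) or "none"))
    lines.append("approved without justification: " + (", ".join(summary["unjustified"]) or "none"))
    lines.append("answered Don't know (access kept): " + (", ".join(summary["unsure"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(DECISIONS)))
```

The `overrides` list is the one to read first: an approval that contradicts the helper's Deny recommendation is not necessarily wrong, but it is exactly the decision whose justification should be checked before auto-apply is trusted for the next cycle.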

Ensuring that your Azure AD Access reviews process is conducted effectively is critical to maintaining a secure environment. By conducting reviews regularly and following best practices, you can reduce the risk of unauthorized access. By integrating feedback and continuously improving the review process, you can help ensure that your organization is well-positioned to meet the evolving challenges of access management.
