Access review of groups or applications
Managing large groups of Users and their access permissions in AAD can be cumbersome, especially in organisations where staff are always being hired, leaving or joining cross-functional teams. An Azure governance feature called ‘Access Reviews’ allows Azure Administrators to create periodic reviews that act as a reminder to check, approve or deny User access to Azure resources.
For instance, if you have a User who first started off requiring access to a Human Resources group, then one year later required access to a Microsoft Dynamics 365 group, and then a year after that required access to the Project Services group, their access management can start becoming a confusing labyrinth of permissions. With Access Reviews, you can enable periodic reviews of specific Users or Groups, which then allows you to approve or deny their access to resources. This helps with keeping a clean, secure and well-controlled AAD tenant.
Other uses of Access Reviews:
- New hires or leavers – as new employees join, how do you ensure they have the right access to be productive?
- Cross-functional teams – as people move teams or leave the company, how do you ensure their old access is removed, especially when it involves guests?
- Permission management – excessive access permissions can lead to audit findings and compromises as they indicate a lack of control over access. You have to proactively engage with resource owners to ensure they regularly review who has access to their resources.
Microsoft documentation illustrates this point better than I can:
To reduce the risk associated with stale access assignments, administrators can use Azure Active Directory (Azure AD) to create access reviews for group members or application access. If you need to routinely review access, you can also create recurring access reviews.
Azure AD identity governance
There are three items that can be managed from an Access Review blade:
- Access Reviews
- Entitlement Management
- Terms of Use
Note: Access Reviews require an Azure AD Premium P2 or Enterprise Mobility + Security E5 subscription.
Access Review Blade: https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/GettingStarted
Once you have set up an Access Review, the review itself takes place through email notifications.
The steps to review are:
- Get notified by email
- Review recommendations
- Approve or Deny
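As an added example (not part of the original post or Microsoft's own code), the PowerShell below creates such a recurring review for a group through the Microsoft Graph API, so that the email notification, recommendation and approve/deny steps above run on a schedule. It assumes the Microsoft.Graph module is installed, an administrator signs in with the AccessReview.ReadWrite.All scope, and the placeholder <GROUP-OBJECT-ID> is replaced with the object ID of the group to review.

```powershell
# Added example (not from the original post): create a recurring access review of a group's
# members with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module, an admin
# signed in with AccessReview.ReadWrite.All (Azure AD Premium P2 licensed), and that
# <GROUP-OBJECT-ID> is replaced with the object ID of the group being reviewed.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId = "<GROUP-OBJECT-ID>"   # placeholder: object ID of the group whose members are reviewed

$definition = @{
    displayName             = "Quarterly review - HR group membership"
    descriptionForAdmins    = "Recurring review of who still needs membership in the HR group."
    descriptionForReviewers = "Approve only members who still need this access for their current role."
    # Who is reviewed: every (transitive) member of the group.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    # Who reviews: the group's owners, i.e. the resource owners the post says must be engaged.
    reviewers = @(
        @{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true   # step 1: reviewers are notified by email
        reminderNotificationsEnabled    = $true
        recommendationsEnabled          = $true   # step 2: recommendations based on recent sign-in activity
        justificationRequiredOnApproval = $true   # step 3: every approval must carry a reason
        instanceDurationInDays          = 14
        # If a reviewer never responds, treat the access as stale instead of leaving it in place.
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"
        # Apply the decisions to the group membership automatically when the instance ends.
        autoApplyDecisionsEnabled       = $true
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ") }
        }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions" `
    -Body $definition -ContentType "application/json"
"Created access review definition $($created.id) with status $($created.status)"
```

Members whose reviewers neither approve nor deny within the 14-day window are removed by the Deny default, so stale assignments are cleaned up rather than silently retained.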
To read more about Access Reviews go to the official Microsoft documentation here: https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Some screenshots of the Access Review blade