Do you ever find yourself in a situation where you’re granting people rights to groups, applications, or mailboxes, and suddenly you notice an account that you know shouldn’t have access anymore, but still does?
This is an example of a challenge that many organizations face on a daily basis. Procedures exist to revoke access, but they often involve manual work. In the hustle and bustle of daily operations, there’s a risk that these checks get overlooked.
There are many tools available to automate these tasks. Today, we will explore how Microsoft addresses this issue through Access Reviews and the recently added AI features.
Entra ID Governance – Access Reviews
With the name change from Azure AD to Entra, many products have also been renamed and even placed under different categories. Access Reviews, for example, are now part of Entra ID Governance.
So, what exactly are Access Reviews?
Access Reviews allow organizations to efficiently manage group memberships, applications, and role assignments. User access can be periodically reviewed to ensure that only authorized individuals have access.
To use the basic functionalities of Access Reviews, you’ll need at least an Entra ID P2 (formerly Azure AD P2) license. If you want to take advantage of more advanced options such as Inactive Users Review or Machine Learning support, you’ll need an Entra ID Governance license. For more information on the licensing model, you can visit the following Microsoft page.
Create an Access Review
You can create an Access Review in multiple ways. For now, let’s use the Entra portal.
- Go to the menu and select Identity governance.
- Click on Access reviews.
- Then, click on New access review.
Great, let’s walk through the process of setting up an Access Review with the selected options:
Scope: We’ve chosen to review Teams + Groups.
Group Selection: We’ve opted for reviewing selected groups, and we’ve chosen the “Paralegals” group.
Review Type: We want to review all users within the group, so we select All users.
Inactive Users: We won’t mark the option to review only inactive users; we want to review all users.
With the scope set, move on to the Reviews tab.
On the Reviews tab, we choose the following settings:
Multi-stage Review: We’ve chosen not to use a Multi-stage review.
Select reviewers: We’ve selected “Selected user(s) or group(s)” and chosen the IT department group as the reviewer.
Duration (in days): We’ve set the review duration to five days, allowing one workweek for the review to be completed.
Review Recurrence: We’ve selected a monthly recurrence starting today, with no end date. This means the review will repeat monthly and continue indefinitely.
With these settings in place, move on to the Settings tab.
On the Settings tab, we specify what should happen with the outcome of the review. If you want the recommendations applied automatically, check the option Auto apply results to resource. For now, we leave this option unchecked.
For the option If reviewers don’t respond, we indicate what should happen if the reviewers don’t perform the review on time. You have the following choices:
- No change
- Remove access
- Approve access
- Take recommendations
In our case, since we don’t want to revoke access for all users the moment reviewers miss the deadline, we choose No change. Decide at this step what is right for your organization.
At the end of the review, we want to send a notification to the Leadership team. We specify this under At the end of the review, send notification to.
To help reviewers make the right choice, we check the decision helper No sign-in within 30 days. The review will then flag accounts that have not signed in during the past 30 days.
New for Access Reviews is the User-to-Group Affiliation option. This feature uses Machine Learning to recommend a decision based on how closely a user is affiliated with the group’s managers. For now, we leave this option as it is, since we don’t use group managers in this environment.
Under Advanced settings, we make the following choices:
- We check Justification required. This requires the reviewer to justify their choice.
- We also check Email notifications. We want the reviewers to receive an email when the review starts, and the review owners to receive an email when the review is completed.
- We also check Reminders. During the review, reminders will be sent to the reviewers if the review is not yet completed.
- Next, we can provide a piece of text to the reviewer. Fill in the text box under Additional content for reviewer email.
On the Review + Create tab, we give the review a name and a description. Additionally, on this page, you’ll see a summary of the review settings. By clicking Create at the bottom, the review will be created.
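The portal steps above can also be scripted, which is useful when the same review has to be rolled out to many groups. The following is an added example (not from the original post) that creates the same review through the Microsoft Graph PowerShell SDK: scope is the Paralegals group, reviewers are the IT department group, five-day duration, monthly recurrence with no end date, no auto-apply, No change when reviewers don’t respond, justification required, e-mail and reminders on, and a completion notification to the Leadership group. It assumes the Microsoft.Graph module is installed, the caller holds the AccessReview.ReadWrite.All permission, and the three group object IDs are placeholders to be replaced with your own.

```powershell
# Added example: create the Paralegals Access Review via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph SDK installed, AccessReview.ReadWrite.All granted,
# and the three group IDs below are placeholders for your own tenant's groups.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$paralegalsGroupId = "<PARALEGALS-GROUP-OBJECT-ID>"     # placeholder
$itGroupId         = "<IT-DEPARTMENT-GROUP-OBJECT-ID>"  # placeholder
$leadershipGroupId = "<LEADERSHIP-GROUP-OBJECT-ID>"     # placeholder

$body = @{
    displayName             = "Paralegals - monthly membership review"
    descriptionForAdmins    = "Monthly review of the Paralegals group membership."
    descriptionForReviewers = "Please confirm that each member still needs access."

    # Scope: all (transitive) members of the Paralegals group.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$paralegalsGroupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }

    # Reviewers: the IT department group.
    reviewers = @(
        @{
            query     = "/groups/$itGroupId/transitiveMembers"
            queryType = "MicrosoftGraph"
        }
    )

    settings = @{
        mailNotificationsEnabled        = $true    # Email notifications
        reminderNotificationsEnabled    = $true    # Reminders
        justificationRequiredOnApproval = $true    # Justification required
        recommendationsEnabled          = $true    # Decision helper: no sign-in within 30 days
        autoApplyDecisionsEnabled       = $false   # Auto apply results left unchecked
        defaultDecisionEnabled          = $false   # If reviewers don't respond: No change
        defaultDecision                 = "None"
        instanceDurationInDays          = 5        # one workweek
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 1; dayOfMonth = (Get-Date).Day }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }

    # At the end of the review, notify the Leadership group.
    additionalNotificationRecipients = @(
        @{
            notificationTemplateType   = "CompletedReview"
            notificationRecipientScope = @{
                "@odata.type" = "#microsoft.graph.accessReviewNotificationRecipientQueryScope"
                query         = "/groups/$leadershipGroupId/transitiveMembers"
                queryType     = "MicrosoftGraph"
            }
        }
    )
}

$definition = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $body
$definition | Select-Object Id, DisplayName, Status
```

The settings map one-to-one onto the portal options described above, so the script doubles as documentation of what the review does; keeping it in version control lets you diff a review’s configuration over time instead of clicking through the portal to check it.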
Conducting the review
Now that the Access Review is in place, it is time to conduct the review. You can start it by clicking the button in the e-mail or from within the My Access portal.
When you are in the My Access portal, click on Access reviews in the navigation bar. You will see a list of all available reviews. Click on the review you wish to start.
You will find a list of all the users under review. Note that in the Recommendation column, there is an Approve or Deny recommendation. If it says Deny, there is also a brief explanation to assist with your decision.
We want to approve Adele. Mark the checkbox in front of Adele and click on Approve.
You then need to give a justification for why the user should keep access.
Back on the list, you will now see that Adele has been approved by the reviewer. When you click on Details, you can view when Adele was approved, by whom, and the explanation.
Please note that in the Details pane, you can change the decision to Deny or Don’t know. Choosing Don’t know will be logged in the Audit logs, and no action will be taken.
Once you finish the review, the progress is shown on the Overview page of the Access Review.
On the Results page, you can monitor the decisions that have been made and take actions such as stopping, resetting, or downloading the results.
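The same monitoring can be done from a script, which makes it possible to check every running review in one pass rather than opening each Results page. The following is an added example (not from the original post) that fetches the decisions of the most recent instance of a review, summarises them, lists the rows that still need attention (not yet reviewed, or approved despite a Deny recommendation) and exports the full set as CSV, the scripted counterpart of Download results. It assumes the Microsoft.Graph SDK, the AccessReview.Read.All permission, and a placeholder definition ID that you replace with the ID returned when the review was created.

```powershell
# Added example: inspect the decisions of the current Access Review instance.
# Assumptions: Microsoft.Graph SDK installed, AccessReview.Read.All granted,
# and the definition ID below is a placeholder for your own review.
Connect-MgGraph -Scopes "AccessReview.Read.All"

$definitionId = "<ACCESS-REVIEW-DEFINITION-ID>"   # placeholder

# A recurring review produces one instance per run; take the newest one.
$instance = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
    -AccessReviewScheduleDefinitionId $definitionId |
    Sort-Object StartDateTime -Descending |
    Select-Object -First 1

$decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
    -AccessReviewScheduleDefinitionId $definitionId `
    -AccessReviewInstanceId $instance.Id -All

# Overview: count of Approve / Deny / DontKnow / NotReviewed decisions so far.
$decisions | Group-Object Decision | Select-Object Name, Count | Format-Table

# Rows that deserve a second look: nobody has reviewed them yet, or the reviewer
# approved access although the decision helper recommended Deny.
$decisions |
    Where-Object {
        $_.Decision -eq "NotReviewed" -or
        ($_.Recommendation -eq "Deny" -and $_.Decision -eq "Approve")
    } |
    ForEach-Object {
        [pscustomobject]@{
            Principal      = $_.Principal.DisplayName
            Recommendation = $_.Recommendation
            Decision       = $_.Decision
            ReviewedBy     = $_.ReviewedBy.DisplayName
            ReviewedAt     = $_.ReviewedDateTime
            Justification  = $_.Justification
        }
    } |
    Format-Table -AutoSize

# Export everything, the scripted equivalent of "Download results".
$decisions |
    Select-Object Id, @{n = "Principal"; e = { $_.Principal.DisplayName }},
                  Decision, Recommendation, Justification, ReviewedDateTime |
    Export-Csv -Path ".\access-review-results.csv" -NoTypeInformation
```

The "approved despite a Deny recommendation" filter is the one worth scheduling: a reviewer who keeps approving accounts that have not signed in for 30 days either knows something the decision helper does not, or is rubber-stamping, and the justification column tells you which.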
Performing periodic reviews is key when it comes to Identity management within your Entra environment. It helps you reduce the risk of unauthorized access, so if you haven’t already, make this a part of your routine!