Automating Access Review in Microsoft 365
With Microsoft 365, access to your data moves more freely than it ever has. Users can reach your organization's data from personal devices and can even invite guests to collaborate. That free-flowing access gives productivity a big boost, but it raises the security stakes just as much. How do you make sure there are no stale accounts that still have access to your environment but are no longer in use? Take another example. Say you have a user on the IT help desk. He has limited administrative rights to your Microsoft 365 tenant, just as he should. Then he gets a transfer or promotion and moves to marketing. How do you make sure his administrative access has been removed?
The answer is access reviews. With Azure AD access reviews you can review group memberships, access to applications, and role assignments. You can configure a review to recur on a regular schedule, and have its results applied automatically, so that only the right people keep access.
What licenses are required?
To use access review you'll need an Azure AD Premium P2 license or Enterprise Mobility + Security (EMS) E5 license.
How to set up access review for groups
Let's jump right into setting up an access review for a group. We'll have the group's membership reviewed monthly by the group owners, and we'll leave access unchanged for anyone the reviewers don't respond about.
1. Log in to Azure Active Directory admin center > Azure Active Directory > Identity Governance > Access reviews > New access review.
2. In Select what to review click Teams + Groups. In Review scope click Select Teams + groups. Click Select group(s). Select the group you want to review. Click Select. Click All users next to Scope. Click Next: Reviews.
3. Set the Select reviewers field to Group owner(s). Set the duration (in days) to 7. Set the Review recurrence to Monthly. Click Next: Settings.
4. Check Auto apply results to resource. Set If reviewers don't respond to No change. Click Next: Review + Create.
5. Give your access review a helpful name, then click Create.
That's it. The group owners will now receive a notification each month asking them to review the group membership. They'll have one week to respond, and because results are auto-applied, any user they deny is removed from the group when the review closes. Note that with If reviewers don't respond set to No change, a member nobody reviews keeps their membership; choose Remove access instead if you want a non-response to fail closed.
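To create the same monthly owner review without clicking through the portal, here is an added Python example (it is not from the original article) that builds the Microsoft Graph accessReviewScheduleDefinition body matching the steps above and submits it. It assumes Microsoft Graph v1.0, an OAuth bearer token with the AccessReview.ReadWrite.All permission obtained separately, and a placeholder group ID; the display name and description are illustrative. The no_response argument maps the portal's "If reviewers don't respond" choices onto Graph's defaultDecision values, so the same builder also produces the Remove access variant, and a small check flags the configurations where silence leaves access in place. Role reviews need a different scope query and are not covered by this example.

```python
"""Create a recurring Azure AD access review via Microsoft Graph.

Added example, not part of the original article. Assumptions: Graph v1.0,
a bearer token with AccessReview.ReadWrite.All supplied by the caller, and
a placeholder group ID in the __main__ block.
"""
import json
import urllib.request
from datetime import date

GRAPH_DEFINITIONS = (
    "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"
)

# Portal label for "If reviewers don't respond" -> Graph defaultDecision value
DEFAULT_DECISIONS = {
    "No change": "None",
    "Remove access": "Deny",
    "Approve access": "Approve",
}


def build_group_review(group_id, display_name, *, no_response="No change",
                       duration_days=7, auto_apply=True, start_date=None):
    """Return the request body for a monthly review of a group's members
    by the group's owners, mirroring the portal walkthrough."""
    decision = DEFAULT_DECISIONS[no_response]
    start_date = start_date or date.today().isoformat()
    return {
        "displayName": display_name,
        "descriptionForAdmins": "Monthly membership review by group owners",
        "scope": {
            # Review every (transitive) member of the group: portal "All users"
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [
            # Portal "Group owner(s)"
            {"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}
        ],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "instanceDurationInDays": duration_days,
            "autoApplyDecisionsEnabled": auto_apply,
            # A default decision only takes effect when it is enabled
            "defaultDecisionEnabled": decision != "None",
            "defaultDecision": decision,
            "recommendationsEnabled": True,
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": 1},
                "range": {"type": "noEnd", "startDate": start_date},
            },
        },
    }


def silence_keeps_access(body):
    """True when a member nobody reviews keeps their access after the review
    closes, i.e. the review does not fail closed on non-response."""
    s = body["settings"]
    return not (s["defaultDecisionEnabled"] and s["defaultDecision"] == "Deny")


def create_review(body, token):
    """POST the definition to Graph and return the created object (network call)."""
    req = urllib.request.Request(
        GRAPH_DEFINITIONS,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder group ID; no request is sent here, only the body is shown.
    body = build_group_review("00000000-0000-0000-0000-000000000000",
                              "Marketing group membership review")
    print(json.dumps(body, indent=2))
    if silence_keeps_access(body):
        print("warning: non-responses leave access in place (No change)")
```

Run it as-is to inspect the generated body; pass the body and a token to create_review to actually schedule the review. Building the body separately from sending it makes the security-relevant settings (duration, auto-apply, default decision) easy to review or unit-test before anything touches the tenant.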
How to manage access review on groups
Now that the access review is configured, what will the reviewers see, and how do they manage the group through it? Here's how it works.
1. Each reviewer receives an email notification for the review. Click Start review.
2. Check the box next to each user who is still approved for the group. Click Approve. Give the reason. Click Submit.
3. Check the box next to each user who is no longer approved for the group. Click Deny. Give the reason. Click Submit.
If a user is denied you may not see the change right away: denied users are removed when the review period ends or when an administrator stops the review.
How to set up access review on roles
Configuring an access review for a role is a bit different. The options are much the same, but they're located in different spots. This time, let's have the admins review their own access. In short, we'll remove the admin role from any user who doesn't respond. We'll configure the review to run every 7 days with a duration of 3 days.
1. Log in to Azure Active Directory admin center > All services > Azure AD Privileged Identity Management.
2. Click Azure AD roles > Access reviews > New.
3. Set the name to "Review User Admin Rights". Set the Frequency to Weekly. Set the duration to 3 days. Set the End to Never. Click Select privileged role(s). Search for User Administrator. Click User Administrator. Click Done.
4. Expand Upon completion settings. Set Auto apply results to resource to Enable. Set If reviewers don't respond to Remove access.
5. Expand Advanced settings. Set Require reason on approval to Disable.
6. Click Start.
How to manage access review on roles
Now you're set up so that admins have to approve their own role access every 7 days. What does that look like? First they'll receive an email similar to the one above, then they'll be directed to a page where they can approve their own access. Any admin who doesn't respond within the 3-day window loses the User Administrator role when the review closes.