This blog is the second in a small series on Azure AD Premium P2’s Identity Governance toolkit.

Historically, the apps, groups, and rights a user had were all under central and constant management by IT.  Azure AD and modern management have pushed this towards ‘self-service’, including guest users, which improves productivity.  The goal of Azure AD access reviews is to improve the management of user rights and access, in this modern environment, throughout their lifecycle in your tenant.  It empowers you with automated tools to control their groups, apps, and roles (admin rights).

Access reviews are managed across the Azure AD portal based on what access you’re actually reviewing.  For this reason, think of access reviews not as a product, but rather a feature of the product that opens up with appropriate licensing (covered later).

  • If you want to manage app access, you manage this from Azure AD’s access review page or its enterprise applications page.
  • If you want to manage group membership, you manage this from Azure AD’s access review page or its groups page.
  • If you want to manage roles (permissions) on Azure resources or Azure AD, you manage this from within the Privileged Identity Management page of the Azure AD portal.
  • If you want to manage entitlement management access packages, covered in Part 1 of this series, use the access package page.

Access reviews are conducted either by the user themselves or by a reviewer (sometimes called a sponsor in the case of guests).  This user does not need to be an administrator, but global admins, user admins, security admins, and security readers have permission to access reviews for which they are not the allocated reviewer.

Every access review is linked to a program (the default one if you don’t choose otherwise).  These are groups of access reviews that you might use if there is a particular requirement for the review.  For example, a compliance program.

You need Azure AD Premium P2 licenses for anyone who will be reviewing access (theirs or others’).  As with entitlement management, one licensed internal user gives you license compliance for five guest users.

Run-through

1. Navigate to the Azure AD > Identity Governance > Access reviews > Onboard.

2. Choose to Onboard Now, which enables access reviews for the Azure AD directory.  Note that if you don’t complete this step, the Overview page of access reviews will report an error Tenant is not onboarded for Access Reviews feature.  I have no idea why access reviews need to be enabled manually…

3. You are kicked out of the panes you had opened and a notification displays that onboarding is running and, very quickly, completed.  Acknowledge this and browse back to Access reviews.

4. As mentioned earlier in the article, you can create access reviews from the normal administrative page of the function you want to audit.  For example, you can create one from the groups AAD page under the activity section.  However, for this demo, I’ll work within the dedicated access reviews page and choose + New access review.

5. There are a ton of options.  Let me focus on explaining the more significant ones.

Start date controls when the access review is initiated.  The main use case for this is aligning it to a calendar week or month, for example because you anticipate different usage patterns during that window than you would get by simply accepting the default (the current date).

Frequency controls how often this access review is repeated.  That is, how often the review is initiated again using the start date as a reference point.  For example, if I choose Monday as a start date, then weekly, it’ll run every Monday.  If I choose semi-annually and start 1 January, the next runs 1 July.

Duration and end date are mutually exclusive options, and the former only applies if you choose a recurring frequency.  End date does what it says on the tin; duration is capped by the frequency’s upper limit.  For example, a weekly access review can only run for six days; an annual one can run for 360 days.  For recurring reviews, you can also control how many times in total it should run, or set a final date after which no more runs occur.

For users, you can choose all users in an enterprise app’s assignment scope, guests, groups, or everyone.  In the review screenshotted below, I’ve chosen to do an access review for everyone using an enterprise app called IIS Hello World.  Alternatively, I could limit it to guest users of the app.  Two things of note:

  • I am told about historic reviews for my choice.
  • If I scope to a selection that’s empty, the access review automatically closes itself after creation.  For example, scoping to guests when there are none.

Reviewers are the people who visit the access review page to view details of the review.  They can be named users (not groups), or the users being reviewed themselves; these modes are called assigned access review and self-access review respectively.  In the demo below, I’ve chosen self-access.

Upon completion settings control what happens after the reviewer has chosen to remove or approve access.  You have controls over what to do if the reviewer doesn’t choose anything: do nothing, remove, approve, or follow the Azure-generated recommendation (based on usage patterns).  My recommendation for the self-access review scenario is to remove access if reviewers don’t respond.

Advanced settings let you choose whether or not recommendations (mentioned above) are shown to the reviewer, whether or not justification is required (for both assigned review and self-access), and whether or not admins and reviewers get emails at the end and beginning of reviews (or reminders to action).  New to access reviews, you can also include additional custom text in those emails, for example, a quick explainer in your own words about what access reviews are or who to consult for help.
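The settings walked through above (start date, frequency, duration cap, reviewers, the default decision when nobody responds, justification, recommendations and auto-apply) all map onto one Microsoft Graph object. The following Python is an example added for this post, not code from the original article or from Microsoft: it builds the body of a Graph accessReviewScheduleDefinition for a self-review of everyone assigned to an enterprise app, enforcing the two duration caps the post quotes (six days for weekly, 360 for annual) and defaulting to the author's recommended "remove access if reviewers don't respond" setting. The scope query, the empty reviewers list as the self-review signal, and the service principal id are assumptions made for the example; the HTTP call (POST to `https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions` with an `AccessReview.ReadWrite.All` token) is left out.

```python
"""Build the request body for an Azure AD access review via Microsoft Graph.

Added example for this post, not Microsoft's sample code. It assumes the
accessReviewScheduleDefinition resource shape; the scope query and the empty
reviewers collection for self-review are assumptions to check against the
current Graph docs before use.
"""
from datetime import date

# Duration caps quoted in the post (days). Other frequencies are left uncapped
# here rather than guessed.
DURATION_CAPS = {"weekly": 6, "absoluteYearly": 360}

# Graph recurrence patterns; semi-annual is expressed as monthly with interval 6.
FREQUENCIES = {
    "weekly": {"type": "weekly", "interval": 1},
    "monthly": {"type": "absoluteMonthly", "interval": 1},
    "quarterly": {"type": "absoluteMonthly", "interval": 3},
    "semi-annually": {"type": "absoluteMonthly", "interval": 6},
    "annually": {"type": "absoluteYearly", "interval": 1},
}

DEFAULT_DECISIONS = ("None", "Approve", "Deny", "Recommendation")


def _iso(day):
    """Accept a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return day if isinstance(day, str) else date.isoformat(day)


def recurrence_range(start, end_date=None, occurrences=None):
    """Recurrence range: a final date, a fixed number of runs, or open-ended."""
    if end_date is not None and occurrences is not None:
        raise ValueError("choose either an end date or a number of occurrences")
    rng = {"startDate": _iso(start)}
    if end_date is not None:
        rng.update(type="endDate", endDate=_iso(end_date))
    elif occurrences is not None:
        rng.update(type="numbered", numberOfOccurrences=occurrences)
    else:
        rng["type"] = "noEnd"
    return rng


def build_self_review(display_name, service_principal_id, start, frequency,
                      duration_days, default_decision="Deny",
                      justification_required=True, auto_apply=True,
                      reviewer_note="", end_date=None, occurrences=None):
    """Self-review of everyone assigned to one enterprise app, defaulting to
    'remove access if the reviewer does not respond'."""
    if default_decision not in DEFAULT_DECISIONS:
        raise ValueError(f"unknown default decision {default_decision!r}")
    pattern = FREQUENCIES[frequency]
    cap = DURATION_CAPS.get(pattern["type"])
    if cap is not None and duration_days > cap:
        raise ValueError(f"{frequency} reviews may run for at most {cap} days")
    return {
        "displayName": display_name,
        "descriptionForAdmins": f"Self-review of assignments to app {service_principal_id}",
        # Custom text that is included in the reviewer emails.
        "descriptionForReviewers": reviewer_note,
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            # Assumed query for 'everyone assigned to this enterprise app'.
            "query": f"/servicePrincipals/{service_principal_id}/appRoleAssignedTo",
            "queryType": "MicrosoftGraph",
        },
        # Assumption: an empty reviewers collection makes Graph treat this as a self-review.
        "reviewers": [],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "recommendationsEnabled": True,
            "justificationRequiredOnApproval": justification_required,
            "defaultDecisionEnabled": default_decision != "None",
            "defaultDecision": default_decision,
            "instanceDurationInDays": duration_days,
            "autoApplyDecisionsEnabled": auto_apply,
            "recurrence": {
                "pattern": pattern,
                "range": recurrence_range(start, end_date, occurrences),
            },
        },
    }


if __name__ == "__main__":
    import json
    body = build_self_review(
        "IIS Hello World - weekly self-review",
        "00000000-0000-0000-0000-000000000000",  # placeholder service principal id
        "2021-01-04", "weekly", 6,
        reviewer_note="Confirm you still need this app; unanswered reviews remove access.",
    )
    print(json.dumps(body, indent=2))
```

The cap check matters because the portal only tells you about the limit when you hit it; catching it before the POST keeps a scripted rollout from failing halfway through a batch of reviews. Setting `defaultDecision` to `Deny` with `autoApplyDecisionsEnabled` on is the fail-closed combination: an ignored self-review ends in removal rather than silently retained access.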

6. The reviewer – self or someone else – receives an email advising that they must start the review and the date by which they must do so.  This comes from azure-noreply@microsoft.com, which you cannot change.  The wording in the case of self-access is a bit strange, as it asks them to do it for “one or more users”.  It would be nice if it were tuned a bit more finely between self-access and someone else reviewing.

7. After clicking Start review in the email, you are taken to My Access (myaccess.microsoft.com) if self-assessing.  If you read the first blog in this series on entitlement management, this page will be familiar as it’s also where users can manage access packages for easy onboarding to collections of apps and groups.

8. The user is simply asked if they need continued access and, if selected when the access review was created, a reason why.

9. As an administrator, navigate to the access review: Azure AD > Identity Governance > Access reviews > [access review name].

10. In the results page, I can see that my demo user has approved themselves for continued use of the app.

11. If I ran this in assigned access review mode – i.e., someone else reviewed the user’s access – their result would be displayed here.  Then, if the setting to auto-apply results to the resource were set to Enable, the result would be applied automatically.  Were it set to Disable, an administrator would need to choose Apply on the overview page.
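Steps 10 and 11 read the results page by hand; at scale you would pull the same decisions from Graph and work out, per principal, what the review is actually going to do. The Python below is an example added for this post, not code from the original article or from Microsoft. It assumes the accessReviewInstanceDecisionItem shape returned by `GET .../identityGovernance/accessReviews/definitions/{id}/instances/{id}/decisions` (fields `decision`, `applyResult`, `recommendation`, `justification`, `principal`); the records in `SAMPLE_DECISIONS` are constructed for the example. It applies the "if reviewers don't respond" fallback from step 5 to unreviewed entries, lists removals that still need an admin to press Apply when auto-apply is off, and flags self-approvals that came in without the justification the review required.

```python
"""Summarise the decisions of a finished access review instance.

Added example for this post, not Microsoft's sample code. Record shape is
assumed from Graph's accessReviewInstanceDecisionItem; SAMPLE_DECISIONS is
constructed data, not a real tenant's results.
"""

SAMPLE_DECISIONS = [
    {"principal": {"userPrincipalName": "alice@contoso.example"},
     "decision": "Approve", "recommendation": "Approve",
     "justification": "I use this app every week", "applyResult": "New"},
    {"principal": {"userPrincipalName": "bob@contoso.example"},
     "decision": "NotReviewed", "recommendation": "Deny",
     "justification": "", "applyResult": "New"},
    {"principal": {"userPrincipalName": "carol@contoso.example"},
     "decision": "Deny", "recommendation": "Deny",
     "justification": "No longer on the project", "applyResult": "New"},
    {"principal": {"userPrincipalName": "dave@contoso.example"},
     "decision": "NotReviewed", "recommendation": "Approve",
     "justification": "", "applyResult": "New"},
    {"principal": {"userPrincipalName": "erin_guest#EXT#@contoso.example"},
     "decision": "Approve", "recommendation": "NoInfoAvailable",
     "justification": "", "applyResult": "AppliedSuccessfully"},
]


def effective_decision(item, default_decision):
    """Outcome for one principal once the review closes.

    Explicit Approve/Deny stand. Anything else (NotReviewed, DontKnow,
    NotNotified) falls back to the 'if reviewers don't respond' setting.
    Assumption: 'Recommendation' with no usage data results in no action.
    """
    decision = item.get("decision")
    if decision in ("Approve", "Deny"):
        return decision
    if default_decision == "Recommendation":
        rec = item.get("recommendation")
        return rec if rec in ("Approve", "Deny") else "None"
    return default_decision


def summarize(decisions, default_decision="Deny", auto_apply=False,
              justification_required=True):
    """Bucket principals by outcome and list what still needs admin attention."""
    report = {"keep": [], "remove": [], "no_action": [],
              "awaiting_apply": [], "missing_justification": []}
    for item in decisions:
        upn = item["principal"]["userPrincipalName"]
        outcome = effective_decision(item, default_decision)
        bucket = {"Approve": "keep", "Deny": "remove"}.get(outcome, "no_action")
        report[bucket].append(upn)
        # Removals only reach the resource when auto-apply is on or an admin applies them.
        if outcome == "Deny" and not auto_apply and item.get("applyResult") == "New":
            report["awaiting_apply"].append(upn)
        # An approval with no reason given, when one was required, deserves a second look.
        if (justification_required and item.get("decision") == "Approve"
                and not item.get("justification")):
            report["missing_justification"].append(upn)
    return report


if __name__ == "__main__":
    for name, upns in summarize(SAMPLE_DECISIONS).items():
        print(f"{name:>22}: {', '.join(upns) or '-'}")
```

Run with the defaults, the constructed sample shows the point of the step-5 recommendation: two users who never answered are removed along with the one explicit denial, and all three removals sit in `awaiting_apply` until an administrator clicks Apply because auto-apply is off. Switching `default_decision` to `"Recommendation"` keeps the non-responder whose usage pattern looked healthy and removes only the one the recommendation flagged.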