Deep Dive: Azure AD Identity Governance Access Reviews
Unlock granular control over resource access with Azure Active Directory (Azure AD) Access Reviews, a core component of Identity Governance.
What are Access Reviews?
Azure AD Access Reviews lets organizations manage the identity and access lifecycle for resources such as Azure AD groups, Azure AD integrated applications, and SharePoint Online sites. It enables you to systematically review and attest that the right people have the right access to the right resources, supporting compliance and reducing security risk.
By automating the process of access reviews and recertification, Access Reviews helps organizations:
- Reduce the risk of over-privileged users.
- Ensure compliance with regulatory requirements (e.g., SOX, GDPR).
- Improve operational efficiency by automating manual review processes.
- Maintain a clear audit trail of access decisions.
Key Use Cases
Group Membership Recertification
Regularly review who is a member of critical Azure AD groups, especially those granting access to sensitive data or applications.
Application Access
Confirm that the users assigned to business-critical applications still require access and hold the appropriate permissions.
External User Access
Review access for guest users from other organizations who have been invited to collaborate, ensuring their access is still necessary.
Role Assignment Review
For roles assigned via Azure AD Privileged Identity Management (PIM), Access Reviews can help recertify assignments for eligible or active role assignments.
Policy Enforcement
Continuously verify that access aligns with defined access policies and business needs.
How It Works
Access Reviews operate on a scheduled basis. You define what resource needs to be reviewed, who performs the review, and how often it should occur. The process typically involves:
- Definition: Configure an access review for a specific group, application, or site.
- Scheduling: Set the frequency (e.g., monthly, quarterly, annually) and duration of the review.
- Assignment: Designate reviewers. This can be the resource owner, a designated group of employees, or even the users themselves (self-review).
- Notification: Reviewers receive email notifications with a link to the access review portal.
- Review: Reviewers examine the list of users and their access, approving or denying access for each user.
- Automation: Based on the defined settings, Azure AD can automatically remove access for users whose access is denied or who don't respond within the specified timeframe.
Azure AD Identity Governance provides the engine to orchestrate these reviews efficiently.
Creating an Access Review
You can create access reviews directly within the Azure portal:
- Navigate to Azure Active Directory > Identity Governance > Access Reviews.
- Click New access review.
- Select the scope: Users (for group membership, application access) or Run as program (for service principals, managed identities).
- Choose the resource type (e.g., Groups, Applications).
- Select the specific groups or applications to review.
- Configure the review settings:
  - Reviewers: Specify who will perform the review (e.g., Members, Owners, Specific users/groups).
  - Frequency: Set how often the review should repeat.
  - Duration: Define how long the review period lasts.
  - Start and end dates.
- Configure Auto-apply changes: Decide whether to automatically remove access for denied users or those who don't respond.
- Set up notifications and provide review guidance.
Here's a simplified, conceptual example of the configuration options (the key names are illustrative rather than a literal API schema):
{
  "displayName": "Quarterly Review of 'Finance Team' Group Membership",
  "scope": {
    "resourceId": "/groups/FinanceTeamGUID",
    "resourceType": "group"
  },
  "reviewers": [
    {"type": "groupOwners"}
  ],
  "frequency": "Quarterly",
  "durationInDays": 7,
  "autoApplyUponCompletion": {
    "deniedDecisionBehavior": "removeAccess",
    "notReviewedDecisionBehavior": "removeAccess"
  },
  "notifications": {
    "remindersEnabled": true,
    "reminderFrequencyInDays": 2
  }
}
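As an added example (not code from the page or from Microsoft), the conceptual snippet above translated into a request body for the Microsoft Graph v1.0 accessReviewScheduleDefinition endpoint, with the group owners as reviewers and the non-responder handling expressed through the default decision. The property names follow the v1.0 schema as assumed here (verify against the current Graph reference); the GUIDs and start date in the usage are constructed placeholders.

```python
# Microsoft Graph recurrencePattern values for settings.recurrence (v1.0 shape assumed).
FREQUENCIES = {
    "weekly": {"type": "weekly", "interval": 1},
    "monthly": {"type": "absoluteMonthly", "interval": 1},
    "quarterly": {"type": "absoluteMonthly", "interval": 3},
    "annually": {"type": "absoluteMonthly", "interval": 12},
}


def build_group_review(group_id, display_name, frequency, duration_days,
                       fallback_reviewer_ids, start_date, auto_apply=True,
                       remove_not_reviewed=True):
    """Body for POST /identityGovernance/accessReviews/definitions (owners review).
    Fallback reviewers are mandatory: an ownerless group would have nobody to
    decide, and with auto-apply every member would count as not reviewed."""
    if frequency not in FREQUENCIES:
        raise ValueError(f"unsupported frequency: {frequency}")
    if not fallback_reviewer_ids:
        raise ValueError("fallback reviewers are required when owners review")
    if duration_days < 1:
        raise ValueError("instanceDurationInDays must be at least 1")
    return {
        "displayName": display_name,
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [{"query": "./owners", "queryType": "MicrosoftGraph"}],
        "fallbackReviewers": [
            {"query": f"/users/{uid}", "queryType": "MicrosoftGraph"}
            for uid in fallback_reviewer_ids
        ],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "instanceDurationInDays": duration_days,
            # Denied users are only removed when decisions auto-apply.
            "autoApplyDecisionsEnabled": auto_apply,
            # Non-responders are removed only through a default decision of Deny.
            "defaultDecisionEnabled": remove_not_reviewed,
            "defaultDecision": "Deny" if remove_not_reviewed else "None",
            "recurrence": {
                "pattern": FREQUENCIES[frequency],
                "range": {"type": "noEnd", "startDate": start_date},
            },
        },
    }
```

The returned dictionary is what you would serialize with json.dumps and send as the POST body; AccessReview.ReadWrite.All is the permission the endpoint requires.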
Reviewing Access
When an access review is active, assigned reviewers receive an email notification. The notification includes a link to the Access Reviews portal, where they can see the list of users assigned to the resource.
For each user, reviewers can:
- Approve: Keep the user's access.
- Deny: Revoke the user's access.
- Not Sure: Leave the decision to the system or a fallback reviewer.
Clear comments explaining the decision are highly encouraged to maintain an audit trail.
Automating Actions
The power of Access Reviews is amplified by its automation capabilities:
- Automatic Removal: For users whose access is denied by a reviewer, or for users who do not respond to the review within the designated period, Azure AD can automatically revoke their access.
- Role Assignment Management: When integrated with Azure AD Privileged Identity Management (PIM), Access Reviews can manage the lifecycle of privileged role assignments, ensuring only necessary users retain elevated permissions.
- Audit Logs: All review activities, decisions, and automated actions are logged in Azure AD's audit logs, providing a comprehensive history for compliance and troubleshooting.
Best Practices
- Start Small: Begin with a few non-critical groups or applications to familiarize yourself with the process.
- Define Clear Scopes: Ensure you are reviewing the right resources.
- Assign Appropriate Reviewers: Resource owners are typically the best choice. For critical resources, consider multiple reviewers.
- Set Sensible Frequencies: Align review frequency with the sensitivity of the resource. High-risk resources may need quarterly or even monthly reviews, while less critical ones can be reviewed annually.
- Enable Auto-Apply with Caution: Understand the impact of automatically revoking access, especially for non-responders. Clearly communicate deadlines to users.
- Provide Guidance: Use the "Decision assistance and guidance" field to help reviewers make informed decisions.
- Integrate with Policies: Use Access Reviews as part of a broader identity governance strategy.
- Monitor and Report: Regularly review the results of access reviews and use the data to identify trends or potential issues.
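An added example (not code from the page or from Microsoft) serving both the Automating Actions section and the "Monitor and Report" practice above: given the decisions of one review instance, it reports who auto-apply would remove, which denials lack the justification the audit trail depends on, which "not sure" answers need follow-up, and whether reviewer non-response is high enough that auto-removal would be acting on silence. The sample records are constructed, and the field names and decision values (Approve, Deny, NotReviewed, DontKnow) are assumed to match the Graph accessReviewInstanceDecisionItem shape.

```python
from collections import Counter

# Constructed sample, shaped like Graph accessReviewInstanceDecisionItem
# records (field names and decision values assumed: Approve, Deny,
# NotReviewed, DontKnow).
SAMPLE_DECISIONS = [
    {"principal": {"displayName": "Alice"}, "decision": "Approve",
     "justification": "Finance analyst, still needs ledger access",
     "reviewedBy": {"displayName": "Owner A"}},
    {"principal": {"displayName": "Bob"}, "decision": "Deny",
     "justification": "", "reviewedBy": {"displayName": "Owner A"}},
    {"principal": {"displayName": "Carol"}, "decision": "NotReviewed",
     "justification": None, "reviewedBy": None},
    {"principal": {"displayName": "Dan"}, "decision": "DontKnow",
     "justification": "Moved teams, owner unsure",
     "reviewedBy": {"displayName": "Owner B"}},
]


def summarize_instance(decisions, default_decision="Deny",
                       non_response_threshold=0.25):
    """Report what auto-apply would do and where the review itself needs work."""
    counts = Counter(d["decision"] for d in decisions)
    total = len(decisions)
    # Access is revoked for explicit denials and, when the default decision
    # is Deny, for anyone nobody reviewed before the instance closed.
    losing_access = sorted(
        d["principal"]["displayName"] for d in decisions
        if d["decision"] == "Deny"
        or (d["decision"] == "NotReviewed" and default_decision == "Deny")
    )
    # Denials without a comment weaken the audit trail the review exists to build.
    unjustified_denials = sorted(
        d["principal"]["displayName"] for d in decisions
        if d["decision"] == "Deny" and not (d.get("justification") or "").strip()
    )
    # "Don't know" answers need a fallback reviewer or owner follow-up.
    undecided = sorted(d["principal"]["displayName"] for d in decisions
                       if d["decision"] == "DontKnow")
    not_reviewed_ratio = counts["NotReviewed"] / total if total else 0.0
    return {
        "counts": dict(counts),
        "losing_access": losing_access,
        "unjustified_denials": unjustified_denials,
        "undecided": undecided,
        # High non-response means auto-removal would act on silence, not judgement.
        "reviewer_engagement_low": not_reviewed_ratio > non_response_threshold,
    }
```

Run it against the decisions of a closed instance before the apply step, and treat a non-empty "unjustified_denials" or a "reviewer_engagement_low" flag as a reason to extend the review or escalate to the fallback reviewer rather than let the default decision apply.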
Conclusion
Azure AD Access Reviews is an indispensable tool for maintaining a secure and compliant access environment. By implementing regular, automated reviews, organizations can significantly reduce their attack surface, ensure compliance, and streamline the management of user access to critical resources.
Embrace Identity Governance with Azure AD Access Reviews to build a more robust and trustworthy digital infrastructure.