Azure AD Access Reviews

Introduction

Azure Active Directory (Azure AD) Access Reviews enables organizations to manage user access to applications, groups, and resources. It provides a structured framework for periodically reviewing and auditing who has access to what, ensuring that only the necessary permissions are granted and maintained. This is crucial for maintaining a strong security posture, meeting compliance requirements, and reducing the risk of unauthorized access.

What are Access Reviews?

Azure AD Access Reviews is a feature that allows you to create and manage review cycles for access rights. You can define who should perform the review (e.g., resource owners, managers, or specific users), what they should review, and how frequently these reviews should occur. The process typically involves:

• Defining the scope: Specify the groups, applications, or other resources for which access needs to be reviewed.
• Selecting reviewers: Choose individuals or a group to perform the review.
• Setting a schedule: Determine the frequency of reviews (e.g., weekly, monthly, quarterly, annually).
• Reviewing access: Reviewers go through the list of users with access and decide whether to maintain, remove, or request more information about each access grant.
• Taking action: Based on the review results, access can be automatically revoked or flagged for manual intervention.

Key Benefits

• Enhanced Security: Regularly audit and revoke unnecessary access, reducing the attack surface.
• Improved Compliance: Meet regulatory and compliance requirements (e.g., SOX, HIPAA, GDPR) by demonstrating control over access rights.
• Reduced Risk: Minimize the risk of data breaches and insider threats by ensuring timely removal of access for employees who change roles or leave the organization.
• Streamlined Management: Automate the access review process, saving time and effort for IT administrators and resource owners.
• Increased Visibility: Gain clear insights into who has access to critical resources.

Common Scenarios

Azure AD Access Reviews are valuable in numerous scenarios, including:

• Guest User Access: Regularly review and remove access for external users who no longer need it.
• Application Access: Ensure that users still require access to specific applications, especially those with sensitive data.
• Group Membership: Review who is a member of privileged groups (e.g., Global Administrators, specific security groups) and remove unnecessary members.
• Entitlement Management: Integrate with Azure AD Entitlement Management to review access to resources assigned through policies.
• New Hire Onboarding: While not a direct onboarding tool, access reviews ensure that the correct access is granted and then periodically validated.

How Access Reviews Work

The process typically involves the following steps:

1. Creation: An administrator creates an access review, defining the scope (e.g., a Microsoft 365 group, an Azure AD security group, or an application).
2. Reviewer Assignment: The administrator specifies who will perform the review. This can be:
   • The group/application owner(s)
   • Specific users
   • Users themselves (self-review)
3. Review Period: A start and end date for the review cycle is set, along with a recurrence pattern (e.g., monthly).
4. User Action: During the review period, assigned reviewers receive email notifications and can access the Access Reviews portal. They can approve or deny access for each user.
5. Automated Actions: If automated actions are configured, the system can automatically revoke access for users whose access is denied or not reviewed within the specified timeframe.
6. Policy Enforcement: Access reviews can enforce policies related to least privilege and separation of duties.

Getting Started

Prerequisites

To use Azure AD Access Reviews, you need:

• Azure AD Premium P2 licenses: Access Reviews is a feature of Azure AD Premium P2. Each user participating in an access review requires a license.
• Global Administrator, User Administrator, or Identity Governance Administrator role: These roles are required to create and manage access reviews.
• Appropriate permissions for reviewers: For example, if reviewing a group, the reviewer needs to be able to see group membership.

Creating an Access Review

Here’s a simplified overview of how to create an access review:

1. Navigate to the Azure portal and select Azure Active Directory.

2. In the left navigation menu, under Identity Governance, select Access Reviews.

3. Click New access review.

4. What do you want to review?: Select the type of resource (e.g., Groups, Applications).

5. Select Members: Choose specific groups, applications, or users.

6. Settings:

   • Review name: Provide a descriptive name.
   • Review frequency: Choose daily, weekly, monthly, quarterly, or annually.
   • Duration of review: Set how long the review will be open.
   • Start date: Choose when the review begins.
   • Reviewers: Select who will perform the review.
   • Auto-apply results to resource: Configure whether to automatically remove access or require manual approval.
   • Send reminder emails: Enable reminders for reviewers.

7. Click Start.

Best Practices

• Start small: Begin with less critical groups or applications to familiarize yourself with the process.
• Clear ownership: Ensure that resource owners understand their role in the review process.
• Regular cadence: Stick to a consistent review schedule.
• Automate where possible: Leverage auto-apply results for efficiency, but monitor the outcomes.
• Educate reviewers: Provide guidance to reviewers on how to make informed decisions.
• Combine with other governance tools: Integrate Access Reviews with Entitlement Management for a comprehensive access lifecycle.
• Regularly review policies: Ensure your access review policies are up-to-date with your organization's needs.