AAD Access Reviews: How to manage guest access in Azure Active Directory pt. 1
Azure B2B collaboration enables you to work with people across organizational boundaries. As an example, guest users from other tenants can be added through Office 365 applications like Microsoft Teams, Planner, and Office Groups by users, or they can be invited by administrators.
Besides the fact that you should secure guest user access with conditional access policies (e. g. require MFA for guest users to access your organizational resources), there might be also a need for compliance and governance scenarios. Depending on your configuration and line of business, the number of guest users within your tenant is likely to continue increasing, as contractors or third-parties are brought into your tenant for collaboration, so it’s important that this access is monitored regularly. Before we go into detail, there is a way to highlight stale guest users and their group membership via PowerShell outlined in this article by Tony Redmond. Guest users who no longer need access to your tenant should have their account disabled or removed as quickly as possible to reduce risk, but this is sometimes easier said than done in large tenants with dynamic business settings.
This blog covers two parts of Azure Identity Governance: Azure AD access reviews and Azure AD entitlement management. These features can help you tackle guest user management challenges as outlined above.
Azure AD access reviews
Azure AD access reviews are not just for managing guest users within your tenant: the feature enables organizations to manage group memberships, access to enterprise applications, and role assignments. The access rights of your users can be reviewed on a regular basis to make sure only the right people have access to your resources.
Reviewers for guest users can be:
- Specified reviewers: Certain users within your organization
- Group owners: Office 365 Group owners that also includes Teams
- Self-review: Guest users can review access on their own
To enable Azure AD access reviews in your tenant, login as a Global Administrator or User Administrator in the Azure portal. Select Azure Active Directory and then Identity Governance. There, you can find the access reviews as shown in the following screenshot.
Note: Each user who interacts with access reviews must have a paid Azure AD P2 license. For more information about the licensing requirements, see Azure AD B2B collaboration licensing guidance.
Create an access review
An access review can be created for a single group (Office 365 Group or security group) or multiple groups. Selecting more than one group will create multiple access reviews. Most of the configuration is relatively self-explanatory, as outlined below:
Define a review name, description, start date, frequency, scope (guest users only or everyone), select the group(s) and the reviewers.
To track and collect access reviews for different purposes, you can organize them into programs:
This enables you to prepare different reports for an auditor and you can focus on the access reviews in scope for a particular initiative.
While the process so far is straightforward, there are some advanced settings available which are worth mentioning in more detail:
- Auto apply results to resource: To automatically remove access for users that were denied, set it to ‘Enable’. To manually apply the results when the reviews completes, set it to ‘Disable’.
- If reviewers don’t respond (within the configured review period):
- No change: Leave user’s access unchanged
- Remove access: Remove user’s access
- Approve access: Approve user’s access
- Take recommendations: Take the system’s recommendation on denying or approving the user’s continued access
- Show recommendations: Show the reviewers the system recommendations based on the user’s access information.
- Require reason on approval: The reviewer has to supply a reason for approval.
- Mail notifications: Send an email notification to reviewers when an access review starts, and to administrators when a review completes.
- Reminders: Send reminders to reviewers who have not completed their review.
Start the access review
As soon as you start your access review, Azure AD will send an email to reviewers shortly after the review starts. The Identity Governance section in the Azure portal provides an overview of the configured reviews, settings, and provides log files for auditing.
Depending on your configuration, access can be reviewed either by clicking on the link you received by email or by signing in to the MyApps portal at https://myapps.microsoft.com.
The following picture shows the email notification:
The following picture shows the MyApps portal:
You can approve or deny access for one or more users, or you can accept the system recommendations. If you want to change your response, you can approve a previously denied user or deny a previously approved user until the access review has ended. If there are multiple reviewers like in the picture above, the last submitted response is recorded.
Azure AD access review provides better access management capabilities, not only for users and guest users, but also for applications.
Access reviews can be used to:
- Monitor how many users have administrative access
- If there are any invited guest users or partners that have not been removed for a certain amount of time
- When automation is not feasible, for example when users still need access after leaving the group to train their replacement
- For business-critical data access and auditing outside of the regular IT process
As not every organization has Azure P2 licenses, the use case should be more than only managing guest user access. Especially in larger organizations there can be a huge amount of Office 365 Groups and Teams with many invited guest users. It’s hard and time-consuming to manually select groups for your access reviews and you should consider a scripted solution with the Microsoft Graph API.