Azure AD access reviews allow IT administrators to review and manage users’ access to applications and data. When dealing with Microsoft applications and services, and specifically when preparing for the SC-300 Microsoft Identity and Access Administrator exam, understanding how to create and configure access reviews is essential.
Configuring Access Reviews
You can set up access reviews through the Azure Active Directory (Azure AD) portal. Here is a step-by-step guide to creating an access review:
- Sign in to Azure AD: In Azure AD, sign in with an account that has the necessary permissions (Azure AD Global Administrator or User Administrator).
- Choose Identity Governance: In the left-hand menu, select ‘Identity Governance.’
- Initiate Access Review: Click on ‘Access Reviews’ > ‘New Access Review.’
- Define Basics: Input the name of the review, select if it’s for groups or applications, and choose the specific group or application for review.
- Select Reviewers: Choose who the reviewers will be. This could be members of the group, selected individuals, or application owners.
- Set Review Frequency: Decide on the frequency of the review, either once or on a recurring basis.
- Define Settings: Configure the settings for the review. You can set a default decision for users that no reviewer acts on, decide whether to remove or block access for denied users, and more.
- Review and Create: Check your inputs and confirm the creation of the access review.
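The wizard steps above produce the same object that Microsoft Graph exposes as an access review schedule definition. The Python below is an added example, not code from the original page or from Microsoft: it builds that request body offline from the wizard’s inputs (basics/scope, reviewers, frequency, settings) and then audits the settings for combinations a defender should avoid, such as no default decision or decisions that are never auto-applied. Field names follow the Graph v1.0 accessReviewScheduleDefinition resource as I know it; the group id, reviewer ids, dates and the audit_settings helper are my own constructed placeholders, and nothing is sent to Graph.

```python
import json
from datetime import date, timedelta

# Graph v1.0 endpoint for access review schedule definitions (documented here,
# never called by this script).
GRAPH_URL = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"

# Portal frequency -> Graph patternedRecurrence pattern (type, interval).
FREQUENCIES = {
    "weekly": ("weekly", 1),
    "monthly": ("absoluteMonthly", 1),
    "quarterly": ("absoluteMonthly", 3),
    "semiannually": ("absoluteMonthly", 6),
    "annually": ("absoluteYearly", 1),
}


def build_group_review(group_id, display_name, reviewer_user_ids=(),
                       frequency="quarterly", start=date(2024, 1, 1),
                       duration_days=14, default_decision="Deny",
                       auto_apply=True, justification_on_approval=True):
    """Return the request body for a review of one group's membership.

    Mirrors the wizard: Basics (scope), Reviewers, Frequency, Settings.
    With no explicit reviewer ids the group's owners review; otherwise each
    listed user id becomes a reviewer. All ids here are placeholders.
    """
    if frequency != "once" and frequency not in FREQUENCIES:
        raise ValueError(f"unknown frequency {frequency!r}")
    if default_decision not in ("None", "Approve", "Deny", "Recommendation"):
        raise ValueError(f"unknown defaultDecision {default_decision!r}")

    if reviewer_user_ids:
        reviewers = [{"query": f"/users/{uid}", "queryType": "MicrosoftGraph"}
                     for uid in reviewer_user_ids]
    else:
        reviewers = [{"query": f"/groups/{group_id}/owners",
                      "queryType": "MicrosoftGraph"}]

    if frequency == "once":
        # A one-time review has no pattern; the range spans the single instance.
        end = start + timedelta(days=duration_days)
        recurrence = {"range": {"type": "endDate",
                                "startDate": start.isoformat(),
                                "endDate": end.isoformat()}}
    else:
        ptype, interval = FREQUENCIES[frequency]
        recurrence = {"pattern": {"type": ptype, "interval": interval},
                      "range": {"type": "noEnd", "startDate": start.isoformat()}}

    return {
        "displayName": display_name,
        "descriptionForAdmins": f"Periodic review of membership in group {group_id}",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": reviewers,
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": justification_on_approval,
            "recommendationsEnabled": True,
            "instanceDurationInDays": duration_days,
            "defaultDecisionEnabled": default_decision != "None",
            "defaultDecision": default_decision,
            "autoApplyDecisionsEnabled": auto_apply,
            "recurrence": recurrence,
        },
    }


def audit_settings(definition):
    """Flag settings under which stale access can survive a review unnoticed.

    Returns a list of finding strings; an empty list means every user gets a
    decision and that decision is applied without manual follow-up.
    """
    s = definition["settings"]
    findings = []
    if not s["defaultDecisionEnabled"]:
        findings.append("no-default-decision: unreviewed users keep their access")
    elif s["defaultDecision"] == "Approve":
        findings.append("default-approve: reviewer silence grants access")
    if not s["autoApplyDecisionsEnabled"]:
        findings.append("manual-apply: denials take effect only after an admin applies results")
    if not s["reminderNotificationsEnabled"]:
        findings.append("no-reminders: reviewers are not nudged before the end date")
    return findings


if __name__ == "__main__":
    body = build_group_review("00000000-0000-0000-0000-000000000001",
                              "Finance-Admins quarterly review")
    print(json.dumps(body, indent=2))
    print("findings:", audit_settings(body) or "none")
```

The audit mirrors the choices an administrator makes under Define Settings: a review with no default decision leaves every unreviewed user in place, which is the opposite of what a periodic review is meant to achieve.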
Perform an Access Review
The reviewers will be able to complete the access review once it starts. Based on their findings, they decide who keeps access to what.
- Launch Access Review: In Azure AD, under ‘Access Reviews’, select ‘All Reviews’ and open the review you need to act on.
- Review the Users: The list of users in scope for the review will appear. For each user, reviewers can approve or deny access or leave it undecided, add comments, and see Microsoft’s recommendation.
- Complete the Review: Once the reviewer has made their decisions, they can mark the review as completed.
Access Review for Groups
For Groups, access reviews can help ensure that only authorized individuals are members. Some of the features of access reviews for groups include:
- Ensuring the users still need access to the resources provided by their group memberships.
- Verifying guest users’ continued need for access to resources.
- Automating decisions to approve access, deny access, or take no action if no reviewer responds.
Access Review for Applications
For Applications, access reviews can validate that only approved users have roles. Some features for applications include:
- Verification that users with assigned roles still require them.
- Automation of approval, denial, or inaction for roles if no reviewer responds.
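How a review instance actually closes out, combining the reviewer actions described under Perform an Access Review with the automated approve/deny/no-action defaults listed for groups and applications, is easiest to see in code. The Python below is an added example and not part of the original page: it resolves each membership to a final decision (the reviewer’s explicit choice, otherwise the configured default of Approve, Deny or Recommendation, or left unreviewed when no default is enabled) and reports whether access is actually removed, which depends on auto-apply. The membership data is constructed, the 30-day inactivity threshold is my assumption about how the activity-based recommendation is derived, and the function and field names are mine.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumption: the recommendation treats a user with no sign-in in the last
# 30 days (or no sign-in at all) as a candidate for denial.
INACTIVITY_DAYS = 30
DECISIONS = ("Approve", "Deny", "NotReviewed")


@dataclass
class Membership:
    user: str
    last_sign_in: Optional[date]     # None means the user has never signed in
    decision: str = "NotReviewed"    # what the reviewer entered, if anything


def recommend(m: Membership, review_end: date) -> str:
    """Activity-based recommendation: Deny for inactive users, Approve otherwise."""
    if m.last_sign_in is None or (review_end - m.last_sign_in).days > INACTIVITY_DAYS:
        return "Deny"
    return "Approve"


def resolve(memberships: List[Membership], review_end: date,
            default_decision_enabled: bool, default_decision: str,
            auto_apply: bool) -> Dict[str, Tuple[str, bool]]:
    """Map each user to (final decision, access removed?).

    An explicit Approve/Deny stands. A NotReviewed entry takes the configured
    default when one is enabled (Approve, Deny, or Recommendation); with no
    default it stays NotReviewed and access is untouched. Access is removed
    only when the final decision is Deny and auto-apply is on; otherwise an
    administrator must apply the results by hand.
    """
    if default_decision_enabled and default_decision not in ("Approve", "Deny", "Recommendation"):
        raise ValueError(f"unknown default decision {default_decision!r}")
    results: Dict[str, Tuple[str, bool]] = {}
    for m in memberships:
        if m.decision not in DECISIONS:
            raise ValueError(f"{m.user}: unknown decision {m.decision!r}")
        final = m.decision
        if final == "NotReviewed" and default_decision_enabled:
            final = recommend(m, review_end) if default_decision == "Recommendation" else default_decision
        results[m.user] = (final, auto_apply and final == "Deny")
    return results


def summarize(results: Dict[str, Tuple[str, bool]]):
    """Counts per final decision plus the sorted list of users whose access was removed."""
    counts = {d: 0 for d in DECISIONS}
    removed = []
    for user, (final, was_removed) in results.items():
        counts[final] += 1
        if was_removed:
            removed.append(user)
    return counts, sorted(removed)


# Constructed sample: one group's members at the end of a review instance.
REVIEW_END = date(2024, 3, 31)
SAMPLE = [
    Membership("alice", date(2024, 3, 20), "Approve"),
    Membership("bob", date(2024, 1, 5), "Deny"),
    Membership("carol", date(2024, 3, 25)),   # not reviewed, recently active
    Membership("dave", date(2024, 1, 1)),     # not reviewed, inactive
    Membership("erin", None),                 # not reviewed, never signed in
]

if __name__ == "__main__":
    scenarios = [
        ("default=Recommendation, auto-apply on", True, "Recommendation", True),
        ("no default decision, auto-apply on", False, "None", True),
        ("default=Deny, auto-apply off", True, "Deny", False),
    ]
    for label, enabled, default, apply in scenarios:
        res = resolve(SAMPLE, REVIEW_END, enabled, default, apply)
        print(label, "->", summarize(res))
```

The three scenarios in the main block show the practical difference: with a recommendation-based default and auto-apply, the two inactive unreviewed users lose access; with no default decision they silently keep it; with auto-apply off the denials are recorded but nobody is removed until an administrator applies the results.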
Remember that creating and configuring access reviews are important steps in managing user identities and access within an organization. Through an effective access review process, you can ensure that only the right individuals have access to resources, strengthening security and compliance and reducing the risk of unauthorized access. The principles presented above feed directly into your preparation for the SC-300 Microsoft Identity and Access Administrator exam. Practice these steps to familiarize yourself with the process.
Practice Test
True/False: An access review can be configured to send the decision to users who manually approved or denied access.
- True
- False
Answer: True
Explanation: An access review can indeed be configured to notify users of the decision when their access is manually approved or denied, providing better access management and transparency.
Which application is required for administering access reviews of groups and apps?
- a. Azure Active Directory
- b. Microsoft Teams
- c. Microsoft OneDrive
- d. Power BI
Answer: a. Azure Active Directory
Explanation: Access reviews for groups and apps are administered via Azure Active Directory, which enables organizations to manage access to applications.
Single Select: Access reviews can only be performed on Azure AD roles.
- a. True
- b. False
Answer: b. False
Explanation: Access reviews aren’t only performed on Azure AD roles. They can also be performed on all users with access to an application or a membership to a group.
Multiple Select: What are the types of access reviews in Azure Active Directory?
- a. User access reviews
- b. Guest access reviews
- c. Role-based access reviews
- d. Policy-based access reviews
Answer: a. User access reviews, b. Guest access reviews, c. Role-based access reviews
Explanation: The types of access reviews in Azure Active Directory are User access reviews, Guest access reviews, and Role-based access reviews. Policy-based access review is not a type.
An access review policy can only be created by a global administrator.
- a. True
- b. False
Answer: b. False
Explanation: An access review policy can be created not only by a global administrator, but also by User access administrators, Privileged role administrators, and compliance data administrators.
Access Review decisions can be automated based on user activity.
- a. True
- b. False
Answer: a. True
Explanation: Access review decisions can indeed be automated based on users’ activity.
Single Select: What is the maximum duration an access review can be scheduled?
- a. 2 weeks
- b. 6 months
- c. 1 year
- d. Indefinitely
Answer: b. 6 months
Explanation: An access review can be scheduled to run for a maximum duration of 6 months.
Multiple Select: Which types of users can initiate access reviews in Azure AD?
- a. Guest users
- b. Admin users
- c. Delegated users
- d. All users
Answer: b. Admin users, c. Delegated users
Explanation: Only admin users and delegated users can initiate access reviews in Azure AD, according to their assigned permissions.
The review status of an access review includes “Active”, “Completing”, “Completed”, “Applied” and “Removed”.
- a. True
- b. False
Answer: a. True
Explanation: The possible states for an access review include “Active” when it’s happening, “Completing” when it’s in the process of ending, “Completed” when it has ended, “Applied” once all the access changes are done and “Removed” when the access review is deleted.
Every access review must have an owner.
- a. True
- b. False
Answer: a. True
Explanation: Every access review must have an owner who can manage it, receive the access review results and make decisions if necessary.
True/False: Automatic access reviews are strictly limited to group memberships and applications.
- True
- False
Answer: False
Explanation: While automatic access reviews are typically used for managing group memberships and applications, they can also support Azure AD roles and administrative roles.
All users within an organization may participate in an Access Review.
- a. True
- b. False
Answer: b. False
Explanation: Not all users may participate in an Access Review. The participation depends on their role and permissions.
True/False: There is no way to view past access review activities.
- True
- False
Answer: False
Explanation: Past access review activities can be viewed from the “Access reviews history” tab in Azure AD access reviews.
The “Apply results” feature for an access review in Azure AD automatically applies the results of the review to the users reviewed.
- a. True
- b. False
Answer: a. True
Explanation: This feature automatically applies the results after the review ends, removing the need to apply them manually.
It is possible to configure a ‘justification’ to be required when denying access during an access review.
- a. True
- b. False
Answer: a. True
Explanation: The ‘justification’ setting can be configured in Azure AD access reviews to require reviewers to provide a reason when denying access.
Interview Questions
What is the purpose of access reviews in Azure Active Directory?
The purpose of access reviews is to ensure resources in your organization are efficiently distributed and access is granted appropriately. It helps to apply least privilege access principles by allowing you to periodically review access to groups and applications and remove access when necessary.
Who can perform an access review in Microsoft Azure?
Access reviews can be performed by the resource owner, delegated reviewers, or the members themselves (self-review).
How can you start an access review for groups and apps in Azure AD portal?
To start an access review, navigate to the Azure portal > Azure Active Directory > Identity Governance > Access reviews > New access review.
What are the prerequisites for creating an access review?
You need an Azure Active Directory Premium P2 license and the necessary permissions to conduct access reviews. This includes being a Global Administrator or a User Administrator.
What does the “Start date” parameter mean when configuring an access review?
“Start date” is the date on which the access review begins. From this date, reviewers have the duration of the review to complete their decisions.
What do the settings “Require reason on approval” and “Require reason on denial” mean when configuring an access review?
When these settings are enabled, they require the reviewer to provide a reason when they approve or deny access during the review.
How often can access reviews occur in Microsoft Azure?
Access reviews can be a one-time event or recur regularly (daily, weekly, monthly, quarterly, or semi-annually).
What is the difference between “Reviewers” and “Select review members” when creating an access review?
“Reviewers” are the individuals conducting the review, while “Select review members” lets you choose who is under review. You can select all members or specific members to be under review.
What happens when the “Auto apply results to resource” setting is turned on in access review settings?
When “Auto apply results to resource” is turned on, the system automatically updates the user’s access based on the reviewer’s decisions after the review ends.
What are the available actions that a reviewer can take during an access review?
During an access review, a reviewer can approve or deny a user’s access to a resource. They may also select “Not Reviewed” if they choose not to make a decision.
How do you view the decisions made during an access review?
After an access review is completed, go to the Azure portal > Azure Active Directory > Identity Governance > Access reviews. Click the name of the completed review to see the decisions.
Can users under review see the decisions made on their access during an access review?
No, users under review cannot see the decisions made on their access during an access review. Only the reviewers and Azure AD administrators can see the report.
What happens if a reviewer does not complete the review by the end date?
If the “Auto apply results to resource” feature is enabled and the reviewer does not complete the review by the end date, Azure AD automatically applies the default decision that was configured when the review was set up.
How can you track the progress of an ongoing access review?
You can track the progress of an ongoing access review by going to the Azure portal > Azure Active Directory > Identity Governance > Access reviews. Click the name of the ongoing review to see its progress.
Can you terminate an access review once it has been started?
Yes, you can terminate an access review at any time before the scheduled end date. However, any decisions made up to that point will be retained.