In this post we'll look at the automated and manual responses to access review activity in Azure AD, following Microsoft's official documentation.
Access Review Overview
Access reviews in Azure AD (now part of Microsoft Entra ID Governance) give you a systematic way to re-validate who has access to what, so that users keep only the access they still need. A review can be decided by a human reviewer, or resolved by rules you configure up front when reviewers do not respond. Reviews can target membership of groups and Teams, application assignments, access package assignments in entitlement management, and Azure AD role assignments (such as Global Administrator) through Privileged Identity Management.
Automated Access Review Responses
Automated responses are the rules a review applies to entries that never received an explicit reviewer decision. When you create a review, the 'If reviewers don't respond' setting and the activity-based decision helper (recommendations) determine what happens to such entries. When the review period ends, one of the following applies:
- 1. Approve Access: the default decision is set to Approve, or the review follows recommendations and the recommendation is Approve because the user signed in within the last 30 days.
- 2. Remove Access: the default decision is set to Remove access, or the review follows recommendations and the recommendation is Deny because no sign-in was seen in the last 30 days. Entries with no response are then treated as denied.
- 3. No Action: the default decision is set to No change, so any entry without a decision is left exactly as it was.
Keep in mind that these defaults only change anything if the results are applied. Enable 'Auto apply results to resource' and the service removes denied access automatically once the review period ends; leave it off and an administrator must apply the results manually after the review completes.
Manual Access Review Responses
Manual access reviews require human judgement. The designated reviewer (the user's manager, the group owners, selected reviewers, or the users themselves in a self-review) goes through each user and decides, from the decision helpers shown in the review or from personal knowledge of the user's role, whether continued access is justified.
The reviewer can Approve, Deny, or answer Don't know, optionally adding a justification (a review can be configured to require a reason on approval); decisions and justifications are recorded and can be exported once the review completes. If a reviewer is absent or undecided, the fallback decision configured under 'If reviewers don't respond' is applied, and a fallback reviewer can be named for entries whose primary reviewer does not exist (for example, a group with no owner).
Usage Example
To exemplify, let's assume there's an access review of the members of a Team (a Microsoft 365 group). For automated handling, the settings might be thus:
- 1. If the reviewer (the user in a self-review, or the user's manager) confirms the user still requires access, it's approved.
- 2. If the reviewer doesn't respond, 'If reviewers don't respond' is set to Take recommendations, so a member with no sign-in in the last 30 days is removed and an active member is kept.
- 3. If 'If reviewers don't respond' is instead set to No change, unreviewed entries are left as they are.
For a manual review, a designated reviewer will have to review each member's record and decide whether to continue or revoke access.
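The following Python is an added example, not code from the original post or from Microsoft, that simulates how the rules above resolve each entry once a review instance ends. Field names follow the Microsoft Graph accessReviewScheduleSettings (defaultDecision, recommendationsEnabled, autoApplyDecisionsEnabled) and accessReviewInstanceDecisionItem (decision values Approve, Deny, DontKnow, NotReviewed) resources; the flat lastSignInDateTime field is an assumed simplification of Graph's sign-in insight, and the decision items are constructed sample data, not tenant output.

```python
"""Resolve access review decisions the way the 'If reviewers don't respond'
setting and the 30-day inactivity decision helper would (added example)."""
from datetime import datetime, timedelta, timezone

# Window behind the "no sign-in in the last 30 days" decision helper.
INACTIVITY_WINDOW = timedelta(days=30)

# Review settings as submitted in a Graph schedule definition (assumed values).
SETTINGS = {
    "recommendationsEnabled": True,
    "defaultDecisionEnabled": True,
    "defaultDecision": "Recommendation",   # Approve | Deny | Recommendation | None
    "autoApplyDecisionsEnabled": True,
}

REVIEW_END = datetime(2024, 3, 31, tzinfo=timezone.utc)

# Constructed decision items for one review instance (not real tenant data).
SAMPLE_ITEMS = [
    {"principal": "alice@contoso.example", "decision": "Approve",
     "lastSignInDateTime": REVIEW_END - timedelta(days=2)},
    {"principal": "bob@contoso.example", "decision": "NotReviewed",
     "lastSignInDateTime": REVIEW_END - timedelta(days=45)},
    {"principal": "carol@contoso.example", "decision": "DontKnow",
     "lastSignInDateTime": REVIEW_END - timedelta(days=5)},
    {"principal": "guest_dave@fabrikam.example", "decision": "NotReviewed",
     "lastSignInDateTime": None},
]


def recommendation(last_sign_in, review_end):
    """Activity-based recommendation: Deny when there was no sign-in in the window."""
    if last_sign_in is None or review_end - last_sign_in > INACTIVITY_WINDOW:
        return "Deny"
    return "Approve"


def resolve_decision(item, settings, review_end):
    """Effective decision for one entry: Approve, Deny or NotReviewed (no action)."""
    decision = item["decision"]
    if decision in ("Approve", "Deny"):
        return decision                       # an explicit reviewer decision always wins
    # Reviewer absent (NotReviewed) or undecided (DontKnow): use the default decision.
    if not settings["defaultDecisionEnabled"] or settings["defaultDecision"] == "None":
        return "NotReviewed"                  # 'No change': access is left as it was
    if settings["defaultDecision"] == "Recommendation":
        if not settings["recommendationsEnabled"]:
            return "NotReviewed"              # nothing to follow, so no action
        return recommendation(item.get("lastSignInDateTime"), review_end)
    return settings["defaultDecision"]        # fixed Approve or Deny


def apply_results(items, settings, review_end):
    """Map each principal to 'remove', 'keep' or 'manual'.

    'manual' means the entry was denied but auto-apply is off, so an admin
    has to apply the result by hand after the review completes.
    """
    actions = {}
    for item in items:
        outcome = resolve_decision(item, settings, review_end)
        if outcome == "Deny":
            actions[item["principal"]] = (
                "remove" if settings["autoApplyDecisionsEnabled"] else "manual")
        else:
            actions[item["principal"]] = "keep"
    return actions


if __name__ == "__main__":
    for principal, action in apply_results(SAMPLE_ITEMS, SETTINGS, REVIEW_END).items():
        print(f"{principal:30} {action}")
```

Run with 'Recommendation' as the default decision, the active user Carol keeps access even though her reviewer answered Don't know, while Bob (45 days idle) and the guest with no sign-in are removed; switching the default to 'None' leaves both idle accounts in place, which is the quiet failure mode to check for when a review "completes" but nothing changes.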
Conclusion
Understanding both automated and manual responses to access review activity plays a critical role in the Microsoft Identity and Access Administrator exam. Manual reviews ensure human scrutiny and decision-making based on personal knowledge about the user’s requirements. Automated reviews, on the other hand, rely on predefined rules for the system to follow, ensuring efficiency and consistency in maintaining security.
Whichever method you choose should be based on your organization’s requirement for security, human intervention, and review efficiency.
In the SC-300: Microsoft Identity and Access Administrator exam, both these aspects will be tested, so be ready to interpret, configure, and respond to different scenarios related to access reviews.
Practice Test
True or False: An automated access review response is a process in which system automatically grants or denies user access based on certain rules or logic.
- True
Answer: True
Explanation: Automated access reviews are carried out by a system process that determines whether users still require certain access based on specific conditions or criteria.
Which of the following would most likely require a manual response to an access review?
- A. A system determining if a user still requires access to a specific software.
- B. A manager reviewing if an employee still needs access to a particular document.
- C. An automated process checking if a user’s account has been inactive for a set period.
- D. A system checking if a user’s security credentials are up to date.
Answer: B
Explanation: While systems can automate many access review tasks, a manual review might be more appropriate when it comes to sensitive or strategic documents, which might require a personal judgment.
True or False: Access review responses, whether automated or manual, only encompass approving or denying access.
- False
Answer: False
Explanation: A reviewer can also answer Don't know, an undecided item can pass to a fallback reviewer or to a later stage of a multi-stage review, and applying the results can trigger follow-up actions such as removing a denied guest user's membership or blocking the guest from signing in before removing them from the tenant.
Which of the following is not a feature of Microsoft’s Azure Active Directory access reviews?
- A. Automated user access reviews.
- B. Manual access reviews.
- C. Real-time access response.
- D. Granting temporary access.
Answer: C
Explanation: Azure Active Directory access reviews run over a configured review period, one-time or recurring, and the results are applied when that period ends, so there is no real-time response to access. Time-bound access itself comes from the integrated entitlement management and Privileged Identity Management features, whose assignments can in turn be put under access review.
True or False: The Azure Active Directory allows the setting up of recurring access reviews.
- True
Answer: True
Explanation: Azure Active Directory lets you schedule recurring access reviews (weekly, monthly, quarterly, semi-annually, or annually), ensuring regular re-validation of user access instead of a single point-in-time check.
Which of the following scenarios does not require an access review?
- A. When a user’s role changes within the organization.
- B. When the software is updated.
- C. When a user has not accessed the system for an extended period.
- D. When a user’s security credentials expire.
Answer: B
Explanation: Software updates typically do not change who should have access and therefore do not by themselves require an access review. The other scenarios all involve a potential change in a user's need for, or right to, access to a system.
Who is typically responsible for the manual response to an access review?
- A. The system administrator.
- B. The user.
- C. The software provider.
- D. The IT department.
Answer: A
Explanation: In Azure AD the people who record manual decisions are the designated reviewers: group owners, the users' managers, selected reviewers, or the users themselves in a self-review. Of the options given, the administrator is the best fit, because an administrator configures the review, can name themselves or others as reviewers, and must apply the results manually when auto-apply is not enabled.
True or False: It is recommended to manually review access regularly for all users and all resources.
- False
Answer: False
Explanation: While regular access reviews are crucial for maintaining security, it would be impractical and inefficient to manually review access for all users and resources regularly. Automated reviews are more suitable for frequent, routine checks.
Access reviews should be performed:
- A. Only when a security breach is suspected.
- B. On a regular schedule and when significant changes occur.
- C. Only when significant changes occur.
- D. On a daily basis.
Answer: B
Explanation: Regularly scheduled access reviews, as well as reviews triggered by significant changes (like a user role change), help ensure that each user’s access rights remain appropriate and secure.
True or False: Temporary access granted during an access review needs to be manually revoked later.
- True
Answer: True
Explanation: Access reviews do not grant access themselves. Access that a reviewer keeps in place without an expiry stays until it is removed by hand or denied in a later review, so any temporary grant made outside a time-bound mechanism must be revoked manually to avoid over-exposure of sensitive data or systems. By contrast, access package assignments in entitlement management and eligible PIM assignments carry an expiry and lapse automatically.
Interview Questions
What is an access review in terms of Microsoft Identity and Access Management?
Access reviews are a feature of Azure AD Identity Governance that let administrators audit and manage users' access rights on a schedule, delegating each decision to a reviewer who knows whether the access is still needed. They ensure that the right people keep access to the right resources and that stale access is removed.
What is the significance of manual responses in access review?
Manual responses in access review are imperative if automation is not applicable or suitable to a certain audit scenario. In this case, the administrators themselves review the permissions and adapt them accordingly.
What are the benefits of automating access reviews?
Automating access reviews increases efficiency, reduces human error, and improves security. A recurring review with a default decision and auto-apply enabled re-validates access on a fixed cadence and revokes permissions that nobody confirms, reducing the risk of outdated or excessive permissions without depending on an administrator remembering to run the review.
What are the various types of access reviews in Microsoft Identity and Access Management?
Access reviews are grouped by what is being reviewed: membership of Teams and groups (including guest users only), assignments to applications, access package assignments in entitlement management, and Azure AD role and Azure resource role assignments through Privileged Identity Management.
Can access reviews be scheduled in Microsoft Identity Management?
Yes, access reviews can be scheduled. This helps in periodically reviewing and ensuring the appropriate assignment of roles within the organization.
What role do decision-makers play in the manual access review process?
Decision-makers in the manual access review process assess whether a user’s access is appropriate or needs to be adjusted. They manually review and approve or deny continued access for users.
What is the purpose of the ‘Apply to’ condition in setting up access reviews?
The 'Apply to' (review scope) setting determines which users or groups the access review covers, for example all users in the group or guest users only. It narrows the review to the population that actually needs re-validation instead of every member of the resource.
Who can create an access review in SC-300 Microsoft Identity and Access management?
Reviews of groups and applications can be created by a Global Administrator, an Identity Governance Administrator, or a User Administrator; reviews of Azure AD roles additionally require the Privileged Role Administrator role. Group owners can also create reviews of their own groups when an administrator has enabled that option.
What are the steps involved in initiating an access review?
There are generally three steps: defining the scope of the review (what resource and which users are in scope), choosing who reviews the access (and a fallback reviewer where the primary may not exist), and defining the settings for the review (recurrence, duration, the 'If reviewers don't respond' default, decision helpers, and whether results are applied automatically).
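The following Python is an added example, not code from the original post or from Microsoft, that builds those three steps as one Microsoft Graph accessReviewScheduleDefinition body and audits the settings for the weak configurations an administrator most often leaves in place. The property names follow the Graph v1.0 schema; the group and user IDs are placeholders, and the HTTP POST to https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions (with a token holding AccessReview.ReadWrite.All) is deliberately left out so the example runs offline.

```python
"""Build a Graph access review definition (scope, reviewers, settings) and
audit it for settings that weaken the review's effect (added example)."""
import json

GRAPH = "MicrosoftGraph"


def build_definition(display_name, group_id, owner_reviewers=True, fallback_user_id=None,
                     duration_days=14, default_decision="Recommendation", auto_apply=True):
    """Return the JSON-ready body for a quarterly group membership review."""
    definition = {
        "displayName": display_name,
        "descriptionForAdmins": "Quarterly review of group membership",
        "descriptionForReviewers": "Confirm each member still needs this access",
        # Step 1: scope - who is being reviewed (all transitive members of the group).
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": GRAPH,
        },
        # Step 2: reviewers - the group's owners, or each member's own manager.
        "reviewers": (
            [{"query": f"/groups/{group_id}/owners", "queryType": GRAPH}]
            if owner_reviewers
            else [{"query": "./manager", "queryType": GRAPH, "queryRoot": "decisions"}]
        ),
        # Step 3: settings - cadence, duration, and what happens on no response.
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "recommendationsEnabled": True,           # 30-day sign-in decision helper
            "instanceDurationInDays": duration_days,
            "defaultDecisionEnabled": default_decision != "None",
            "defaultDecision": default_decision,      # Approve | Deny | Recommendation | None
            "autoApplyDecisionsEnabled": auto_apply,
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": 3, "dayOfMonth": 1},
                "range": {"type": "noEnd", "startDate": "2024-04-01"},
            },
        },
    }
    if fallback_user_id:
        # Used when a primary reviewer does not exist (ownerless group, no manager).
        definition["fallbackReviewers"] = [
            {"query": f"/users/{fallback_user_id}", "queryType": GRAPH}]
    return definition


def audit_settings(definition):
    """Return human-readable findings for settings that quietly weaken the review."""
    s = definition["settings"]
    findings = []
    if not s.get("defaultDecisionEnabled") or s.get("defaultDecision") in (None, "None"):
        findings.append("no default decision: unreviewed users keep their access")
    elif s.get("defaultDecision") == "Approve":
        findings.append("default decision is Approve: reviewer silence grants access")
    if s.get("defaultDecision") == "Recommendation" and not s.get("recommendationsEnabled"):
        findings.append("defaultDecision=Recommendation requires recommendationsEnabled")
    if not s.get("autoApplyDecisionsEnabled"):
        findings.append("auto-apply off: an admin must apply results manually")
    if not s.get("recurrence"):
        findings.append("one-time review: access is never re-validated")
    if not s.get("justificationRequiredOnApproval"):
        findings.append("approvals need no justification: weak audit trail")
    uses_owners = any(r["query"].endswith("/owners") for r in definition["reviewers"])
    if uses_owners and not definition.get("fallbackReviewers"):
        findings.append("owner reviewers without fallback: ownerless groups are never reviewed")
    return findings


def to_request_body(definition):
    """Serialize the definition exactly as it would be POSTed to Graph."""
    return json.dumps(definition, indent=2)


if __name__ == "__main__":
    body = build_definition("Finance group quarterly review",
                            "00000000-0000-0000-0000-000000000001",
                            fallback_user_id="00000000-0000-0000-0000-0000000000aa")
    print(to_request_body(body))
    print("findings:", audit_settings(body) or "none")
```

The audit is the part worth keeping: a review with 'No change' as the default and auto-apply disabled looks complete in the portal yet removes nothing, and owner-based reviewers with no fallback silently skip every group that has lost its owner.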
What happens if an administrator does not respond to an access review?
If a reviewer does not respond before the review period ends, the service applies the 'If reviewers don't respond' setting configured for that review: the user's access may be removed, approved, left unchanged, or decided by the activity-based recommendation.
Can a Microsoft Identity and Access Administrator delegate the responsibility of an access review?
Yes, an administrator can delegate the responsibility of access reviews to other users or groups as reviewers.
Is it possible to perform access reviews for guest users in Microsoft Identity and Access Manager?
Yes. When creating a review of a group or Team, you can scope it to guest users only, and for denied guests you can choose whether to remove their membership or block them from signing in and then remove them from the tenant.
What are the response options in a manual review process?
The response options in a manual review process include Approve, Deny, or Don’t Know.
How can you track the progress of an ongoing access review?
You can track the progress of an ongoing access review from the access review page in the Microsoft Azure portal.
What happens once an access review is completed?
Once an access review is completed, the reviewers' decisions are applied: automatically if 'Auto apply results to resource' was enabled, otherwise by an administrator who applies them manually. Denied users lose the reviewed access, and the decisions with their justifications can be downloaded for further analysis or audit.