Access reviews are a key feature of Azure Active Directory (Azure AD) that allows organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. Using access reviews, you can govern user access by implementing controls that enforce the principle of least privilege. The configuration of access reviews requires an Azure AD Premium P2 license.
There are three types of access reviews: member, guest, and service principal reviews:
- Member Reviews: Performed to ascertain whether users still need the permissions they hold to access and operate a specific application or resource.
- Guest Reviews: Designed to examine the permissions given to guest (external) users accessing the application or resource.
- Service Principal Reviews: Review the access given to service principals (application identities) in Azure Active Directory.
When preparing for the AZ-500 Microsoft Azure Security Technologies exam, a strong grasp of configuring access reviews is vital.
Implementing an Access Review: A Step-By-Step Guide
Here’s a step-by-step guide to set up access reviews:
- Navigate to the Azure Portal and sign in with an account that has the requisite permissions.
- Select Azure Active Directory > Identity Governance > Access reviews.
- Click on + New to create a new access review.
- Input the necessary information in all the fields. You’ll have to provide details about the start date, frequency, duration, reviewers, and scope of the access review.
- After filling in all the necessary details, click on the ‘Start’ button. Azure will now commence the access review process based on the given parameters.
For instance, if you wish to review the access rights of users to a specific application, follow the same steps but, when defining the scope of the review (Step 4), select that application instead of a group.
Configuring the Access Reviews Regulatory Settings
Azure Active Directory (Azure AD) also provides settings that control how a review runs and what happens to its results:
- Require reason on approval – When turned on, reviewers must give a justification whenever they approve access.
- Auto apply results to resource – When turned on, the review results are applied automatically once the review ends; for instance, users whose access is denied are removed from the group or application without an administrator having to click Apply.
- Reminders – Email reminders can be sent to reviewers who have not yet completed their assigned access reviews.
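The portal wizard above has a one-to-one equivalent in the Microsoft Graph access reviews API, and seeing the request body makes clear what each wizard field actually sets. The following is an added example, not code from the original article: it builds the body for `POST /identityGovernance/accessReviews/definitions` (scope, reviewers, recurrence, duration, and the three settings listed above plus the "If reviewers don't respond" default decision) and optionally submits it. Field names follow Graph's `accessReviewScheduleDefinition` resource; the group and user IDs are placeholders, the mapping of the portal's quarterly/semi-annual/annual choices onto `absoluteMonthly` intervals is this example's own encoding, and nothing is sent unless a token is supplied.

```python
import json
import urllib.request
from datetime import datetime, timezone

GRAPH_DEFINITIONS_URL = (
    "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"
)

# Portal recurrence choices -> Graph recurrencePattern.  Quarterly, semi-annual
# and annual reviews are expressed here as absoluteMonthly with an interval
# (an assumed encoding; weekly/monthly are the documented forms).
RECURRENCE_PATTERNS = {
    "weekly": {"type": "weekly", "interval": 1},
    "monthly": {"type": "absoluteMonthly", "interval": 1},
    "quarterly": {"type": "absoluteMonthly", "interval": 3},
    "semiAnnually": {"type": "absoluteMonthly", "interval": 6},
    "annually": {"type": "absoluteMonthly", "interval": 12},
}

# "If reviewers don't respond" portal option -> Graph defaultDecision enum.
NO_RESPONSE_DECISIONS = {
    "noChange": "None",
    "remove": "Deny",
    "approve": "Approve",
    "recommendation": "Recommendation",
}


def build_access_review_definition(
    display_name, group_id, reviewer_user_ids, *, guests_only=False,
    recurrence="quarterly", start=None, duration_days=14,
    require_reason=True, auto_apply=True, reminders=True,
    if_no_response="remove",
):
    """Return the JSON body for POST .../accessReviews/definitions.

    Scope is one group (all transitive members, or only guest users when
    guests_only=True); reviewers are specific users given by object ID.
    """
    if recurrence not in RECURRENCE_PATTERNS:
        raise ValueError(f"unsupported recurrence {recurrence!r}")
    if not reviewer_user_ids:
        raise ValueError("at least one reviewer is required")
    start = start or datetime.now(timezone.utc)

    query = f"/groups/{group_id}/transitiveMembers"
    if guests_only:
        # Restricts the membership query to guest users (the "Guest users only" scope).
        query += "/microsoft.graph.user/?$filter=(userType eq 'Guest')"

    return {
        "displayName": display_name,
        "descriptionForAdmins": f"Recurring review of group {group_id}",
        "descriptionForReviewers": "Confirm whether each member still needs this access.",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": query,
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [
            {"query": f"/users/{uid}", "queryType": "MicrosoftGraph"}
            for uid in reviewer_user_ids
        ],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": reminders,           # "Reminders"
            "justificationRequiredOnApproval": require_reason,   # "Require reason on approval"
            "recommendationsEnabled": True,                      # show sign-in based recommendations
            "autoApplyDecisionsEnabled": auto_apply,             # "Auto apply results to resource"
            "defaultDecisionEnabled": if_no_response != "noChange",
            "defaultDecision": NO_RESPONSE_DECISIONS[if_no_response],
            "instanceDurationInDays": duration_days,             # how long each instance stays open
            "recurrence": {
                "pattern": RECURRENCE_PATTERNS[recurrence],
                "range": {"type": "noEnd",
                          "startDate": start.strftime("%Y-%m-%dT%H:%M:%SZ")},
            },
        },
    }


def create_access_review(definition, access_token):
    """POST the definition to Microsoft Graph and return the created object.

    The token needs AccessReview.ReadWrite.All; this is the only function
    that touches the network.
    """
    req = urllib.request.Request(
        GRAPH_DEFINITIONS_URL,
        data=json.dumps(definition).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder IDs; a real run substitutes real object IDs and a token.
    body = build_access_review_definition(
        "Quarterly review of guests in Finance-Contractors",
        group_id="00000000-0000-0000-0000-000000000001",
        reviewer_user_ids=["00000000-0000-0000-0000-0000000000aa"],
        guests_only=True,
    )
    print(json.dumps(body, indent=2))
```

Note that leaving `if_no_response="noChange"` (the portal default) means an unanswered review silently keeps every member; for privileged groups the safer choice is `remove` or `recommendation`, and `auto_apply=True` so the decision is actually enforced rather than waiting for someone to press Apply.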
The aforementioned settings and review setup steps are essential for the AZ-500 Microsoft Azure Security Technologies exam and should be understood thoroughly.
Understanding the Results of an Access Review
Once an access review is completed, you can analyze the results on the access review page. The ‘Results’ tab shows each reviewer’s decision next to the system’s recommendation. Decisions fall into four categories:
- Approve: The user’s access has been approved.
- Deny: The user’s access has been denied.
- Not Reviewed: The user’s access wasn’t reviewed.
- Don’t know: The reviewer wasn’t sure about the user’s access.
In addition, the access review page has buttons to download the decisions and recommendations (for offline analysis or audit evidence) and to apply the review results if they were not applied automatically.
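Before pressing Apply it is worth triaging the decisions rather than just reading the counts, because an approval that contradicts a Deny recommendation, an approval with no justification, and an unreviewed member all leave access in place. The following is an added example, not code from the original article: it takes a list of decision items in the shape returned by `GET .../accessReviews/definitions/{id}/instances/{id}/decisions` (field names follow Graph's `accessReviewInstanceDecisionItem`), summarizes them by the four categories above, and lists the items a practitioner should look at, taking the review's default decision into account. The sample decisions are constructed for the example.

```python
from collections import Counter

DECISION_VALUES = ("Approve", "Deny", "NotReviewed", "DontKnow")

# Constructed sample of decision items for one review instance.
SAMPLE_DECISIONS = [
    {"principal": {"displayName": "Alice"}, "decision": "Approve",
     "recommendation": "Approve", "justification": "Still on the project",
     "reviewedBy": {"displayName": "Bob (group owner)"}},
    {"principal": {"displayName": "Carol"}, "decision": "Approve",
     "recommendation": "Deny", "justification": "",
     "reviewedBy": {"displayName": "Bob (group owner)"}},
    {"principal": {"displayName": "Dan"}, "decision": "Deny",
     "recommendation": "Deny", "justification": "Left the team",
     "reviewedBy": {"displayName": "Bob (group owner)"}},
    {"principal": {"displayName": "Eve"}, "decision": "NotReviewed",
     "recommendation": "Deny", "justification": None, "reviewedBy": None},
    {"principal": {"displayName": "Frank"}, "decision": "DontKnow",
     "recommendation": "NoInfoAvailable", "justification": "New hire?",
     "reviewedBy": {"displayName": "Bob (group owner)"}},
]


def summarize_decisions(decisions):
    """Count decisions per category, in the order shown on the Results tab."""
    counts = Counter(item["decision"] for item in decisions)
    return {value: counts.get(value, 0) for value in DECISION_VALUES}


def retained_after_apply(item, default_decision="None"):
    """Whether the principal keeps access once results are applied.

    Approve and DontKnow leave access in place, Deny removes it, and
    NotReviewed follows the review's default decision: "None" keeps access,
    "Deny" removes it, "Approve" keeps it, "Recommendation" uses the
    system recommendation attached to the item.
    """
    decision = item["decision"]
    if decision == "NotReviewed":
        if default_decision == "Recommendation":
            decision = item.get("recommendation") or "NoInfoAvailable"
        else:
            decision = default_decision
    return decision != "Deny"


def flag_findings(decisions, default_decision="None"):
    """Return (principal, reason) pairs worth a second look before applying."""
    findings = []
    for item in decisions:
        name = item["principal"]["displayName"]
        decision = item["decision"]
        recommendation = item.get("recommendation")
        if decision == "Approve" and recommendation == "Deny":
            # Recommendations are based on recent sign-in activity, so this
            # reviewer kept a principal the system considers inactive.
            findings.append((name, "approved despite a Deny recommendation"))
        if decision == "Approve" and not (item.get("justification") or "").strip():
            findings.append((name, "approved without a justification"))
        if decision in ("NotReviewed", "DontKnow") and retained_after_apply(item, default_decision):
            findings.append((name, f"{decision}: access is retained when results are applied"))
    return findings


if __name__ == "__main__":
    print(summarize_decisions(SAMPLE_DECISIONS))
    for name, reason in flag_findings(SAMPLE_DECISIONS, default_decision="None"):
        print(f"{name}: {reason}")
```

Run against the sample with the default decision left at "None", Carol is flagged twice, and Eve and Frank are flagged because nobody's decision removes them; switching the default decision to "Deny" or "Recommendation" drops Eve from the list, which is exactly the difference the "If reviewers don't respond" setting makes.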
Therefore, understanding and configuring access reviews is pivotal in managing user access and maintaining a secure environment in Azure AD. It is an imperative topic for the AZ-500 Microsoft Azure Security Technologies exam preparation, with hands-on practice being highly beneficial. Remember, a well-implemented access review can go a long way in securing resources and applications in your Azure environment.
Practice Test
True/False: Access Reviews is a feature of Azure Active Directory to help administrators maintain an accurate list of users with access to applications and other resources.
- True
- False
Answer: True.
Explanation: Azure Access Reviews is a feature designed to allow administrators to review and manage users’ access rights to various resources, reducing the risks associated with inappropriate access.
Which of the following are options for the frequency of Access Reviews? (Multi-select)
- a) Annually
- b) Once
- c) Monthly
- d) Weekly
Answer: a, b, c, d.
Explanation: Azure Access Reviews allows the frequency to be set to one time, weekly, monthly, quarterly, semi-annually, or annually, so all four options listed are valid.
True/False: You can configure the access review to include only external or all users.
- True
- False
Answer: True.
Explanation: Azure Access Reviews can be set up to review the access of all users or only users who are external to the organization.
Which of the following can Azure Access Reviews be used for? (Multi-select)
- a) Azure AD roles
- b) Azure AD group memberships
- c) Remote desktop access
- d) Azure subscriptions
Answer: a, b.
Explanation: Azure Access Reviews can review Azure AD roles and Azure AD group memberships (as well as application access and, through Privileged Identity Management, Azure resource role assignments). They do not manage remote desktop access, and an Azure subscription is not itself a reviewable object, only the role assignments on it are.
True/False: Only Global Administrators are able to configure Access Reviews.
- True
- False
Answer: False.
Explanation: In addition to Global Administrators, User Administrators and Identity Governance Administrators can configure access reviews of groups and applications, Privileged Role Administrators can configure reviews of Azure AD roles, and group owners can create reviews for their own groups if the tenant allows it.
Who can take action on the decisions of an access review? (Single-select)
- a) Only Global Administrators
- b) The person who initiated the access review
- c) All users in the organization
- d) Both a and b
Answer: d.
Explanation: The decisions of an access review can be applied by Global Administrators and by the person who created the review (other administrator roles that can create reviews can apply results too); ordinary users and reviewers cannot apply them.
In Azure Access Reviews, what does “apply to guest users” mean? (Single-select)
- a) Only guest users will be reviewed
- b) None of the guest users will be reviewed
- c) All users including guest users will be reviewed
Answer: a.
Explanation: When the review scope is set to guest users only during configuration, the access review covers only guest (external) users; the alternative scope is everyone in the group or application.
True/False: Recurrence in access review refers to how frequently the access review should occur.
- True
- False
Answer: True.
Explanation: Recurrence in Azure Access Reviews specifies how often a new review instance is started, which can be one time, weekly, monthly, quarterly, semi-annually, or annually.
How can users’ access be reviewed in Azure AD? (Multi-select)
- a) Manually by administrators
- b) Self-review by users
- c) Automated by AI
- d) None of the above
Answer: a, b.
Explanation: Reviews are performed either by the reviewers selected when the review is created (administrators, group owners, or other designated users) or by users reviewing their own access. Azure AD does not make the decisions itself; it only provides recommendations based on recent sign-in activity, which a reviewer (or the review’s default decision for unanswered items) can adopt.
True/False: An access review can be scoped to all users.
- True
- False
Answer: True.
Explanation: It is possible to scope an access review to all users or only specific ones such as guests.
Interview Questions
What is the main purpose of configuring Access Reviews in Azure?
Access Reviews in Azure primarily serve the purpose of providing regular reviews of user accesses within your organization. This service reduces the risk related to users having access that they no longer need, thus improving the overall security posture.
What Azure service is responsible for managing and implementing access reviews?
The Azure Active Directory (Azure AD) is responsible for managing and implementing access reviews.
Who can start an access review in Azure?
An access review is created and started by an administrator holding an appropriate role (Global Administrator, User Administrator, or Identity Governance Administrator; Privileged Role Administrator for reviews of Azure AD roles), or by a group owner when the tenant allows owners to create reviews for their own groups. Reviewers make decisions within a review but do not start it.
Can you automate the access review process in Azure?
Yes. A recurring review runs automatically on its schedule, recommendations based on sign-in inactivity can be applied to users whose reviewers do not respond, and with auto-apply enabled the resulting removals are enforced without an administrator pressing Apply.
What Azure feature lets an access review cover multiple resources at once?
A single access review can be scoped to multiple groups at once, and the Microsoft Graph access reviews API lets you create review definitions programmatically for as many resources as you need.
How can you see and analyze the results of an access review?
You can download the results of an access review from Azure Active Directory and then analyze using your own tools. Also, summary data is available directly in the Azure portal.
What access levels can be reviewed with Azure’s Access Reviews?
Azure’s Access Reviews can be used to review group memberships, access to applications, Azure AD (directory) roles, and Azure resource roles assigned through Privileged Identity Management.
How can you decide the frequency of Access Reviews?
While configuring an access review you choose a recurrence (one time, weekly, monthly, quarterly, semi-annually, or annually), a start date and optional end, and a duration in days for which each review instance stays open to reviewers.
Can you use Access Reviews with guest user access?
Yes, Access Reviews can be utilized to review guest user access as well.
What is required to configure access reviews in an Azure AD tenant?
Configuring access reviews requires Azure AD Premium P2 (included in Microsoft 365 E5 and EMS E5) for the users in scope of the review. Azure AD Premium P1 does not include access reviews, and there is no separate access reviews add-on for P1.
Is it possible to configure access reviews for Azure AD connected applications?
Yes, it is possible to configure access reviews for applications that are connected to Azure AD.
How can you remove access based on the results of an access review?
Azure allows automatic removal of user access based on the results of an access review or the revocation can be done manually.
What happens to a user’s access if the reviewer doesn’t respond in the stipulated time?
The review’s “If reviewers don’t respond” setting decides: no change, remove access, approve access, or take the system recommendation. Since “no change” leaves unreviewed access in place, “remove access” or “take recommendations” is the safer choice for privileged groups.
Can you stop a currently ongoing access review?
Yes, a running access review can be stopped early from its page in the portal; the decisions recorded up to that point can still be applied.
What will happen in Azure if a user is found to have unnecessary or excessive access after review?
If a user is found to have unnecessary or excessive access, their access can be revoked based on the review and the configuration settings in Azure.