Access reviews in Azure AD identity governance are periodic reviews to assess users’ access to applications and group membership. Access reviews are essential to minimize risks that come with unwanted and unnecessary access to applications and data.
The ability to perform these reviews is crucial in managing identity and access effectively, which makes this a vital part of the MS-100 exam.
II. Key Concepts
There are several key principles to comprehend when planning and implementing access reviews:
- Reviewers: Those assigned to perform the access review. They can be individual users, group owners, resource owners, or the users themselves (self-review).
- Frequency: Reviews can run continuously or recur annually, semi-annually, quarterly, monthly, or weekly, depending on the security needs of your organization.
- Scope: This could be narrowly set to cover specific apps and groups or could be broadly applied across the organization.
III. Planning Access Reviews
Proper planning for access reviews involves understanding the unique needs of the organization. Factors that you need to consider are the type of access that requires review, who should be reviewers, what will be the review frequency, and what is an appropriate scope for the review.
A comprehensive planning table might look like this:
| Review Type | Reviewer | Frequency | Scope |
|---|---|---|---|
| Application Access | App Owners | Quarterly | Specific Apps |
| Group Memberships | Group Owners | Semi-Annual | All Groups |
| External Users | Resource Owners | Annual | All Resources |
IV. Implementing Access Reviews
In Azure AD, you can create and manage access reviews through the Azure portal, through the Microsoft Graph API, or via PowerShell.
For instance, to create an access review through the Azure portal:
- Navigate to Azure Active Directory -> Identity governance -> Access reviews
- Click on “+ New” to begin a new access review
- Fill in the required details including name, description, start date, frequency, and duration
- Specify the reviewers and the scope
- Click “Start” to begin the access review
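The same review can be created programmatically. The following is an added example (not Microsoft's code and not part of the original page) that turns the "Group Memberships" row of the planning table above into the JSON body the Microsoft Graph access review definitions endpoint expects: the group's transitive members are the scope, the group's owners are the reviewers, and the frequency is mapped to a Graph recurrence pattern. The endpoint, permission name and field names follow the Graph v1.0 `accessReviewScheduleDefinition` resource; the group ID is a constructed placeholder, and the period-length table used for the duration sanity check is an assumption of this example.

```python
"""Build a Microsoft Graph accessReviewScheduleDefinition body from a
planning-table row.  Added example, not Microsoft's code; the JSON shape
follows the Graph v1.0 accessReviewScheduleDefinition resource and the
group ID used at the bottom is a constructed placeholder."""
import json
from datetime import date

GRAPH_DEFINITIONS_URL = (
    "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"
)
# Permission the caller needs in order to POST a definition.
REQUIRED_PERMISSION = "AccessReview.ReadWrite.All"

# Frequencies from the planning table -> Graph recurrence patterns.
FREQUENCY_PATTERNS = {
    "weekly": {"type": "weekly", "interval": 1},
    "monthly": {"type": "absoluteMonthly", "interval": 1},
    "quarterly": {"type": "absoluteMonthly", "interval": 3},
    "semi-annual": {"type": "absoluteMonthly", "interval": 6},
    "annual": {"type": "absoluteMonthly", "interval": 12},
}

# Rough length of one recurrence period in days (assumption of this example),
# used only to check that an instance ends before the next one starts.
PERIOD_DAYS = {"weekly": 7, "monthly": 28, "quarterly": 90,
               "semi-annual": 180, "annual": 365}


def build_group_membership_review(group_id, display_name, frequency,
                                  duration_days=14, default_decision="Deny",
                                  start=None):
    """Return the POST body for a recurring review of a group's members,
    reviewed by the group's owners (the 'Group Memberships' table row)."""
    freq = frequency.lower()
    if freq not in FREQUENCY_PATTERNS:
        raise ValueError(f"unsupported frequency: {frequency}")
    if default_decision not in ("Approve", "Deny", "Recommendation"):
        raise ValueError(f"unsupported default decision: {default_decision}")
    if duration_days >= PERIOD_DAYS[freq]:
        raise ValueError("review duration must be shorter than the recurrence period")
    start = start or date.today()
    return {
        "displayName": display_name,
        "descriptionForAdmins": f"{frequency} review of the members of group {group_id}",
        "descriptionForReviewers": "Confirm that each member still needs this group.",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [
            {"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}
        ],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "defaultDecisionEnabled": True,
            "defaultDecision": default_decision,  # applied to anyone not reviewed
            "instanceDurationInDays": duration_days,
            "autoApplyDecisionsEnabled": True,    # apply results without a manual step
            "recommendationsEnabled": True,
            "recurrence": {
                "pattern": FREQUENCY_PATTERNS[freq],
                "range": {"type": "noEnd", "startDate": start.isoformat()},
            },
        },
    }


if __name__ == "__main__":
    body = build_group_membership_review(
        "00000000-0000-0000-0000-000000000001",  # constructed placeholder group ID
        "Semi-annual review: Finance-Admins members", "Semi-Annual")
    print(f"POST {GRAPH_DEFINITIONS_URL}  (requires {REQUIRED_PERMISSION})")
    print(json.dumps(body, indent=2))
```

The body is what you would send with a bearer token in an HTTP POST; the helper deliberately refuses a review window that is longer than the gap between instances, because overlapping instances leave reviewers with two open reviews of the same members. The default decision of `Deny` mirrors the conservative choice discussed later on this page for reviewers who never respond.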
V. Managing Access Reviews
Once an access review is created, it can be managed through the Azure portal. This includes monitoring its progress, sending reminder emails to reviewers, stopping a review that is in progress, and so on.
To conclude, mastering the concept of planning and implementing access reviews in Azure AD identity governance is critical for securing access to company resources and passing the MS-100 Microsoft 365 Identity and Services exam. Ensure that you not only understand this theoretically but also gain practical experience by performing access reviews.
Practice Test
True or False: An access review in Azure AD Identity Governance can be used to review user access to applications and licenses.
- True
- False
Answer: True
Explanation: An access review in Azure AD Identity Governance provides administrators with the ability to review user access to applications, group memberships, and licenses in order to ensure that the correct users have access to the correct applications.
In Azure Active Directory, who can perform an access review?
- a) Administrators exclusively
- b) Users excluding administrators
- c) Both administrators and non-administrator users
- d) Non-administrator users exclusively
Answer: c) Both administrators and non-administrator users
Explanation: Depending on the configuration, both administrators and non-administrator users can perform access reviews in Azure AD.
Access reviews in Azure AD Identity Governance can be scheduled to recur. True or False?
- True
- False
Answer: True
Explanation: Access reviews can be scheduled to recur on a daily, weekly, monthly, or custom basis depending on the requirements of the organization.
You can create access reviews for guests or external users in the Azure Active Directory. True or False?
- True
- False
Answer: True
Explanation: Azure AD Identity Governance allows access reviews for guests or external users to ensure secure and appropriate access.
Which feature in Azure AD Identity Governance allows you to define the policy that users must follow when requesting access to resources?
- a) Access Reviews
- b) Entitlement Management
- c) Identity Protection
- d) Terms of use
Answer: b) Entitlement Management
Explanation: Entitlement Management allows you to define the access package and policy that users must follow when requesting access to resources.
Are Azure AD Administrator roles included in the access review in Azure AD Identity Governance?
- Yes
- No
Answer: Yes
Explanation: Azure AD roles can be included in the access review which enables administrators to review a user’s administrative roles regularly.
Can an access review be performed for a single user in Azure AD Identity Governance?
- Yes
- No
Answer: No
Explanation: An access review in Azure AD Identity Governance cannot be performed just for a single user. It must be done for a group of users or for an application.
Which of the following can be a reviewer for an access review in Azure AD Identity Governance?
- a) Group Owner
- b) Selected User
- c) Self
- d) All of the above
Answer: d) All of the above
Explanation: In access reviews, administrators can select group owners, individual users, or even allow users to self-review their access.
In Azure AD Identity Governance, does the access review include service principals?
- Yes
- No
Answer: No
Explanation: In Azure AD Identity Governance, the access review does not include service principals. It only includes users and groups.
Is it mandatory to configure a justification for approval or denial in an access review?
- Yes
- No
Answer: No
Explanation: Although it is recommended for understanding and transparency, it is not mandatory to configure a justification for approval or denial in an access review.
You can enforce an access review decision even before the access review completion. True or False?
- True
- False
Answer: False
Explanation: The enforcement of an access review decision can’t take place until the review is fully completed.
Azure AD Identity Governance access reviews can be built upon Privileged Identity Management (PIM) roles. True or False?
- True
- False
Answer: True
Explanation: Azure Access reviews can be performed regularly on privileged roles which were assigned through Azure AD Privileged Identity Management (PIM).
In Access Review, what does ‘apply results’ mean?
- a) Start the review
- b) Save the review
- c) Implement the decisions from the review
- d) Discard the review
Answer: c) Implement the decisions from the review
Explanation: ‘Apply results’ allows the implementation of the decisions made from the review i.e., any changes such as role removal or access denial are enacted.
You cannot create and manage access reviews without an Azure AD Premium P2 license. True or False?
- True
- False
Answer: True
Explanation: Access reviews are a part of Azure AD Premium P2. Therefore, to create and manage access reviews, you need an Azure AD Premium P2 license.
Global Administrators and User Administrators are the only roles that can create and manage access reviews. True or False?
- True
- False
Answer: False
Explanation: In addition to Global Administrators and User Administrators, roles such as Compliance Administrator, Compliance Data Administrator, and Security Administrator can also create and manage access reviews.
Interview Questions
What is the main purpose of implementing access reviews in Azure AD Identity Governance?
The main purpose is to regulate who has access to certain data and applications, and to review sensitive access privileges on a regular basis to ensure they are still necessary and appropriate.
What is one of the primary features of Azure AD access reviews?
One of its primary features is that it can automatically review member assignments for access and can help organisations manage group membership efficiently.
What role should a user generally have to create an access review in Azure AD?
The user needs to have one of these roles: Global Administrator, User Administrator, or a custom role with the right permissions.
Can we perform access review for the guest accounts in Azure Active Directory?
Yes, Azure AD access review not only allows you to review and manage the access of employees but it can also help in managing guest users’ access.
What are decisions in the Access Review’s context?
Decisions are the outcomes of an Access Review. The reviewers could make decisions like Approve, Deny, or Don’t know.
What happens if the user does not respond to the access review request?
If the user does not respond within the stipulated time, Azure AD can be configured to take a default action of ‘Approve’ or ‘Deny’.
What is a periodic access review?
A periodic access review is scheduled to automatically recur at a frequency defined by the organization, allowing for regular review of access permissions.
How does Azure AD handle conflicted access review results?
With conflicting results, Azure AD follows a ‘deny if any conflict’ rule. If any reviewer denies access, Azure AD denies the access, overriding any prior approval.
Can Azure AD Access Reviews verify application access within the corporate network?
Yes, Azure AD Access Reviews can be used to verify whether access to certain applications, both in and out of the corporate network, is still required.
What is the use of Microsoft Graph APIs in relation to Azure AD Access Reviews?
Microsoft Graph APIs can be used to create, read, update, and delete access reviews, decisions, and settings programmatically.
Does Azure AD allow self-review as an access review process?
Yes, Azure AD includes the option for self-review where users can validate their own access.
Who can be assigned as a reviewer in an access review process?
In the access review setting, you can assign individuals or groups as reviewers, or assign the review back to the resource owners or the users themselves.
Can I apply additional filters when performing Azure AD Access reviews?
Yes, additional filters such as ‘Sign-in frequency’ can be used to further refine and focus access reviews on high-risk users.
Can we review all types of applications using Azure AD Access reviews?
Yes, Azure AD access review can review access to all Azure AD integrated applications, including Office 365, SaaS, and on-premises applications.
What happens on completion of an access review?
At the end of the review, the system will apply the decision (Approve or Deny), and access will be granted or revoked based on that decision.
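The decisions, default-action and completion questions above describe what happens when results are applied. The following added example (not Microsoft's code and not part of the original page) models that step: it takes the decision items of one review instance, resolves each principal to a final outcome using the review's default-decision settings, and reports which principals would keep or lose access and which approvals lack the justification the settings require. The record fields mirror the Graph `accessReviewInstanceDecisionItem` resource (`principal`, `decision`, `recommendation`, `justification`, `reviewedBy`); the decision items and settings are constructed, and the `NoChange` outcome is this example's name for "access is left as it was".

```python
"""Model what 'apply results' does at the end of an access review instance.
Added example, not Microsoft's code.  The record shape mirrors the Graph
accessReviewInstanceDecisionItem fields; all sample data is constructed."""

VALID_DECISIONS = {"Approve", "Deny", "DontKnow", "NotReviewed", "NotNotified"}

# Constructed decision items for one instance of a group-membership review.
SAMPLE_DECISIONS = [
    {"principal": {"displayName": "Alice Adams"}, "decision": "Approve",
     "recommendation": "Approve", "justification": "Still on the finance team",
     "reviewedBy": {"displayName": "Owner One"}},
    {"principal": {"displayName": "Bob Brown"}, "decision": "Deny",
     "recommendation": "Deny", "justification": "Moved to marketing",
     "reviewedBy": {"displayName": "Owner One"}},
    {"principal": {"displayName": "Carol Chen"}, "decision": "NotReviewed",
     "recommendation": "Approve", "justification": "", "reviewedBy": None},
    {"principal": {"displayName": "Dan Diaz"}, "decision": "Approve",
     "recommendation": "Deny", "justification": "",
     "reviewedBy": {"displayName": "Owner Two"}},
    {"principal": {"displayName": "Eve Evans"}, "decision": "DontKnow",
     "recommendation": "Deny", "justification": "",
     "reviewedBy": {"displayName": "Owner Two"}},
]

# Review settings as they appear on the schedule definition (constructed).
SAMPLE_SETTINGS = {
    "defaultDecisionEnabled": True,
    "defaultDecision": "Deny",            # Approve | Deny | Recommendation
    "justificationRequiredOnApproval": True,
}


def resolve_decision(item, settings):
    """Return 'Approve', 'Deny' or 'NoChange' for one principal.

    An explicit Approve/Deny always wins.  Anything else (NotReviewed,
    DontKnow, NotNotified) takes the default decision if one is enabled;
    a default of 'Recommendation' uses the system recommendation, and with
    no default the principal's access is left exactly as it was."""
    decision = item["decision"]
    if decision not in VALID_DECISIONS:
        raise ValueError(f"unknown decision value: {decision}")
    if decision in ("Approve", "Deny"):
        return decision
    if not settings.get("defaultDecisionEnabled"):
        return "NoChange"
    default = settings.get("defaultDecision")
    if default == "Recommendation":
        rec = item.get("recommendation")
        return rec if rec in ("Approve", "Deny") else "NoChange"
    if default in ("Approve", "Deny"):
        return default
    return "NoChange"


def apply_results(items, settings):
    """Group principals by what applying the results would do to them, and
    list approvals that lack the justification the settings require."""
    outcome = {"keep": [], "remove": [], "unchanged": [],
               "missing_justification": []}
    for item in items:
        name = item["principal"]["displayName"]
        final = resolve_decision(item, settings)
        bucket = {"Approve": "keep", "Deny": "remove"}.get(final, "unchanged")
        outcome[bucket].append(name)
        if (item["decision"] == "Approve"
                and settings.get("justificationRequiredOnApproval")
                and not item.get("justification")):
            outcome["missing_justification"].append(name)
    return outcome


if __name__ == "__main__":
    result = apply_results(SAMPLE_DECISIONS, SAMPLE_SETTINGS)
    for bucket, names in result.items():
        print(f"{bucket:22s} {', '.join(names) or '-'}")
```

Running the sample shows why the default decision matters: with `Deny` as the default, the member nobody looked at (Carol) and the one marked "Don't know" (Eve) both lose access when results are applied, whereas with the default disabled they keep whatever they had, and a reviewer who clicked Approve without a justification (Dan) is flagged for follow-up rather than silently accepted.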