One area you will need to understand is managing Azure Active Directory (Azure AD) access reviews for members and guests. Access reviews in Azure AD are a key part of governance strategies within Microsoft 365 and Teams. Admins can review users’ access to applications, groups, and roles to ensure that only the appropriate individuals have access, thereby reducing the risk of unnecessary or risky access.

Understanding Members and Guests

Before you can manage Azure AD access reviews for members and guests, it’s important to understand what these roles entail in Microsoft Teams.

  • Members: Members are often internal users within an organization. They can be a part of multiple teams and have permissions such as adding guests, editing sent messages, and deleting sent messages.
  • Guests: Guests are typically external users or users from outside the organization. They have fewer permissions than members, and Teams admins can control those permissions.

Understanding Azure AD Access Reviews

Azure AD Access Reviews is a feature that allows organizations to manage and control user access to groups, applications, and privileged roles. Performed by group owners or designated reviewers, these access reviews ensure users have appropriate access to resources.

During a review, the reviewer can:

  • Approve or deny a user’s continued access
  • See the recommendation from Azure AD

Creating Access Reviews

To create an access review, you need to follow these steps:

  1. Sign in to the Azure portal as a Global Administrator or User Administrator.
  2. Go to Azure Active Directory > Identity Governance > Access Reviews.
  3. Click on ‘New Access Review’ and fill in the required fields.
  4. Under ‘Reviewers’, decide who will perform the review. You can choose either selected reviewers, members (self), or even guests (self) in Teams.
  5. Click ‘Start’ to initiate the review.

Managing Access Reviews

To manage ongoing access reviews, navigate to Azure Active Directory > Identity Governance > Access Reviews > Access reviews. Here you will find a list of all ongoing and past access reviews. You can filter and sort this list for easy reference.

For instance, if you want to review all the guests who have access to a specific team:

  1. Go to Azure Active Directory > Identity Governance > Access Reviews.
  2. Click on ‘New Access Review’.
  3. Under ‘Users’, select ‘Guest users’, and under ‘Resources’, select ‘Microsoft 365 groups’, and then select the team of interest.
  4. Click ‘Start’ to initiate the review.

Auditing Access Reviews

The results of Azure AD Access Reviews can be audited for future reference or for compliance. You can export the results of a review at any time to a .csv file for comprehensive analysis.
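The following is an added example, not from the original page or from Microsoft, of the kind of analysis an exported results file supports: it flags guests whose access was left undecided, approvals that go against a Deny recommendation, and self-approvals. The column names and sample rows are constructed assumptions; match them to the header row of your own export.

```python
import csv
import io

# Constructed sample export. The column names are assumptions for this
# example; adjust them to the header row of the real .csv file.
SAMPLE_CSV = """UserPrincipalName,Recommendation,Decision,ReviewedBy
alice@contoso.example,Approve,Approve,owner@contoso.example
bob_fabrikam.example#EXT#@contoso.example,Deny,Approve,owner@contoso.example
carol_fabrikam.example#EXT#@contoso.example,Deny,Don't know,owner@contoso.example
dave_fabrikam.example#EXT#@contoso.example,Deny,Deny,owner@contoso.example
erin_fabrikam.example#EXT#@contoso.example,Approve,,
frank@contoso.example,Deny,Approve,frank@contoso.example
"""

def is_guest(upn):
    # Azure AD guest accounts carry the #EXT# marker in their UPN.
    return "#EXT#" in upn.upper()

def audit_review(csv_text):
    """Return (upn, finding) tuples, in file order, for rows worth a second look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        upn = row["UserPrincipalName"].strip()
        rec = row["Recommendation"].strip().lower()
        # Normalise a typographic apostrophe so "Don’t know" also matches.
        decision = row["Decision"].strip().lower().replace("\u2019", "'")
        reviewer = row["ReviewedBy"].strip().lower()
        if decision in ("", "don't know"):
            # Undecided rows are reported for guests only in this example.
            if is_guest(upn):
                findings.append((upn, "guest access left undecided"))
        elif decision == "approve":
            if rec == "deny":
                findings.append((upn, "approved against Deny recommendation"))
            if reviewer == upn.lower():
                findings.append((upn, "self-approved"))
    return findings

if __name__ == "__main__":
    for upn, finding in audit_review(SAMPLE_CSV):
        print(f"{upn}: {finding}")
```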

Overall, managing Azure AD access reviews is integral to administering Microsoft Teams. Understanding how to create, manage, and audit these reviews efficiently can significantly enhance your ability to manage Microsoft Teams, getting you one step closer to passing the MS-700 exam. Remember to cover this topic thoroughly in your study plan and put the theoretical knowledge into practice to fully grasp how it works.

Practice Test

True or False: Azure AD access reviews can be performed for both internal members and guest users.

  • True
  • False

Answer: True.

Explanation: Azure AD’s access review feature allows administrators to review the access rights of both members within their organization and guest users.

The Azure AD access review process can be automated.

  • True
  • False

Answer: True.

Explanation: Azure AD access reviews can be scheduled on a recurring basis to automate the review process and minimize the administrative effort.

What can Azure AD Access Reviews be used for?

  • A) Employees’ access to certain resources
  • B) Review of guest user access
  • C) Monitoring resource usage
  • D) Tracking employee time

Answer: A, B.

Explanation: Azure AD Access Reviews are primarily used to manage and review the access of both internal members and guest users to the organization’s resources.

True or False: You cannot set up Azure AD Access Reviews to recur every certain number of days, weeks, or months.

  • True
  • False

Answer: False.

Explanation: Azure AD Access Reviews can indeed be set up to automatically recur on a specified schedule.

Which of the below is not a decision that can be applied in Azure AD Access Review?

  • A) Approve
  • B) Deny
  • C) Don’t know
  • D) Skip

Answer: D) Skip

Explanation: In the Azure AD Access Review, there are three decisions that can be applied – Approve, Deny, or Don’t know.

Single select: Who can be assigned as reviewers in an Azure AD access review?

  • A) Administrators
  • B) Normal Users
  • C) External Users
  • D) All of the above

Answer: A) Administrators

Explanation: Only Administrators have the necessary permissions to perform an access review in Azure AD.

True or False: It is not possible to take action on Azure AD Access Review decisions using Power Automate.

  • True
  • False

Answer: False.

Explanation: Power Automate can indeed be used to take action on decisions from Azure AD Access Review by using the new Azure AD Access Review connector.

Single select: Azure AD access review allows you to…

  • A) Understand what guests can do in Teams
  • B) Understand who has access to Teams
  • C) Automate reviewing access to Teams
  • D) All of the above

Answer: D) All of the above

Explanation: Azure AD Access Reviews provides a comprehensive solution for understanding, managing, and automating access, which includes understanding actions of guests, reviewing who has access, and automating these reviews.

What happens after Azure AD access review is completed?

  • A) The members’ and guests’ access is automatically updated
  • B) A report is generated for review
  • C) Both A and B
  • D) Nothing happens

Answer: C) Both A and B

Explanation: After Azure AD access review, based on the decisions made, users’ access is updated automatically and a detailed report is also generated which can be reviewed by administrators.

True or False: Azure AD Access Reviews require Azure AD Premium P2 license.

  • True
  • False

Answer: True.

Explanation: To perform Azure AD Access Reviews, it’s necessary to have an Azure AD Premium P2 license as it’s a premium feature.

True or False: It’s necessary to manually update members and guests’ access after Azure AD Access Review.

  • True
  • False

Answer: False.

Explanation: Azure AD automates the process of updating the access of members and guests based on the decisions made during the Access Review.

True or False: Only an Azure AD admin can initiate an Access Review.

  • True
  • False

Answer: True.

Explanation: Only an Azure AD admin has the necessary permissions to start an Access Review in the Azure AD environment.

True or False: Azure AD Access Reviews are limited to Microsoft Teams access only.

  • True
  • False

Answer: False.

Explanation: Azure AD Access Reviews can be performed for all applications and resources that make use of Azure AD for authentication, not just Microsoft Teams.

True or False: Azure AD access reviews cannot take into account conditional access policies.

  • True
  • False

Answer: False.

Explanation: Azure AD Access Reviews can review a user’s access based on conditional access policies active during the period of the Access Review.

True or False: You can create an Azure AD access review for all users or a specific group of users.

  • True
  • False

Answer: True.

Explanation: With Azure AD Access Reviews, you have the flexibility to either review the access rights of all users or just a specific subset or group of users.

Interview Questions

What is Azure AD Access Review?

Azure AD Access Review is a feature that allows administrators to govern user access to Azure AD resources. It enables regular review of user roles and access permissions to ensure necessary access.

How can you initiate an Azure AD Access Review?

An Azure AD Access Review can be initiated by going to the Azure portal. Under the Identity Governance section, you select Access reviews, and then + New to begin an access review.

How does Azure AD Access Review support guest user access review in Microsoft Teams?

Azure AD Access Review allows administrators to review and manage guest user access in Microsoft Teams. Administrators can set up policies to review guest user roles and access permissions and take necessary actions based on the review.

What are the options available for defining the reviewers in Azure AD Access Review?

The available options are: Self – where the users review their own access; Selected users – where specific users are selected to review access; and Group owners or Connected organization’s reviewers – where the owners of the group or connected organizations are assigned to review access.

Is it possible to automate the Azure AD Access review process?

Yes, automated periodic Access Reviews can be set up through the Azure AD Access Review feature. This ensures users’ access rights within Teams are frequently assessed and acted upon if discrepancies are found.

How can you set up access reviews for all guests in Teams and other Microsoft 365 groups in Azure AD?

The access review can be set up by going to the Access review option in the Azure portal. You need to define the scope as ‘Guest users in all Microsoft Teams and Microsoft 365 groups’, and then go ahead with the setup for frequency and duration.

What actions can you take based on the access review results in Azure AD?

After an access review, you can choose to approve, deny, or take no action on a user’s access. You can also remove a user’s access or suggest that they be removed as a result of the review.

Can non-administrators perform Azure AD access reviews?

Yes, non-administrators like team owners, resource owners, and business decision-makers can participate in Azure AD Access reviews if they are assigned as reviewers.

What are the prerequisites for conducting an Azure AD access review?

To conduct an Azure AD Access Review, you need an Azure AD Premium P2 license. In addition, you need appropriate permissions such as User Access Administrator or Global Administrator to start a review.

What will happen after the Azure AD Access review cycle ends?

After the access review ends, recommendations are made for each user based on their activity. The decision can be applied to remove or maintain the user’s access to a particular resource.

Which types of groups are supported by Azure AD Access Review?

Azure AD Access Review supports security groups, Microsoft 365 groups, and Teams.

Can we review the access of internal users with Azure AD Access review?

Yes, apart from guest or external users, Azure AD Access Review can also be used to manage and review the access rights of internal users in the organization.

Can Azure AD Access Reviews be deleted?

Yes, Access Reviews that are no longer needed can be deleted. However, the review history will be retained for regulatory and audit purposes.

How are recommendations generated in Azure AD Access Reviews?

Recommendations in Azure AD Access Reviews are generated based on user activity and sign-in frequency. If a user hasn’t accessed a resource during the review period, a recommendation would be to remove the user’s access.

What is the role of Azure AD Access Review in maintaining compliance?

Azure AD Access Review helps in maintaining compliance by ensuring only necessary users have access to the specific resources. It provides administrators with the tool to routinely review, monitor, and manage user access, thus avoiding any unnecessary exposure or risk.
