Access Review Program is a feature of Azure Active Directory (Azure AD) that grants admins the ability to monitor and manage users’ access to applications, groups, and roles. It allows organizations to verify and ensure that the right individuals have the appropriate access to resources. The key pillars of this feature include:
- Ensuring role appropriateness: Verifying that users still need the access they currently hold.
- Retaining only necessary access: Ensuring that only essential access is granted.
- Automating access review: Regularly reviewing group memberships and Azure AD role assignments.
2. Creating an Access Review
Creating an access review in Azure AD involves navigating to Azure Portal > Azure Active Directory > Identity Governance > Access Reviews > New Access Review. The key elements to fill out while creating an access review include:
- Name: A unique identifier for the access review.
- Start Date: The date when the review begins.
- Frequency: How often the review is performed.
- End Date: The date when the automatic recurring access review ends.
- Reviewers: People responsible for carrying out the access review.
3. Configuring an Access Review
After creating an access review, the next crucial step is to configure it. This involves specifying the settings that determine the scope and behavior of the review. The configuration includes:
- Scope: Define the users and resources covered by the access review. This can include all users or a specific group in Azure AD, or roles such as Global Admin or User Admin.
- Review Type: Either ‘Self’ or ‘Assigned’. In a ‘Self’ review, users review their own access; in an ‘Assigned’ review, a specific group of users or the users’ managers perform the review.
- Auto Apply Results: Determines how the system applies changes after the review. If enabled, the system automatically implements the recommendations once the review period is over.
Here’s how you can configure an access review via Azure portal:
1. Go to Azure Portal > Azure Active Directory > Identity Governance > Access Reviews
2. Select your access review > Settings
3. Define the scope, review type, and auto apply results settings
4. Click Save
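The same settings can be expressed as the request body Microsoft Graph expects when a review definition is created programmatically. This is an added example, not code from the page or from Microsoft: the group IDs are placeholders, the mapping of the page's frequencies onto Graph recurrence patterns is an assumption, and the body is only built and validated here, not sent.

```python
from datetime import date

# Page frequencies -> Graph recurrence pattern (type, interval); assumed mapping.
FREQUENCIES = {
    "weekly": ("weekly", 1), "monthly": ("absoluteMonthly", 1),
    "quarterly": ("absoluteMonthly", 3), "semi-annually": ("absoluteMonthly", 6),
    "annually": ("absoluteMonthly", 12),
}
# Fate of access that nobody reviewed before the instance ends.
DEFAULT_DECISIONS = ("None", "Approve", "Deny")


def build_definition(name, group_id, start, frequency, end=None,
                     reviewer_group_id=None, auto_apply=False,
                     default_decision="None", duration_days=14):
    """Return the body for POST /identityGovernance/accessReviews/definitions.
    reviewer_group_id=None gives a self review (members review their own
    access); a group ID assigns that group's owners. Dates are YYYY-MM-DD."""
    if frequency not in FREQUENCIES:
        raise ValueError(f"unsupported frequency: {frequency!r}")
    if default_decision not in DEFAULT_DECISIONS:
        raise ValueError(f"unsupported default decision: {default_decision!r}")
    start_date = date.fromisoformat(start)  # rejects malformed dates
    if end is not None and date.fromisoformat(end) <= start_date:
        raise ValueError("end date must be after the start date")
    pattern_type, interval = FREQUENCIES[frequency]
    reviewers = [] if reviewer_group_id is None else [
        {"query": f"/groups/{reviewer_group_id}/owners", "queryType": "MicrosoftGraph"}
    ]
    return {
        "displayName": name,
        "scope": {  # who is reviewed: transitive members of the target group
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": reviewers,
        "settings": {
            "justificationRequiredOnApproval": True,
            "recommendationsEnabled": True,
            "instanceDurationInDays": duration_days,
            "autoApplyDecisionsEnabled": auto_apply,  # apply results when done
            "defaultDecisionEnabled": default_decision != "None",
            "defaultDecision": default_decision,
            "recurrence": {
                "pattern": {"type": pattern_type, "interval": interval},
                "range": {"type": "noEnd" if end is None else "endDate",
                          "startDate": start, "endDate": end},
            },
        },
    }
```

Check the field names against the current Graph reference for accessReviewScheduleDefinition before sending the body with an authenticated client.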
4. Running, Tracking and Monitoring an Access Review
After configuring an access review, it’s important to monitor the review progress regularly to ensure its effectiveness. Azure AD provides a comprehensive tracking and monitoring interface. You can view the progress of ongoing reviews, act on recommendations, and check historical data of completed reviews.
Example:
1. Go to Azure Portal > Azure Active Directory > Identity Governance > Access Reviews
2. Select the review you wish to monitor
3. You’ll see the details of the review and can take actions such as applying the recommendations or stopping the review.
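Monitoring is easier to automate than to click through when there are many reviews. This added example (not code from the page or from Microsoft) summarizes the decision records of one review instance, using a constructed sample whose field names follow Graph's accessReviewInstanceDecisionItem, and flags what still needs an administrator's attention when auto-apply is off.

```python
from collections import Counter

# Constructed sample of decision records for one review instance (not real data).
SAMPLE_DECISIONS = [
    {"principal": {"displayName": "Alice"}, "decision": "Approve",
     "recommendation": "Approve", "reviewedBy": {"displayName": "Owner1"}},
    {"principal": {"displayName": "Bob"}, "decision": "Deny",
     "recommendation": "Deny", "reviewedBy": {"displayName": "Owner1"}},
    {"principal": {"displayName": "Carol"}, "decision": "Approve",
     "recommendation": "Deny", "reviewedBy": {"displayName": "Owner2"}},
    {"principal": {"displayName": "Dave"}, "decision": "NotReviewed",
     "recommendation": "Deny", "reviewedBy": None},
]


def summarize(decisions, auto_apply):
    """Return counts per decision, the principals needing manual follow-up,
    and approvals that went against the system recommendation (audit items)."""
    counts = Counter(d["decision"] for d in decisions)
    pending = []    # access an admin still has to act on
    overrides = []  # reviewer approved what the system recommended denying
    for d in decisions:
        who = d["principal"]["displayName"]
        if d["decision"] == "NotReviewed":
            pending.append(who)  # falls to the default decision, if one is set
        elif d["decision"] == "Deny" and not auto_apply:
            pending.append(who)  # denied, but nothing removes the access
        if d["decision"] == "Approve" and d["recommendation"] == "Deny":
            overrides.append((who, d["reviewedBy"]["displayName"]))
    return {"counts": dict(counts), "pending": pending, "overrides": overrides}
```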
Comparison of Manual and Automated Access Reviews
| Manual Access Review | Automated Access Review |
|---|---|
| Time-consuming and prone to errors | Fast and error-free |
| Requires significant human effort | Automated and saves time |
| Not efficient for large organizations | Ideal for large organizations with numerous access points |
| Difficult to maintain records | Easy to track and monitor reviews, stores historical data |
In conclusion, access reviews are an integral part of Microsoft Identity and Access Management. Properly created and configured, access reviews can help organizations ensure security compliance, mitigate risks, and maintain operational efficiency.
Practice Test
True or False: Creating access reviews in Azure AD primarily involves identifying users who have access to resources that they no longer need.
- True
Answer: True
Explanation: The main purpose of an access review is to identify users who have access to resources that they no longer need, and thus prevent the exploitation or misuse of privileges.
Which of the following can be reviewed using access review programs?
- a) Azure AD roles
- b) Azure AD group memberships
- c) Access to enterprise applications
- d) Access to network devices
Answer: a) Azure AD roles, b) Azure AD group memberships, c) Access to enterprise applications
Explanation: Access review can assess Azure AD roles, Azure AD group memberships, and access to enterprise applications. Network devices access is managed via different policies and tools.
In terms of Azure AD access reviews, “users” can be defined as which of the following?
- a) Internal users
- b) External users
- c) Both internal and external users
Answer: c) Both internal and external users
Explanation: In the context of Azure AD access reviews, the term ‘users’ can include members and guests, internal and external users.
True or False: It’s not possible to automate creating access reviews in Azure AD.
- False
Answer: False
Explanation: Azure AD offers the ability to automate access reviews on a recurring basis; you can define the frequency, scope, and reviewers.
When does Azure AD automatically apply the decision taken in an Access Review?
- a) Immediately
- b) During off-peak hours
- c) At the end of the review
Answer: c) At the end of the review
Explanation: Azure AD applies the access review decisions automatically at the end of the review period.
Who can be assigned as reviewers for access reviews?
- a) Selected individuals
- b) Group owners
- c) Self (review by the access holder)
- d) All of the above
Answer: d) All of the above
Explanation: Selected individuals, group owners, or even the user themselves (Self-review) can be assigned as reviewers for an access review.
Are access reviews available in all editions of Azure AD?
- a) Yes
- b) No
Answer: b) No
Explanation: Access reviews are a premium feature and are available only in the Azure AD Premium P2 edition.
True or False: Only one access review can be set up at a time per resource.
- False
Answer: False
Explanation: Multiple access reviews can be performed for the same resource at different times or by different reviewers.
Which of the following isn’t a possible decision in an access review?
- a) Approve
- b) Deny
- c) Not Reviewed
- d) Ignore
Answer: d) Ignore
Explanation: Decisions in an access review typically involve ‘Approve’, ‘Deny’ and ‘Not Reviewed’. ‘Ignore’ isn’t an acceptable decision.
What does setting a ‘Recommendation’ in an access review do?
- a) It automatically applies this decision to all users in the review
- b) It suggests this decision as a default to reviewers
- c) It forces reviewers to select this decision
Answer: b) It suggests this decision as a default to reviewers
Explanation: Setting a ‘Recommendation’ suggests the default decision (‘Approve’ or ‘Deny’) to the reviewer, but doesn’t force or automatically apply it.
True or False: Access reviews are a key component of Privileged Identity Management (PIM).
- True
Answer: True
Explanation: Access reviews are a key component of PIM which helps ensure that only the right people have access to your resources.
Interview Questions
What is access review in the context of Microsoft Identity and access management?
An Access Review is a feature that allows organizations to manage and control the access rights of their users. It enables administrators to periodically review and regulate who has access to a given resource, limiting excessive access rights and ensuring that only the appropriate users have access to resources.
How can you create an access review program in Microsoft Azure?
To create an access review, go to the Azure Active Directory portal, select “Identity Governance”, select “Access reviews”, and then “New”. From there, you’ll need to specify the name, description, start date, frequency, and scope of the review, among other options.
What is the role of an access review program?
An access review program allows organizations to effectively manage user access to various resources. It ensures that only necessary and appropriate access is maintained, reducing the risk of inappropriate access or potential breaches.
What are the different types of access reviews available in Microsoft Azure?
There are three types of access reviews in Microsoft Azure: User’s access, Guest user’s access, and Service principal’s access.
How often can you configure access reviews to occur?
You can configure access reviews to occur on a weekly, monthly, quarterly, semi-annual, or annual basis, depending on the organization’s requirements.
How do you assign a reviewer in an access review program?
While creating an access review program, you can assign the reviewer in the “Reviewers” section. You can assign the review to an individual, a group of individuals, or require the users’ managers to review their access.
What happens at the end of an access review?
At the end of an access review, depending on the settings chosen, the resource or access can be automatically revoked if not approved during the review, or the results can be compiled for manual processing by an administrator.
What are the possible decisions a reviewer can make in an access review?
A Reviewer can make one of three decisions: Approve, Deny, or Don’t know.
Where can you view the results of an access review?
Access review results can be found in the ‘Access reviews’ section of the Azure portal, under ‘Identity Governance’. A dashboard presents overview information, and specific reviews can be selected to see detailed results.
Can you schedule recurring access reviews in Azure Active Directory?
Yes, recurring access reviews can be scheduled in Azure Active Directory. You can determine the frequency of these reviews according to your organization’s needs.
What will happen if no one responds to an access review?
The effect of no response to an access review is determined by the settings chosen when creating the review. Access can either be automatically approved or removed, or the system can do nothing and wait for manual review.
Can access review decisions be audited?
Yes, all decisions made during the access review process are audited and administrators can generate detailed reports to review these decisions.
How can you stop an ongoing access review?
An ongoing access review can be stopped by going to Azure Active Directory, selecting ‘Access Reviews’, choosing the review you wish to stop, and then selecting ‘Stop review’.
Can you configure the access review process via Azure AD PowerShell or Microsoft Graph?
Yes, both Azure AD PowerShell and Microsoft Graph API support automation and configuration of the access review process.
Can Azure AD access reviews be done for application access?
Yes, Azure AD access reviews can be done for users who have access to applications, in addition to reviewing Azure AD role assignments, group memberships, and more.