How to configure Azure AD Access Reviews?

How to configure Azure AD Access Reviews?

In the Preview Article – we learned about Azure Active Directory, its purpose and complexities in managing large Azure AD. Learn the Best Practices of Azure AD Access Reviews by clicking here.

In the article, we will see use of Azure AD Access Reviews of Groups –

Scenario & Prerequisite

Users – 3 Azure AD Cloud users (2 have signed in, 1 account has never signed in)

Group – 1 AAD Group which is being used by Azure cloud services and group has 1 owner.

Also ensure that you have Azure AD P2 licenses activated on your Azure AD Tenant

Let us now configure Azure AD Access Reviews. In the Azure Active Directory, go to Identity Governance and within this frame select Access Reviews

Now there are few important fields that you need to make decision on –

  1. Start Date and Frequency – Select if you need Access Reviews to be one time activity or you want to run at a frequency such as – Weekly, Monthly, Quarterly, Semi-Annually or Annually
  2. Scope – Select if you need to review all members or only guest users. Useful feature
  3. Group – Select AAD Group. Please note Access Reviews is not global config but each AAD Group gets its config of Access Reviews
  4. Reviewers – This is key from licensing perspective. Select if you need AAD Group owner, Members (self-review) or set of fixed users to review. I have selected Group owner as reviewer in this demo
  5. If reviewers don’t respond – You could take action like Remove access from Group, No action or Take recommendation, Take recommendation here is from Azure AD that based on login pattern recommends to retain or remove user.

Once Access Review starts, each AAD Group owner (in my case) or review gets email to perform the access reviews. You would notice that Azure provides recommendations based on Logon and not based on if actual resource that Group is assigned had any access from the user.

About The Author

Related posts

Leave a Reply

Your email address will not be published. Required fields are marked *