Let us begin with the role Azure AD plays in building enterprise-grade services, where it is used, and the complexities that come with managing multiple workloads within Azure AD.
What is Azure Active Directory?
Azure AD is the identity and application management system within Azure that hosts a number of platforms, e.g. Office 365 (Exchange, SharePoint), Azure cloud services, Yammer, Skype / Teams, Power BI and many other custom-built enterprise apps. Azure AD provides modern authentication protocols for apps to work with it, such as SAML, OpenID and OAuth.
What complexities do large enterprises face with Azure AD, and how can Access Reviews help?
The basic requirement of every application is to use Azure AD users, who need access to the application, and Azure AD groups, so that assigning permissions is standardized. In fact, using Azure AD groups is the recommended way to assign permissions to applications and, more importantly, to Azure cloud services.
After years of Azure AD usage, a large enterprise can accumulate millions of groups, and it becomes difficult to know whether these groups are still used. More importantly, group membership goes unnoticed when employees switch roles: a user may be a member of multiple groups and therefore have access to more applications than expected.
Let us look at the example below –
Azure AD Group Best Practices
- Clear naming standard – Each group should follow a clear naming standard. For services like Exchange the group name needs to be user- or business-friendly, but for other groups, such as those for Azure cloud, create a naming standard for each service: groups for management groups, subscriptions and resource groups used by admins, security teams, ops teams, etc.
- One-to-one mapping – Each group must have a clear one-to-one mapping to the application or service where it is used. If the same set of users needs access to multiple services, create separate groups; you never know when you will need different user sets.
- Assign an AAD group owner – This is a prerequisite for Azure AD Access Reviews if you have a large number of groups and want to assign attestation / review responsibility to individual department owners.
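The three practices above can be checked before Access Reviews are rolled out. The script below is an added example, not code from the original post: it lists security groups whose name does not match a naming standard or that have no owner, which is exactly the prerequisite that owner-based reviews depend on. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups module) is installed and the signed-in account can read groups; the naming pattern is a hypothetical convention you would replace with your own.

```powershell
# Added example (not from the original post): audit Azure AD groups against the
# best practices above before enabling Access Reviews.
# Assumes the Microsoft Graph PowerShell SDK and an account with Group.Read.All.
Connect-MgGraph -Scopes "Group.Read.All"

# Hypothetical naming standard for Azure cloud groups: <Scope>-<Target>-<Role>,
# e.g. SUB-Prod-Contributor or RG-Payments-Reader. Adjust to your own convention.
$namingPattern = '^(MG|SUB|RG)-[A-Za-z0-9]+-(Owner|Contributor|Reader|SecOps)$'

# -All pages through every group; on a tenant with millions of groups narrow the
# filter (e.g. by display name prefix) rather than pulling everything at once.
$report = foreach ($group in Get-MgGroup -Filter "securityEnabled eq true" -All -Property Id,DisplayName) {
    $owners = @(Get-MgGroupOwner -GroupId $group.Id -All)
    [PSCustomObject]@{
        DisplayName   = $group.DisplayName
        Id            = $group.Id
        OwnerCount    = $owners.Count
        NameCompliant = ($group.DisplayName -match $namingPattern)
        # A group with no owner cannot be reviewed by "group owners"; assign one first.
        ReviewReady   = ($owners.Count -gt 0)
    }
}

# Show only the groups that need attention: missing owner or non-standard name.
$report |
    Where-Object { -not $_.ReviewReady -or -not $_.NameCompliant } |
    Sort-Object ReviewReady, NameCompliant, DisplayName |
    Format-Table DisplayName, OwnerCount, NameCompliant, ReviewReady -AutoSize
```

Groups reported with `ReviewReady = False` need an owner assigned before an owner-based Access Review will have anyone to send the attestation to; the naming check is only a hint that the group may predate the standard and deserves a closer look at whether it is still used.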
Azure AD Access Reviews
Now that we know the complexity of managing Azure AD, let us look at some facts about Access Reviews –
- Access Reviews are helpful when you need to ask group owners to validate whether the members of a group still need access.
- Access Reviews can be automated, with reminders sent before the attestation date; if no review is performed, a default action such as removing the members can be taken.
- Access Reviews can be done at the group, enterprise application and Azure AD Privileged Identity Management (PIM) level. This article series focuses on Azure AD groups.
- Access Reviews require P2 licenses assigned to the reviewers. If self-review is enabled (more in the demo explanation), each member of the group needs a P2 license. The user account or automation that sets the access review rules does not need a P2 license.
- Access Reviews can also be enabled for self-review, meaning users attest themselves whether they still need to be part of the Azure AD group. This is a useful setting, but it affects the number of P2 licenses needed, and self-review alone is not secure: there needs to be an assigned owner who is accountable for attesting the users.
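The settings listed above (owners as reviewers, reminders, a default decision and automatic removal, a recurring schedule) map directly onto a Microsoft Graph access review schedule definition. The following is an added example, not code from the original post or from Microsoft: it creates a quarterly review of one group's membership, reviewed by the group owners, with a fallback reviewer if the group has no owner. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance module) and an account permitted to create access reviews; the group id and fallback reviewer id are placeholders.

```powershell
# Added example (not from the original post): create a recurring Access Review for
# one Azure AD group, reviewed by the group's owners, with reminders, a default
# "Deny" decision and automatic removal of members whose access is not attested.
# Assumes the Microsoft Graph PowerShell SDK and an account with
# AccessReview.ReadWrite.All (e.g. a Global or Identity Governance administrator).
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId            = "00000000-0000-0000-0000-000000000000"   # placeholder: group to review
$fallbackReviewerId = "11111111-1111-1111-1111-111111111111"   # placeholder: used only if the group has no owner

$params = @{
    displayName             = "Quarterly membership review - SUB-Prod-Contributor"
    descriptionForAdmins    = "Quarterly attestation of group members by the group owners"
    descriptionForReviewers = "Confirm each member still needs this group; unreviewed members are removed"
    # What is reviewed: every (transitive) member of the group.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    # Who reviews: the group owners (they each need a P2 license).
    reviewers = @(
        @{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" }
    )
    # Safety net so an ownerless group still gets an accountable reviewer.
    fallbackReviewers = @(
        @{ query = "/users/$fallbackReviewerId"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true    # notify reviewers when each instance starts
        reminderNotificationsEnabled    = $true    # reminder before the attestation window closes
        justificationRequiredOnApproval = $true    # owners must state why access is kept
        recommendationsEnabled          = $true    # show sign-in based recommendations to reviewers
        instanceDurationInDays          = 14       # length of each review window
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"   # members nobody reviews are treated as denied
        autoApplyDecisionsEnabled       = $true    # denied members are removed from the group automatically
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }   # first day of every third month
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$definition = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
$definition | Select-Object Id, DisplayName, Status
```

Keeping `defaultDecision` at `Deny` together with `autoApplyDecisionsEnabled` is what turns an ignored review into a removal rather than silently leaving stale members in place; if you would rather have a human apply the results, set `autoApplyDecisionsEnabled` to `$false` and apply each instance manually once the owners have responded.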
Microsoft reference link – https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview