Azure Active Directory Access Reviews
Question: How do we monitor who has owner or admin rights to Teams, Channels, SharePoint Sites and Office 365 groups? How do we create auditing reports and show compliance when monitoring these resources?
Answer: Azure access reviews.
Why Are Azure Access Reviews Important?
Microsoft Azure Active Directory (AAD) provides the ability to collaborate internally within your organization and with users from other organizations. With the help of AAD access reviews, users can join groups, invite guests and connect to cloud apps all while working remotely from corporate issued or personal computers, benefiting from a natural email workflow. With help from a cloud managed service provider, your business can run more efficiently internally or from a remote location with Azure Active Directory.
When Can Azure Access Reviews Be Used?
Azure access reviews can be used for the following:
- Privileged role access
- New groups/new admins
- Business-critical data access
- Guest user access
- Maintain policy exception list
- Compliance (group owners confirm they still need guests in their groups and owners)
- Automated reviews that recur periodically (weekly, monthly, quarterly, yearly)
Where Can Azure Access Reviews Be Created?
Azure access reviews can be created under the “Identity Governance” page in the Azure portal.
(This does require an Azure AD Premium P2 license for the user creating the reviews.)
To create access reviews, complete the following steps:
- In the left menu, click “Access reviews”
- Click “New access review”
- Select which resource you would like to review
If you selected “Teams + Groups” in Step 1, you have two options to select from:
- All Microsoft 365 groups with guest users
Select this option if you would like to create recurring reviews on all your guest users across all your Microsoft Teams and Microsoft 365 groups in your organization. One thing to note is that dynamic groups and role-assignable groups are not included.
- Select groups to exclude
This option gives you the choice to exclude individual groups of users.
Selecting “Teams + Groups” allows you to specify a finite set of teams and/or groups to review. After selecting this option, you will see a list of groups to the right of your screen to pick from.
From here you are able to get more granular with user access and admin rights and also specify what happens once a review has been completed. The latter is very handy in the instance a user has not yet seen the review. Those reviews that go unseen have no impact on the status of reviews that have been seen by other individual users and can be marked accordingly:
- No change: Leave user’s access unchanged
- Remove access: Remove user’s access
- Approve access: Approve user’s access
- Take recommendations: Take the system’s recommendation on denying or approving the user’s continued access
NOTE: Selecting the option “Remove access” will remove a denied guest user’s access to the group or application being reviewed. The guest user will still be able to sign-in to the tenant and will not lose any other access.
What Can Be Created for Azure Access Reviews
- Access rights of users
- Security group members
- Office group members
- Group owners
- Teams
- Teams channels
- Guest access
- Self-review
- Azure AD groups
- Assigned to a connected app
- Azure AD role
- Azure resource role
No licenses are needed for users with “global administrator” or “user administrator” roles that set up access reviews, configure settings or apply the decisions from the reviews.Once reviews are set, the “reviewers” will receive emails based on the schedule for the review and that same information will be requested from the owner/admin of the group, site or team. It is recommended to advise the owners of this process using the below outlined example.
Sample Azure Access Review
Teams /Teams / SharePoint site/ O365 Group Owner Governance
You have been identified as an owner of a Teams / SharePoint site/ O365 Group. Over the next few days, you may receive emails that will require your attention and action. One email may be for Teams / SharePoint site/ O365 Group inactivity and the other will be to review the owners and members of the sites you are identified as being an owner.
What you need to know/do:
- As an owner of a Teams / SharePoint site/ O365 Group, you may receive an email stating that the site has gone “stale.” This means that no content or activity has been detected in the last six months. If you receive this email, you need to take action to keep the site active. If no action is taken, the site will be deleted after 90 days.
- If you receive the “stale site” email, click the button “Renew Group.” From the “Access Panel” you can see information about the group such as the description, when it was last renewed, when it will expire and the ability to renew the group. Click the “Renew Group” button to renew the group.
Sample
- As an owner of a Teams / SharePoint site/ O365 Group, you WILL receive quarterly emails to review site membership access. You will need to review your sites’ members and deny access as necessary.
- When you receive the quarterly access review email, please perform the following:
- Click on the “Start Review” link to start the access review process.
- In the “site review” site, select the users you want to remove and then press “Deny” to remove their membership and access to the site. Although there is a button for “Approval”, no action is required for approval.
Azure Access Reviews: Brief Overview
Azure Access Directory enables you to collaborate with users from inside your organization and with external users. This automated option allows for better access-management capabilities. Azure access reviews can be used for myriad reasons: when there are too many users in privileged roles, when a specific group needs to be utilized for a new purpose, to access business-critical data or when reviews need to be set up to recur periodically. License requirements may occur for certain tasks, at which point, an Azure AD Premium P2 license is necessary.
SkyTerra Can Help
A Microsoft Cloud Solution Provider (CSP) is far more than just a reseller of Microsoft Cloud products. A CSP needs to demonstrate technical expertise in Azure cloud solutions. When you purchase cloud services from a CSP, you are not just getting the product, but also the expertise and reliable support you will need to ensure that product is best serving your business.
Contact us today to learn more about what having Azure Active Directory can do to help you grow your business.