Hope you are all doing well!
In our last article we discussed how to configure Privileged Identity Management (PIM). In this article we will discuss Azure AD Access Reviews in PIM.
If you have missed our previous articles on Azure Identity and Access Management (IAM), please check them at the following links.
Azure Active Directory Access Review:
Organizations have to assign roles to different users for different purposes, and over time those assignments increase the risk to data security: people change jobs, projects end, and privileged roles quietly outlive the need that justified them. To reduce the risk associated with important role assignments, organizations should configure Access Reviews and review access regularly.
Benefits of Azure AD Access Reviews :
Access Reviews in Azure AD have the following benefits. They help:
To verify that new employees have sufficient access to be productive.
To ensure that access is removed when an employee or guest user leaves the company.
To avoid granting excessive access rights and to streamline existing access rights.
To let resource owners regularly review who has access to their resources.
Use Of Access Reviews In Azure AD :
Configuring Access Reviews gives organizations outstanding benefits in the following scenarios:
Too many users in privileged roles
When automation is infeasible
When a group is used for a new purpose
Business critical data access
To maintain a policy's exception list
Asking group owners to confirm that they still need guests in their groups
Having reviews recur periodically
Required License :
- Enterprise Mobility + Security (EMS) E5
- Azure AD Premium P2
- Free trial
Access Reviews for different purposes :
Depending on what we want to review, we can create our access review in one of the following places.
- Azure AD access reviews
- Azure AD enterprise apps (in preview)
- Azure AD PIM
Create Access Reviews In Azure AD PIM :
In this article we will create an access review in Azure AD PIM. Access reviews created in Azure AD PIM review privileged roles (Azure AD roles and Azure resource roles). Let's go through the following steps to create and configure an Access Review and review the Contributor role assignment that we created in our last article, Privileged Identity Management (PIM).
Step 1 – Sign in to the Azure portal with a user that is a member of the Privileged Role Administrator role > open Azure AD Privileged Identity Management > select Azure resources, as today we will create the access review for an Azure resource role. The procedure is the same for creating an access review for an Azure AD role.
Step 2 – Select the required resource (here it is my subscription) from the list of resources.
As shown in the following figure, we can see the role activation activity for the last 7 days.
Step 3 – Under Manage, select Access reviews. As shown in the following figure, no access review has been configured yet.
Step 4 – Click New to create a new access review. Provide a Name and Description for the access review. The name and description are shown to the reviewers.
Step 5 – Set the Start date. By default, an access review occurs once, starts at the time it is created, and ends in one month. We can change the start and end dates to have an access review start in the future and last however many days we want.
Step 6 – To make the access review recurring, change the Frequency setting from One time to Weekly, Monthly, Quarterly, Annually, or Semi-annually. Use the Duration slider or text box to define how many days each review in the recurring series stays open for input from reviewers. In our case, I have configured Weekly with a Duration of 3 days.
Step 7 – Use the End setting to specify how to end the recurring access review series. There are 3 options for this field, as shown in the following figure: Never, End by and Occurrences. If we set Occurrences, we need to provide the number of times the review runs. If we set End by, we need to specify the end date. Here I have configured an end date. Then set the users Scope.
Step 8 – As shown in the above figure, one more important field is the selection of the Role for which we are creating this access review. Here I have selected the Contributor role, because in our last practical we assigned a user to the Contributor role.
Step 9 – We need to configure the Reviewers field. In our case I have selected a user who can review the access. There is also an option to Assign self as reviewer. For a privileged role, the reviewer should ideally be someone other than the people holding the assignment, so that nobody simply approves their own access.
Step 10 – In the Upon completion settings, we need to configure the following two settings.
- Auto apply results to resource: If we want to apply the results manually when the review completes, set the switch to Disable; otherwise set it to Enable. Note that with Disable, a Deny decision does not remove the role assignment until an administrator applies the results, so the review by itself changes nothing.
- Should reviewer not respond: This provides a list of options specifying what happens to users who are not reviewed by the reviewer within the review period. The options are No change, Remove access, Approve access and Take recommendations. From a least-privilege standpoint, Remove access is the safest choice, because an assignment that nobody vouches for is removed rather than silently kept.
Step 11 – In Advanced settings we can configure the remaining options as per our requirements. All of our settings are shown in the following figure.
Step 12 – Now we can click the Start button to finish the configuration of our access review. As we can see under Review access in the Tasks section, our access review has been configured successfully.
Step 13 – Let's check the details of the review. As shown in the following figure, two users with this Contributor role assignment are included in the review. Since we configured the review to apply the results manually upon completion, let's Approve one user and Deny the other, as shown in the following figure, so that we can check the access review report.
Step 14 – Select Access reviews under the Manage section and click on the newly created access review to see the overview of the review report, as shown in the following figure.
Step 15 – Now we have a report which shows that one user has been approved and the other one has been denied, as per our decisions, as shown in the following figures.
Step 16 – The Settings section of the access review allows us to modify the configuration of the access review, as shown in the following figure.
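The same review can be created and read back without the portal. The following PowerShell is an added example for this article, not code from Microsoft or from the original post. It uses the Microsoft Graph PowerShell SDK and targets an Azure AD (directory) role, which the article notes follows the same procedure as an Azure resource role; Azure resource roles are reviewed through a different (ARM) API that is not shown here. The settings mirror Steps 5 to 10: weekly recurrence, 3-day duration, End by date, auto-apply enabled and Remove access (Deny) for unreviewed users. The reviewer object ID is a placeholder to replace, and the role ID used is the Global Administrator role template ID as an assumed target.

```powershell
# Added example: create a recurring PIM access review for a directory role via Microsoft Graph.
# Assumptions: the Microsoft.Graph module is installed and the signed-in account holds the
# Privileged Role Administrator role. $reviewerId is a placeholder object ID.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$reviewerId       = "00000000-0000-0000-0000-000000000000"   # placeholder: reviewer's user object ID
$roleDefinitionId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template ID (assumed target)
$start = (Get-Date).ToUniversalTime().ToString("yyyy-MM-dd")
$end   = (Get-Date).ToUniversalTime().AddMonths(3).ToString("yyyy-MM-dd")

$definition = @{
    displayName             = "Weekly review - privileged role assignments"
    descriptionForAdmins    = "Review who still needs this privileged role."
    descriptionForReviewers = "Approve only assignments that are still required."
    scope = @{
        "@odata.type"  = "#microsoft.graph.principalResourceMembershipsScope"
        principalScopes = @(
            @{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"; query = "/users";  queryType = "MicrosoftGraph" },
            @{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"; query = "/groups"; queryType = "MicrosoftGraph" }
        )
        resourceScopes = @(
            @{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
               query     = "/roleManagement/directory/roleDefinitions/$roleDefinitionId"
               queryType = "MicrosoftGraph" }
        )
    }
    reviewers = @( @{ query = "/users/$reviewerId"; queryType = "MicrosoftGraph" } )   # Step 9
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true
        instanceDurationInDays          = 3        # Step 6: each weekly instance stays open for 3 days
        autoApplyDecisionsEnabled       = $true    # Step 10: Auto apply results = Enable
        defaultDecisionEnabled          = $true    # Step 10: Should reviewer not respond ...
        defaultDecision                 = "Deny"   # ... = Remove access (fail closed)
        recurrence = @{
            pattern = @{ type = "weekly"; interval = 1 }                            # Step 6: Weekly
            range   = @{ type = "endDate"; startDate = $start; endDate = $end }   # Step 7: End by
        }
    }
}

$uri = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"
$created = Invoke-MgGraphRequest -Method POST -Uri $uri `
    -Body ($definition | ConvertTo-Json -Depth 10) -ContentType "application/json"
"Created access review $($created.id) with status $($created.status)"

# Read the report back (Steps 13-15): each instance lists a decision per reviewed principal.
$instances = Invoke-MgGraphRequest -Method GET -Uri "$uri/$($created.id)/instances"
foreach ($inst in $instances.value) {
    $decisions = Invoke-MgGraphRequest -Method GET -Uri "$uri/$($created.id)/instances/$($inst.id)/decisions"
    foreach ($d in $decisions.value) {
        # decision is Approve, Deny, NotReviewed or DontKnow; applyResult shows whether it was enforced
        "{0,-12} {1,-14} {2}" -f $d.decision, $d.applyResult, $d.principal.displayName
    }
}
```

The decisions listing is the scripted equivalent of the report in Steps 14 and 15; watch the applyResult column, since a Deny that was never applied still leaves the assignment in place.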
Manage Access Reviews :
There are a number of options for managing a review. The following list shows the actions we can take on an access review.
I hope this article gives you an idea of how to configure an Access Review for a role in PIM. As I am still exploring Azure Identity and Access Management (IAM), please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading and share your thoughts and experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂 .