Hope you are all doing well!
If you have missed our previous articles on Azure Identity and Access Management (IAM), please check them at the following links.
Next Article : Part 25 – Azure Active Directory – Identity Governance
Azure Active Directory Access Review :
Azure AD Access Reviews is the Azure AD feature with which enterprises manage access to groups and applications in Azure AD and other Microsoft Online Services. We covered the basics of Access Reviews in detail in our earlier article on Azure AD Access Reviews for Privileged Identity Management (PIM); that article contains the following details.
- Benefits of Access Reviews
- Use Of Access Reviews In Azure AD
- Required License
- Access Reviews for different purpose
- Create Access Reviews In Azure AD PIM
In this article we will create an access review for a group and then go through how a designated reviewer performs an access review for members of a group or for users with access to an application.
Create Access Reviews Of Groups And Applications :
In this article we create the access review from Azure AD Identity Governance rather than from Azure AD PIM. Access reviews created in Azure AD PIM cover privileged roles (Azure AD roles and Azure resource roles) and were covered in our last article, Privileged Identity Management (PIM). Let's go through the following steps to create and configure an access review for the members of our MSTech group.
Step 1 – Sign in to the Azure portal with the Global administrator or User administrator role, then go to Azure Active Directory > Identity Governance > Access Reviews. As the following figure shows, no access review is configured yet. Let's configure one for our MSTech group.
Step 2 – Click +New access review to create a new access review. Provide a Name and Description for the access review; both are shown to the reviewers.
Step 3 – Set the Start date. By default an access review occurs once, starts at the time it is created, and ends one month later. We can change this configuration as required.
Step 4 – To make the access review recurring, change the Frequency setting from One time to Weekly, Monthly, Quarterly, Semi-annually or Annually. Use the Duration slider or text box to define how many days each review in the recurring series stays open for input from reviewers. In our case I have configured Weekly with a Duration of 3 days.
Step 5 – Use the End setting to specify how the recurring access review series ends. There are three options, as shown in the following figure: Never, End by and Occurrences. With Occurrences we provide the number of times the review runs; with End by we specify an end date. Here I have configured an End date.
Step 6 – In the Users section, specify the Users to review covered by this access review. There are currently two options, as shown in the following figure: Members of a group and Assigned to an application. Here we chose Members of a group. To narrow it further, set Scope to either Guest users only or Everyone in the selected group. If we select Assigned to an application, we need to select the applications whose access we want to review.
Step 7 – In the Group section, select one or more groups whose members we want to review. Here we have configured MSTech as our group, as shown in the following figure.
Note : Selecting more than one group will create multiple access reviews. For example, selecting five groups will create five separate access reviews.
Step 8 – Configure the Reviewers field. In our case we set it to Selected users and chose Manas Moharana as the reviewer. The other option shown is Assign self as reviewer, where members review their own access.
Step 9 – In the Programs section, select the program we want to use. Each access review can be linked to a program; here we kept the Default Program.
Step 10 – In the Upon completion settings, configure the following two options.
- Auto apply results to resource : set to Enable to have the results (for example, removal of denied users from the group) applied automatically when the review completes, or to Disable if we want to apply the results manually afterwards.
- If reviewers don't respond : specifies what happens to users the reviewer has not reviewed by the end of the review period. The options are No change, Remove access, Approve access and Take recommendations. Note that No change and Approve access both leave unreviewed users with their access, so for a group that grants privilege, Remove access or Take recommendations is the safer choice.
Step 11 – Advanced settings can be configured as required. All of our settings are shown in the following figure.
Step 12 – Click Start to finish configuring the access review. Under Access Reviews we can now see that our MSTech Development access review has been created successfully.
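Steps 2 to 11 above can also be expressed as a single Microsoft Graph request. The following Python is an added example, not code from the original article or from Microsoft: it builds the accessReviewScheduleDefinition body for a recurring group-membership review with the same choices as the portal walkthrough (weekly frequency, 3-day duration, an end date, one selected reviewer, auto-apply, Remove access for non-responders) and rejects the combinations the portal would not accept. The group and reviewer object IDs are hypothetical placeholders, the property names are those of the Graph v1.0 accessReviews API as I know them, and the one-time frequency is left out. Nothing is sent; creating the review for real means POSTing the body to the definitions endpoint with a token that holds AccessReview.ReadWrite.All.

```python
"""Build the Microsoft Graph accessReviewScheduleDefinition that corresponds to the
portal settings of Steps 2 to 11 (recurring review of a group's members by one
selected reviewer). Object IDs are hypothetical. The body is built and checked
locally only; to create it for real, POST it to
https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
(assumed v1.0 schema) with an AccessReview.ReadWrite.All token."""
from datetime import date

# Portal "Frequency" choice -> Graph recurrencePattern (type, interval).
FREQUENCY = {
    "Weekly": ("weekly", 1),
    "Monthly": ("absoluteMonthly", 1),
    "Quarterly": ("absoluteMonthly", 3),
    "Semi-annually": ("absoluteMonthly", 6),
    "Annually": ("absoluteMonthly", 12),
}
# Longest review window that still fits inside one recurrence period (local sanity check).
MAX_DURATION = {"Weekly": 7, "Monthly": 28, "Quarterly": 90, "Semi-annually": 180, "Annually": 365}

# Portal "If reviewers don't respond" choice -> Graph defaultDecision value.
NO_RESPONSE = {
    "No change": "None",
    "Remove access": "Deny",
    "Approve access": "Approve",
    "Take recommendations": "Recommendation",
}


def build_group_review(name, description, group_id, reviewer_id, start,
                       frequency="Weekly", duration_days=3,
                       end_by=None, occurrences=None,
                       guests_only=False, auto_apply=True,
                       if_no_response="Remove access"):
    """Return the JSON-serialisable definition body for a group-membership review."""
    if frequency not in FREQUENCY:
        raise ValueError(f"unknown frequency {frequency!r}")
    if not 1 <= duration_days <= MAX_DURATION[frequency]:
        raise ValueError("duration must be at least 1 day and fit inside one recurrence period")
    if end_by is not None and occurrences is not None:
        raise ValueError("choose either an end date or a number of occurrences, not both")
    if end_by is not None and end_by <= start:
        raise ValueError("end date must be after the start date")
    if if_no_response not in NO_RESPONSE:
        raise ValueError(f"unknown no-response option {if_no_response!r}")

    pattern_type, interval = FREQUENCY[frequency]
    # Portal "End" setting: Never / End by / Occurrences -> Graph recurrenceRange.
    rng = {"startDate": start.isoformat()}
    if occurrences is not None:
        rng.update(type="numbered", numberOfOccurrences=occurrences)
    elif end_by is not None:
        rng.update(type="endDate", endDate=end_by.isoformat())
    else:
        rng["type"] = "noEnd"

    # Portal "Users to review: Members of a group" with Scope Everyone or Guest users only.
    query = f"/groups/{group_id}/transitiveMembers"
    if guests_only:
        query += "/microsoft.graph.user/?$filter=(userType eq 'Guest')"

    default_decision = NO_RESPONSE[if_no_response]
    return {
        "displayName": name,
        "descriptionForAdmins": description,
        "descriptionForReviewers": description,
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": query,
            "queryType": "MicrosoftGraph",
        },
        # Portal "Reviewers: Selected users".
        "reviewers": [{"query": f"/users/{reviewer_id}", "queryType": "MicrosoftGraph"}],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "recommendationsEnabled": True,
            "instanceDurationInDays": duration_days,
            "autoApplyDecisionsEnabled": auto_apply,
            # "No change" means no default decision is applied to unreviewed users.
            "defaultDecisionEnabled": default_decision != "None",
            "defaultDecision": default_decision,
            "recurrence": {
                "pattern": {"type": pattern_type, "interval": interval},
                "range": rng,
            },
        },
    }


if __name__ == "__main__":
    import json
    body = build_group_review(
        name="MSTech Development",
        description="Weekly review of MSTech group membership",
        group_id="00000000-0000-0000-0000-00000000aaaa",    # hypothetical group object ID
        reviewer_id="00000000-0000-0000-0000-00000000bbbb", # hypothetical reviewer object ID
        start=date(2020, 1, 6), duration_days=3, end_by=date(2020, 6, 30),
        auto_apply=True, if_no_response="Remove access",
    )
    print(json.dumps(body, indent=2))
```

Running the file prints the request body. Because defaultDecisionEnabled is derived from the no-response choice, picking No change yields defaultDecision None with the flag off, which is exactly the configuration that leaves unreviewed users untouched.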
Step 13 – Let's open the newly created access review (MSTech Development). The overview page shows that 5 users of the MSTech group are waiting for review, as shown in the following figure.
Step 14 – Selecting Results under the Manage section shows the same: all 5 users of the MSTech group are awaiting review, as shown in the following figure.
Step 15 – As we have configured one reviewer for the access of the MSTech group, that reviewer should receive an email notification for the review. Let's check the reviewer's mailbox. As the following figure shows, reviewer Manas Ranjan Moharana received an email with a Start review button. Let's click Start review to open the access review. If the reviewer has not received the email, the pending access reviews can also be found directly in the My Access portal. Here we will go with the email.
Once the access review page opens in the My Access portal, we can see, as in the following figure, the names of the users whose access needs to be reviewed. The following actions are available to the reviewer:
- Approve
- Deny
- Don't know
- Accept recommendation
Step 16 – Let's try each of the available actions on different users. In the following figure the reviewer is denying access for user 'Ram Babu'.
Step 17 – Having denied access in the step above, the reviewer is now approving access for user 'Rasmi Moharana', as shown in the following figure.
Step 18 – Here the reviewer is not sure whether to approve or deny the access, so the reviewer selects Don't know for the user before submitting. Note that Don't know leaves the user's access in place and only records the uncertainty in the audit log, so such users should be followed up after the review.
Step 19 – In the following figure the reviewer is accepting the recommendation for the user.
The reviewer has now completed the review and taken the necessary action wherever required. It's time to go back to the Azure portal to see the current results and overview of the access review.
Step 20 – Back in the Azure portal, open the MSTech Development access review's Overview page. In the following figure we can see the statistics for all 5 users after the reviewer's decisions.
Step 21 – Click the Results link under the Manage section. It shows the following details of each user's access review:
- Reviewed by
- Recommendation action
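To make the effect of Step 10's Upon completion settings concrete, here is an added Python example (not code from the original article or from Microsoft) that takes decision records shaped like the Results view above (decision, recommendation, reviewed by) and works out which users keep access under each of the four If reviewers don't respond options, with and without Auto apply. The five users and their decisions are constructed to mirror Steps 16 to 19 and the count of 5 in the overview. The decision values Approve, Deny, DontKnow and NotReviewed and the rule that Don't know keeps access follow Microsoft's documented behaviour; treating a missing recommendation under Take recommendations as access kept plus a follow-up flag is this example's own assumption.

```python
"""Resolve the final access outcome of each reviewed user from the reviewer's
decisions and the Upon completion settings (auto apply, default decision for
users nobody reviewed). Decision records are constructed for this example and
modelled on the fields of a Graph accessReviewInstanceDecisionItem."""
from collections import Counter

# Constructed sample: one decision item per MSTech member, invented to mirror the
# article's Steps 16 to 19 (deny, approve, don't know, accept recommendation) plus
# one member the reviewer never got to.
DECISIONS = [
    {"principal": "Ram Babu",       "decision": "Deny",        "recommendation": "Deny",            "reviewedBy": "Manas Ranjan Moharana"},
    {"principal": "Rasmi Moharana", "decision": "Approve",     "recommendation": "Approve",         "reviewedBy": "Manas Ranjan Moharana"},
    {"principal": "User Three",     "decision": "DontKnow",    "recommendation": "Deny",            "reviewedBy": "Manas Ranjan Moharana"},
    {"principal": "User Four",      "decision": "Deny",        "recommendation": "Deny",            "reviewedBy": "Manas Ranjan Moharana"},
    {"principal": "User Five",      "decision": "NotReviewed", "recommendation": "NoInfoAvailable", "reviewedBy": None},
]

NO_RESPONSE_OPTIONS = ("No change", "Remove access", "Approve access", "Take recommendations")

# Reasons under which a user keeps access without anybody having affirmed it.
SILENT_KEEP = {"dont_know", "no_default", "no_recommendation"}


def resolve(item, if_no_response):
    """Return (keep_access, reason) for one decision item under the given
    'If reviewers don't respond' setting."""
    decision = item["decision"]
    if decision == "Approve":
        return True, "approved"
    if decision == "Deny":
        return False, "denied"
    if decision == "DontKnow":
        # Don't know keeps the user's access; only the audit log records the uncertainty.
        return True, "dont_know"
    if decision != "NotReviewed":
        raise ValueError(f"unexpected decision {decision!r}")
    # Nobody reviewed this user, so the default decision from Step 10 applies.
    if if_no_response == "No change":
        return True, "no_default"
    if if_no_response == "Approve access":
        return True, "default_approve"
    if if_no_response == "Remove access":
        return False, "default_deny"
    if if_no_response == "Take recommendations":
        rec = item["recommendation"]
        if rec == "Deny":
            return False, "recommendation_deny"
        if rec == "Approve":
            return True, "recommendation_approve"
        # Assumption of this example: with no recommendation available, access is
        # left as is and the user is flagged for manual follow-up.
        return True, "no_recommendation"
    raise ValueError(f"unknown no-response option {if_no_response!r}")


def complete_review(items, if_no_response, auto_apply):
    """Apply the Upon completion settings to every item.

    Returns (outcomes, stats): outcomes maps principal -> {"keep", "reason",
    "pending_apply"}, where pending_apply is True for removals that wait for an
    administrator to click Apply because Auto apply results is disabled; stats
    counts the raw decisions the way the Overview page does."""
    if if_no_response not in NO_RESPONSE_OPTIONS:
        raise ValueError(f"unknown no-response option {if_no_response!r}")
    stats = Counter(item["decision"] for item in items)
    outcomes = {}
    for item in items:
        keep, reason = resolve(item, if_no_response)
        outcomes[item["principal"]] = {
            "keep": keep,
            "reason": reason,
            "pending_apply": (not keep) and not auto_apply,
        }
    return outcomes, stats


def needs_follow_up(outcomes):
    """Principals who retain access without a positive decision: the users a
    security team should chase after the review closes."""
    return sorted(p for p, o in outcomes.items()
                  if o["keep"] and o["reason"] in SILENT_KEEP)


if __name__ == "__main__":
    for option in NO_RESPONSE_OPTIONS:
        outcomes, stats = complete_review(DECISIONS, option, auto_apply=True)
        kept = [p for p, o in outcomes.items() if o["keep"]]
        print(f"{option:>20}: keep={kept}, follow up={needs_follow_up(outcomes)}")
    print("raw decision counts:", dict(stats))
```

The point the run makes is that only Remove access (or Take recommendations with a Deny recommendation) actually strips access from a user the reviewer never looked at; every other setting, and every Don't know answer, leaves access in place while the review still shows as completed.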
Audit Log Of Access Review :
To access the audit report, select Audit logs in the Current section of the Access Review page. It can take some time after we complete the review actions for the audit activity data to show up in the portal. The audit log has a default list view, as shown in the following figure, in which all our activities (Approve, Deny and so on) are recorded.
Stop Or Delete Access Review :
If we no longer require the access review and want to stop it before its scheduled end date, click the Stop button on the access review's Overview page. Once a review is stopped, reviewers can no longer give responses, and a stopped review can't be restarted. If we are not going to use the access review at all, we can delete it with the Delete button.
I hope this article gives you an idea of how to configure Azure AD Access Reviews for groups and applications. As I am still exploring Azure Identity and Access Management (IAM), please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading and share your thoughts and experiences. Feel free to contact us to discuss further.