Introduction
Access reviews in Azure Active Directory (Azure AD) are an essential part of identity governance. To prevent unauthorized access to sensitive data, organizations conduct access reviews to ensure that users and groups have the appropriate level of access to resources. This article provides an overview of how Azure AD access reviews work, their role in identity governance, and the types available.
Aside from configuring access reviews, we will cover best practices for creating and managing access review campaigns, conducting access reviews, and using access review results to make informed decisions. With Azure AD access reviews, organizations can improve the way they manage identity governance and safeguard sensitive data.
Overview of Access Reviews in Azure AD
What are access reviews and their role in identity governance?
In identity governance, access reviews ensure that users and groups have appropriate access to resources. They allow administrators to identify and remove unnecessary or inappropriate permissions by reviewing access permissions on a regular basis. When managing access permissions for a large number of users and groups, access reviews are especially important.
Benefits of conducting access reviews
Organizations can reduce data breaches and maintain compliance by conducting access reviews. Regularly reviewing access permissions can prevent data leaks and insider threats by ensuring users and groups have appropriate access to resources. Regulatory requirements, such as GDPR and HIPAA, can also be met through access reviews.
Types of access reviews available in Azure AD
There are three types of access reviews provided by Azure AD: Azure AD roles, Azure resource roles, and Microsoft 365 app roles. Azure AD role access reviews let administrators review access to Azure AD roles, which provide access to administrative functions. Azure resource role access reviews cover roles that grant access to Azure resources, such as virtual machines and storage accounts. Microsoft 365 app role access reviews let administrators review access to Microsoft 365 apps, such as SharePoint and Teams.
Configuring Access Reviews in Azure AD
Steps to configure access reviews in Azure AD
To configure access reviews, follow these steps:
- Sign in to the Azure portal as a Global administrator.
- Navigate to Azure Active Directory > Identity Governance.
- Select Access reviews.
- Select + New review campaign.
- Choose the type of access review you want to perform (Azure AD role, Azure resource role, or Microsoft 365 app role).
- Configure the review settings, including the frequency of reviews, the scope of the review, and the reviewers who will perform the review.
- Save the review settings.
Configuring review settings (e.g., frequency, scope, reviewers)
It is important to consider the frequency of reviews, the scope of the reviews, and the reviewers who will perform the reviews when configuring Azure AD access reviews.
- Depending on the organization’s specific requirements and the resources being reviewed, the frequency of reviews will vary.
- Resources and users or groups included in the review will be determined by the scope.
- Additionally, the reviewers who will perform the review should be carefully selected so that they can make informed decisions about access permissions based on their expertise and knowledge.
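The three settings above (frequency, scope, reviewers) map onto one request body when a review is created through the Microsoft Graph access reviews API instead of the portal. The following is an added example, not part of the original article: it assumes a group membership review, placeholder object IDs, and two guard rules (explicit reviewers, review window no longer than the recurrence period) that are this example's own policy choices.

```python
import json

# Frequency name -> (Graph recurrence pattern type, interval, period in days).
FREQUENCIES = {
    "weekly": ("weekly", 1, 7),
    "monthly": ("absoluteMonthly", 1, 28),
    "quarterly": ("absoluteMonthly", 3, 90),
    "semiannual": ("absoluteMonthly", 6, 180),
    "annual": ("absoluteYearly", 1, 365),
}

def build_review_definition(name, group_id, reviewer_ids, frequency,
                            start_date, duration_days=14):
    """Body for POST /identityGovernance/accessReviews/definitions."""
    if frequency not in FREQUENCIES:
        raise ValueError(f"unsupported frequency: {frequency}")
    pattern_type, interval, period_days = FREQUENCIES[frequency]
    # Guards chosen for this example (assumptions, not service rules).
    if not reviewer_ids:
        raise ValueError("name at least one reviewer explicitly")
    if not 1 <= duration_days <= period_days:
        raise ValueError("review window must fit inside one recurrence period")
    return {
        "displayName": name,
        "scope": {  # who is reviewed: all members of one group
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [
            {"query": f"/users/{rid}", "queryType": "MicrosoftGraph"}
            for rid in reviewer_ids
        ],
        "settings": {
            "instanceDurationInDays": duration_days,
            "justificationRequiredOnApproval": True,
            "recommendationsEnabled": True,
            "defaultDecisionEnabled": False,  # no silent outcome if nobody responds
            "autoApplyDecisionsEnabled": False,  # apply results after verification
            "recurrence": {
                "pattern": {"type": pattern_type, "interval": interval},
                "range": {"type": "noEnd", "startDate": start_date},
            },
        },
    }

if __name__ == "__main__":
    print(json.dumps(build_review_definition("Finance group review",
          "<group-object-id>", ["<reviewer-object-id>"], "quarterly", "2024-01-01"), indent=2))
```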
Common conventions for configuring access reviews in Azure AD
When configuring access reviews in Azure AD, it is important to follow these common practices to ensure that the reviews are effective and efficient. Some best practices include:
- Start with a small scope and gradually expand it as needed.
- Use clear and concise review criteria to help reviewers make informed decisions.
- Regularly review and update review settings to ensure they remain relevant.
- Ensure that reviewers have the necessary expertise and knowledge to make informed decisions.
- Provide training and guidance to reviewers to help them understand the review process.
Creating and Managing Access Review Campaigns
Overview of access review campaigns
Access review campaigns are used to create and manage access reviews in Azure AD. A campaign consists of one or more access reviews that are conducted on a regular basis. Each access review within a campaign has its own review settings, such as the frequency of the review and the reviewers who will perform the review.
Steps to create an access review campaign in Azure AD
To create an access review campaign in Azure AD, follow these steps:
- Sign in to the Azure portal and select Access reviews from the Identity Governance menu.
- Click + New review campaign.
- Choose the type of access review you want to perform (Azure AD role, Azure resource role, or Microsoft 365 app role).
- Configure the review settings, including the frequency of reviews, the scope of the review, and the reviewers who will perform the review.
- Click Create to create the campaign.
Best practices for creating and managing access review campaigns
When creating and managing access review campaigns in Azure AD, it is important to follow best practices to ensure that the campaigns are effective and efficient. Some best practices include:
- Start with a small scope and gradually expand it as needed.
- Use clear and concise review criteria to help reviewers make informed decisions.
- Regularly review and update review settings to ensure they remain relevant and schedule them when reviewers are available and can complete the review in a timely manner.
- Use automation to simplify the review process and reduce manual effort.
Reviewing Access for Users and Groups
How to perform access reviews in Azure AD
To perform an access review in Azure AD, follow these steps:
- Sign in to the Azure portal as a reviewer.
- Navigate to Azure Active Directory > Identity Governance.
- Select Access reviews.
- Choose the review campaign you want to perform the review for.
- Review the access permissions for each user or group listed.
- Make a decision about each user or group’s access permissions.
- Submit the review.
Best practices for conducting access reviews
When conducting access reviews in Azure AD, it is important to follow best practices to ensure that the reviews are effective and efficient. Some best practices include:
- Review access permissions for each user or group individually to ensure that they have the appropriate level of access.
- Document the review process to ensure that it can be audited and reviewed in the future.
- Review and verify the results of the review to ensure that they are accurate and complete.
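One way to verify that review results are accurate and complete is to run the exported decisions through a few consistency checks before acting on them. The following is an added example, not part of the original article: the records are constructed samples shaped like Microsoft Graph `accessReviewInstanceDecisionItem` objects, and the specific checks go beyond what the text lists and are this example's own choices.

```python
from collections import Counter

# Constructed sample decisions (only the fields this audit reads).
SAMPLE_DECISIONS = [
    {"principal": {"id": "u1", "displayName": "Alice"}, "decision": "Approve",
     "justification": "Owns the finance reports", "recommendation": "Approve",
     "reviewedBy": {"id": "r1"}},
    {"principal": {"id": "u2", "displayName": "Bob"}, "decision": "Approve",
     "justification": "", "recommendation": "Deny", "reviewedBy": {"id": "r1"}},
    {"principal": {"id": "u3", "displayName": "Carol"}, "decision": "NotReviewed",
     "justification": "", "recommendation": "Deny", "reviewedBy": {"id": ""}},
    {"principal": {"id": "r1", "displayName": "Dan"}, "decision": "Approve",
     "justification": "Still needed", "recommendation": "NoInfoAvailable",
     "reviewedBy": {"id": "r1"}},
    {"principal": {"id": "u5", "displayName": "Eve"}, "decision": "Deny",
     "justification": "Left the project", "recommendation": "Deny",
     "reviewedBy": {"id": "r2"}},
]

def audit_decisions(items):
    """Return (decision counts, findings) for one completed review."""
    counts = Counter(item.get("decision", "NotReviewed") for item in items)
    findings = []
    for item in items:
        who = item["principal"]["displayName"]
        decision = item.get("decision", "NotReviewed")
        reviewer = (item.get("reviewedBy") or {}).get("id", "")
        # Completeness: every principal needs an explicit Approve or Deny.
        if decision in ("NotReviewed", "DontKnow", "NotNotified"):
            findings.append((who, "no effective decision recorded"))
            continue
        if decision == "Approve":
            # Accuracy: approvals should be explained and defensible.
            if not (item.get("justification") or "").strip():
                findings.append((who, "approved without justification"))
            if item.get("recommendation") == "Deny":
                findings.append((who, "approved against Deny recommendation"))
            if reviewer and reviewer == item["principal"]["id"]:
                findings.append((who, "reviewer approved own access"))
    return counts, findings

if __name__ == "__main__":
    counts, findings = audit_decisions(SAMPLE_DECISIONS)
    print(dict(counts))
    for who, issue in findings:
        print(f"{who}: {issue}")
```

Keeping the findings list alongside the exported decisions also gives the documented, auditable record of the review that the practices above call for.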
In summary
In Azure AD, access reviews are an important part of identity governance. By reviewing access permissions regularly, organizations ensure that users and groups have access to the appropriate resources. You can configure Azure AD to meet the specific needs of your organization by selecting from a variety of access review types and settings.
Access reviews should be configured and managed according to best practices, such as starting with a small scope and gradually expanding it as needed, using clear and concise review criteria, and regularly reviewing and updating review settings.
Conducting access reviews requires reviewing each user or group’s permissions individually and documenting the process. Once access permissions have been reviewed, informed decisions can be made about removing or adding privileges as needed, based on the results of the access review.
In Azure AD, organizations can improve their identity governance practices and better protect sensitive resources by following best practices for configuring, managing, and conducting access reviews.