Tutorial / Cram Notes

An access review activity involves the re-evaluation of user access rights to ensure they are still necessary and appropriate. These reviews are typically scheduled to occur regularly and entail the following actions:

  • Reviewing: Assessing user access and determining whether it’s still needed.
  • Approving or Denying Access: Deciding whether a user should retain or lose access.
  • Applying Decisions: Implementing the access decision, which might include revoking access.

Automated Access Review Responses

Automated responses make the review process less labor-intensive. Azure AD supports setting up auto-review policies that can automatically approve or deny access based on predefined criteria. Here are two common automated response scenarios:

1. No Sign-In Activity: If a user hasn’t signed into an application within a specified time frame, the access can be automatically revoked.

Sign-In Period    User Access Status    Automated Action
--------------    ------------------    ----------------
Over 90 Days      Inactive              Revoke Access
30 – 89 Days      Warning               Review Needed
Under 30 Days     Active                Maintain Access

2. Expiration of Guest Access: Automatically reviewing guest users’ access after a certain period to determine if they still need access.

Access Period     Guest Status    Automated Action
-------------     ------------    ----------------
Over 180 Days     Expired         Revoke Access
Under 180 Days    Active          Maintain/Review Access

Manual Access Review Responses

In a manual process, access reviews are conducted by selected reviewers who make decisions on users’ access rights. This is useful for more sensitive or complex permissions that require human judgment.

Example Scenario: Manual Review for Project Teams

Team                  User      Last Activity    Access Status    Manual Action Required
----                  ----      -------------    -------------    ----------------------
Project Alpha Team    User A    10 Days Ago      Active           Re-affirm Access
Project Beta Team     User B    200 Days Ago     Inactive         Request Justification or Remove
Project Gamma Team    User C    Never            Never Active     Remove Access
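The two automated-response tables above and the manual-review scenario, coded as an added example (not code from the notes or from Microsoft). It maps a member's last sign-in date and a guest's access period to the status and action the tables list, handles the "never signed in" row, and runs the rules over a constructed sample; the day-90 and day-180 boundary handling is an assumption, since the tables leave those days unassigned.

```python
from datetime import date
from typing import Optional, Tuple

INACTIVE_DAYS = 90        # "Over 90 Days"  -> Inactive, Revoke Access
WARNING_DAYS = 30         # "30 - 89 Days"  -> Warning, Review Needed
GUEST_EXPIRY_DAYS = 180   # "Over 180 Days" -> Expired guest, Revoke Access


def _days_between(earlier_iso: str, today_iso: str) -> int:
    return (date.fromisoformat(today_iso) - date.fromisoformat(earlier_iso)).days


def member_decision(last_sign_in_iso: Optional[str], today_iso: str) -> Tuple[str, str]:
    """Map a member's last sign-in date to (status, automated action)."""
    if last_sign_in_iso is None:
        # The manual-review table treats a user who never signed in as "Never Active".
        return ("Never Active", "Remove Access")
    days = _days_between(last_sign_in_iso, today_iso)
    if days > INACTIVE_DAYS:
        return ("Inactive", "Revoke Access")
    if days >= WARNING_DAYS:
        # Assumption: the table leaves day 90 unassigned; treat it as Warning, not Revoke.
        return ("Warning", "Review Needed")
    return ("Active", "Maintain Access")


def guest_decision(access_granted_iso: str, today_iso: str) -> Tuple[str, str]:
    """Map how long a guest has held access to (status, automated action)."""
    days = _days_between(access_granted_iso, today_iso)
    if days > GUEST_EXPIRY_DAYS:   # assumption: day 180 itself stays Active
        return ("Expired", "Revoke Access")
    return ("Active", "Maintain/Review Access")


# Constructed sample modelled on the manual-review scenario table (dates are made up).
TODAY = "2024-06-01"
SAMPLE_MEMBERS = {
    "User A": "2024-05-22",   # 10 days before TODAY
    "User B": "2023-11-14",   # 200 days before TODAY
    "User C": None,           # never signed in
}


def review_sample() -> dict:
    """Run the automated rules over the sample; Warning rows still go to a human reviewer."""
    return {name: member_decision(last, TODAY) for name, last in SAMPLE_MEMBERS.items()}


if __name__ == "__main__":
    for name, (status, action) in review_sample().items():
        print(f"{name:8} {status:13} {action}")
```

Note that for User B the automated rule says "Revoke Access" while the manual table asks for a justification first; that difference is exactly why sensitive permissions are routed to a human reviewer.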

Combining Automated and Manual Responses

For optimal efficiency and security, organizations might use a combination of automated and manual responses, utilizing automated actions for general maintenance and manual review for exceptional or nuanced cases.

Practical Steps for Responding to Access Review Activities

  1. Define Parameters: Decide what triggers an access review: a schedule, an event, or a change in access.
  2. Set Up Review Frequency: Determine how often each resource should be reviewed (e.g., monthly, quarterly, yearly).
  3. Identify Reviewers: Assign appropriate reviewers for manual reviews based on their knowledge and authority.
  4. Implement Automated Reviews: Configure automated review policies for non-critical or routine checks to streamline the review process.
  5. Communicate with Users: Inform users about the review process and potential actions to mitigate frustration due to unexpected access changes.
  6. Review and Act: Conduct the reviews and take the necessary actions, whether that is to maintain, adjust, or revoke access.
  7. Monitor and Report: Regularly monitor access review outcomes and provide reports to stakeholders for transparency and compliance purposes.
  8. Refine the Process: Based on the outcomes and feedback, refine the review process for effectiveness and efficiency.

Conclusion

Access reviews are a fundamental part of identity and access management in Microsoft 365 and Azure AD. Responding to access review activities promptly, with a combination of both automated and manual responses, enables organizations to maintain a robust security posture. By following best practices and using the tools provided by Microsoft, Identity and Access Administrators can ensure that users have appropriate access to resources, complying with necessary regulations and policies.

Practice Test with Explanation

True or False: Access reviews can only be conducted manually in Azure AD.

  • A) True
  • B) False

Answer: B) False

Explanation: Access reviews in Azure AD can be conducted both manually and automatically. Administrators can set up recurring access reviews that automate the process based on a defined schedule.

True or False: An Azure AD access review can be configured to automatically apply review decisions upon completion.

  • A) True
  • B) False

Answer: A) True

Explanation: Azure AD access reviews can be set up to automatically apply review decisions, such as approving or revoking access, upon completion of the review.

Who can be assigned to perform access reviews in Azure AD?

  • A) Only Global Administrators
  • B) Only users within the same directory as the resource
  • C) Any user or group assigned as a reviewer, including guest users
  • D) Reviewers must be part of a compliance team in the organization

Answer: C) Any user or group assigned as a reviewer, including guest users

Explanation: Azure AD allows assigning any user or group, including guest users, as reviewers for an access review, provided they have been given permission to participate in the review process.

To create an access review for Azure AD roles, which feature should be used within Azure AD?

  • A) Azure AD Conditional Access
  • B) Azure AD Privileged Identity Management (PIM)
  • C) Azure AD B2C
  • D) Microsoft Intune

Answer: B) Azure AD Privileged Identity Management (PIM)

Explanation: Azure AD Privileged Identity Management (PIM) is used for managing, controlling, and monitoring access within Azure AD, Office 365, and other Microsoft services, including the creation of access reviews for Azure AD roles.

Multiple select: What can trigger automatic access review in Azure AD?

  • A) A user’s role change
  • B) A predefined schedule
  • C) A user joining a group
  • D) User’s employment status change in the HR system

Answer: A) A user’s role change, B) A predefined schedule

Explanation: Azure AD access reviews can be triggered automatically based on a predefined schedule or based on dynamic events such as a user’s role change.

True or False: All decisions in Azure AD access reviews must be applied manually.

  • A) True
  • B) False

Answer: B) False

Explanation: Azure AD access review decisions can either be applied manually or automatically, depending on how the access review is configured.

When should reviewers determine whether to approve or deny continued access as part of the access review process?

  • A) Before the start of the review period
  • B) During the review period
  • C) After the review period has ended
  • D) At any time, as long as it is done consistently

Answer: B) During the review period

Explanation: Reviewers are expected to assess and make their approval or revocation decisions during the review period set for the access review process.

True or False: Access reviews in Azure AD can only be scheduled annually.

  • A) True
  • B) False

Answer: B) False

Explanation: Azure AD access reviews can be scheduled to occur on different frequencies, such as monthly, quarterly, biannually, or annually, depending on the organization’s requirements.

What Azure AD feature can be used to gain insights and reporting on access review decisions?

  • A) Azure AD Audit Logs
  • B) Azure AD Sign-in Logs
  • C) Azure AD Identity Protection
  • D) Azure Monitor

Answer: A) Azure AD Audit Logs

Explanation: Azure AD Audit Logs provide reporting and insights into access review decisions, including who made each decision and when it was made.

Which policy should be in place to provide guidance on how to perform access reviews?

  • A) An incident response policy
  • B) A role-based access control (RBAC) policy
  • C) An Access Review Policy
  • D) A data governance policy

Answer: C) An Access Review Policy

Explanation: An Access Review Policy provides guidance to reviewers and administrators on how to conduct access reviews, including aspects like frequency, scope, and decision-making criteria.

True or False: Users can be automatically reminded to complete their access review tasks in Azure AD.

  • A) True
  • B) False

Answer: A) True

Explanation: Azure AD has a feature to automatically send reminders to users to complete their access review tasks before the end of the review period.

Is it possible to require a reviewer’s justification for their decision in an Azure AD access review?

  • A) Yes, and it can be enforced for all decisions
  • B) Yes, but only for approval decisions
  • C) No, justifications are optional for all decisions
  • D) No, justifications are not supported in access reviews

Answer: A) Yes, and it can be enforced for all decisions

Explanation: Azure AD access reviews can be configured to require reviewers to provide a justification for their decisions, which can be enforced for both approval and revocation decisions.

Interview Questions

What is the Access Reviews API?

The Access Reviews API is a feature of Azure Active Directory (Azure AD) that enables automated responses to access review activity.

How can you access the Access Reviews API?

The Access Reviews API can be accessed through the Microsoft Graph API.

What is a response action in Azure AD access reviews?

A response action is a pre-defined action that can be taken based on the results of an access review, such as removing access, modifying permissions, or revoking access.

How can response actions be automated in Azure AD access reviews?

Response actions can be automated by configuring access review settings, such as the access review type, frequency, and duration.

What are some benefits of automating access review responses in Azure AD?

Some benefits of automating access review responses include increased security, improved efficiency, and compliance with industry standards and regulations.

What is the AccessReviewsV2 root resource in Azure AD?

The AccessReviewsV2 root resource is the top-level resource for accessing access reviews in Azure AD.

How can you use the AccessReviewsV2 root resource to view access reviews in Azure AD?

You can use the AccessReviewsV2 root resource to view access reviews by making API requests using the Microsoft Graph API.
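As an added example (not code from the notes or from Microsoft), this Python builds the Microsoft Graph request body for a recurring group access review with the settings discussed above: reviewer reminders, a required justification, the monthly-to-annual frequencies, and auto-applied decisions with a default decision for users nobody reviews. The v1.0 endpoint paths and property names are assumed from the Graph accessReviewScheduleDefinition schema, and the group ID is a placeholder.

```python
import json
from datetime import date

# Assumption: Graph v1.0 access review definitions live under this path.
GRAPH_BASE = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"

# Review cadences named in the notes, as an absoluteMonthly recurrence interval.
FREQUENCY_MONTHS = {"monthly": 1, "quarterly": 3, "biannually": 6, "annually": 12}
DEFAULT_DECISIONS = ("Approve", "Deny", "Recommendation", "None")


def build_review_definition(display_name: str, group_id: str, frequency: str,
                            start_date_iso: str, duration_days: int = 7,
                            auto_apply: bool = True, default_decision: str = "Deny") -> dict:
    """Build the POST body for a scheduled review of a group's members, reviewed by
    the group owners, with reminders, required justification and optional auto-apply."""
    if frequency not in FREQUENCY_MONTHS:
        raise ValueError(f"unsupported frequency {frequency!r}; use {sorted(FREQUENCY_MONTHS)}")
    if default_decision not in DEFAULT_DECISIONS:
        raise ValueError(f"defaultDecision must be one of {DEFAULT_DECISIONS}")
    date.fromisoformat(start_date_iso)  # fail early on a malformed start date
    return {
        "displayName": display_name,
        "descriptionForReviewers": "Confirm each member still needs access to this group.",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [{"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,      # automatic reminders to reviewers
            "justificationRequiredOnApproval": True,   # reviewers must justify approvals
            "recommendationsEnabled": True,            # show a sign-in-activity recommendation
            "instanceDurationInDays": duration_days,
            "autoApplyDecisionsEnabled": auto_apply,   # apply results without admin action
            "defaultDecisionEnabled": auto_apply,      # what happens to unreviewed users
            "defaultDecision": default_decision,
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": FREQUENCY_MONTHS[frequency]},
                "range": {"type": "noEnd", "startDate": start_date_iso},
            },
        },
    }


def apply_decisions_url(definition_id: str, instance_id: str) -> str:
    """Endpoint to POST to when auto-apply is off and decisions are pushed manually."""
    return f"{GRAPH_BASE}/{definition_id}/instances/{instance_id}/applyDecisions"


if __name__ == "__main__":
    body = build_review_definition("Quarterly Project Alpha review", "PLACEHOLDER-GROUP-ID",
                                   "quarterly", "2024-01-01")
    print(json.dumps(body, indent=2))
```

The body is sent with POST to GRAPH_BASE using a token that holds AccessReview.ReadWrite.All; the audit log entries the practice test mentions are what you would check afterwards to confirm which decisions were applied.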

What are some examples of automated responses to access reviews in Azure AD?

Examples of automated responses to access reviews include removing access, modifying permissions, or revoking access.

How can you monitor the progress of automated access review responses in Azure AD?

Automated access review responses can be monitored by reviewing access review activity reports in Azure AD.

What are some best practices for automating access review responses in Azure AD?

Best practices for automating access review responses in Azure AD include setting up automated workflows, regularly reviewing access review activity reports, and adjusting responses as needed based on feedback from reviewers and changes to access management policies.

Rosario Torres
1 year ago

Can anyone explain the difference between automated and manual responses in access review activities?

Nora Moulin
1 year ago

What’s the best practice for balancing automated and manual responses in access reviews?

Elizabeth Hoffman
1 year ago

I appreciate this blog post!

آیناز قاسمی

Automated responses sound risky. What if it takes away important access due to a misconfiguration?

Wesley Nelson
1 year ago

As a security admin, I find automated responses very efficient in reducing the workload.

Anna Larsen
1 year ago

How can we ensure that automated responses do not override manual decisions?

Ditta Onstenk
1 year ago

Excellent post on SC-300 exam topics!

Jonathan Jørgensen
1 year ago

Is it possible to integrate automated responses with other security tools?
