Tutorial / Cram Notes

Access reviews in Azure AD allow organizations to review group memberships, access to enterprise applications, and role assignments. Administrators can specify reviewers who are responsible for ensuring that users still require their assigned access. The primary benefits include improved security and compliance, as well as a reduction in the risk of data breaches due to outdated access privileges.

Planning Access Reviews

Before implementing access reviews, it is essential to devise a clear and structured plan. Here are the steps involved in the planning stage:

  1. Identify the Scope:

    • Determine which resources, groups, or applications require regular access reviews.
    • Identify sensitive or high-impact resources that may require more frequent reviews.
  2. Define the Frequency:

    Decide on how often the access reviews should occur (e.g., monthly, quarterly, annually).

  3. Assign Reviewers:

    Choose who will perform the reviews. This could be the resource owner, group owner, or a specific individual within the organization.

  4. Set Policies and Guidelines:

    Create clear guidelines for reviewers on how to evaluate access needs and what actions to take for approval or denial.

  5. Determine Outcomes:

    Define what should happen when access is approved, denied, or not reviewed (e.g., auto-approval, auto-denial, or escalation to an administrator).

Implementing Access Reviews

With a plan in hand, you can move on to the implementation phase in Azure AD:

  1. Navigate to Azure AD Identity Governance:

    – Log in to the Azure portal and go to the Identity Governance section.

  2. Create a New Access Review:

    – Click on ‘Access Reviews’ and then select ‘New access review’.

  3. Configure the Access Review Settings:

    – Name the access review and describe its purpose.

    – Choose the start date, frequency, and duration of the review cycle.

    – Configure who the review is for (specific group, application, or Azure AD role) and who will be conducting the review.

  4. Advanced Settings:

    – Use advanced settings to automate decisions if no response is received.

    – Set up notifications and reminders for the reviewers.

  5. Monitor and Report:

    – Once the access review is in progress, monitor its completion rate.

    – Generate reports at the end of reviews to audit and document the decisions.

  6. Remediation Actions:

    – Take the appropriate actions based on review outcomes, such as removing or maintaining access.

  7. Review and Adjust:

    – After each access review cycle, analyze the process for efficacy and make necessary adjustments.

Example Scenario

For example, consider a scenario where you have a Microsoft 365 group named “Project X” that contains both internal and external users. This group has access to a SharePoint site with sensitive project information. To ensure that only those who need access continue to have it, you schedule a quarterly access review. The group owner is assigned as the reviewer and receives a reminder one week before the review starts. If the owner doesn’t respond, access is maintained, but the owner is flagged for follow-up.

In another instance, you may have an Azure AD role such as “Global Administrator,” which carries significant privileges. A bi-annual review can be scheduled with the default decision set to revoke access if no response is provided, to maintain tight control over such critical roles.
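The two scenarios above, together with the create/configure/advanced-settings steps from the implementation section, expressed as Microsoft Graph PowerShell calls. This is an added example, not code from the original page: the group id, role definition id and reviewer id are placeholders, `New-ReviewSettings` is a helper written here rather than an SDK cmdlet, and "bi-annual" is taken to mean every six months.

```powershell
# Added example, not the page's own: the two scenario reviews as Microsoft Graph PowerShell calls.
# Values in angle brackets are placeholders for ids from your tenant.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"    # Microsoft.Graph modules required
$projectXGroupId = "<object-id-of-the-Project-X-group>"
$gaRoleDefId     = "<roleDefinition-id-of-Global-Administrator>"
# Helper defined here, not an SDK cmdlet. defaultDecision is applied to anyone the reviewer
# never decides on; autoApplyDecisionsEnabled lets Azure AD remove denied access itself.
function New-ReviewSettings([int]$EveryMonths, [string]$DefaultDecision) {
    @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true    # reminders to the reviewer
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true    # show Azure AD's recommendation
        instanceDurationInDays          = 14
        defaultDecisionEnabled          = ($DefaultDecision -ne "None")
        defaultDecision                 = $DefaultDecision   # None | Approve | Deny
        autoApplyDecisionsEnabled       = $true
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = $EveryMonths; dayOfMonth = 0 }
            range   = @{ type = "noEnd"; startDate = (Get-Date -Format "yyyy-MM-dd") }
        }
    }
}
# Scenario 1: quarterly, reviewed by the group owners; no response keeps access (None),
# so undecided members remain and are followed up manually with the owner.
$groupReview = @{
    displayName = "Project X - quarterly membership review"
    scope = @{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
               query = "/groups/$projectXGroupId/transitiveMembers"; queryType = "MicrosoftGraph" }
    reviewers = @(@{ query = "/groups/$projectXGroupId/owners"; queryType = "MicrosoftGraph" })
    settings  = New-ReviewSettings -EveryMonths 3 -DefaultDecision "None"
}
New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $groupReview
# Scenario 2: Global Administrator assignments every six months; no response means Deny.
$roleReview = @{
    displayName = "Global Administrator - semi-annual role review"
    scope = @{
        "@odata.type"   = "#microsoft.graph.principalResourceMembershipsScope"
        principalScopes = @(@{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
                               query = "/users"; queryType = "MicrosoftGraph" })
        resourceScopes  = @(@{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
                               query = "/roleManagement/directory/roleDefinitions/$gaRoleDefId"
                               queryType = "MicrosoftGraph" })
    }
    reviewers = @(@{ query = "/users/<object-id-of-the-reviewer>"; queryType = "MicrosoftGraph" })
    settings  = New-ReviewSettings -EveryMonths 6 -DefaultDecision "Deny"
}
New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $roleReview
```

Each call returns the created definition, whose `Id` is what the monitoring and reporting steps later query.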

By planning and executing access reviews carefully, organizations can greatly enhance their security posture and ensure compliance. This level of understanding and hands-on experience with Azure AD access reviews is beneficial for candidates preparing for the MS-100 Microsoft 365 Identity and Services exam as it demonstrates proficiency in identity governance within the broader Microsoft 365 ecosystem.

Practice Test with Explanation

True or False: You can only perform access reviews on groups that are security-enabled.

  • A) True
  • B) False

Answer: B) False

Explanation: Access reviews can be performed on all types of groups, including Office 365 groups, security groups, and even applications.

Which of the following can be reviewed with Azure AD Access Reviews?

  • A) User roles
  • B) Group memberships
  • C) Access to applications
  • D) All of the above

Answer: D) All of the above

Explanation: Access reviews can be used to review and manage user roles, group memberships, and access to applications.

True or False: Guest users cannot be reviewed through Azure AD Access Reviews.

  • A) True
  • B) False

Answer: B) False

Explanation: Guest users can be reviewed using Azure AD Access Reviews to ensure that external users have appropriate access.

True or False: After completing an access review, all recommended actions must be applied manually by an administrator.

  • A) True
  • B) False

Answer: B) False

Explanation: There is an option to automatically apply review decisions at the end of the review period or to enforce recommendations.

Who can initiate access reviews in Azure AD?

  • A) Global administrators
  • B) User administrators
  • C) Access package managers
  • D) All of the above

Answer: D) All of the above

Explanation: Global administrators, User administrators, and Access package managers can initiate access reviews in Azure AD.

True or False: An Access Review Policy is required before an access review can be created.

  • A) True
  • B) False

Answer: B) False

Explanation: An Access Review Policy is not a prerequisite for creating an access review but is used to define how reviews are conducted.

What automated decisions can be made following an access review?

  • A) Approve access
  • B) Deny access
  • C) Remove users
  • D) All of the above

Answer: D) All of the above

Explanation: Automated decisions after an access review can approve access, deny access, or remove users based on the configurations made.

Which of the following actions can be enforced by Azure AD entitlement management after an access review decision?

  • A) Revoking access
  • B) Granting additional permissions
  • C) Sending notifications to users
  • D) A and C

Answer: D) A and C

Explanation: Azure AD entitlement management can enforce revoking access to users and sending notifications after an access review decision. It doesn’t grant additional permissions automatically.

True or False: Access reviews are a feature only available to Azure AD Premium P2 customers.

  • A) True
  • B) False

Answer: A) True

Explanation: Access reviews are a feature included in Azure AD Premium P2, which is a premium license tier of Azure AD.

Which feature must be enabled to use the access reviews for guest users in Azure AD?

  • A) Azure AD Basic
  • B) Azure AD Privileged Identity Management
  • C) Azure AD B2B
  • D) Azure Multi-Factor Authentication

Answer: B) Azure AD Privileged Identity Management

Explanation: Access reviews, particularly for guest users, are a feature that requires Azure AD Privileged Identity Management, which is part of Azure AD Premium P

How often can access reviews be scheduled to recur?

  • A) Weekly
  • B) Monthly
  • C) Quarterly
  • D) All of the above

Answer: D) All of the above

Explanation: Access reviews can be scheduled to recur on a weekly, monthly, or quarterly basis as needed for governance.

True or False: Reviewers must have an Azure AD Premium license to participate in an access review.

  • A) True
  • B) False

Answer: B) False

Explanation: Reviewers do not need an Azure AD Premium license themselves to participate in an access review. Only the organization initiating the access review needs the appropriate licensing.

Interview Questions

What is Azure AD Identity Governance?

Azure AD Identity Governance is a suite of features within Azure Active Directory that helps organizations manage and protect their digital identities.

What is an access review in Azure AD?

Access review is a feature of Azure AD Identity Governance that enables you to review and manage access to resources in your organization.

What is a user access review?

A user access review is a type of access review in which an administrator can review and approve or revoke user access to specific resources.

What is a guest access review?

A guest access review is a type of access review that enables an organization to review and manage guest user access to resources.

What are the benefits of access reviews?

The benefits of access reviews include increased security, improved compliance, and reduced administrative overhead.

How can you create an access review in Azure AD?

You can create an access review in Azure AD using the Azure portal or Azure AD PowerShell.

What types of resources can you review with access reviews?

You can review access to various resources, such as Azure AD applications, Microsoft 365 groups, SharePoint sites, and OneDrive accounts.

How can you customize an access review?

You can customize an access review by setting the review frequency, scope, reviewers, and reminders.

How can you automate access reviews in Azure AD?

You can automate access reviews in Azure AD by using Microsoft Graph API, PowerShell, or Azure AD Connect.

What is the difference between a recurring and an on-demand access review?

A recurring access review is conducted on a regular schedule, while an on-demand access review is performed as needed.

How can you view the results of an access review?

You can view the results of an access review in the Azure portal or by using Microsoft Graph API.
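Reading the results through the Graph PowerShell SDK, as an added example that is not part of the original notes: it pulls the decisions of the latest instance of one review definition, gives the completion figures the "Monitor and Report" step asks for, and writes an audit record. The definition id is a placeholder.

```powershell
# Added example, not the page's own: decisions of the latest instance of one review definition.
Connect-MgGraph -Scopes "AccessReview.Read.All"
$definitionId = "<access-review-definition-id>"   # placeholder: the Id returned on creation

# Each run of a recurring review is an "instance"; take the most recent one.
$instance = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
    -AccessReviewScheduleDefinitionId $definitionId |
    Sort-Object StartDateTime -Descending | Select-Object -First 1

$decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
    -AccessReviewScheduleDefinitionId $definitionId -AccessReviewInstanceId $instance.Id -All

# Completion rate: NotReviewed items fall back to the definition's default decision
# (or keep their access when the default is None).
$decisions | Group-Object Decision | Select-Object Name, Count

# Audit record of who decided what and what Azure AD actually applied.
$decisions | Select-Object @{n = 'Principal'; e = { $_.Principal.DisplayName }},
    Decision, AppliedDecision, Justification,
    @{n = 'ReviewedBy'; e = { $_.ReviewedBy.DisplayName }}, ReviewedDateTime |
    Export-Csv -Path ".\review-$($instance.Id).csv" -NoTypeInformation

# Undecided principals, for follow-up with the group or resource owner.
($decisions | Where-Object Decision -eq 'NotReviewed').Principal.DisplayName
```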

What is the difference between a reviewer and an owner in an access review?

A reviewer is a person responsible for approving or revoking access, while an owner is a person responsible for managing the resource being reviewed.

What is a recommendation in an access review?

A recommendation is a suggestion made by Azure AD to help an administrator decide whether to approve or revoke a user’s access.

How can you use access reviews to manage compliance?

Access reviews can help you identify and manage users who have access to sensitive or regulated data, helping you meet compliance requirements.

What is the benefit of using access reviews for guest user access?

Access reviews can help organizations manage and monitor guest user access, reducing the risk of unauthorized access to sensitive data.

Elizabeth Holland
10 months ago

This article on implementing access reviews in Azure AD is really informative. Thanks for sharing!

Theo Denys
1 year ago

I’m having trouble configuring access reviews for my organization. Any tips?

Rocío Muñoz
1 year ago

Access reviews are a great feature for maintaining security. How often do you recommend running them?

Aize Guit
1 year ago

I’m a bit confused about how to set up recurring access reviews. Any advice?

هلیا رضایی
2 years ago

The step-by-step process described here is very helpful. Appreciate the effort!

Sofia Ramos
2 years ago

Do you need Azure AD Premium to use access reviews?

Margaux Hubert
2 years ago

Just followed the steps described and it worked perfectly. Thanks!

Enrique Fowler
1 year ago

This guide is good, but it lacks information on automated notifications. Can anyone help?
