Azure AD Access Reviews - enforce Principle of Least Privilege
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. Users' access can be reviewed on a regular basis to make sure only the right people have continued access.
Microsoft documentation: "What are Azure AD access reviews?"
Azure AD access reviews help automate and enforce the principle of least privilege in an organization. As employees move between departments, the privileges and group memberships they no longer need in their new positions must be removed, and without a regular review they tend to accumulate instead.
Scheduled, recurring Azure AD access reviews help achieve this.
Below is an example of how easy it is to set up and perform an access review for an Azure AD group.
We start with an Azure AD group that has two members, as shown below.
In Azure AD Groups, select the "Access Reviews" blade and click "New Access Review".
Provide the required settings, for example whether to review guest users only or all users.
Select the reviewers and set the review schedule.
Specify whether to auto-apply the review results and what to do if reviewers do not respond (the safe choice is to remove access). You can also provide additional content for the reviewers' email.
Name and create the access review.
Once the access review starts, reviewers receive an email reminder to perform the access review, like the one below.
Clicking the link in the email brings the reviewer to the access review page, with suggestions (when enabled during access review creation) to approve or deny each group membership. The reviewer can accept the recommendations or explicitly approve or deny each membership. In this example, approve one member.
And deny the other member of the group.
The access review status now shows that a decision has been made about 2 of 2 members.
Once the decisions are made, the reviewer can let the access review reach the end of the review period or explicitly stop the review.
We can see that the status of the stopped access review changed to "Complete".
Navigate to "Review History" under "Series" after the review duration ends or the review was stopped, and click on the instance of the review. Hit the "Apply" button to apply the results of the review.
The access review status changes to "Applying".
Once done, the status changes to "Results Applied".
Navigating to the group, we can see that only one of the two users (the one approved in the review) remains a group member. The denied user has been removed from the group.
If configured for the access review, the specified users will receive access review notification emails like the one below.
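The same lifecycle can be driven through the Microsoft Graph access reviews API instead of the portal. The script below is an added example, not code from the original post or from Microsoft: it builds a recurring review definition for a group's members with the settings used above (recommendations on, results auto-applied, non-responding reviewers treated as Deny), audits a definition for settings that would let stale access survive, and performs the Stop and Apply steps on a review instance. The group ID, reviewer IDs, definition ID, instance ID and bearer token are placeholders; the token needs the AccessReview.ReadWrite.All permission.

```python
"""Azure AD access review lifecycle via Microsoft Graph (added example).

Assumptions: the caller already holds a bearer token with
AccessReview.ReadWrite.All; all IDs passed in are placeholders.
"""
import json
import urllib.request
from datetime import date

GRAPH = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews"


def build_group_review(group_id, reviewer_ids, display_name,
                       guests_only=False, duration_days=7, start=None):
    """Return an accessReviewScheduleDefinition payload for a group review.

    Mirrors the portal choices in the post: reviewers get recommendations,
    results are applied automatically, and no response means Deny.
    Recurrence is quarterly (absoluteMonthly, interval 3) with no end date.
    """
    query = f"/groups/{group_id}/transitiveMembers"
    if guests_only:
        # Restrict the scope to guest accounts only (the "Guest users" option).
        query += "/microsoft.graph.user/?$filter=(userType eq 'Guest')"
    return {
        "displayName": display_name,
        "descriptionForReviewers": "Confirm each member still needs this group.",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": query,
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [
            {"query": f"/users/{uid}", "queryType": "MicrosoftGraph"}
            for uid in reviewer_ids
        ],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "recommendationsEnabled": True,
            "autoApplyDecisionsEnabled": True,
            "defaultDecisionEnabled": True,
            "defaultDecision": "Deny",
            "instanceDurationInDays": duration_days,
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": 3},
                "range": {"type": "noEnd",
                          "startDate": (start or date.today()).isoformat()},
            },
        },
    }


def audit_settings(definition):
    """Return a list of findings for settings that weaken least privilege."""
    s = definition.get("settings", {})
    findings = []
    if not s.get("autoApplyDecisionsEnabled"):
        findings.append("results not auto-applied: denied users keep access "
                        "until someone clicks Apply")
    if not s.get("defaultDecisionEnabled") or s.get("defaultDecision") != "Deny":
        findings.append("unanswered reviews do not remove access "
                        "(defaultDecision should be Deny)")
    if not s.get("recurrence", {}).get("pattern"):
        findings.append("one-time review only: least privilege needs a "
                        "recurring schedule")
    if not s.get("justificationRequiredOnApproval"):
        findings.append("approvals need no justification, so there is no "
                        "record of why access was kept")
    return findings


def graph(method, path, token, body=None):
    """Minimal Graph call returning the parsed JSON body (empty dict if none)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def create_review(token, definition):
    """POST the definition; raises on a weak configuration instead of creating it."""
    problems = audit_settings(definition)
    if problems:
        raise ValueError("; ".join(problems))
    return graph("POST", "/definitions", token, definition)


def stop_and_apply(token, definition_id, instance_id):
    """Equivalent of the post's Stop and then Apply buttons; returns the
    instance status, which should progress through Applying to Applied."""
    base = f"/definitions/{definition_id}/instances/{instance_id}"
    graph("POST", base + "/stop", token)
    graph("POST", base + "/applyDecisions", token)
    return graph("GET", base, token).get("status")


def summarize_decisions(decisions):
    """Count decisions from an instance's /decisions collection."""
    counts = {}
    for item in decisions:
        verdict = item.get("decision", "NotReviewed")
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

`create_review` deliberately refuses a definition whose settings would leave access in place when nobody answers; that is the failure mode a scheduled review is supposed to close, so it is cheaper to catch at creation time than after a quarter of silent non-responses.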