WELCOME TO CLOUD MATTER

Search
  • Roman Guoussev-Donskoi

Azure AD Access Reviews - enforce Principle of Least Privilege

Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access.


Microsoft documentation What are Azure AD access reviews?


Azure AD access reviews help to automate and enforce principle of least privilege in organization. As employees move between departments their privileges and group memberships need to be removed when no longer required for their new positions.

Scheduled recurring (Azure AD) access reviews help achieve this.


Below is an example how easy it is to setup and perform access review for Azure AD group.


We start with with Azure AD group that has two members as below



In Azure AD Groups select "Access Reviews" blade and click "New Access Review"


Provide required settings for example review guest users or all users.


select reviewers and set the review schedule


Specify if auto-apply review results and what do do if reviewers do not respond. Can also provide additional content for reviewers email.

Name and create access review

Can see access review has been created


Once access review time comes reviewers will receive an email reminder to perform access review like below.




Click on link in the email brings reviewer to access review page with suggestions (when selected during access review creation) to approve/deny group membership. Reviewer can accept recommendations or explicitly approve/deny group membership. In this example approve one member.


And deny another member of the group

Can see access review status: decision has been made about 2 or 2 members

Once decision are made reviewer can let access review reach end of the review period or explicitly stop the review.


We can see that status of the stopped access review changed to "Complete"


Navigate to "Review History" under "Series" after the review duration ends or the review was stopped, and click on the instance of the review. Hit "Apply" button to apply results of the review.

Access review status changes to "Applying"

Once done - the status changes to "Results Applied"


Navigating to the group can see that the only one of two users (approved in the review) remains as group member. The denied user has been removed from the group.


If configured for access review specified users will receive access review notification emails like below



628 views0 comments

Recent Posts

See All

Databricks is an amazing platform for data engineering, data science and machine learning. One of the critical requirements of secure data processing is data audit - the ability to identity what data

SAS access to storage account is very convenient and easy and while Microsoft recommends that you use Azure AD credentials when possible as security best practice still SAS sometimes hard to avoid. Le

 

Subscribe

 

CONTACT

Your details were sent successfully!

Computers