Recently I’ve been working on an Office 365 Group Governance workstream engagement, covering the following areas:
- Creation of O365 Groups
- Soft Delete and Restore
- Group Naming Policy
- Expiration Policy
- Guest Access
- Group Policy and Information Protection
- Upgrading any previous tools.
One part I was particularly impressed with, and wanted to quickly run through in today’s blog, is Access Reviews, which sit inside Azure AD.
When using access reviews you are able to:
- Easily manage guest user access and hand over admin options to Group Owners
- Increase visibility of access rights in your organization
- Recertify group memberships and application access
Licensing Requirements: Azure AD Premium P2 or Enterprise Mobility + Security E5.
Account Roles – Global Administrator or User Administrator
Enable Access Reviews
Firstly, you will need to enable access reviews. Navigate to the Access Reviews section in the Azure portal and select the Onboard option in the left-hand pane.
Creating an Access Review
I’m going to do a quick example of an access review in my test tenant. In the Access Reviews blade, on the Quick start tab, the option to create an access review is presented.
Populate the following fields:
- Review Name
- Start Date
- Frequency (How often these reviews are triggered)
- Duration in days (How many days each occurrence of the access review series will run)
- End Date (Number of occurrences can be selected)
- Users to review
- Groups (Select groups to review)
Below I’ve created a real-life scenario of reviewing the ICT, HR & Finance Office 365 groups on a monthly basis.
Under the additional settings, such as upon completion, you can enable the following:
- No change – Leave user’s access unchanged
- Remove access – Remove user’s access
- Approve access – Approve user’s access
- Take recommendations – Take the system’s recommendation on denying or approving the user’s continued access
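The same monthly ICT, HR & Finance review expressed as Microsoft Graph request bodies, as an added example that is not part of the original post. It assumes the Graph `identityGovernance/accessReviews/definitions` endpoint with group owners as reviewers; the function name, the placeholder group ids, the start date and the duration guard are constructed for illustration.

```python
import json
from datetime import date

# Portal "upon completion" option -> Graph defaultDecision value.
COMPLETION = {"No change": "None", "Remove access": "Deny",
              "Approve access": "Approve", "Take recommendations": "Recommendation"}
# Portal frequency -> (recurrence pattern type, interval, longest duration in days).
# The day limits are this example's own guard against overlapping occurrences.
FREQUENCY = {"Weekly": ("weekly", 1, 7), "Monthly": ("absoluteMonthly", 1, 28),
             "Quarterly": ("absoluteMonthly", 3, 89)}


def build_definitions(name, start, frequency, duration_days, occurrences,
                      groups, on_completion="No change", auto_apply=False):
    """Return one accessReviewScheduleDefinition request body per group.

    groups maps a label to the group's object id; owners of each group review it.
    """
    if frequency not in FREQUENCY or on_completion not in COMPLETION:
        raise ValueError("unknown frequency or completion option")
    pattern, interval, max_days = FREQUENCY[frequency]
    if not 1 <= duration_days <= max_days:
        raise ValueError(f"a {frequency.lower()} review must run 1-{max_days} days")
    decision = COMPLETION[on_completion]
    bodies = []
    for label, group_id in groups.items():
        bodies.append({
            "displayName": f"{name} - {label}",
            "scope": {"@odata.type": "#microsoft.graph.accessReviewQueryScope",
                      "query": f"/groups/{group_id}/transitiveMembers",
                      "queryType": "MicrosoftGraph"},
            "reviewers": [{"query": f"/groups/{group_id}/owners",
                           "queryType": "MicrosoftGraph"}],
            "settings": {
                "instanceDurationInDays": duration_days,
                "defaultDecisionEnabled": decision != "None",
                "defaultDecision": decision,
                "autoApplyDecisionsEnabled": auto_apply,
                "recurrence": {
                    "pattern": {"type": pattern, "interval": interval},
                    "range": {"type": "numbered", "startDate": start.isoformat(),
                              "numberOfOccurrences": occurrences}}}})
    return bodies


# Constructed sample: placeholder object ids, not real groups.
SAMPLE_GROUPS = {"ICT": "00000000-0000-0000-0000-000000000001",
                 "HR": "00000000-0000-0000-0000-000000000002",
                 "Finance": "00000000-0000-0000-0000-000000000003"}

if __name__ == "__main__":
    for body in build_definitions("Monthly group review", date(2024, 1, 1), "Monthly",
                                  14, 12, SAMPLE_GROUPS, "Take recommendations"):
        print(json.dumps(body, indent=2))
```

Each body would be sent as a separate POST to the definitions endpoint. Keeping `auto_apply` off means an administrator still has to apply the results after each occurrence ends.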
Manage Access Reviews
When I created the access review, I selected group owners as the reviewers. This means all owners of the selected groups will be emailed a link to manage the access review.
You can track the progress as the reviewers complete their reviews on the Overview page of the access review. No access rights are changed in the directory until the review is completed.
The updated Microsoft link can be found here – https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review