Access reviews for External Guest users

Access reviews let an external user or an internal user verify the access of a user. Access reviews honor the time frame you set, but the minimum interval at which the reviews will be run automatically is 1 day.

The other situation in which access reviews are run is when a user requests access to a service, for example elevation of rights with PIM or getting access with an Access package and Entitlement management.

External collaboration settings

When setting up collaboration settings for External users, you can manage them through the Azure AD portal.

From there you can allow guests to have limited access to directory objects.

Azure Active Directory (Azure AD) allows you to restrict what external guest users can see in your organization in Azure AD. Guest users are set to a limited permission level by default in Azure AD, while the default for member users is the full set of user permissions. There is a new guest user permission level in your Azure AD organization’s external collaboration settings for even more restricted access, so your guest access levels are:

| Permission level | Access level | Value |
| --- | --- | --- |
| Same as member users | Guests have the same access to Azure AD resources as member users | a0b1b346-4d3e-4e8b-98f8-753987be4970 |
| Limited access (default) | Guests can see membership of all non-hidden groups | 10dae51f-b6af-4016-8d66-8c2a99b929b3 |
| Restricted access (new) | Guests can’t see membership of any groups | 2af84b1e-32c8-42b7-82bc-daa82404023b |

When guest access is restricted, guests can view only their own user profile. Permission to view other users isn’t allowed even if the guest is searching by User Principal Name or objectId. Restricted access also restricts guest users from seeing the membership of groups they’re in.

Under “Email one-time passcode to guest” you can find choices shown below.

Azure AD means a user that has a tenant and a user account in that tenant. Microsoft account means that the email address the invite is sent to or created for has a Microsoft Account enabled. These accounts can be used for federated access to your tenant.

But when the account is neither of the above, you can use OTP to verify the users.

Below you see the access flow for external OTP-enabled users.

Email one-time passcode overview diagram
Starting October 2021, the email one-time passcode feature will be turned on for all existing tenants and enabled by default for new tenants. If you don’t want to allow this feature to turn on automatically, you can disable it. See Disable email one-time passcode below.

See below how it looks when it’s not enabled. Once you enable it, PowerShell is the only way to disable this feature. Not exactly sure why you would, but you can if needed.

Email one-time passcode toggle enabled

User experience after enabling OTP

The user will log in.

Receive an email.

And log in with the passcode.

Guest users and Access reviews

A valid Azure AD Premium P2, Enterprise Mobility + Security E5 paid, or trial license is required to use Azure AD access reviews.

You can find the external users that don’t have any group assignments or other resources with this script.
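The script referenced above is not reproduced on this page. As an added example, not the author’s script, the following lists guest users that have no group memberships or directory role assignments, which is the set you would normally scope a guest access review to. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph module) is installed; the output column names and CSV file name are my own choices.

```powershell
# Added example (not the script from the original post).
# Assumes the Microsoft.Graph PowerShell module is installed and that the
# signed-in account can consent to the directory read scopes below.
Connect-MgGraph -Scopes "User.Read.All", "GroupMember.Read.All", "Directory.Read.All"

# All guest (external) users in the tenant, with the properties we report on.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, UserPrincipalName, CreatedDateTime, ExternalUserState

$orphaned = foreach ($g in $guests) {
    # memberOf returns the groups and directory roles the guest is a member of.
    $memberships = Get-MgUserMemberOf -UserId $g.Id -All
    if (-not $memberships) {
        [pscustomobject]@{
            DisplayName       = $g.DisplayName
            Mail              = $g.Mail
            UserPrincipalName = $g.UserPrincipalName
            Created           = $g.CreatedDateTime
            InviteState       = $g.ExternalUserState   # PendingAcceptance or Accepted
        }
    }
}

# Oldest guests first: these are the most likely stale accounts to review.
$orphaned | Sort-Object Created | Format-Table -AutoSize
$orphaned | Export-Csv -Path .\guests-without-memberships.csv -NoTypeInformation
```

Guests whose invite state is still PendingAcceptance never signed in at all and are usually the first candidates for removal in a review.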

Then you can create an Access review scoped to all guest users or to a specific M365 Group.

You can get email notifications from the reviews.

And make a schedule for them; as said in the beginning, the minimum duration is 1 day.

Once 1 day has passed you will get an email notification listing the users that will be revoked if you do nothing.

And finally you will set what happens when the review process is done.

Action to apply on denied guest users.

The default option removes the denied user’s membership from the resource and is the behavior for non-guest users. The second option will block guest users that are denied access from signing in after the review ends. If the blocked guest users are not re-granted access within 30 days, they will be removed from the tenant.

Final words

Sending OTP passcodes to external users and reviewing and revoking their access are excellent additions to securing collaboration with Azure AD.

You should really enable both and put them to use. Access reviews require a certain licensing level, but I really think they will be more useful than expensive. And you can always give it a try with the trial version and see if it fits your organization’s needs or not.

But alas, until the next time!

Author: Harri Jaakkonen
