Section 2 – Secure access by using Azure AD – Configure access reviews

This is the end of Section 2, and it finishes with Access Reviews.

What are Access Reviews?

Access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. Users' access can be reviewed on a regular basis to make sure that only the right people have continued access.

Benefits?

  • As new employees join, how do you ensure they have the access they need to be productive?
  • As people move teams or leave the company, how do you make sure that their old access is removed?
  • Excessive access rights can lead to compromises.
  • Excessive access rights may also lead to audit findings, as they indicate a lack of control over access.
  • You have to proactively engage with resource owners to ensure they regularly review who has access to their resources.

Prerequisites

Using this feature requires an Azure AD Premium P2 license.

To create access reviews for Azure resources, you must be assigned to the Owner or the User Access Administrator role for the Azure resources. To create access reviews for Azure AD roles, you must be assigned to the Global Administrator or the Privileged Role Administrator role.

Access Reviews in PIM

PIM has an Access reviews menu; click it to create a new review.

Roles for PIM

Resources            Reviewers can be                  Review created in   Reviewer experience
Azure AD role        Specified reviewers, Self-review  Azure AD PIM        Azure portal
Azure resource role  Specified reviewers, Self-review  Azure AD PIM        Azure portal

Create an access review

You will see the following: when the review will start and when it will end, but also how many days inside that window each review will run, or the number of occurrences it has to have.

For the scope, service principals (SPNs) are a good addition but still in preview, so they won't be in the test.

Then you have to select the role this Access Review applies to.

You can also select the Assignment type; the options are All active and eligible assignments, Eligible assignments only, or Active assignments only.

Then you have to select the reviewers; these are the options.

Upon completion, you can auto-apply the results to resources or disable auto-apply. You also select what happens if the specified reviewers don't respond.

Advanced settings

In the advanced settings you can define the following.

Show recommendation: If enabled, the system recommends that reviewers deny users who have not signed in within 30 days. The recommendation accounts for both interactive and non-interactive sign-ins.

Require reason on approval: Requires the reviewer to supply a reason for approval.

Mail notifications: Azure AD sends emails to reviewers when an access review starts, and to the review owner when a review completes.

Reminders: Azure AD sends reminder emails for Access Reviews in progress to all reviewers at the midpoint of the review period.
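The portal steps above (start date, review duration and occurrences, the role, the reviewers, what happens on completion and when reviewers don't respond, and the four advanced settings) map to properties on a Microsoft Graph accessReviewScheduleDefinition. The function below, an added example that is not part of the original post, builds that request body for an Azure AD role review and checks that the settings are consistent. The role definition id, reviewer ids and start date are constructed placeholders, and the principalResourceMembershipsScope query paths are assumed from the Graph documentation rather than taken from this post.

```python
import json

# Graph endpoint the body is meant for (POST, with an app or delegated token).
GRAPH_URL = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"


def build_role_review(role_definition_id, reviewer_ids, start_date, duration_days,
                      occurrences, no_response_decision="Deny", interval_months=3):
    """Return the JSON body for a recurring access review of one Azure AD role."""
    # A review instance must finish before the next occurrence starts;
    # 28 days per month is a conservative bound on the recurrence gap.
    if duration_days > interval_months * 28:
        raise ValueError("review duration exceeds the recurrence interval")
    # Default decision applied when reviewers don't respond (portal: "If reviewers don't respond").
    if no_response_decision not in ("Approve", "Deny", "Recommendation"):
        raise ValueError("unsupported default decision")
    return {
        "displayName": "Quarterly review of privileged role assignments",
        "descriptionForAdmins": "PIM role access review (example)",
        "scope": {  # assumption: documented scope shape for directory-role reviews
            "@odata.type": "#microsoft.graph.principalResourceMembershipsScope",
            "principalScopes": [{"@odata.type": "#microsoft.graph.accessReviewQueryScope",
                                 "query": "/users", "queryType": "MicrosoftGraph"}],
            "resourceScopes": [{"@odata.type": "#microsoft.graph.accessReviewQueryScope",
                                "query": f"/roleManagement/directory/roleDefinitions/{role_definition_id}",
                                "queryType": "MicrosoftGraph"}],
        },
        # Portal step "select the reviewers": specific users by object id.
        "reviewers": [{"query": f"/users/{uid}", "queryType": "MicrosoftGraph"} for uid in reviewer_ids],
        "settings": {
            "mailNotificationsEnabled": True,          # Mail notifications
            "reminderNotificationsEnabled": True,      # Reminders at the midpoint
            "justificationRequiredOnApproval": True,   # Require reason on approval
            "recommendationsEnabled": True,            # Show recommendation
            "recommendationLookBackDuration": "P30D",  # 30-day sign-in window
            "autoApplyDecisionsEnabled": True,         # Upon completion: auto-apply results
            "defaultDecisionEnabled": True,
            "defaultDecision": no_response_decision,
            "instanceDurationInDays": duration_days,   # days each review runs
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": interval_months, "dayOfMonth": 0},
                "range": {"type": "numbered", "startDate": start_date, "numberOfOccurrences": occurrences},
            },
        },
    }


if __name__ == "__main__":
    # Placeholder ids; replace with the role definition and reviewer object ids from your tenant.
    body = build_role_review("<role-definition-id>", ["<reviewer-object-id>"], "2021-06-01", 14, 4)
    print(json.dumps(body, indent=2))
```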

Running Access review

Once created, you will see it initializing.

And soon it becomes Active.

When you open the review, you will see statistics for it. In my example I have 2 users in the Application Developer role that have to be reviewed.

Results page

When you open Results you will see the users and their Audit Details.

You can also add reviewers or remind them to review.

Reviewers experience

When you log in to PIM and click Review access, you will see Azure AD roles and resources, and the review that was assigned to you.

There you can Deny without a reason, but you have to enter a reason before you can Allow access.

Once the user is approved, you will see the reason in the audit logs.

And the deny shows up as well for the other user.

And in the summary you can see the Deny and Approve decisions.

That was Access reviews for PIM roles. If you want to read more on Access reviews from the Azure B2B angle, here you go.

Things to remember

Using this feature requires an Azure AD Premium P2 license.

To create access reviews for Azure resources, you must be assigned to the Owner or the User Access Administrator role for the Azure resources. To create access reviews for Azure AD roles, you must be assigned to the Global Administrator or the Privileged Role Administrator role.

Link to main post.

Author: Harri Jaakkonen
