Optimize your Cloud Identity Governance with AAD Access Review

The coronavirus pandemic put many companies in a situation where they needed to enable working from home. As a result, the need for an information-sharing platform increased, and many companies turned to Microsoft Teams.

Microsoft makes it very easy for companies. All you have to do is create a tenant, purchase licenses, create identities, and you’re ready to use Teams.

Since Microsoft Teams facilitates collaboration with external identities, this feature is also in vogue. However, any team owner can invite guests unless you regulate it. A guest identity is created in Azure AD for each guest. If you do not restrict who is allowed to create new teams, and therefore any team owner can invite guests, there is a high risk that more and more new guest identities will be created in your tenant.

Many companies introduced a Teams lifecycle process quite early on. This governs who can create new teams and who may invite new guest identities.

However, what is often not considered: 

  • Who is responsible for the identities of the guests?
  • How do we ensure that a guest’s identity still needs access?
  • How can we automate the end-of-life cycle to keep the overhead low?

And that’s where Access Review comes in.

Access Review is part of Azure Active Directory Identity Governance.

The goal is to simplify identity lifecycle management by automating processes that check whether an identity still needs access or can be removed. The prerequisite for using Access Review is an Azure AD Premium P2 license. In addition, a user with the Global Admin, User Admin, or Identity Governance Admin role is required to create an Access Review.

Here is the direct link to the Identity Governance Portal: https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/GettingStarted

Create a new access review

A new access review series is created via the “New access review” menu item.

It is possible to run the check based on teams, groups, or applications. In this example, we choose groups.

Next, we select the scope of the review: either all Microsoft 365 groups with guest users, or specific groups.

At this point, we pause for a moment and think about the use cases.

Use cases

There are a few points to consider when configuring the scope of the review.

As the name suggests, only identities with a group membership are evaluated.

Can we ensure that the identity of each guest has a group membership?

It may well be that an external user is invited to a team as a guest for the duration of a project. When the project ends, the team is closed, but the guest identity remains behind and no longer has any group membership.

To cover this case, we need a group that contains all guest identities.

Azure AD Dynamic Group for Guest Identities

To create a new dynamic Azure AD group, we go to Azure Active Directory -> Groups -> New Group (New Group – Microsoft Azure).

We create a new security group, assign a name and description, and select that we want to create a dynamic user group.

To ensure that only guest identities get into this group, we configure the following membership rule: (user.userType -contains "Guest")

This way, we ensure that no internal identities fall into this group, because internal identities have the userType "Member".

After the group is created, it takes a while for the guests to become part of it.

Back to Access Review

After creating the dynamic security group, we can select it in the “New access review” wizard. It is also possible to restrict the review to inactive identities only. In our case, we want to check all guest identities regularly.

Since we want to keep the effort for the IT department low, we decide to have guest users review their own access (self-review). We give them seven days to respond and run the review quarterly.

The changes are applied automatically if you configure the “Automatically apply the result to resource” option. If a guest user does not respond, access is revoked. After access is revoked, the user is blocked for 30 days and then deleted from the tenant.

To complement this, we could automate a further query that lists all blocked accounts for review each month.
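As an added illustration (not part of the original post), the following Python script models the two points above: the dynamic all-guests group catching guests who have lost every group membership, and the monthly list of revoked accounts with the date on which the tenant will delete them. The user and decision records are constructed sample data, only loosely shaped after Microsoft Graph user and access review decision objects; field names are assumptions.

```python
"""Offline model of the guest lifecycle described in this post.
Assumption: the user and decision records below are constructed sample
data, loosely modelled on the Microsoft Graph user and
accessReviewInstanceDecisionItem shapes (field names may differ in a real export).
"""
from datetime import datetime, timedelta

# Constructed tenant snapshot: one member, one guest in a live team and one
# guest whose team was deleted, leaving no group membership behind.
USERS = [
    {"userPrincipalName": "alice@contoso.example", "userType": "Member", "groups": ["Project-X"]},
    {"userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example", "userType": "Guest", "groups": ["Project-X"]},
    {"userPrincipalName": "carol_partner.example#EXT#@contoso.example", "userType": "Guest", "groups": []},
]

def dynamic_rule_matches(user: dict) -> bool:
    """Mirror of the membership rule (user.userType -contains "Guest")."""
    return "Guest" in user.get("userType", "")

def guests_without_groups(users: list) -> list:
    """Guests a team- or group-scoped review would never see; the dynamic
    all-guests group is what brings them back into scope."""
    return [u["userPrincipalName"] for u in users if dynamic_rule_matches(u) and not u["groups"]]

# Constructed review outcomes after auto-apply. A guest who did not respond
# is recorded as NotReviewed and, per the review settings, loses access.
DECISIONS = [
    {"principal": {"userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example"},
     "decision": "Approve", "applyResult": "AppliedSuccessfully", "appliedDateTime": "2023-04-08T09:00:00Z"},
    {"principal": {"userPrincipalName": "carol_partner.example#EXT#@contoso.example"},
     "decision": "NotReviewed", "applyResult": "AppliedSuccessfully", "appliedDateTime": "2023-04-08T09:00:00Z"},
]
BLOCK_DAYS = 30  # blocked for 30 days after revocation, then deleted

def revoked_accounts(decisions: list) -> list:
    """(UPN, decision, scheduled deletion date) for every guest whose access
    was removed; this is the monthly list of blocked accounts to review."""
    out = []
    for d in decisions:
        if d["decision"] in ("Deny", "NotReviewed") and d["applyResult"] == "AppliedSuccessfully":
            applied = datetime.fromisoformat(d["appliedDateTime"].replace("Z", "+00:00"))
            deletion = (applied + timedelta(days=BLOCK_DAYS)).date().isoformat()
            out.append((d["principal"]["userPrincipalName"], d["decision"], deletion))
    return out

if __name__ == "__main__":
    print("guests outside every group:", guests_without_groups(USERS))
    for upn, decision, deletion in revoked_accounts(DECISIONS):
        print(f"{upn}: {decision}, deleted on {deletion} unless reinstated")
```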

In addition, we indicate that justification is required, and the user is notified by email and receives reminders.

After we have made all the settings, we can name the policy. Then, when you click “Create,” the policy is saved and becomes active immediately (if the start date is set to today).

View for guest users

On the day the review starts, guest users receive an email notification.

After logging in, the user is asked if he still needs access.

If the guest answers “No,” he is blocked and removed from the tenant after the review period expires. The same happens if he does not respond to the message at all.
