Handle Guest Access with Azure AD – Access Review

Corona put many companies in a position where they had to enable work from home. As a result, the need for a platform to share information increased, and many companies used Microsoft Teams for this reason.

Microsoft makes it very easy for companies. All it takes is to create a tenant, book licenses, create identities, and Teams can be used.

Since Microsoft Teams makes it easy to collaborate with external identities, this feature is also very popular. However, unless you regulate it, every team owner can invite guests. For each guest, a guest identity is created in Azure AD. If it is not regulated who is allowed to create new teams, and therefore every team owner can invite guests, there is a high risk that a growing number of new guest identities will be created in your own tenant.

Many companies implemented a Teams lifecycle process quite early. That regulates who can create new teams and, perhaps, who can invite new guest identities.

However, what is often not considered: 

  • Who is responsible for the guest identities?
  • How do we ensure that a guest identity still needs access?
  • How can we automate the end of the lifecycle to keep the effort low?

And this is where Access Review comes into play.

Access Review is part of Azure Active Directory – Identity Governance.

The goal is to simplify identity lifecycle management by automating processes that check whether an identity needs further access or can be removed. The prerequisite to using Access Review is an Azure AD Premium P2 license. Additionally, a user with the Global Admin, User Admin, or Identity Governance Admin role is required to create and perform Access Reviews.

Here is the direct link to the Identity Governance Portal: https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/GettingStarted

Create new Access Review

A new Access Review series is created via the menu item New access review.

It is possible to perform the review based on Teams & Groups, or Applications. In this example, we select Groups.

Next, we can select the Review Scope: all M365 groups with guests, or specific groups.

At this point, we take a short break and think about the use cases.

Use Cases

When configuring the review scope, we need to ensure a few points.

As the name suggests, only identities with a group membership are evaluated.

Can we make sure that every guest identity has a group membership?

It may well be that an external person is invited as a guest to a team for the duration of a project. When the project is over, the team is closed. The guest identity remains, but it no longer has a group membership.

To secure this case, we need a group that contains all guest identities.

Azure AD Dynamic Group for Guest Identities

To create a new Azure AD dynamic group, we switch to Azure Active Directory -> Groups -> New Group (New Group – Microsoft Azure)

We create a new security group, assign a name and a description and select that we want to create a dynamic user group.

To ensure that only guest identities end up in this group, we configure the following membership rule: (user.userType -contains "Guest")

In this way, we ensure that no internal identities fall into this group, since they have the userType "Member".

After creating the group, it takes a while until the guests are part of this group.

Back to Access Review

After creating the dynamic security group, we can select it in the "New Access review" wizard. It is also possible to restrict the review to inactive identities only. In our case, we want to check all guest identities regularly.

Since we want to keep the effort for the IT department low, we choose that guest users review their own access. We give them seven days to respond and run the review every quarter.

The changes are made automatically by configuring “Auto apply the result to resource.” If the guest user does not respond, access is revoked. After revoking access, the user is blocked for 30 days and then deleted from the tenant.

To cover those blocked accounts, we could automate a further review that submits all blocked accounts for review every month.

In addition, we specify that justification is required, and the user is notified by email and receives reminders.

After we have made all the settings, we can name the policy. Then, by clicking Create, the policy will be saved and active immediately (if we have configured the start date to today). 
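The two portal procedures above (the dynamic guest group and the quarterly self-review) can also be scripted. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original post. It assumes an admin account with the Group.ReadWrite.All and AccessReview.ReadWrite.All permissions, and the group and review names are placeholders you can change.

```powershell
# Added example (not from the original post): Microsoft Graph PowerShell SDK
# equivalent of the portal steps. Requires the Microsoft.Graph modules.
Connect-MgGraph -Scopes "Group.ReadWrite.All","AccessReview.ReadWrite.All"

# 1. Dynamic security group holding every guest identity.
#    The post uses (user.userType -contains "Guest"); -eq "Guest" is the
#    exact-match form and yields the same members, as userType is Member or Guest.
$group = New-MgGroup -DisplayName "All-Guest-Identities" `
    -Description "Dynamic group: all guest identities for Access Review" `
    -MailEnabled:$false -MailNickname "AllGuestIdentities" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.userType -eq "Guest")' `
    -MembershipRuleProcessingState "On"

# 2. Quarterly self-review of that group: 7-day window, justification
#    required, auto-apply, and "Deny" when the guest does not respond.
$definition = @{
    displayName             = "Quarterly guest self-review"
    descriptionForAdmins    = "Guests confirm they still need access; no answer removes access"
    descriptionForReviewers = "Please confirm whether you still need access to this tenant"
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query     = "/groups/$($group.Id)/transitiveMembers/microsoft.graph.user/?`$filter=(userType eq 'Guest')"
        queryType = "MicrosoftGraph"
    }
    # Assumption: an empty reviewers collection selects self-review (each guest
    # reviews their own membership). Verify against the current Graph docs.
    reviewers = @()
    settings = @{
        mailNotificationsEnabled     = $true   # e-mail on review start
        reminderNotificationsEnabled = $true   # reminders during the 7 days
        justificationRequired        = $true
        defaultDecisionEnabled       = $true
        defaultDecision              = "Deny"  # no response = access revoked
        instanceDurationInDays       = 7
        autoApplyDecisionsEnabled    = $true   # "Auto apply the result to resource"
        recommendationsEnabled       = $true
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }   # every quarter
            range   = @{ type = "noEnd"; startDate = (Get-Date -Format "yyyy-MM-dd") }
        }
    }
}
New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
```

Dynamic membership is evaluated asynchronously, so the group may be empty for a while after creation; the review only needs it to be populated by the start date.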

Guest Users View

On the review day, the guest users will receive a message by email.

After logging in, the user is asked to select whether they still need access.

If the guest selects No, they will be blocked and removed from the tenant after the review has expired. The same happens if they do not respond to this message.
