Azure AD Access Review – Microsoft 365 Groups with Guest users
Key Features of Azure AD Identity Governance
- Access reviews allow organizations to regularly review and certify access to critical resources. Azure AD Identity Governance provides a simple and efficient way to conduct access reviews, enabling managers and stakeholders to quickly and easily review user access requests and revoke access to resources when necessary.
- Entitlement Management with Azure AD Identity Governance provides a centralized platform for managing access to applications and other resources. It allows organizations to define and enforce policies for granting and revoking access to resources based on user roles and entitlements.
- Privileged Identity Management: Privileged accounts are often the target of cyberattacks. Azure AD Identity Governance provides a comprehensive set of tools for managing privileged accounts, including just-in-time access, privileged access approvals, and session monitoring.
- Azure AD Identity Protection provides advanced threat detection and protection capabilities to help organizations identify and respond to potential threats in real-time. It continuously monitors user activity and behavior and can alert administrators to suspicious activity or potential security breaches.
- Audit and Reporting in Azure AD Identity Governance provide detailed auditing and reporting capabilities to help organizations track and monitor user access and activity. It provides a complete audit trail of all user activity, enabling organizations to identify and remediate security issues quickly and effectively.
Benefits of Azure AD Identity Governance
- Improved Security: Azure AD Identity Governance helps organizations improve their security posture by providing advanced threat detection and protection capabilities. It enables organizations to identify and respond to potential threats in real time, helping to prevent security breaches and data loss.
- Compliance: Azure AD Identity Governance helps organizations meet regulatory compliance requirements by providing a centralized platform for managing resource access and enforcing policies. It enables organizations to conduct access reviews and enforce policies to ensure compliance with industry standards and regulations.
- Simplified Management: Azure AD Identity Governance provides a centralized platform for managing access to resources, making it easier for administrators to manage user access and entitlements. It enables organizations to automate access reviews and approvals, reducing the administrative burden on IT teams.
- Cost Savings: Azure AD Identity Governance is a cloud-based solution that eliminates the need for on-premises infrastructure and reduces IT costs. It also enables organizations to improve their security posture and reduce the risk of costly security breaches and data loss.
Deploying Microsoft Azure AD Identity Governance access reviews helps organizations regularly review and certify access to critical resources, enforce policies, and meet regulatory compliance requirements. Here are the key steps to plan and deploy access reviews:
- Identify Key Resources: Identify the key resources requiring access reviews. These could include applications, data repositories, or other sensitive or confidential resources. It’s important to involve stakeholders from across the organization to ensure that all critical resources are identified.
- Define Reviewers: Next, identify the reviewers conducting access reviews. Reviewers could include managers, compliance officers, or other stakeholders who understand the resource being reviewed and the user’s role in the organization.
- Create Review Policies: Define the access review policies used to conduct the reviews. Policies should include the frequency of reviews, the scope of the review, and the criteria for approving or denying access to resources. These policies should align with regulatory requirements and organizational best practices.
- Configure Azure AD Identity Governance: Configure Azure AD Identity Governance to automate the access reviews once the policies are defined. This can be done by creating access review campaigns defining the resources, the reviewers, and the review criteria.
- Conduct Access Reviews: With Azure AD Identity Governance configured, conduct access reviews according to the defined policies. Reviewers will receive notifications to complete their reviews and can access the review interface through the Azure AD portal. Reviews should be conducted promptly to ensure access to critical resources is regularly reviewed and certified.
- Review Results: After completing access reviews, review the results to identify discrepancies or potential security issues. Take appropriate action to revoke access and address any issues identified during the review process.
- Monitor and Improve: Azure AD Identity Governance provides detailed auditing and reporting capabilities, enabling organizations to monitor access reviews and identify areas for improvement. Continuously review access review policies, refine them based on feedback and regulatory changes, and monitor access reviews to ensure ongoing compliance.
By following these steps, you can successfully plan and deploy Azure AD Identity Governance access reviews, enabling your organization to regularly review and certify access to critical resources, enforce policies, and meet regulatory compliance requirements.
What is a guest object?
Azure AD guest objects represent guest users in Azure AD. A guest user is not an employee or member of the organization but has been invited to access resources within the organization’s Azure AD tenant.
When a guest user is invited to access resources in Azure AD, an Azure AD guest object is created to represent the guest user. This object contains information such as the guest user’s email address, display name, and organization to which the guest user belongs. The Azure AD guest object also includes a unique identifier to manage the guest user’s access to resources.
Azure AD guest objects can be managed using the Microsoft Graph API. Organizations can use these APIs to programmatically create, read, update, and delete Azure AD guest objects as needed. Additionally, Azure AD provides several features for managing guest users, such as conditional access policies, identity protection, and multi-factor authentication.
When a Team owner adds a guest user, an Azure AD B2B (Guest) account is created. This Azure AD guest account manages access permissions for the external guest to the Team and group resources.
However, when a Team owner removes a guest from their Team, the guest’s Azure AD B2B account remains because the guest may still be a member of other Teams. Therefore, over time you will end up with many redundant Azure AD B2B Guest accounts in your tenant.
Overall, Azure AD guest objects play a role in enabling organizations to collaborate with external users while maintaining control over access to resources.
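As an added example (not code from the original article), the following Python script uses the Microsoft Graph endpoints the article refers to in order to find the redundant B2B guest accounts described above: guest objects that are no longer a member of any group. `fetch_guests_and_memberships` calls `GET /users` (filtered to guests) and `GET /users/{id}/memberOf` with a bearer token you supply; obtaining that token (for example with MSAL) is assumed and not shown. `find_orphaned_guests` is pure logic over the returned records and is demonstrated on constructed sample data so it runs offline.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def graph_get(url, token):
    """GET a Graph URL with a bearer token and return the decoded JSON body.
    ConsistencyLevel: eventual is sent so that $count/$filter on userType work."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "ConsistencyLevel": "eventual",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def graph_get_all(url, token):
    """Collect every item across all pages of a Graph collection by following @odata.nextLink."""
    items = []
    while url:
        page = graph_get(url, token)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def fetch_guests_and_memberships(token):
    """Return (guests, memberships): the tenant's guest users and, per guest id,
    the ids of the groups they belong to. Assumes the token carries User.Read.All
    and GroupMember.Read.All (or Directory.Read.All)."""
    q = urllib.parse.urlencode({
        "$filter": "userType eq 'Guest'",
        "$select": "id,displayName,mail,createdDateTime",
        "$count": "true",
    })
    guests = graph_get_all(f"{GRAPH}/users?{q}", token)
    memberships = {}
    for g in guests:
        objects = graph_get_all(f"{GRAPH}/users/{g['id']}/memberOf", token)
        # memberOf also returns directory roles; keep only groups.
        memberships[g["id"]] = [
            o["id"] for o in objects if o.get("@odata.type") == "#microsoft.graph.group"
        ]
    return guests, memberships


def find_orphaned_guests(guests, memberships):
    """Guests with no group membership at all: the B2B object that lingers after a
    Team owner removes the guest from their last Team. Sorted by display name so
    the report is stable. A guest missing from `memberships` counts as orphaned."""
    orphaned = [g for g in guests if not memberships.get(g["id"])]
    return sorted(orphaned, key=lambda g: g.get("displayName", ""))


# Constructed sample data standing in for Graph responses (not real tenant data).
SAMPLE_GUESTS = [
    {"id": "g1", "displayName": "Alice Contractor", "mail": "alice@partner.example"},
    {"id": "g2", "displayName": "Bob Vendor", "mail": "bob@vendor.example"},
    {"id": "g3", "displayName": "Carol Auditor", "mail": "carol@audit.example"},
]
SAMPLE_MEMBERSHIPS = {
    "g1": ["team-finance"],  # still in one Team-backed Microsoft 365 group
    "g2": [],                # removed from every Team; the B2B object remains
    # g3 has no entry at all, which is treated the same as an empty list
}

if __name__ == "__main__":
    for g in find_orphaned_guests(SAMPLE_GUESTS, SAMPLE_MEMBERSHIPS):
        print(f"orphaned guest: {g['displayName']} <{g['mail']}> id={g['id']}")
```

Run it against a tenant by replacing the sample data with `fetch_guests_and_memberships(token)`; the orphaned list is the set of accounts an access review or a cleanup job should look at first.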
While guest users can be a valuable resource for collaborating with external partners and contractors, they can pose potential security risks to an organization. Here are a few examples of security issues that can arise with guest users:
- Compromised guest account: If a guest user’s account is compromised, an attacker may gain access to sensitive information or resources within the organization. This can happen if the guest user’s email account is hacked or if they fall victim to a phishing attack.
- Insider threat: A guest user granted access to sensitive information or resources may pose an insider threat if they decide to abuse their privileges or accidentally expose sensitive information.
- Compliance and regulatory risks: If an organization fails to properly manage and monitor guest user accounts, it may run afoul of compliance and regulatory requirements, resulting in fines and other penalties.
- Shadow IT: Guest users may use their devices and applications when accessing organizational resources, creating a potential security risk. Organizations should establish policies and procedures for managing guest devices and applications, such as requiring anti-malware software and restricting access to specific applications.
- Credential theft: Guest user accounts may be targeted by attackers seeking to steal their credentials. Organizations should educate guest users on best practices for password management and consider implementing advanced security features such as passwordless authentication or conditional access policies.
- Data leakage: Guest users may inadvertently expose sensitive data by saving it to unsecured cloud storage services or sending it over unencrypted email. Organizations should provide guest users with guidelines on handling sensitive data and enforce data loss prevention (DLP) policies to prevent accidental exposure.
The Microsoft 365 Scope
The Microsoft 365 Scope for access review for guests is a feature that enables organizations to conduct access reviews for guest users who have been granted access to resources within their Microsoft 365 tenant. Access reviews are periodic evaluations of user access to determine whether access is still necessary and appropriate.
With the Microsoft 365 Scope for access review for guests, organizations can review guest user access to specific resources, such as SharePoint sites or Teams channels, and determine whether access should be continued, modified, or removed. This feature is available in the Azure AD Premium P2 and Microsoft 365 E5 licensing plans.
An organization can create an access review campaign in the Azure AD Access Review to conduct an access review for guest users. The access review campaign can be scoped to specific guest user groups or resources, and reviewers can be designated to evaluate access for each guest user.
Reviewers are presented with a list of guest users and their associated access rights during the access review. Reviewers can then indicate whether each guest user’s access should be continued, modified, or removed. Once the access review is complete, the organization can take action to implement the reviewer’s decisions, such as revoking access for guest users who no longer require it.
Overall, the Microsoft 365 Scope for guest access review is a valuable tool for managing guest user access to Microsoft 365 resources and ensuring that guest users are only granted access to the resources they need to perform their tasks.
The Azure AD access review described here, for guest users across Microsoft Teams and Microsoft 365 Groups, targets all Microsoft 365 groups that contain guest users. With this method you don’t have to create an access review for each group; a single review takes care of all existing and new Microsoft 365 groups in your environment.
For example, when new Teams and Groups are created, access reviews will automatically be enabled for those with guest users.
Create an Access Review Campaign
Access to groups and applications for employees and guests changes over time. To reduce the risk associated with stale access assignments, administrators can use Azure AD to create access reviews for group members or application access.
Microsoft 365 and Security group owners can also use Azure AD to create access reviews for group members if a Global administrator or User administrator enables the setting in the Access Reviews Settings pane.
The following scenario covers Microsoft 365 groups with guest users only.
- What to Review: Select Teams + Groups.
- The review scope: All Microsoft 365 groups with guest users.
- Group: Not needed in this scenario.
- Scope: Guest users only.
- Inactive users: Not needed in this scenario.
- Days inactive: Not needed in this scenario.
- Group: You can select a dynamic security group that contains a list of all the guests in your company.
- Inactive users: Guests who have not signed in, either interactively or non-interactively.
- Select reviewers: The owner or group who decides on the access reviews.
- Duration: How long a review is open for input from reviewers.
- Review recurrence: How often the review repeats; the duration of each recurrence is set to the sum of the duration days specified for each stage.
- Start date: Choose your start date.
- End: Choose your end date.
- Review recurrence: Repeat reviews at every chosen interval. The duration of each recurrence will be set to the sum of the duration days you specified in each stage.
- Select reviewers: Users review their own access. Each guest will self-review and decide whether they still need access.
- Group owners: This option is only available when you review a team or group.
- A multi-stage review allows the administrator to define two or three sets of reviewers to complete a review one after another. In a single-stage review, all reviewers make a decision within the same period, and the last reviewer to make a decision wins. In a multi-stage review, two or three independent sets of reviewers decide within their own stage, and the next stage doesn’t happen until a decision is made in the previous stage. Multi-stage reviews can reduce the burden on later-stage reviewers, allow for escalation of reviewers, or have independent groups of reviewers agree on decisions.
- Auto-apply results to resource: Select this checkbox if you want access to denied users removed automatically after the review duration ends. If the option is disabled, you must manually apply the results when the review finishes.
- If reviewers don’t respond: Use this option to specify what happens for users not reviewed by any reviewer within the review period. This setting doesn’t affect users who were reviewed by a reviewer.
- Action to apply on denied guest users: Block sign-in for 30 days and then remove the user from the tenant. This automates deleting the guest user’s Azure AD B2B account.
- No sign-in within 30 days: Not needed in this example.
- Justification: Allows you to capture why the guest still needs access.
- Email notifications: Sends the review email to the guests.
- Reminders: Sends a reminder email to guests who have not responded.
- If reviewers don’t respond: Use this option to specify what happens to users not reviewed by any reviewer within the review period. This setting doesn’t affect users who were reviewed by a reviewer. The dropdown list shows the following options:
  - No change: Leaves a user’s access unchanged.
  - Remove access: Removes a user’s access.
  - Approve access: Approves a user’s access.
  - Take recommendations: Takes the system’s recommendation to deny or approve the user’s continued access.
- Action to apply on denied guest users: This option is only available if the access review is scoped to include only guest users. It specifies what happens to guest users who are denied, either by a reviewer or by the “If reviewers don’t respond” setting.
  - Remove the user’s membership from the resource: Removes a denied guest user’s access to the group or application being reviewed. They can still sign in to the tenant and won’t lose any other access.
  - Block the user from signing in for 30 days, then remove the user from the tenant: Blocks a denied guest user from signing in to the tenant, regardless of access to other resources. If this action was taken in error, admins can re-enable the guest user’s access within 30 days after the guest user was disabled. If no action is taken on the disabled guest user after 30 days, they’re deleted from the tenant.
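The same campaign can be created through the Microsoft Graph API instead of the portal. The following Python script is an added example, not code from the original article or from Microsoft; it builds the request body for `POST /identityGovernance/accessReviews/definitions` so that each portal choice above (all Microsoft 365 groups, guests only, duration, recurrence, “If reviewers don’t respond”, “Action to apply on denied guest users”, notifications, reminders, justification, auto-apply) maps to a named field. Field names follow the Graph `accessReviewScheduleDefinition` resource as I know it and should be checked against the current Graph reference before use; two assumptions to note are that group owners are used as reviewers here (one of the options the article lists) rather than the self-review choice selected above, and that the token passed to `create_access_review` is obtained elsewhere (for example with MSAL) with the AccessReview.ReadWrite.All permission.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Portal wording for "If reviewers don't respond" -> Graph defaultDecision value.
DEFAULT_DECISIONS = {
    "No change": "None",
    "Remove access": "Deny",
    "Approve access": "Approve",
    "Take recommendations": "Recommendation",
}

# Portal wording for "Action to apply on denied guest users" -> Graph apply action.
DENIED_GUEST_ACTIONS = {
    "remove_membership": {"@odata.type": "#microsoft.graph.removeAccessApplyAction"},
    "disable_and_delete": {"@odata.type": "#microsoft.graph.disableAndDeleteUserApplyAction"},
}


def build_guest_review_definition(display_name, start_date, end_date=None,
                                  duration_days=30, recurrence_months=3,
                                  if_no_response="Remove access",
                                  denied_guest_action="disable_and_delete",
                                  guests_only=True):
    """Return the JSON body for POST /identityGovernance/accessReviews/definitions
    mirroring the portal settings: all Microsoft 365 groups, guests only, group
    owners as reviewers (assumption), auto-apply on, notifications and reminders
    on, justification required. Dates are 'YYYY-MM-DD'."""
    # The portal only offers "block sign-in, then remove" for guest-only scopes;
    # enforce the same rule so a member-inclusive review can never delete users.
    if denied_guest_action == "disable_and_delete" and not guests_only:
        raise ValueError("disable_and_delete is only valid when the scope is guest users only")

    default_decision = DEFAULT_DECISIONS[if_no_response]
    members_query = ("./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')"
                     if guests_only else "./members")
    start = f"{start_date}T00:00:00Z"
    recurrence_range = ({"type": "endDate", "startDate": start, "endDate": f"{end_date}T00:00:00Z"}
                        if end_date else {"type": "noEnd", "startDate": start})
    return {
        "displayName": display_name,
        "descriptionForAdmins": "Guest access review across all Microsoft 365 groups",
        "descriptionForReviewers": "Confirm whether each guest still needs access to this group",
        # Who is reviewed inside each group instance (the portal's "Scope").
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": members_query,
            "queryType": "MicrosoftGraph",
        },
        # Which groups get an instance: every Microsoft 365 (Unified) group,
        # including ones created after the review exists.
        "instanceEnumerationScope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": "/groups?$filter=(groupTypes/any(c:c eq 'Unified'))",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [{"query": "./owners", "queryType": "MicrosoftGraph"}],
        "settings": {
            "mailNotificationsEnabled": True,        # Email notifications
            "reminderNotificationsEnabled": True,    # Reminders
            "justificationRequiredOnApproval": True, # Justification
            "recommendationsEnabled": True,
            "autoApplyDecisionsEnabled": True,       # Auto-apply results to resource
            "instanceDurationInDays": duration_days, # Duration
            # "No change" means no default decision is applied at all.
            "defaultDecisionEnabled": default_decision != "None",
            "defaultDecision": default_decision,
            "recurrence": {                          # Review recurrence / Start / End
                "pattern": {"type": "absoluteMonthly", "interval": recurrence_months},
                "range": recurrence_range,
            },
            "applyActions": [DENIED_GUEST_ACTIONS[denied_guest_action]],
        },
    }


def create_access_review(definition, token):
    """POST the definition to Graph and return the created object."""
    req = urllib.request.Request(
        f"{GRAPH}/identityGovernance/accessReviews/definitions",
        data=json.dumps(definition).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Print the body so it can be inspected before a real POST.
    print(json.dumps(build_guest_review_definition(
        "Quarterly review of guests in Microsoft 365 groups", "2024-01-01"), indent=2))
```

Keeping the builder separate from the POST lets you diff the generated body against the portal’s Review + Create page, and the `ValueError` guard reproduces the portal rule that the disable-and-delete action is only offered for guest-only scopes.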
Review + Create
Last but not least, review the settings and create the access review.
The next steps will be to review access and complete the process.