SC-300 Microsoft Identity and Access Administrator – Access Reviews

  1. Introduction to Access Reviews

So in this section of the course, we’re going to talk about Access Reviews. Now, Access Reviews is part of this automation and the way that you manage really large directories with really complex permission settings. So the concept of an Access Review is basically that you have a group, let’s say you have a group of people in a department who have access to resources, and on a regular basis, you want to have them review their access to those resources and reconfirm that they still require access to those resources. So there is a sort of self-selection process that can be part of this. And then there are some rules around what happens if the person doesn’t reply to this Access Review request, what their manager gets to do, some reviews of this, et cetera.

So you have sort of a hierarchy of reviews or a workflow to get into Access Reviews. This is part of the Identity Governance domain. So if we scroll down here into Identity Governance again, where we got the entitlement management, we can see there’s this concept of Access Reviews. And so really, it is something that you have to set up in terms of the rules and the requirements for this Access Review program. Now, you don’t want this to be too much of a hassle for people, but we do have to recognize that sometimes security is a hassle. So signing up for multi-factor authentication and having to access your phone every time you log in, there is a bit of a hassle element.

But it’s the hassle that increases security. And so when you’re creating these automated Access Reviews, you want to balance the hassle it is for people to be asked to review the resources that they’ve been given access to and reconfirm that they still require access, against how frequently that needs to get done. Obviously, if people are honest, they say, oh, I used to need this and now I don’t need it anymore. And if you make it clear that it’s relatively easy to get the access back if they require it, especially using access packages, then the Access Review isn’t so much of a hassle. Then you can space these things out to a cadence that makes the most sense.

  2. Create Access Reviews

All right, so we’re in Identity Governance and we’re going to get into the Access Review section. We have very little choice. We’re just going to say New access review. Now, right away we’re given this wizard-type interface and we have the choice of reviewing Teams and groups, which are external users’ memberships in groups, or user assignments to individual applications. So for instance, if we did have users that had, let’s say, the Adobe Creative Cloud assignment, then we could create this access review for those users. Specifically, I’m going to choose Teams and groups. Now, Teams and groups, it doesn’t specifically say it here, but this is only going to create a review for the external users, people who are outside of your organization.

So I could say all groups that have guest users can have their access reviewed. Or I can select specific groups. So I can say, let’s say the teachers and the students all need to have their access reviewed. And here on the bottom is where we get to choose whether it’s guest users only or whether we want even internal users to have to go through this process. Next up, we decide what is sort of the key decision: who is going to be doing this review? If we open this drop-down, we can see that the group owners could potentially be the ones doing the review. So we created this review for students and teachers. If you recall, in a previous video, we made the teachers the owner of the students group.

So if I chose group owner, then the teachers are going to basically be seeing if the students still need access to the students group. It is possible to have users review their own access. Now, you might think that this is a bit unusual. Why would you ask somebody if they still need access? They would probably say yes. Well, we’re going to assume that people have the right intention and that if somebody has not accessed a resource in three months or six months or twelve months or some period of time, they’re going to put their hand up and say, you know what, I don’t really need access to this anymore. And it’s going to be up to you, obviously, to explain that there’s a benefit to giving up access to things they don’t need, as long as they can get that access back when they do need it.

So we’re going to say that users can review their own access. We also could have chosen a group or a selected set of users to do the review. Or, if Azure Active Directory has the management hierarchy defined, then we can rely on their actual managers. But we’re going to say users review their own access. Next up, we can say how long this review is going to take. So we can give them three days, five days, two weeks, however long you want to do this review. I’m going to make this a one-time review. You do have the option of making it annual, semiannual, quarterly, et cetera. I think, obviously, if you’re going to do it too frequently, that’s going to get annoying for people.

But remember, security really is a trade-off between convenience and security. And so you’re going to have to give up some convenience to have increased security. But for this case, I’m just going to do one time and we can start this review today. On the settings screen, we have a number of settings. What do we want to happen once the review is complete? Well, we can basically auto-apply the results. So if the student says, I no longer need access to Resource X, they’ll be removed from that automatically. What are we going to do if the student or the teacher doesn’t respond to our request for this access review? We can either remove them, so we can basically force them to lose access, and that might motivate them to get this done, or there’s a thing called take recommendations.

Microsoft Azure is going to make some recommendations, or can make recommendations. And maybe for people who haven’t logged into Azure in a while, losing access is probably the right way to go. Now, who needs to be notified of the changes? Maybe I need to be notified. Now, this is the take recommendations setting. Here are the decision helpers. So right now there’s only one, and that is if the user themselves has not signed into Azure Active Directory in 30 days, then we’re going to recommend that they remove themselves from that group. If they want to stay in the group, we’ll put a little text box on screen to justify that.

We will email them a notification to say, hey, we’re just starting the process, and notify the admins when the review completes. And we can even create reminders during the period if they still haven’t done the review. Finally, we give this a name, so I can call this the Student Teacher Review, and you can give some type of nice description. So those two groups, the student and the teacher groups, are going to have everyone review their own access. And it’ll be a one-time process over the next three days. If they decline access, if they say they don’t need it, it will be removed; Microsoft Azure will make recommendations if they haven’t logged in in 30 days, and then those recommendations will be followed if they don’t reply to the review.

And anyone who is a guest user is going to lose access if they deny access, and all of the settings that we set. So now I can say Create. And so now the access period is going to start. The students and teachers are going to receive an email telling them that it’s time for them to review their access. And they will get an interface that they can use to say they need access or they don’t need access, and we will take up their recommendations, or the request essentially, at the end of the process. And so, as you can see, access reviews are part of a strategy of ensuring that, in your large and complex organization, people are basically giving themselves the least amount of privilege that they require, which increases the security of your identity.
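The same review the walkthrough builds in the portal, created with the Microsoft Graph PowerShell SDK instead. This is an added example, not code from the course: the group id and dates are placeholders, and it assumes that leaving out the reviewers collection produces a self-review (as the Graph documentation describes), which you should confirm against the current API reference.

```powershell
# Added example: one-time self-review of the Students group via Microsoft Graph.
# Requires the Microsoft.Graph.Identity.Governance module. Group id and dates
# below are placeholders, not values from the course.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$studentsGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder group id
$start = (Get-Date).ToUniversalTime()
$end   = $start.AddDays(3)                                   # three-day review window

$definition = @{
    displayName             = "Student Teacher Review"
    descriptionForAdmins    = "One-time self-review of Students group membership."
    descriptionForReviewers = "Confirm you still need membership in the Students group."
    # Scope: every (transitive) member of the group, internal users included.
    # For guests only, the documented query appends
    # "/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')".
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$studentsGroupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    # Assumption: no reviewers collection means each user reviews their own access.
    settings = @{
        mailNotificationsEnabled        = $true   # email at start, admins at completion
        reminderNotificationsEnabled    = $true   # remind those who have not responded
        justificationRequiredOnApproval = $true   # the "give a reason to keep access" box
        recommendationsEnabled          = $true   # decision helper: no sign-in in 30 days => Deny
        defaultDecisionEnabled          = $true   # decide for non-responders...
        defaultDecision                 = "Recommendation"   # ...by taking the recommendation
        autoApplyDecisionsEnabled       = $true   # remove denied members when the review closes
        instanceDurationInDays          = 3
        recurrence = @{
            pattern = $null                       # no pattern: a one-time review
            range   = @{
                type      = "endDate"
                startDate = $start.ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
                endDate   = $end.ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
            }
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
"Created review '{0}' ({1}), status {2}" -f $review.DisplayName, $review.Id, $review.Status
```

The portal wizard creates one definition per selected group, so run this once per group (Students, Teachers) to mirror the walkthrough.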

  3. Perform an Access Review

Now, what happens once you initiate the review is that emails go out to these users telling them it’s time for the review. Now, I don’t have email accounts for all of these users, but you can also find the Access reviews by going to the myapplications.microsoft.com site. Remember, we were using this for assigning Adobe and Dropbox and things to users. Well, there’s also the ability to get to My Access. Actually, myaccess.microsoft.com is there as well. Now, this is where we would have gone to request access to an access package. We can see that’s still active. We can see the history of those requests. And on the last tab there’s the Access Reviews. So we have the Student Teacher Review, which just started and is underway. It has three days to do the review.

If I click on it: do you still need access to the group Students? I can say yes. And I have to give a reason: I will need access until the end of the year to do my work. Some type of justification. In the context of students and teachers, it might not make a whole lot of sense, but in the context of an organization they should still be able to ask this question. So, pretty straightforward, do you need access? Yes. Great. The Access Review is then going to be shown as done, one of one. If that student is part of a lot of groups and those groups are also doing Access Reviews, they’ll see them here. Remember, you will get that in email as well. Now, if we go back to the portal logged in as the global admin here, we can see that on the overview screen.

There are those two Access Reviews open, which are for students and for teachers. Let’s refresh this here. Going to hit the refresh button. And if we go into the Access Review section, we’ll see that actually two Access Reviews are created, one for teachers, one for students. Let’s look at the student one. And now we can see that there are three users in the student group that are being asked to review their access. Two of them have not done that job yet and one of them has. And so there is some outstanding work to be done in terms of students, part of the students group. Remember, after three days this will automatically close and any of those recommendations would be executed on automatically. So Access Reviews, we see them in action here. We could stop the review. If we think that this is a mistake or whatever, we can stop it. We can delete it just like that. We can see Student One has approved, the recommendation was approved and they did the review. Student Two and Three have never logged in and so the recommended action is denied. So if I don’t do this review within three days, Student Two and Student Three will be removed from the students group.
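The same status view the walkthrough reads off the portal (who has reviewed, what the decision helper recommends for the rest, who will be removed at close), pulled through the Microsoft Graph PowerShell SDK. This is an added example, not from the course; it assumes the review was created with the name used above and that the default decision is set to take recommendations.

```powershell
# Added example: report the decisions of the current instance of a review.
# Requires the Microsoft.Graph.Identity.Governance module.
Connect-MgGraph -Scopes "AccessReview.Read.All"

$reviewName = "Student Teacher Review"   # name given in the walkthrough
$definition = Get-MgIdentityGovernanceAccessReviewDefinition -All |
    Where-Object DisplayName -eq $reviewName | Select-Object -First 1
if (-not $definition) { throw "No access review named '$reviewName' found." }

# A one-time review has a single instance; take the most recent one regardless.
$instance = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
    -AccessReviewScheduleDefinitionId $definition.Id -All |
    Sort-Object StartDateTime -Descending | Select-Object -First 1

$decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
    -AccessReviewScheduleDefinitionId $definition.Id `
    -AccessReviewInstanceId $instance.Id -All

"Review '{0}' instance {1}: status {2}, ends {3}" -f `
    $definition.DisplayName, $instance.Id, $instance.Status, $instance.EndDateTime

$decisions | ForEach-Object {
    # Decision: Approve / Deny / NotReviewed / DontKnow (what the user chose)
    # Recommendation: Approve / Deny / NoInfoAvailable (the 30-day sign-in helper)
    $outcome = switch ($_.Decision) {
        "Approve"     { "keeps access" }
        "Deny"        { "removed at close" }
        "NotReviewed" {
            # Default decision = Recommendation: the helper decides for non-responders.
            if ($_.Recommendation -eq "Deny") { "REMOVED at close unless reviewed" }
            else { "keeps access unless reviewed" }
        }
        default       { "undetermined" }
    }
    [pscustomobject]@{
        Principal      = $_.Principal.DisplayName
        Decision       = $_.Decision
        Recommendation = $_.Recommendation
        Justification  = $_.Justification
        Outcome        = $outcome
    }
} | Format-Table -AutoSize
```

In the walkthrough's state this prints Student One as Approve with a justification, and Students Two and Three as NotReviewed with a Deny recommendation, i.e. removed when the three-day window closes.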

  4. Access Review Licensing

So we should talk about the licensing requirements for Access Reviews because, surprisingly, it does require a lot of licenses. So it is an Azure AD Premium P2 license. Remember, this is the more expensive of the licensing, and anyone who is a reviewer, so it could be a manager and a group owner, anyone who performs a self-review, the group owners and the application owners, requires a P2 license. So to perform a review requires a P2 license. For these external users, it depends on how you’ve set up your licensing. But if the external users are doing their own reviews or reviewing others, they’re going to need P2 licenses as well.

The global administrator who creates the Access Review, or anyone who creates the Access Review, does not require a P2 license, only the people that are performing the reviews, even on themselves. Interesting fact here: there’s a monthly active users billing model for guest users. So if people don’t actually log in, then they’re not charged. So this was a requirement of the exam, to understand the licensing. And effectively, anyone who does the work, performs the reviews, needs to be licensed, and not the people who create the reviews.
