
How to Create and Manage Access Review in Microsoft Entra ID

A Microsoft Entra ID (formerly Azure Active Directory) access review is a periodic check of which users still have access to applications, groups, and roles, and whether they still need it. Reviews help organizations stay compliant with their security policies, reduce the risk of unauthorized access through stale or forgotten permissions, and keep control over who can reach which resources. Administrators can schedule recurring reviews or run ad-hoc ones, and reviewers receive sign-in and group-affiliation recommendations that help them make informed decisions about whether to keep or remove each user's access.

How to Create Access Reviews

Microsoft Entra ID access reviews can be configured as follows:

  • Sign in to the Microsoft Entra admin center with an account that holds at least the User Administrator or Identity Governance Administrator role. Access reviews also require a Microsoft Entra ID P2 or Microsoft Entra ID Governance license.
  • Navigate to Identity Governance, Access reviews, and select New access review.
  • In the Select what to review dropdown, decide whether to review access to Teams + Groups or to Applications. Depending on your selection, choose the specific groups or applications (and whether to review all users or only guest users) and click Next: Reviews.

On the Reviews tab you can opt for either:

  • A multi-stage review, by ticking the Multi-stage review box. The review is split into two or three separate stages, and a different set of reviewers evaluates the same access in each stage, for example the group owners first and then the users' managers.
    or
  • A single-stage review, by leaving the box unchecked, where all assigned reviewers evaluate the access at the same time. (Note: the screenshots below show a multi-stage review.)

Then configure the stage (or stages):

  • From the Select reviewers drop-down, choose who reviews: group owners, selected users or groups, users reviewing their own access, or the users' managers. For owner- or manager-based reviews, also assign fallback reviewers; they are used when no owner or manager can be resolved for a reviewee (for example, a user with no manager attribute set), so that no access is left unreviewed.
  • Set the Stage duration (in days). When it elapses, reviewees move to the next stage, or the review completes if this is the last stage.
  • Use Review recurrence to make the review repeat (for example weekly, monthly, quarterly, semi-annually or annually) rather than run once.
  • Use the Start date field to select the date on which the review schedule begins.
  • For multi-stage reviews, use the Reviewees going to the next stage dropdown to choose which decisions carry over, for example only approved reviewees, only denied or not-reviewed ones, or all of them.
  • To configure additional settings, click Next: Settings; to finish creating your access review, go to the Review + Create tab, fill in the Review name and Description, and click Create.
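The same review can be created with the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.Governance), which is useful when many groups need identical review policies. The script below is an added example written for this page; it is not part of the original article or a Microsoft sample. The group ID, fallback reviewer ID, display name and descriptions are placeholders to replace with your own. It builds the objects behind the portal fields described above: scope (what to review), reviewers and fallback reviewers, stage duration, recurrence and start date, and the options on the Settings tab.

```powershell
# Added example: create a recurring access review of a group's members with Microsoft Graph PowerShell.
# Requires: Install-Module Microsoft.Graph.Identity.Governance, plus an Entra ID P2 or Governance license.
# $groupId and $fallbackReviewerId are placeholder identifiers; replace them with your own.
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All', 'Group.Read.All'

$groupId            = '00000000-0000-0000-0000-000000000001'   # group whose members are reviewed (placeholder)
$fallbackReviewerId = '00000000-0000-0000-0000-000000000002'   # reviewer used when the group has no owner (placeholder)

# Start the schedule on the first day of next month so each quarterly instance opens on the 1st.
$startDate = (Get-Date -Day 1).AddMonths(1).ToString('yyyy-MM-dd')

$definition = @{
    displayName             = 'Quarterly review: Finance-Reporting group members'
    descriptionForAdmins    = 'Owners confirm that each member still needs access to Finance reporting.'
    descriptionForReviewers = 'Approve only members who still need this access. Deny anyone who has changed role or left the team.'

    # Select what to review: all transitive members of the group (members of nested groups included).
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = 'MicrosoftGraph'
    }

    # Select reviewers: the group's owners ...
    reviewers = @(
        @{ query = "/groups/$groupId/owners"; queryType = 'MicrosoftGraph' }
    )
    # ... with a fallback reviewer who is used when the group has no owners.
    fallbackReviewers = @(
        @{ query = "/users/$fallbackReviewerId"; queryType = 'MicrosoftGraph' }
    )

    settings = @{
        instanceDurationInDays          = 14       # Stage duration
        mailNotificationsEnabled        = $true    # Email notifications
        reminderNotificationsEnabled    = $true    # Reminders
        justificationRequiredOnApproval = $true    # Justification required
        recommendationsEnabled          = $true    # sign-in and affiliation recommendations
        autoApplyDecisionsEnabled       = $true    # Auto apply results to resource
        defaultDecisionEnabled          = $true    # If reviewers don't respond ...
        defaultDecision                 = 'Deny'   # ... remove access (alternatives: Approve, Recommendation, None)
        # Review recurrence: every 3 months from $startDate, with no end date.
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 3; dayOfMonth = 1 }
            range   = @{ type = 'noEnd'; startDate = $startDate }
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
"Created access review '$($review.DisplayName)' with id $($review.Id) (status: $($review.Status))"
```

Choosing Deny as the default decision together with auto-apply means that a review nobody answers still removes access, which is the safer failure mode for sensitive groups; combine it with reminders so that active users are not silently cut off by an absent reviewer.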

How do Access reviews in Microsoft Entra ID work?

Microsoft Entra ID access reviews work by letting administrators define the scope of the review, select the reviewers, and set how often the review recurs, in order to manage the access of Microsoft Entra ID users to groups, teams, and applications.

The processes are as follows:

  1. Creating a review policy: Administrators or resource owners initiate an access review by selecting the group, app, or role to be reviewed. They define the review scope and criteria, including who reviews the access: resource owners, the users' managers, the users themselves (self-review), or specific reviewers chosen by the administrator.
  2. The review process: Depending on how the review is set up, it is conducted by group owners, resource owners, or managers, or by manually assigned reviewers. The review cycle can run once or recur at any supported frequency, such as monthly, every six months, or annually.
  3. Actionable suggestions: Based on signals such as recent sign-in activity and how closely a user resembles the rest of the group, Microsoft Entra ID can recommend whether to approve or deny each user. Reviewers can accept these recommendations or override them.
  4. Execution: Once the review ends, the approve and deny decisions are applied, either automatically if auto-apply is enabled or manually by an administrator. Users who were denied lose access to the reviewed resource, for example by being removed from the group or having their application assignment removed. Until the decisions are applied, denied users keep their access.
  5. Auditing and reporting: After each review cycle, the results, including every decision, who made it, when, and any justification given, are available for compliance and audit purposes.

Additional Settings for Access Reviews

The review process can be improved and optimized by modifying the additional options found in the Settings tab. These options are:

Auto apply results to resource: Automatically apply the decisions when the review ends, removing access for denied users. If this is disabled, the decisions are only recorded; an administrator must apply them manually after the review completes, and until that happens denied users retain their access.

If reviewers don’t respond: What happens to users who have not been reviewed by the time the review ends. There are four options:

  • No change (unreviewed users keep their access)
  • Remove access
  • Approve access
  • Take recommendations (approve or deny each unreviewed user according to the recommendation Microsoft Entra ID produced during the review)

For reviews of privileged or guest access, Remove access is the conservative choice, since a review that nobody completes otherwise leaves every unreviewed user in place.

At end of review, send notifications to: Add other users and groups who should be sent notifications when the review process is complete.

No sign-in within 30 days: Recommends approving users who have signed in during the 30 days before the review and denying those who have not. The recommendation reflects sign-in activity, not whether the user still needs the resource, so reviewers should treat it as a hint rather than a decision.

User-to-Group Affiliation: Recommends denying access for users whose position in the organization's reporting hierarchy is distant from that of most other members of the group, since such outliers are more likely to hold stale or exceptional access.

Justification required: Make it mandatory for reviewers to provide an explanation for their approval or denial.

Email notifications: Send emails to reviewers when the review process starts and to review owners when the review is completed.

Reminders: Send email reminders to reviewers during the review process.

Additional content for reviewer email: Text appended to the email notifications reviewers receive, for example instructions on how to decide or a link to the policy the review enforces.
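Because Auto apply results and the no-response default decide whether a review actually removes anything (see also step 4, Execution, above), it is worth checking them across every review definition in the tenant rather than trusting each portal wizard run. The script below is an added example written for this page, not part of the original article or a Microsoft sample. It flags definitions whose settings leave denied or unreviewed users with access, and for the most recent finished instance of each definition it lists Deny decisions whose ApplyResult shows they were never applied. Property and cmdlet names come from the Microsoft Graph accessReviewScheduleDefinition and accessReviewInstanceDecisionItem resources; the finding texts are ours.

```powershell
# Added example: audit all access review definitions for settings that leave access in place,
# and verify that Deny decisions in the latest finished instance were actually applied.
Connect-MgGraph -Scopes 'AccessReview.Read.All'

$findings = foreach ($def in Get-MgIdentityGovernanceAccessReviewDefinition -All) {
    $s = $def.Settings

    # Settings-tab checks (see "Additional Settings for Access Reviews").
    if (-not $s.AutoApplyDecisionsEnabled) {
        [pscustomobject]@{ Review = $def.DisplayName; Finding = 'Auto apply is off: denials only take effect if an admin applies results manually' }
    }
    if (-not $s.DefaultDecisionEnabled -or $s.DefaultDecision -in 'None', 'Approve') {
        [pscustomobject]@{ Review = $def.DisplayName; Finding = "Unreviewed users keep access (If reviewers don't respond = $($s.DefaultDecision))" }
    }
    if (-not $s.JustificationRequiredOnApproval) {
        [pscustomobject]@{ Review = $def.DisplayName; Finding = 'Approvals need no justification, weakening the audit trail' }
    }
    if (-not $s.RecommendationsEnabled) {
        [pscustomobject]@{ Review = $def.DisplayName; Finding = 'Sign-in and affiliation recommendations are disabled' }
    }

    # Execution check: in the most recent finished instance, were Deny decisions applied?
    # Instance status is 'Completed' when reviewing ended and 'Applied' once results were applied.
    $latest = Get-MgIdentityGovernanceAccessReviewDefinitionInstance -AccessReviewScheduleDefinitionId $def.Id -All |
        Where-Object { $_.Status -in 'Completed', 'Applied' } |
        Sort-Object EndDateTime -Descending | Select-Object -First 1

    if ($latest) {
        $decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
            -AccessReviewScheduleDefinitionId $def.Id -AccessReviewInstanceId $latest.Id -All

        foreach ($d in $decisions | Where-Object { $_.Decision -eq 'Deny' -and $_.ApplyResult -ne 'AppliedSuccessfully' }) {
            $who = if ($d.Principal.DisplayName) { $d.Principal.DisplayName } else { $d.Principal.Id }
            [pscustomobject]@{ Review = $def.DisplayName; Finding = "Denied principal '$who' still has access (ApplyResult = $($d.ApplyResult))" }
        }
    }
}

$findings | Format-Table -AutoSize
```

A clean run prints an empty table. Any Deny decision with an ApplyResult other than AppliedSuccessfully (for example New, meaning never applied) is a user the review decided to remove but who still holds the access, which is exactly the gap a compliance audit will ask about.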

Enhancing your Microsoft Entra ID Auditing with Lepide

The Lepide Microsoft Entra ID Auditor helps improve visibility of changes in Microsoft Entra ID through a range of pre-defined reports. One example, the All Azure AD Changes report, is shown below:

To run this report:

  • Select Lepide Auditor, Reports
  • From here, expand Azure AD
  • Select All Azure AD Changes
  • Specify a time frame or leave as today’s date
  • Select Generate Report

The report can be filtered, sorted and exported to CSV and PDF formats.
