What are Azure AD access reviews?
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access.
Here's a video that provides a quick overview of access reviews:
Why are access reviews important?
Azure AD enables you to collaborate with users from inside your organization and with external users. Users can join groups, invite guests, connect to cloud apps, and work remotely from their work or personal devices. The convenience of using self-service has led to a need for better access management capabilities.
- As new employees join, how do you ensure they have the access they need to be productive?
- As people move teams or leave the company, how do you make sure that their old access is removed?
- Excessive access rights can lead to compromises.
- Excessive access right may also lead audit findings as they indicate a lack of control over access.
- You have to proactively engage with resource owners to ensure they regularly review who has access to their resources.
When should you use access reviews?
- Too many users in privileged roles: It's a good idea to check how many users have administrative access, how many of them are Global Administrators, and if there are any invited guests or partners that have not been removed after being assigned to do an administrative task. You can recertify the role assignment users in Azure AD roles such as Global Administrators, or Azure resources roles such as User Access Administrator in the Azure AD Privileged Identity Management (PIM) experience.
- When automation is not possible: You can create rules for dynamic membership on security groups or Microsoft 365 Groups, but what if the HR data is not in Azure AD or if users still need access after leaving the group to train their replacement? You can then create a review on that group to ensure those who still need access should have continued access.
- When a group is used for a new purpose: If you have a group that is going to be synced to Azure AD, or if you plan to enable the application Salesforce for everyone in the Sales team group, it would be useful to ask the group owner to review the group membership prior to the group being used in a different risk content.
- Business critical data access: for certain resources, it might be required to ask people outside of IT to regularly sign out and give a justification on why they need access for auditing purposes.
- To maintain a policy's exception list: In an ideal world, all users would follow the access policies to secure access to your organization's resources. However, sometimes there are business cases that require you to make exceptions. As the IT admin, you can manage this task, avoid oversight of policy exceptions, and provide auditors with proof that these exceptions are reviewed regularly.
- Ask group owners to confirm they still need guests in their groups: Employee access might be automated with some on premises Identity and Access Management (IAM), but not invited guests. If a group gives guests access to business sensitive content, then it's the group owner's responsibility to confirm the guests still have a legitimate business need for access.
- Have reviews recur periodically: You can set up recurring access reviews of users at set frequencies such as weekly, monthly, quarterly or annually, and the reviewers will be notified at the start of each review. Reviewers can approve or deny access with a friendly interface and with the help of smart recommendations.
If you are ready to try Access reviews take a look at Create an access review of groups or applications
Where do you create reviews?
Depending on what you want to review, you will create your access review in Azure AD access reviews, Azure AD enterprise apps (in preview), or Azure AD PIM.
|Access rights of users||Reviewers can be||Review created in||Reviewer experience|
|Security group membersOffice group members||Specified reviewersGroup ownersSelf-review||Azure AD access reviewsAzure AD groups||Access panel|
|Assigned to a connected app||Specified reviewersSelf-review||Azure AD access reviewsAzure AD enterprise apps (in preview)||Access panel|
|Azure AD role||Specified reviewersSelf-review||Azure AD PIM||Azure portal|
|Azure resource role||Specified reviewersSelf-review||Azure AD PIM||Azure portal|
Using this feature requires an Azure AD Premium P2 license. To find the right license for your requirements, see Comparing generally available features of the Free, Office 365 Apps, and Premium editions.
How many licenses must you have?
Your directory needs at least as many Azure AD Premium P2 licenses as the number of employees who will be performing the following tasks:
- Member users who are assigned as reviewers
- Member users who perform a self-review
- Member users as group owners who perform an access review
- Member users as application owners who perform an access review
For guest users, licensing needs will depend on the licensing model you’re using. However, the below guest users’ activities are considered Azure AD Premium P2 usage:
- Guest users who are assigned as reviewers
- Guest users who perform a self-review
- Guest users as group owners who perform an access review
- Guest users as application owners who perform an access review
Azure AD Premium P2 licenses are not required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews.
Azure AD guest user access is based on a monthly active users (MAU) billing model, which replaces the 1:5 ratio billing model. For more information, see Azure AD External Identities pricing.
For more information about licenses, see Assign or remove licenses using the Azure Active Directory portal.
Example license scenarios
Here are some example license scenarios to help you determine the number of licenses you must have.
|Scenario||Calculation||Number of licenses|
|An administrator creates an access review of Group A with 75 users and 1 group owner, and assigns the group owner as the reviewer.||1 license for the group owner as reviewer||1|
|An administrator creates an access review of Group B with 500 users and 3 group owners, and assigns the 3 group owners as reviewers.||3 licenses for each group owner as reviewers||3|
|An administrator creates an access review of Group B with 500 users. Makes it a self-review.||500 licenses for each user as self-reviewers||500|
|An administrator creates an access review of Group C with 50 member users and 25 guest users. Makes it a self-review.||50 licenses for each user as self-reviewers.*||50|
|An administrator creates an access review of Group D with 6 member users and 108 guest users. Makes it a self-review.||6 licenses for each user as self-reviewers. Guest users are billed on a monthly active user (MAU) basis. No additional licenses are required. *||6|
* Azure AD External Identities (guest user) pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month. This model replaces the 1:5 ratio billing model, which allowed up to five guest users for each Azure AD Premium license in your tenant. When your tenant is linked to a subscription and you use External Identities features to collaborate with guest users, you'll be automatically billed using the MAU-based billing model. For more information, see Billing model for Azure AD External Identities.