With Azure AD Access Reviews, you can periodically review whether users should continue to have membership in an Azure AD group. It is a requirement that the group be sourced in Azure AD, so UW Groups are not compatible with this feature. Office 365 groups (commonly with names that begin with og_ at the UW) or Azure AD security groups are in scope for this capability.
This capability helps ensure which users should retain membership in a group, helping to reduce the possibility that access to resources is retained past when they should be. The periodicity of the access review determines the maximum amount of time someone who has “left” would retain access.
At the highest scope, you select either:
- Azure AD Application assignment
- Teams membership, Office 365 group membership, or Azure AD security group membership
Beneath that, you can choose to review:
- Guest users only
- All users
The following are configuration choices in an Access Review:
- Group owners
- Users themselves (each member reviews themself)
- Designated reviewers
- Multi-stage review* (must designate above reviewer options for each stage, plus a stage duration, plus whether later stage reviewers can see prior stage decisions)
- Recurrence periodicity:
- Annually, semi-annually, or quarterly
- Monthly or weekly
- Duration (how long reviewers have to respond):
- in days
- Specific date
- After X occurrences
- Auto apply results to resource: True/False (i.e. remove unapproved users or not?)
- If reviewers don’t respond:
- No change
- Remove access
- Take recommendations
- Send end of review results to:
- Justification required (by reviewers): True/False
- Email notifications (to reviewers): True/False
- Email reminders (to reviewers): True/False (this is only if no action has been taken prior to duration end)
- Additional content for review email: “Your text here”
The most common configuration is:
- Reviewers: group owners
- Periodicity: quarterly
- Duration: 14 days
- End: Never
- Auto apply: True
- If reviewers don’t respond: Remove access
- Send end of review results to: <no one>
- Justification: True
- Email notification: True
- Email reminders: True
When the access review kicks off, they will receive an email from email@example.com, with a subject line of “Action required: Review access to the <groupName> group by <date>. It will include a link to start the review at myaccess.microsoft.com, and include links to documentation about how to perform an access review (https://learn.microsoft.com/en-us/azure/active-directory/governance/perform-access-review) and more about Azure AD access reviews (https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview), so all the information needed will be in each email notification. If additional content was specified, that will be in this email–so custom directions may be passed to the reviewers. Note that if PIM activiation is also configured for this group, the review will include information about whether the user(s) in the group have activated/used the group in the past 30 days. If justification is set to true, the reviewer is expected to include a reason for approving.
Should no one act on the review for the duration of the review period, then the review will take the action configured, which for the common configuration noted above would be to remove access. For groups with less sensitivity, and reviewers who many not be as conscientious, you may wish to choose the ‘take recommendations’ option, which generally removes access for those who didn’t make any use of the group membership.
Common patterns and how to leverage Access Reviews
The combination of an Azure AD sourced group, PIM activation, and Azure AD Access Review provide a strong access control combination to help ensure only the right people have access at the right time. However, it is possible to use a UW group with PIM, if an Azure AD Access Review is not required.
This combination takes more effort to setup, requiring UW-IT involvement, so we do ask that customers limit requests for this capability to scenarios which justify the extra effort. PIM and Access Reviews do require the user to have UW Microsoft Advanced Service Level to satisfy Microsoft licensing requirements. To request an Access Review or the combination noted, please open a request to UW-IT (firstname.lastname@example.org) with a subject line of “Microsoft Infrastructure: Access Review”, with the details of your scenario.