
Entra Access Reviews. What are they and why might I need them?

Jo Ashton explains how this feature can help with access and identity management, streamlining user control and enhancing security.

I have a confession. I’m going to tell you something now that I have only told a couple of people, and they shall remain nameless for their own protection. I suspect that if anyone with control should read this, things may change, but this change would be a good one.

I am in a Team that I shouldn’t be in.

There. I have said it. I am in a Team that I shouldn’t be in. Now, this isn’t quite as bad as it sounds, honest. I was originally a legitimate member of the team, the team isn’t actually used very often at all, and I am still at the same grade, so it will be unclear that my role has changed. (To be fair, I just went to have a look: the last post was a month ago and it was about checking whether people still used it, but I have the team hidden anyway.) I was also never privy to any sort of sensitive information.

Why am I sharing this with you? Well, there is a feature of Microsoft Entra ID that I think could be much more widely used than it is. Yes, there is a bit of administration involved but hey, welcome to security!
Does my scenario sound familiar? Or at least possible, in your environment? I suspect for many, it is. If you have an Entra ID P2 subscription, then read on. Even if you don’t, please read on anyway. If you're interested in getting qualified in this topic, our Microsoft Identity and Access Administrator (SC-300) course covers this area.

What are Entra ID access reviews?

Access reviews are an awesome feature that allows you, on a cadence that you choose, to review whether a user should be in a specific group, have an Entra or Azure resource role, or have a connected app or access package assigned to them. Genius.

Suppose you have a Microsoft 365 group associated with a Team and the users of that group are subject to occasional change, or perhaps you are not confident how error-free your leavers process is. You can create an access review to be triggered automatically, say, every six months, so that the group membership is reviewed.

This is designed so that yes, an administrator may carry out the reviews, but even better, we can take this out of IT and allow the owner of the group or the manager of the user to simply confirm whether each member should still have membership of that group. There is even an option for users to review their own access. Every reviewer requires a license so this isn’t ideal in all scenarios but also, based on the confession I made earlier, would you really trust your users to do this? I wouldn’t trust me!

Consider an apprentice in the organisation who carries out different roles in Entra as they move around different departments. Obviously in your IT department this wouldn’t happen (ahem!) but in some, the process of removing the roles when they move on may not be as slick as it could be. Access reviews could change that.

The reviewer will receive an email telling them what they need to review, and they can even carry out the review from a link in the email (or an alternative interface, depending on what the review is for) and specify whether the access should be retained or not. If the reviewer isn’t sure whether the access should still be allowed, Entra can recommend the action that should be taken. At the moment this looks at whether the user has logged in within the last month... and will cause them to be removed if they haven’t!

Even though we can create access reviews for several different objects as mentioned above, they generally work in the same way. The frequency of the review can be weekly, monthly, quarterly, semi-annually, annually, or even as a one-off. They might use slightly different interfaces, but the settings for them are the same. Reviews for Groups, Apps, and Access packages can all be managed through an access panel, which suggests that these really don’t have to be reviewed by admins with the ability to access the Entra Console. The myaccess.microsoft.com access panel is perfectly good enough and, if you have not used the access panels at all yet, they do have quite a nice, clear, user-friendly interface.
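The settings described above (cadence, who reviews, recommendations, automatic removal) can also be written as the request body for Microsoft Graph's access review definitions endpoint. This is an added example, not part of the original article; the group ID, the 14-day review window and the helper names are assumptions, and the one-off review is not covered.

```python
import json

# The article's recurring frequencies as Graph recurrence (pattern type, interval).
FREQUENCIES = {
    "weekly": ("weekly", 1),
    "monthly": ("absoluteMonthly", 1),
    "quarterly": ("absoluteMonthly", 3),
    "semi-annually": ("absoluteMonthly", 6),
    "annually": ("absoluteMonthly", 12),
}

def reviewers_for(kind, group_id):
    """Reviewer scope for the three reviewer choices the article mentions."""
    if kind == "owners":
        return [{"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}]
    if kind == "managers":
        return [{"query": "./manager", "queryType": "MicrosoftGraph", "queryRoot": "decisions"}]
    if kind == "self":
        return []  # no reviewers listed: each member reviews their own access
    raise ValueError(f"unknown reviewer kind: {kind}")

def build_group_review(group_id, name, frequency, reviewer_kind, start_date, auto_remove=False):
    """Body for POST /v1.0/identityGovernance/accessReviews/definitions."""
    if frequency not in FREQUENCIES:
        raise ValueError(f"unsupported frequency: {frequency}")
    pattern_type, interval = FREQUENCIES[frequency]
    settings = {
        "mailNotificationsEnabled": True,   # reviewers get the email with the link
        "recommendationsEnabled": True,     # sign-in based approve/deny hints
        "instanceDurationInDays": 14,       # assumed review window
        "autoApplyDecisionsEnabled": auto_remove,
        "recurrence": {
            "pattern": {"type": pattern_type, "interval": interval},
            "range": {"type": "noEnd", "startDate": start_date},
        },
    }
    if auto_remove:
        # Unanswered items follow the recommendation, so inactive users are removed.
        settings.update(defaultDecisionEnabled=True, defaultDecision="Recommendation")
    return {
        "displayName": name,
        "scope": {"@odata.type": "#microsoft.graph.accessReviewQueryScope",
                  "query": f"/groups/{group_id}/transitiveMembers",
                  "queryType": "MicrosoftGraph"},
        "reviewers": reviewers_for(reviewer_kind, group_id),
        "settings": settings,
    }

if __name__ == "__main__":
    GROUP_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
    body = build_group_review(GROUP_ID, "Team membership review", "semi-annually",
                              "owners", "2025-01-01", auto_remove=True)
    print(json.dumps(body, indent=2))
```

Sending the body requires a token with the AccessReview.ReadWrite.All permission; with `auto_remove=False` the review only collects decisions and an administrator applies them.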

So, if you suspect there may be people in your organisation who do still have access to something that maybe they shouldn’t, consider access reviews to manage this centrally and add the belt and braces to your identity administration.

Note: General access reviews do only require Entra P2 licenses but creating a review on inactive users and with user-to-group affiliation recommendations requires a Microsoft Entra ID Governance license.