How to manage permissions using access reviews in Microsoft Entra ID
What are Microsoft Entra ID access reviews?
Microsoft Entra ID access reviews help organizations maintain control over user access to resources. By regularly reviewing who has access to applications, groups, and roles, organizations can ensure compliance with security policies and reduce the risk of unauthorized access. This capability allows administrators to schedule periodic reviews or conduct ad-hoc assessments, enabling insights into user access patterns and facilitating informed decisions about permission management.
What are the prerequisites for creating access reviews in Microsoft Entra ID?
To create access reviews in Microsoft Entra ID, you need the following:
- The Microsoft Entra ID Governance add-on or the Microsoft Entra Suite subscription for your tenant.
- A user account with the Global Administrator, User Administrator, or Identity Governance Administrator role to create access reviews for groups or applications. Note: Owners of Microsoft 365 groups and security groups can create and review access reviews for their respective groups.
How do access reviews in Microsoft Entra ID work?
Microsoft Entra ID access reviews operate by allowing administrators to define the scope of the review, select reviewers, and set review frequencies to manage the permissions of their Microsoft Entra ID users, groups, teams, and applications. The process consists of:
- Creating a review policy: Admins or resource owners can initiate an access review by selecting the group, app, or role to be reviewed. They define the review scope and criteria, including who will review the permissions: owners, managers, the users themselves, or specific reviewers.
- The review process: Depending on the setup, reviews are conducted by group owners, resource owners, or managers. Reviewers can also be manually assigned. The review cycle can be set as a recurring event in any frequency, such as once every month, every six months, or every year.
- Actionable suggestions: Based on criteria like user activity, the Microsoft Entra ID portal may suggest whether to retain or revoke access. Reviewers can choose to accept these suggestions or override them.
- Execution: Once the review is complete, decisions (i.e., approve or deny) are applied. If access is revoked, the user loses access to the specified resources.
- Auditing and reporting: After a review cycle, detailed reports of the access review results are generated for compliance and auditing purposes.
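The auditing step above can be done outside the portal as well. The following is an added example (not from the original page and not part of M365 Manager Plus) that uses the Microsoft Graph PowerShell SDK to pull the decisions of the most recent instance of a review, count the outcomes, and export the full decision list for the compliance record. It assumes the Microsoft.Graph.Identity.Governance module is installed, that the signed-in account can consent to the AccessReview.Read.All permission, and that $ReviewName is replaced with the display name of one of your reviews (the default value is a placeholder).

```powershell
# Added example: summarize and export the decisions of an access review instance.
# Assumes Microsoft.Graph.Identity.Governance is installed and AccessReview.Read.All
# can be consented. $ReviewName is a placeholder; use your own review's display name.
param(
    [string]$ReviewName = 'Quarterly review - Finance app users'   # placeholder
)

Connect-MgGraph -Scopes 'AccessReview.Read.All' -NoWelcome

# 1. Find the schedule definition by display name.
$definition = Get-MgIdentityGovernanceAccessReviewDefinition -All |
    Where-Object { $_.DisplayName -eq $ReviewName }
if (-not $definition) { throw "No access review named '$ReviewName' was found." }

# 2. Pick the most recently started instance (one instance is created per recurrence cycle).
$instance = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
    -AccessReviewScheduleDefinitionId $definition.Id -All |
    Sort-Object StartDateTime -Descending | Select-Object -First 1

# 3. Pull every decision recorded for that instance.
$decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
    -AccessReviewScheduleDefinitionId $definition.Id `
    -AccessReviewInstanceId $instance.Id -All

# 4. Count outcomes. 'NotReviewed' is the set that the "If reviewers don't respond"
#    fallback acts on when the instance ends.
$decisions | Group-Object Decision |
    ForEach-Object { [pscustomobject]@{ Decision = $_.Name; Count = $_.Count } } |
    Format-Table -AutoSize

# 5. List the decisions where a reviewer overrode the system recommendation;
#    these deserve a second look during an audit.
$decisions |
    Where-Object { $_.Decision -in 'Approve','Deny' -and $_.Recommendation -and
                   $_.Decision -ne $_.Recommendation } |
    Select-Object @{n='Principal';e={$_.Principal.DisplayName}},
                  Decision, Recommendation, Justification,
                  @{n='ReviewedBy';e={$_.ReviewedBy.DisplayName}},
                  ReviewedDateTime, ApplyResult |
    Format-Table -AutoSize

# 6. Export the complete decision list as the compliance record for this cycle.
$decisions |
    Select-Object @{n='Principal';e={$_.Principal.DisplayName}},
                  @{n='Resource';e={$_.Resource.DisplayName}},
                  Decision, Recommendation, Justification,
                  @{n='ReviewedBy';e={$_.ReviewedBy.DisplayName}},
                  ReviewedDateTime, ApplyResult, AppliedDateTime |
    Export-Csv -Path ".\access-review-$($instance.Id).csv" -NoTypeInformation
```

Run the script after an instance has ended so that ApplyResult and AppliedDateTime are populated; while an instance is still open, the NotReviewed count tells you how many reviewees the fallback setting will decide for if reviewers do not respond.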
How to create access reviews in Microsoft Entra ID
You can configure Microsoft Entra ID access reviews by following the steps mentioned below:
- Sign in to Microsoft Entra admin center with a user account that has at least the User Administrator role assigned to it.
- Navigate to Identity Governance > Access reviews, and select New access review.
- Select if you want to review access to Teams + Groups or Applications in the Select what to review dropdown. Depending on your selection, you can select which entities you want to review and click Next: Reviews.
- You can opt for either a multi-stage review, which can be split into two or three separate stages, where different groups of reviewers evaluate the same access in each round, or leave the field unchecked and choose a single-stage review, where all reviewers evaluate access permissions together at once. (Note: In the screenshots, we have opted for multi-stage review.)
- In the Select reviewers drop-down, select the type of reviewers you want to assign. Depending on your selection, you can select your reviewers or assign fallback reviewers whose decision will be considered in the absence of the primary reviewer.
- You can assign the Stage duration (in days), after which the reviewees will be moved to the next action or stage configured for them.
- The Review recurrence field allows you to set a recurring period for your access reviews.
- Select the date from which the access review schedule begins using the Start date field.
- You can choose which objects will be reviewed further using the Reviewees going to the next stage dropdown.
- Click Next: Settings to configure additional settings, or click the Review + Create tab, fill out your Review name and Description, and click Create to finish creating your access review.
What are the additional settings for access reviews in Microsoft Entra ID?
You can improve and optimize the review process by tweaking the additional options found in the Settings tab. The options available are:
- Auto apply results to resource: Automatically remove access for denied users after the review expires.
- If reviewers don’t respond: A fallback option to handle users who have not been reviewed. There are four options: No change, Remove access, Approve access, and Take recommendations (this option approves or denies access according to the suggestions offered by Microsoft Entra ID during the review process).
- At end of review, send notifications to: Add other users and groups who should be sent notifications when the review process is complete.
- No sign-in within 30 days: Recommends approving access for users who’ve signed in within 30 days of the review and denying access for those who have not.
- User-to-Group Affiliation: Recommends denying access for users who do not have similar characteristics with other users within the group.
- Justification required: Make it mandatory for reviewers to provide an explanation for their approval or denial.
- Email notifications: Send emails to reviewers when the review process starts and to review owners when the review is completed.
- Reminders: Send email reminders to reviewers during the review process.
- Additional content for reviewer email: Type in content that your reviewers will receive in their email notifications.
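The creation steps and the Settings tab options described above have a one-to-one mapping onto the accessReviewScheduleDefinition object in Microsoft Graph. The following is an added example (not from the original page and not part of M365 Manager Plus) that creates a two-stage recurring review of a group's membership with the Microsoft Graph PowerShell SDK and sets every option from the Settings tab, with a comment naming the portal option each property corresponds to. It assumes the Microsoft.Graph.Identity.Governance module is installed, that the signed-in account can consent to the AccessReview.ReadWrite.All permission, and that the three GUIDs are replaced with real object IDs from your tenant (the values shown are placeholders).

```powershell
# Added example: create a multi-stage, quarterly access review of a group's members.
# Assumes Microsoft.Graph.Identity.Governance is installed and AccessReview.ReadWrite.All
# can be consented. All GUIDs are placeholders.
$GroupId         = '00000000-0000-0000-0000-000000000001'  # group whose members are reviewed
$FallbackGroupId = '00000000-0000-0000-0000-000000000002'  # fallback / second-stage reviewers
$NotifyGroupId   = '00000000-0000-0000-0000-000000000003'  # receives end-of-review notifications
$StartDate       = (Get-Date).ToString('yyyy-MM-dd')       # "Start date"

Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All' -NoWelcome

$definition = @{
    displayName             = 'Quarterly review - Finance app users'        # Review name
    descriptionForAdmins    = 'Quarterly recertification of Finance group members.'  # Description
    # Text reviewers see in their notification ("Additional content for reviewer email").
    descriptionForReviewers = 'Deny anyone who no longer works on Finance workloads.'

    # "Select what to review": the transitive membership of one group.
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = "/groups/$GroupId/transitiveMembers"
        queryType     = 'MicrosoftGraph'
    }

    # Multi-stage review: stage 1 is done by the group owners (with fallback reviewers);
    # stage 2 re-checks only the access that stage 1 approved.
    stageSettings = @(
        @{
            stageId                = '1'
            durationInDays         = 7                      # "Stage duration (in days)"
            recommendationsEnabled = $true
            reviewers         = @(@{ query = "/groups/$GroupId/owners";           queryType = 'MicrosoftGraph' })
            fallbackReviewers = @(@{ query = "/groups/$FallbackGroupId/members";  queryType = 'MicrosoftGraph' })
            decisionsThatWillMoveToNextStage = @('Approve') # "Reviewees going to the next stage"
        }
        @{
            stageId                = '2'
            dependsOn              = @('1')
            durationInDays         = 7
            recommendationsEnabled = $true
            reviewers = @(@{ query = "/groups/$FallbackGroupId/members"; queryType = 'MicrosoftGraph' })
        }
    )

    # The "Settings" tab, property by property.
    settings = @{
        mailNotificationsEnabled        = $true    # Email notifications
        reminderNotificationsEnabled    = $true    # Reminders
        justificationRequiredOnApproval = $true    # Justification required
        recommendationsEnabled          = $true    # No sign-in within 30 days / User-to-Group Affiliation
        autoApplyDecisionsEnabled       = $true    # Auto apply results to resource
        defaultDecisionEnabled          = $true    # If reviewers don't respond ...
        defaultDecision                 = 'Deny'   # ... Remove access (alternatives: None, Approve, Recommendation)
        instanceDurationInDays          = 14       # total of the stage durations
        recurrence = @{                            # "Review recurrence": every 3 months, no end date
            pattern = @{ type = 'absoluteMonthly'; interval = 3; month = 0; dayOfMonth = 0 }
            range   = @{ type = 'noEnd'; startDate = $StartDate }
        }
    }

    # "At end of review, send notifications to": members of a compliance group.
    additionalNotificationRecipients = @(
        @{
            notificationTemplateType   = 'CompletedReview'
            notificationRecipientScope = @{
                '@odata.type' = '#microsoft.graph.accessReviewNotificationRecipientQueryScope'
                query         = "/groups/$NotifyGroupId/members"
                queryType     = 'MicrosoftGraph'
            }
        }
    )
}

$created = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
"Created access review '$($created.DisplayName)' with id $($created.Id)"
```

Choosing Deny as the default decision together with auto-apply means that a reviewee nobody looks at loses access when the instance ends, which is the fail-closed choice; if your organization prefers not to remove access silently, set defaultDecision to 'Recommendation' so the sign-in and affiliation signals decide instead, and review the NotReviewed decisions afterwards.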
Enhancing your Microsoft Entra ID administration with M365 Manager Plus
ManageEngine M365 Manager Plus is a comprehensive administration and security solution for Microsoft 365 used for reporting, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environments. You can easily manage users, groups, contacts, mailboxes, teams, and sites in bulk and automate these processes, all without any PowerShell scripting.
Here are more benefits to using M365 Manager Plus to manage and monitor your Microsoft 365 environment:
- Gain a thorough understanding of not just your Microsoft Entra ID environment but also Exchange Online, SharePoint Online, OneDrive for Business, and other Microsoft 365 services with detailed reports and intuitive visualizations.
- Filter your reports just once and save them as custom reports that you can access in just a few clicks.
- Export reports generated in M365 Manager Plus in CSV and other presentable formats, such as HTML, PDF, and XLSX.
- Delegate granular permissions to technicians without elevating their Microsoft 365 privileges, and create custom roles with any combination of reporting, management, and auditing tasks.
- Keep tabs on even the most granular user activities in your Microsoft Entra ID and Microsoft 365 environments.
- Configure alert profiles in M365 Manager Plus to notify you of specific activities that take place outside of business hours or occur at unusual frequencies.
- Monitor the health and performance of Microsoft 365 features and endpoints around the clock.