Tutorial / Cram Notes
Access reviews are an Azure AD feature for managing group memberships, access to enterprise applications, and role assignments. They let an organization periodically confirm that the users holding that access still need it, and remove it when they do not.
Prerequisites for Configuring Access Reviews
To configure access reviews, you must have one of the following licenses:
- Azure AD Premium P2
- Enterprise Mobility + Security E5
In addition, you must have the necessary permissions, such as Global Administrator or User Administrator, to create and manage access reviews.
Setting Up Access Reviews
To set up access reviews, you’ll go through a series of steps in the Azure portal:
- Navigate to Azure Active Directory: In the Azure portal, go to Azure Active Directory in the left navigation pane.
- Access Reviews: Click on ‘Identity Governance’ and then on ‘Access Reviews’.
- Create Access Review: Click on ‘New access review’ to start configuring a new access review.
- Define Scope: Decide whether to review the members of a group, the users assigned to an application, or the users assigned to a role, then select the specific group, application, or role to review.
- Configure Settings: You can specify the following settings:
- Start date and frequency: Set when the review should start and how often it should repeat (e.g., monthly, quarterly).
- Duration: Define how long the review period will be.
- Reviewers: Assign individuals or groups as reviewers. You can have the members review their own access or designate specific reviewers.
- Review type: Decide if the review is for guest users only or for all members.
- Advanced Settings: You may apply additional settings, such as auto-apply decisions on past-due reviews or require a reason for approvals or rejections.
- Apply Decisions: Configure how decisions made during the access review are applied. You can have decisions automatically applied at the end of the review period or require an administrator to apply them manually.
- Notifications and Reminders: Set up email notifications and reminders for the reviewers.
- Review the Settings: Review all the configurations to ensure that they match your requirements.
- Start the Review: Once you’re satisfied with the configurations, start the review process.
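The portal steps above produce the same object an administrator can create through Microsoft Graph. The following added example (not code from the original notes, and not Microsoft's own sample) builds that request body for the quarterly review of external users described later on this page, and enforces the constraint the practice test mentions: a review instance cannot outlast its recurrence period. The group id is a placeholder and nothing is sent over the network.

```python
"""Build the request body for a recurring Azure AD access review.

Added example, not code from the original cram notes. It maps the portal
steps (scope, reviewers, frequency, duration, advanced settings,
notifications) onto the accessReviewScheduleDefinition JSON that Microsoft
Graph accepts at POST /identityGovernance/accessReviews/definitions. The
group id used below is a placeholder and nothing is sent over the network.
"""
import json

# Portal frequency -> (Graph recurrence pattern type, interval, period in days).
# The period is used to check that a review instance closes before the next
# one opens, which is why the portal rejects a single review lasting two years.
FREQUENCIES = {
    "weekly": ("weekly", 1, 7),
    "monthly": ("absoluteMonthly", 1, 28),
    "quarterly": ("absoluteMonthly", 3, 90),
    "semiannually": ("absoluteMonthly", 6, 180),
    "annually": ("absoluteMonthly", 12, 365),
}
DEFAULT_DECISIONS = ("None", "Approve", "Deny", "Recommendation")


def build_review_definition(name, group_id, frequency, duration_days, start_date,
                            guests_only=True, auto_apply=True,
                            default_decision="None", require_justification=True):
    """Return the JSON body for a group review performed by the group's owners.

    default_decision is what happens to members nobody reviews before the
    instance ends. "None" leaves their access unchanged (the behaviour the
    practice test describes); "Deny" is the stricter choice for guest users.
    """
    if frequency not in FREQUENCIES:
        raise ValueError(f"unsupported frequency {frequency!r}; choose one of {sorted(FREQUENCIES)}")
    pattern_type, interval, period_days = FREQUENCIES[frequency]
    if not 1 <= duration_days <= period_days:
        raise ValueError(f"a {frequency} review can last 1 to {period_days} days, not {duration_days}")
    if default_decision not in DEFAULT_DECISIONS:
        raise ValueError(f"default_decision must be one of {DEFAULT_DECISIONS}")

    # Scope: all transitive members of the group, or only the guest users among them.
    scope_query = f"/groups/{group_id}/transitiveMembers"
    if guests_only:
        scope_query += "/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')"

    return {
        "displayName": name,
        "descriptionForAdmins": f"{frequency} review of group {group_id}",
        "descriptionForReviewers": "Confirm that each listed user still needs access.",
        "scope": {"query": scope_query, "queryType": "MicrosoftGraph"},
        # Reviewers: the owners of the group being reviewed.
        "reviewers": [{"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}],
        "settings": {
            "mailNotificationsEnabled": True,      # mail reviewers when an instance opens
            "reminderNotificationsEnabled": True,  # remind reviewers who have not finished
            "justificationRequiredOnApproval": require_justification,
            "recommendationsEnabled": True,
            "instanceDurationInDays": duration_days,
            "autoApplyDecisionsEnabled": auto_apply,
            "defaultDecisionEnabled": default_decision != "None",
            "defaultDecision": default_decision,
            "recurrence": {
                # month/dayOfMonth of 0 let the start date fix the day, as in Microsoft's samples
                "pattern": {"type": pattern_type, "interval": interval, "month": 0, "dayOfMonth": 0},
                "range": {"type": "noEnd", "startDate": start_date},
            },
        },
    }


if __name__ == "__main__":
    body = build_review_definition(
        name="Quarterly review of external users",
        group_id="00000000-0000-0000-0000-000000000000",  # placeholder group id
        frequency="quarterly", duration_days=14, start_date="2024-07-01",
    )
    print(json.dumps(body, indent=2))
```

The body printed by the script is what you would post with an authenticated Graph client (or pass as `-BodyParameter` to the Microsoft Graph PowerShell cmdlet for access review definitions); the `defaultDecision` parameter is the setting behind "auto-apply decisions on past-due reviews" in the Advanced Settings step.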
Monitoring and Managing Access Reviews
After setting up an access review, it’s important to monitor its progress and manage its outcomes. You should ensure that:
- Reviewers are completing their tasks on time.
- Action is taken upon review completion, such as removing access where appropriate.
- Review results are documented for audit purposes.
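The three monitoring points above can be checked from the decision records a review instance produces. The following added example (not code from the original notes) summarises a set of decision records shaped like the ones Microsoft Graph returns for an instance: it lists members nobody reviewed (who keep their access), Deny decisions that have not been applied yet, and approvals given without a reason, and renders the whole set as CSV for the audit record. The four records are constructed sample data, not a real export.

```python
"""Summarise the decisions of a completed access review instance.

Added example, not code from the original cram notes. The records below are
shaped like the accessReviewInstanceDecisionItem objects that Microsoft Graph
returns from GET /identityGovernance/accessReviews/definitions/{id}/instances/{id}/decisions,
but they are constructed sample data with placeholder tenant names.
"""
import csv
import io
from collections import Counter

SAMPLE_DECISIONS = [  # constructed sample data; UPN suffixes are placeholders
    {"id": "d1", "decision": "Approve", "justification": "Active on the integration project",
     "reviewedDateTime": "2024-07-10T09:12:00Z", "applyResult": "AppliedSuccessfully",
     "principal": {"userPrincipalName": "partner.one_example.com#EXT#@tenant.example"},
     "reviewedBy": {"userPrincipalName": "owner@tenant.example"}},
    {"id": "d2", "decision": "Deny", "justification": "Contract ended in June",
     "reviewedDateTime": "2024-07-11T15:40:00Z", "applyResult": "New",
     "principal": {"userPrincipalName": "partner.two_example.com#EXT#@tenant.example"},
     "reviewedBy": {"userPrincipalName": "owner@tenant.example"}},
    {"id": "d3", "decision": "NotReviewed", "justification": "",
     "reviewedDateTime": None, "applyResult": "New",
     "principal": {"userPrincipalName": "partner.three_example.com#EXT#@tenant.example"},
     "reviewedBy": {"userPrincipalName": ""}},
    {"id": "d4", "decision": "Approve", "justification": "",
     "reviewedDateTime": "2024-07-12T08:05:00Z", "applyResult": "AppliedSuccessfully",
     "principal": {"userPrincipalName": "partner.four_example.com#EXT#@tenant.example"},
     "reviewedBy": {"userPrincipalName": "owner@tenant.example"}},
]


def _upn(decision):
    return decision["principal"]["userPrincipalName"]


def summarize_decisions(decisions):
    """Return decision counts plus the items that need follow-up after the instance ends."""
    return {
        "counts": dict(Counter(d["decision"] for d in decisions)),
        # Unreviewed members keep their access: chase the reviewer, or enable a
        # default decision on the review definition.
        "not_reviewed": [_upn(d) for d in decisions if d["decision"] == "NotReviewed"],
        # A Deny that has not been applied (auto-apply off, or the apply failed)
        # still grants access until an administrator applies it.
        "pending_removals": [_upn(d) for d in decisions
                             if d["decision"] == "Deny" and d.get("applyResult") != "AppliedSuccessfully"],
        # Approvals with no stated reason are worth a follow-up when the
        # definition did not require a justification.
        "approvals_without_justification": [_upn(d) for d in decisions
                                            if d["decision"] == "Approve"
                                            and not (d.get("justification") or "").strip()],
    }


def audit_csv(decisions):
    """Render the decisions as CSV for the review's audit record."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["principal", "decision", "reviewer", "reviewed_at", "apply_result", "justification"])
    for d in decisions:
        writer.writerow([_upn(d), d["decision"], d["reviewedBy"]["userPrincipalName"],
                         d.get("reviewedDateTime") or "", d.get("applyResult", ""),
                         d.get("justification") or ""])
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in summarize_decisions(SAMPLE_DECISIONS).items():
        print(f"{key}: {value}")
    print(audit_csv(SAMPLE_DECISIONS))
```

Run against a real export, the `not_reviewed` and `pending_removals` lists are the two that still represent live access after the review period ends; the CSV is what you keep as evidence that the review happened and what was decided.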
Example: Periodic Review of External Users
In an organization that collaborates with external partners, it’s essential to periodically review their access. An example configuration might be:
- Scope: Azure AD group containing external users.
- Frequency: Quarterly.
- Duration: 2 weeks.
- Reviewers: Group owners.
- Advanced Settings: Require a reason for approval; auto-apply with adjustments.
- Notifications: Initial, halfway reminder, and final reminder.
By conducting these reviews regularly, organizations can ensure that access is granted appropriately and that any changes in external user status are reflected in their access rights.
Conclusion
Configuring access reviews is a critical competency for Azure security, which is why it is included in the AZ-500 Microsoft Azure Security Technologies exam. By setting up access reviews properly, you ensure that only authorized users have access to your Azure resources, reducing the risk of unauthorized access and potential security breaches.
In the context of the AZ-500 exam, understanding how to configure, manage, and monitor access reviews is a key skill that will help you ensure that your Azure environment is secure and compliant with your organization’s access policies.
Practice Test with Explanation
True or False: In Azure, you can only configure access reviews for Azure AD roles and not for Azure resources.
- A) True
- B) False
Answer: B) False
Explanation: Access reviews can be configured not only for Azure AD roles but also for access to Azure resources. You can review access to Azure resources that are assigned via Azure role-based access control (RBAC).
Which Azure service is primarily used to configure access reviews for applications, groups, and Azure AD roles?
- A) Azure Monitor
- B) Azure Policy
- C) Azure Active Directory
- D) Azure Access Review
Answer: C) Azure Active Directory
Explanation: Access reviews in Azure are configured through Azure Active Directory’s Access Review feature, which allows you to review and audit membership of groups and access to applications and roles.
True or False: When configuring an access review, you can set it to recur on a regular basis.
- A) True
- B) False
Answer: A) True
Explanation: Access reviews can be configured to recur on a daily, weekly, monthly, quarterly, semi-annual, or annual basis, ensuring regular compliance checks.
Who can be assigned as reviewers for access reviews in Azure AD?
- A) Group owners only
- B) Selected users only
- C) Group members
- D) All of the above
Answer: D) All of the above
Explanation: Reviewers can be the group owners, selected individuals, or members of the group being reviewed. Azure AD provides flexibility in selecting who can perform the reviews.
What happens if an access review decision is not completed by the end of the review period?
- A) Access is automatically revoked
- B) Access is automatically approved
- C) The review period is extended automatically
- D) The access remains unchanged but marked as “Not Reviewed”
Answer: D) The access remains unchanged but marked as “Not Reviewed”
Explanation: If a decision is not made during the review period, the access is not automatically changed; instead, it remains as it was and is marked as “Not Reviewed.”
True or False: An access review can be configured to auto-apply review results on completion.
- A) True
- B) False
Answer: A) True
Explanation: Upon completion of an access review, review results can be auto-applied to automatically remove or maintain access based on the review decisions.
What can you use to trigger an automatic access review after a specific event, such as a user changing departments?
- A) Azure Logic Apps
- B) Azure Event Grid
- C) Azure Automation
- D) Azure AD Conditional Access
Answer: B) Azure Event Grid
Explanation: Azure Event Grid can be used to trigger automated actions, like an access review, when specific events or changes occur, such as department changes.
Which of the following can be reviewed using the access review feature in Azure AD?
- A) User assignments to Azure AD roles
- B) Access to Azure resources via RBAC
- C) External user access to applications
- D) All of the above
Answer: D) All of the above
Explanation: The access review feature in Azure AD can review user assignments to Azure AD roles, access to Azure resources via RBAC, and external user access to applications.
True or False: Only Azure AD Premium P2 licenses are required for initiating access reviews in Azure AD.
- A) True
- B) False
Answer: A) True
Explanation: Access reviews are a feature of Azure AD Premium P2, and licenses are required for those initiating the access reviews.
For which of the following can you not configure access reviews?
- A) Microsoft 365 groups
- B) Azure AD roles
- C) Linux VM local accounts
- D) Application roles
Answer: C) Linux VM local accounts
Explanation: Access reviews can be configured for Microsoft 365 groups, Azure AD roles, and application roles, but not for local accounts on infrastructure components like Linux VMs.
True or False: Access reviews in Azure AD support guest users as well as internal users.
- A) True
- B) False
Answer: A) True
Explanation: Access reviews can be configured for both internal users and guest users, allowing you to govern access for users from external organizations.
When setting up an access review, which of the following configurations is not possible?
- A) One-time review
- B) Weekly review
- C) Review with a duration of two years
- D) Bi-annual review
Answer: C) Review with a duration of two years
Explanation: Access reviews can be set up as a one-time occurrence, to recur weekly, or to occur bi-annually, but there is no native configuration that allows for a single review to last a duration of two years. Recurrence patterns have predefined maximum durations.
Interview Questions
What is Access Reviews in Azure Active Directory?
Access Reviews in Azure Active Directory is a feature that enables organizations to review and manage user access to critical resources.
What types of resources can be reviewed using Access Reviews?
Access Reviews can be used to review user access to a range of resources, including groups, applications, and SharePoint sites.
What are the benefits of using Access Reviews in Azure Active Directory?
The benefits of using Access Reviews in Azure Active Directory include improved security, better resource management, increased visibility, and compliance with industry regulations and standards.
How can you configure Access Reviews in Azure Active Directory?
To configure Access Reviews in Azure Active Directory, you need to log in to the Azure portal, select Azure Active Directory from the left-hand menu, and then select “Access reviews” and click “New review” to create a new access review.
What is the process for starting a security review in Azure Active Directory?
The process for starting a security review in Azure Active Directory involves selecting “Security” from the Azure AD portal, selecting “Start review,” and configuring the settings for the review.
What is the purpose of entitlement management in Azure Active Directory?
The purpose of entitlement management in Azure Active Directory is to enable organizations to manage user access to resources more effectively and securely.
How can you create an access review for a group in Azure Active Directory?
To create an access review for a group in Azure Active Directory, you need to select “Access reviews” from the Azure AD portal, select “New review,” and choose the group you want to review.
What are some of the factors to consider when configuring an access review in Azure Active Directory?
When configuring an access review in Azure Active Directory, it is important to consider factors such as the frequency of the review, the reviewers, and the type of access to be reviewed.
What is the purpose of a review decision in Azure Active Directory?
The purpose of a review decision in Azure Active Directory is to determine whether a user’s access to a resource should be approved or denied.
How can Azure AD Privileged Identity Management be used in conjunction with Access Reviews?
Azure AD Privileged Identity Management can be used in conjunction with Access Reviews to enable organizations to review and manage privileged user access to resources, helping to improve security and compliance.
This blog post on configuring access reviews was really helpful. Thanks!
Does anyone have experience with configuring access reviews specifically for a hybrid environment?
What are the best practices for ensuring compliance when configuring access reviews?
Can someone help explain how to configure access reviews for guest users?
Thanks for the detailed blog post!
I didn’t find the information on role-based access control very comprehensive.
How do access reviews work with privileged access management (PAM)?
Can access reviews be automated in any way?