This blog post is for all those organizations out there with stale, overprivileged accounts having standing access to Azure AD roles, that nobody knows about, far away from the HR systems and on/offboarding processes. This is often a huge problem and the elephant in the (security) room. Now, what can we do about it?
I assume you are already aware of Azure AD Privileged Identity Management and the great features that it brings. In short: with PIM you can reduce the risk of your Azure AD roles (and Azure resources) by delivering just-in-time and just-enough privileges to your users. You can eliminate standing access and require MFA, approval and/or justification before admin roles can be activated or resources can be managed. If you’re new to Privileged Identity Management, please read this post first.
Now, what we just discussed is just the technical part. Let’s talk about process, because granting access is one thing, but one very important question is often forgotten: what if the role is no longer needed? Who is taking care of that?
Enter: Access Reviews. This feature is part of Privileged Identity Management and Identity Governance (both Premium P2) and really helps you to automate this cumbersome process. And the keyword here is delegation.
Let’s see how it works. Head over to the Azure Portal and go to the Privileged Identity Management console. Select Azure AD roles from the menu. Under the Manage section, select Access reviews and click New to create our first access review for Azure AD directory roles.
For this demo, we are going to create an access review for Exchange administrators.
- Give your review a proper name and description.
- Pick the date for your review.
- Select the frequency. For now, we select One time, but you can make this a recurring event.
- We also select an end date for the review, in this case a duration of 7 days.
- Select the user scope, in this case: All users and groups.
Next, we need to specify some more parameters.
- Select the role that you want to review.
- Select the assignment type. You can pick between active or eligible assignments, or select both.
- In this case we select self-review, but you can also select manager, or specific users.
- If you set this to Enable, access that was denied in the review is removed from the resource once the review completes.
- Configure what should happen when the reviewer does not respond. We will take recommendations, meaning that users who have not signed in recently will be denied.
Optionally, you can configure advanced settings to show recommendations, require context, or set up reminders and mail notifications. I will leave this at the default values.
The last step is to click Start. Since we have picked today as our start day, the review will be immediately active. The reviewer can expect an email any moment now.
Since we picked self-review, each user with an active or eligible assignment for Exchange administrator will receive an email to review their access.
Allan is no longer part of the project and no longer needs the Exchange role, so he denies his own access.
This is also visible for the administrator who created the access review, and after the review is done, the results are applied automatically.
Now, if you are not using Privileged Identity Management yet, there is an easy way to create Access reviews for your current admin roles.
If you don’t have P2 licenses, you can easily activate a 30-day trial for 100 licenses.
From the Privileged Identity Management portal, go to Azure AD roles, and click Discovery and Insights. From there, you can review the standing access for highly privileged roles, and create an access review with one single click.
This will create a self-review that runs once, for 30 days. This review will apply results automatically, but users who do not respond will keep their access.
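The two reviews above differ in one setting that decides what happens to stale accounts: the first one takes recommendations when a reviewer does not respond (inactive users are denied), the one-click review from Discovery and Insights leaves non-responders untouched. The following added example, which is not code from the original post or from Microsoft, models that decision logic over a constructed set of Exchange Administrator assignments. The 30-day inactivity window, the policy names ("recommendations", "no_change", "remove", "approve"), the record fields and the fictional users are all this example's own assumptions, not values taken from the portal or the Graph API.

```python
"""Added example: evaluate an access review over constructed role assignments.

Assumptions (not stated on the page): the inactivity window that turns a
non-response into a deny is a parameter (30 days by default here), the policy
names are this example's own, and the records mimic what a reviewer sees in
the portal rather than a real Graph API payload.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class RoleAssignment:
    """One row of an access review (field names are this example's own)."""
    upn: str
    role: str
    assignment_type: str              # "active" (standing access) or "eligible" (PIM, activated on demand)
    last_sign_in: Optional[datetime]  # None means the account has never signed in
    decision: Optional[str]           # "approve", "deny", or None when the reviewer did not respond


# Constructed review date so the example is deterministic.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)

# Constructed sample: an Exchange Administrator self-review in a fictional tenant.
SAMPLE = [
    RoleAssignment("allan@contoso.example", "Exchange Administrator", "eligible", NOW - timedelta(days=3), "deny"),
    RoleAssignment("bob@contoso.example", "Exchange Administrator", "active", NOW - timedelta(days=200), None),
    RoleAssignment("carol@contoso.example", "Exchange Administrator", "active", NOW - timedelta(days=1), None),
    RoleAssignment("dave@contoso.example", "Exchange Administrator", "active", None, None),
    RoleAssignment("eve@contoso.example", "Exchange Administrator", "active", NOW - timedelta(days=90), "approve"),
]


def recommendation(a: RoleAssignment, now: datetime, inactive_days: int) -> str:
    """Recommend 'deny' for principals with no sign-in inside the inactivity window."""
    if a.last_sign_in is None:
        return "deny"
    return "deny" if now - a.last_sign_in > timedelta(days=inactive_days) else "approve"


def review_outcome(a: RoleAssignment, now: datetime, no_response: str, inactive_days: int) -> str:
    """An explicit reviewer decision always wins; otherwise the configured
    'if reviewers don't respond' policy decides the outcome."""
    if a.decision in ("approve", "deny"):
        return a.decision
    if no_response == "recommendations":
        return recommendation(a, now, inactive_days)
    if no_response == "remove":
        return "deny"
    return "approve"  # "approve" and "no_change": non-responders keep their access


def apply_review(assignments: List[RoleAssignment], now: datetime = NOW,
                 no_response: str = "recommendations", inactive_days: int = 30) -> List[str]:
    """Return the UPNs whose assignment auto-apply would remove, in input order."""
    return [a.upn for a in assignments
            if review_outcome(a, now, no_response, inactive_days) == "deny"]


def standing_access_report(assignments: List[RoleAssignment], now: datetime = NOW) -> Dict[str, Optional[int]]:
    """Discovery step: standing (active) assignments with days since the last
    sign-in, or None when the account has never signed in."""
    report: Dict[str, Optional[int]] = {}
    for a in assignments:
        if a.assignment_type != "active":
            continue
        report[a.upn] = None if a.last_sign_in is None else (now - a.last_sign_in).days
    return report


if __name__ == "__main__":
    print("Standing access (days since sign-in):", standing_access_report(SAMPLE))
    for policy in ("recommendations", "no_change"):
        print(f"Removed under '{policy}':", apply_review(SAMPLE, no_response=policy))
```

Running it shows the point of the setting: with "recommendations", Bob (200 days inactive) and Dave (never signed in) lose the role along with Allan, who denied himself; with "no_change", only Allan is removed and the two dormant standing assignments survive the review.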
Wrap things up
Lots of organizations are struggling with Azure AD roles and stale/standing access. Sometimes this has been lying dormant for years, leaving the tenant at high risk. Now, I’m aware that not all organizations have the P2 license, but I want to encourage you to give that another thought, at least for your admins or priority users. Remember that you can also try this out for 30 days for 100 users for free.
I have written several posts on this subject, so if you want to learn more, please refer to those.
- Role Assignable Groups and Privileged Identity Management – JanBakker.tech
- Privileged Identity Management Discovery and Insights – JanBakker.tech
- Azure Active Directory Identity Governance – Privileged Identity Management – JanBakker.tech