Microsoft 365 Security Administration: MS-500 Exam Guide

Managing Azure AD access reviews

Azure AD access reviews are a feature of Azure AD Premium P2. They enable Microsoft 365 administrators to ensure that users within the tenant have the appropriate level of access. Users can participate in this process themselves, or alternatively, their supervisor can review and assess the users' current level of access. Once a review is completed, changes can be made and access can be revoked from users, as deemed appropriate.

Performing an access review

To create and execute an access review, you need to follow these steps:

  1. Log in to the Azure portal as either a Global Administrator or a User Administrator.
  2. Open the Identity Governance page and click Access reviews.
  3. Choose the option to create a New access review:

    Figure 2.38 – Access reviews

  4. In this example, we will create an access review that has been configured to run only once, and which targets the members of the Sales Users group (alternatively, you could configure a recurring schedule for the review):

    Important note

    If you assign more than one group, an additional and separate access review will be created for each group that you add.

    Figure 2.39 – Create an access review

  5. Under Reviewers, you have the following choices:

    Figure 2.40 – Reviewer options

  6. Once you've selected your reviewers, you can configure any program that you wish to check these users against for access:

    Figure 2.41 – Programs

  7. You can also select what actions you wish to take once the review has been completed:

    Figure 2.42 – Further settings

  8. Once you are happy with your access review settings, click Start to trigger it. It will appear in the list shown in the following screenshot:

    Figure 2.43 – New access review ready to be started

  9. Once an access review is completed, the results can be viewed by Global Administrators, User Administrators, Security Administrators, or anyone who has been granted the Security Reader role.
  10. An email will be sent to all reviewers after the review is started.

    Important note

    It is also possible to create access reviews by using APIs with Microsoft Graph. Please check the references section at the end of this chapter for further information.
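
As an added illustration of the Microsoft Graph route (this is example code, not taken from the book), the following Python builds the request bodies for the review configured in the steps above, one per group, without sending them. The function names and object IDs are hypothetical, and omitting a recurrence block for a run-once review is an assumption to confirm against the Graph reference.

```python
import json
import uuid

# Microsoft Graph v1.0 collection for accessReviewScheduleDefinition objects.
DEFINITIONS_URL = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"

def _guid(value):
    # Reject anything that is not a GUID before it is placed in a Graph query path.
    return str(uuid.UUID(value))

def build_review_definitions(groups, reviewer_ids, duration_days=14,
                             auto_apply=True, default_decision="Deny"):
    """Build one request body per group, mirroring the portal behaviour where
    every group you add gets its own separate access review. groups maps
    display name -> group object id; an empty reviewer list means self-review."""
    if default_decision not in ("Approve", "Deny", "Recommendation"):
        raise ValueError("unsupported default decision: " + default_decision)
    reviewers = [{"query": "/users/" + _guid(r), "queryType": "MicrosoftGraph"}
                 for r in reviewer_ids]
    bodies = []
    for name, group_id in sorted(groups.items()):
        bodies.append({
            "displayName": "One-time review: " + name,
            "scope": {
                "@odata.type": "#microsoft.graph.accessReviewQueryScope",
                "query": "/groups/" + _guid(group_id) + "/transitiveMembers",
                "queryType": "MicrosoftGraph",
            },
            "reviewers": list(reviewers),
            "settings": {
                "mailNotificationsEnabled": True,         # reviewers are emailed at start
                "justificationRequiredOnApproval": True,
                "instanceDurationInDays": duration_days,
                "autoApplyDecisionsEnabled": auto_apply,  # act on results at completion
                "defaultDecisionEnabled": True,           # used when a reviewer does not respond
                "defaultDecision": default_decision,
                # Assumption: no "recurrence" block is sent for a run-once review.
            },
        })
    return bodies

if __name__ == "__main__":
    # Constructed object IDs; replace with real ones from your tenant.
    sample = build_review_definitions(
        {"Sales Users": "11111111-1111-1111-1111-111111111111"}, ["22222222-2222-2222-2222-222222222222"])
    print("POST", DEFINITIONS_URL)
    print(json.dumps(sample[0], indent=2))
```

Each returned body would be sent as a separate POST to the definitions collection by an identity holding the AccessReview.ReadWrite.All permission.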