Microsoft Tech Community
Access Reviews for guests in all Teams and Microsoft 365 Groups is now in public preview
Published Jan 13 2021 09:00 AM 46K Views

Howdy folks!

 

Today we’re excited to share that you can now enable Azure AD access reviews for your guest users across all Microsoft Teams and Microsoft 365 Groups in your organization. As new Teams and Groups are created, access reviews will automatically be enabled for those that have guest users in them. Since we announced access reviews a few years ago, it has become a very popular identity governance feature with our customers. With the increase in external collaboration especially, many of you are using access reviews to ensure that guest users' access to sensitive resources is cleaned up regularly once it is no longer needed. Being able to run access reviews for guest users across all Teams and Groups as these resources are created is one of the most requested features in our feedback forum. This feature is now available in public preview for all of our customers who have an Azure AD Premium 2 subscription.

 

Getting started.

 

To set up an access review for guest users across all Teams and Groups in your tenant, create an access review and select the "all Microsoft 365 groups with guest users" setting.

 

 


 

 

You can then schedule the reviews to occur at a certain frequency such as quarterly. You can also choose to either have the guest users review their own access or task the review to the owner of the Team/Microsoft 365 group.

 

 


 

 

 


 

 

After the review is created, your reviewers will receive an email with a link to our friendly end-user portal, MyAccess, to complete their reviews. To make the job even simpler for reviewers, they will see recommendations to approve or deny users based on the last sign-in date of the user being reviewed.

 

 


 

 

 

To try this out in your own environment, sign in to the Azure portal and go to the Azure Active Directory > Identity governance section. If you don’t have Azure AD Premium 2, you can start a free 30-day trial.

 

To learn more about Access Reviews, check out our documentation.

 

As always, we’d love to hear from you. Please let us know what you think in the comments below or on the Azure AD feedback forum.

 

Alex Simons

 

 

 


 

14 Comments
Brass Contributor

Great to see this is in preview, really useful. 

Copper Contributor

Lovely, thanks for sharing!

Brass Contributor

Great feature.
Will the auto enablement also be available for regular users? If yes, can a policy be specified per classification of the Team? 
This allows a team with confidential data to be reviewed more often than teams with public data, for example.

Copper Contributor

Access 

Copper Contributor

Great job!

May I ask what the exact license requirement is (how many AAD P2 licenses do I need)? Let's take an example: a company with 10 AAD users (the company's employees) and 20 AAD guest users. Do I need to somehow cover the guest users, or are they covered by the employee license?

Brass Contributor

Here are the license requirements:

 

What are access reviews? - Azure Active Directory | Microsoft Docs

 

Main point is whoever is performing a review (or self review) must be licensed. 

 

Hope that helps. 

 

Paul

Copper Contributor

Alex, will we see additional reviewer decision helpers in the near future? I am looking for something like

  • Who has invited the guest?
  • Was the guest user created as part of an ELM process?

This all is about context about a guest.

 

Peter 

Brass Contributor

How is this different from the roadmap item Microsoft Teams: Simple Periodic review for guest users?

Will that "teams simple" be based on access reviews (but something you can do via teams admin center)? Or is it totally same thing? That roadmap item is not yet in the message center. 

 

 

 

Iron Contributor

Alex, in your screenshot detailing what happens upon completion, I notice that there is an option for 'Action to apply on denied guest users', but it is greyed out in your screenshot.

 

I cannot see that option under the option for Access reviews for all Guest in Teams and Microsoft 365 Groups. Does this mean that this Access review for all guests in groups/teams will only remove denied guests from the groups/teams but leave their B2B account enabled?

 

Are you planning to add the 'Action to apply on denied guest users' option in Access reviews for all Guest in Teams and Microsoft 365 Groups at a later date? If so, any idea when?

 

Without this final step we are still reliant on PowerShell or Graph API to identify unused guest B2B accounts and then delete their B2B accounts from Azure AD, or add the guest users to a security group and run an Access review on a specific group, which does offer the 'Action to apply on denied guest users' option.

 

 

Iron Contributor

Is this the same feature as Microsoft Teams: Scheduled access reviews for Guest users Roadmap Feature ID: 70778 ?

Iron Contributor

There are also:

Microsoft Teams: Simple Periodic review for guest users Feature ID: 70674 April 2021

Azure Active Directory: B2B guest access reviews for Microsoft Teams and Microsoft 365 groups Feature ID: 72252 April 2021

 

Are they related to the described feature?

Copper Contributor

Hi Alex,

 

We are currently testing this at a customer and we have some questions regarding the denied users.

 

To us it looks like a denied user is denied on all teams. So if a user is denied on team 1 because the access is no longer required, the user is denied access to all other teams the user has access to, simply because the user account is locked. Is that by design?

Copper Contributor

Is there an answer to the questions of Irene_Lappalainen225 or KM KTNN? I'm also interested.

Version history
Last update: Jan 12 2021 12:35 PM