Improving access control with three new Azure AD public previews

First published on CloudBlogs on Oct, 05 2017
Howdy folks, It was great to get to meet so many of you at Ignite last week! Thanks a ton for stopping by the booth and making time to attend our sessions. If you were at Ignite or follow our blog, you know we announced a ton of new Azure AD capabilities last week. As a follow-up, we're going to do a few posts that cover the new capabilities we turned on in more detail. First up, let's take a look at some of the new access control features we've just put into public preview. As customers increasingly adopt Azure AD, we've received a ton of request for features that help make sure the right people have access to the right resources, and that give enterprises control of and visibility into this access. In response to that feedback, we're pushing three new and exciting features in Azure AD to public preview:

1. Extending Azure AD Privileged Identity Management to include Azure RBAC roles.
2. Automated, periodic access reviews
3. Automated Terms of Use administration and reporting

Here's a quick tour of each of these new public previews.

 

Privileged Identity Management - extended to managing in Azure

Azure AD Privileged Identity Management (PIM) is already generally available for managing Azure AD roles , which are used to administer Azure AD and other Microsoft online services. The top request we've seen in the feedback forum for Azure AD PIM is to bring just-in-time role activation, access reviews, and reports to Azure resources. We know these upgrades will help organizations address the challenges of large-scale IaaS administration, so we've added them and are now making them available in public preview. This new preview shows up in the Azure portal as part of the Azure AD PIM UI alongside the recent approval workflows preview. With this Azure AD PIM preview for Azure RBAC, you can now:

• Ensure the right users are assigned to Azure subscriptions, by starting an access review of any role in the subscription and asking a resource owner or the users themselves to confirm they still need access
• Control exposure of business-critical Azure assets by making users, either individually or via a group, eligible to activate a role to manage resources
• Limit how long a user can be activated in a role, and set an expiration date for a user's or group's role membership
• Get reports about users and groups with role assignments in Azure subscriptions, resource groups and resources, who activated their roles, and what users did in Azure while activated
• Let users take charge of their own role activity and requiring them to provide a justification or requiring that they authenticate with multi-factor authentication prior to when they need to activate a role

For example, you can make a user, including a guest user, eligible for an Azure resource group's role. Once you've done that, that user can activate the role when they need to make a change to the resource, and you can see a report of the changes the user made in Azure while they were activated. If you're already using Azure AD PIM, you'll see "Azure resources" in the Manage section.

If you're not already using PIM, take a look at the instructions to enable Privileged Identity Management for your directory to get started. Read more about this exciting new preview at PIM for Azure resources (Preview) . Note: Azure PIM is an Azure AD Premium 2 feature.

 

Access reviews for attestation

The second new feature in preview is access reviews of users in groups and assigned access to applications. We've already included access reviews for admins in directory roles in Azure AD PIM, and now we're expanding how access reviews can be used for groups and application access. There are quite a few ways to control application access in Azure AD. A lot of organizations use groups in AD or Azure AD to control access. Users can also request application access . And now, the new Office 365 groups feature allows more users across your organization to create their own groups and pick who they want in those groups. (We've added a preview of automatic expiration of Office 365 groups to ensure the number of groups doesn't get overwhelming). Of course, over time, group memberships and application access assignments can get stale – people change jobs or no longer need access to a particular application. Maybe a guest who was given access isn't affiliated with their original organization any longer. This staleness can cause a problem for protecting business-sensitive assets or applications subject to compliance. To avoid access getting out of hand, organizations can now schedule access reviews to make sure only the users they want to have access to their assets and applications are able to access those things. An access review asks users to recertify (or "attest") to access rights to an app or membership in a group. You can ask users to review their own rights or select reviewers to review everyone in a group or everyone assigned access to an app. You can also ask the group owners to review. And finally, for those organizations that have other processes in place to manage employee access, you can scope the review to include only guest members or guests who have access.

Reviewers will receive an email so they can see the reviews in the access panel. Azure AD includes access highlights and recommendations that help reduce how long it takes for a review to be completed.

The results are aggregated and then, based on those results, the admin can choose when to make changes and remove the denied users' access.

This particular preview includes access reviews for:

• Members of Office 365 groups
• Members of security groups and DLs, including groups originating from on-premises AD
• Users who have application access, including users who are members of groups assigned to enterprise applications

And we'll be adding more features and scenarios in the future! For even more information on access reviews, you can check out the access review overview and turn on the preview for your tenant at https://aka.ms/azureadaccessreviews . Note: Access reviews are an Azure AD Premium 2 feature

 

Terms of use

Our third preview being announced today is a terms of use access control we've added to Conditional Access. With terms of use, you can require a user to view and consent to your organization's terms of use before they're able access to an application. ​The terms can be any document relevant to your organization's business or legal policies. Just start by uploading a PDF of that document to Azure AD, then, through conditional access policies, target the terms to be visible to groups of users or specific applications. If a user is in scope of this control, they'll only receive access to the application if they've agreed to the terms presented.

You can see in the Azure AD audit reports who consented to each terms of use and when they consented. You can also configure multiple conditional access policies, using different policies for different applications or groups of users. For example, you might want to have everyone who access to a privacy-sensitive application use multi-factor authentication to sign in and to agree to the terms of use for that application.

Read more about this feature at Azure Active Directory Terms of Use (Preview) . Note: Terms of Use is an Azure AD Premium 1 feature

 

Try them out!

I hope you'll try out these new features and let us know what you think. If you're interested in taking these new features for a test drive and you don't have EMS yet, get a free trial of Enterprise Mobility + Security E5 . Please keep sharing your ideas on the Azure AD feedback forum . We want to hear from you!

 

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons )

Director of Program Management

Microsoft Identity Division