First published on CloudBlogs on Oct, 05 2017 Howdy folks, It was great to get to meet so many of you at Ignite last week! Thanks a ton for stopping by the booth and making time to attend our sessions. If you were at Ignite or follow our blog, you know we announced a ton of new Azure AD capabilities last week. As a follow-up, we're going to do a few posts that cover the new capabilities we turned on in more detail. First up, let's take a look at some of the new access control features we've just put into public preview. As customers increasingly adopt Azure AD, we've received a ton of requests for features that help make sure the right people have access to the right resources, and that give enterprises control of and visibility into this access. In response to that feedback, we're pushing three new and exciting features in Azure AD to public preview:
Extending Azure AD Privileged Identity Management to include Azure RBAC roles
Automated, periodic access reviews
Here's a quick tour of each of these new public previews.
Privileged Identity Management - extended to managing in Azure
Azure AD Privileged Identity Management (PIM) is already generally available for managing Azure AD roles, which are used to administer Azure AD and other Microsoft online services. The top request we've seen in the feedback forum for Azure AD PIM is to bring just-in-time role activation, access reviews, and reports to Azure resources. We know these upgrades will help organizations address the challenges of large-scale IaaS administration, so we've added them and are now making them available in public preview. This new preview shows up in the Azure portal as part of the Azure AD PIM UI, alongside the recent approval workflows preview. With this Azure AD PIM preview for Azure RBAC, you can now:
Ensure the right users are assigned to Azure subscriptions, by starting an access review of any role in the subscription and asking a resource owner or the users themselves to confirm they still need access
Control exposure of business-critical Azure assets by making users, either individually or via a group, eligible to activate a role to manage resources
Limit how long a user can be activated in a role, and set an expiration date for a user's or group's role membership
Get reports about users and groups with role assignments in Azure subscriptions, resource groups and resources, who activated their roles, and what users did in Azure while activated
Let users take charge of their own role activations, while requiring them to provide a justification, or to authenticate with multi-factor authentication, before a role can be activated
For example, you can make a user, including a guest user, eligible for an Azure resource group's role. Once you've done that, that user can activate the role when they need to make a change to the resource, and you can see a report of the changes the user made in Azure while they were activated. If you're already using Azure AD PIM, you'll see "Azure resources" in the Manage section.
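To make the activation model concrete, here is an added example in Python. It is not code from the original post and it is not the PIM API itself; it models the controls listed above: an eligible assignment on an Azure RBAC scope (for a user directly or through a group), activation gated by MFA and a justification, a per-role cap on the activation window, an eligibility that carries its own expiration date, and a report of what the user did while active. The scope paths, user and group names, the four-hour limit and the `perform` method (a stand-in for any Azure operation attempted with the role) are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

@dataclass
class RoleSettings:
    """Activation settings for one role: the controls the list above describes."""
    max_activation: timedelta = timedelta(hours=8)
    require_mfa: bool = True
    require_justification: bool = True

@dataclass
class Eligibility:
    principal: str                      # user or group id (constructed values in demo())
    role: str
    scope: str                          # ARM-style scope path the assignment applies to
    expires: Optional[datetime] = None  # the eligibility itself can carry an expiration date

@dataclass
class Activation:
    principal: str
    role: str
    scope: str
    start: datetime
    end: datetime
    justification: str
    actions: List[str] = field(default_factory=list)  # what the user did while activated

def covers(assigned_scope, target_scope):
    # RBAC scopes inherit downward: an assignment on a resource group covers its resources.
    return target_scope == assigned_scope or target_scope.startswith(assigned_scope.rstrip("/") + "/")

class JitRoleModel:
    def __init__(self, settings=None):
        self.settings: Dict[str, RoleSettings] = settings or {}
        self.eligible: List[Eligibility] = []
        self.activations: List[Activation] = []
        self.group_members: Dict[str, List[str]] = {}   # group id -> member user ids

    def make_eligible(self, principal, role, scope, expires=None):
        self.eligible.append(Eligibility(principal, role, scope, expires))

    def _is_eligible(self, user, role, scope, now):
        # A user is covered by its own id and by every group it belongs to.
        ids = {user} | {g for g, m in self.group_members.items() if user in m}
        return any(e.principal in ids and e.role == role and covers(e.scope, scope)
                   and (e.expires is None or now < e.expires) for e in self.eligible)

    def activate(self, user, role, scope, now, duration, justification="", mfa_passed=False):
        """Turn an eligible assignment into a time-limited active one, enforcing the role settings."""
        s = self.settings.get(role, RoleSettings())
        if not self._is_eligible(user, role, scope, now):
            raise PermissionError("not eligible")
        if s.require_mfa and not mfa_passed:
            raise PermissionError("MFA required")
        if s.require_justification and not justification.strip():
            raise PermissionError("justification required")
        duration = min(duration, s.max_activation)  # requests beyond the maximum are clamped
        act = Activation(user, role, scope, now, now + duration, justification)
        self.activations.append(act)
        return act

    def active_assignment(self, user, role, scope, now):
        for a in self.activations:
            if a.principal == user and a.role == role and covers(a.scope, scope) and a.start <= now < a.end:
                return a
        return None

    def perform(self, user, role, scope, now, action):
        """Record an action only while the role is active; outside the window it is refused."""
        a = self.active_assignment(user, role, scope, now)
        if a is None:
            return False
        a.actions.append(f"{now.isoformat()} {action}")
        return True

    def report(self):
        return [{"principal": a.principal, "role": a.role, "scope": a.scope, "start": a.start.isoformat(),
                 "end": a.end.isoformat(), "justification": a.justification, "actions": list(a.actions)}
                for a in self.activations]

def demo():
    """Constructed scenario: group grp-ops is eligible for Contributor on one resource group."""
    now = datetime(2017, 10, 5, 9, 0, tzinfo=timezone.utc)
    rg = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
    vm = rg + "/providers/Microsoft.Compute/virtualMachines/vm1"
    pim = JitRoleModel({"Contributor": RoleSettings(max_activation=timedelta(hours=4))})
    pim.group_members["grp-ops"] = ["alice@contoso.com"]
    pim.make_eligible("grp-ops", "Contributor", rg, expires=now + timedelta(days=30))
    out = {"before": pim.perform("alice@contoso.com", "Contributor", vm, now, "restart vm1")}
    for label, when, mfa in (("no_mfa", now, False), ("expired", now + timedelta(days=31), True)):
        try:
            pim.activate("alice@contoso.com", "Contributor", rg, when, timedelta(hours=2), "INC-1234", mfa)
            out[label] = "allowed"
        except PermissionError as e:
            out[label] = str(e)
    act = pim.activate("alice@contoso.com", "Contributor", rg, now, timedelta(hours=10), "INC-1234", True)
    out["hours"] = (act.end - act.start) / timedelta(hours=1)   # clamped from 10 to 4
    out["during"] = pim.perform("alice@contoso.com", "Contributor", vm, now + timedelta(hours=1), "restart vm1")
    out["after"] = pim.perform("alice@contoso.com", "Contributor", vm, now + timedelta(hours=5), "restart vm1")
    out["report"] = pim.report()
    return out
```

In the real service the MFA result comes from Azure AD and the record of what was done comes from Azure's activity log; the model's point is the ordering of the checks (eligibility, then MFA, then justification), that a request for a longer window is capped rather than honoured, and that anything attempted before activation or after the window closes is refused rather than silently allowed.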
Access reviews - extended to groups and application access
The second new feature in preview is access reviews of users in groups and of users assigned access to applications. Azure AD PIM already includes access reviews for admins in directory roles, and now we're expanding access reviews to cover group membership and application access.
There are quite a few ways to control application access in Azure AD. A lot of organizations use groups in AD or Azure AD to control access. Users can also request application access. And now, the new Office 365 groups feature allows more users across your organization to create their own groups and pick who they want in those groups. (We've added a preview of automatic expiration of Office 365 groups to ensure the number of groups doesn't get overwhelming.)
Of course, over time, group memberships and application access assignments get stale: people change jobs or no longer need access to a particular application, or a guest who was given access is no longer affiliated with their original organization. This staleness is a problem for protecting business-sensitive assets and for applications subject to compliance requirements. To keep access from getting out of hand, organizations can now schedule access reviews to make sure only the users they intend to have access to their assets and applications can actually access them.
An access review asks reviewers to recertify (or "attest") a user's access rights to an app or membership in a group. You can ask users to review their own access, select reviewers to review everyone in a group or everyone assigned to an app, or ask the group owners to review. And finally, for organizations that already have other processes to manage employee access, you can scope the review to only the guest members of a group or only the guests who have access to an app.
Reviewers will receive an email so they can see the reviews in the access panel. Azure AD includes access highlights and recommendations that help reduce how long it takes for a review to be completed.
The results are aggregated, and based on them the admin chooses when to apply the changes and remove access for the users who were denied.
This particular preview includes access reviews for:
Members of Office 365 groups
Members of security groups and distribution lists (DLs), including groups synchronized from on-premises AD
Users who have application access, including users who are members of groups assigned to enterprise applications
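The following is an added example, not code from the original post or from Azure AD, that models the review workflow just described for a group's membership: which members are in scope (everyone, or only guests when employees are covered by another process), who is allowed to decide for each member (the user themselves, the group owners, or selected reviewers), a per-member recommendation, aggregation of the decisions, and the admin's separate step of applying them. The group, its members and their sign-in ages are constructed; the 30-day inactivity threshold behind the recommendation is this example's assumption, not a documented rule of the feature.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

INACTIVE_DAYS = 30   # assumption: recommend "deny" for members with no sign-in in this many days

class Decision(Enum):
    APPROVE = "approve"
    DENY = "deny"
    NOT_REVIEWED = "not reviewed"

@dataclass
class Member:
    upn: str
    is_guest: bool = False
    days_since_sign_in: Optional[int] = None   # None: no sign-in on record

@dataclass
class Group:
    name: str
    owners: List[str]
    members: List[Member]

class AccessReview:
    """One review of a group's membership: who is in scope, who may decide, and what happens after."""

    def __init__(self, group, reviewer_mode="owners", reviewers=None, guests_only=False):
        if reviewer_mode not in ("self", "owners", "selected"):
            raise ValueError(f"unknown reviewer mode {reviewer_mode!r}")
        self.group, self.mode, self.guests_only = group, reviewer_mode, guests_only
        self.reviewers = list(reviewers or [])        # used only in "selected" mode
        self.decisions: Dict[str, Decision] = {}

    def in_scope(self):
        # Either everyone, or only guests when employees are covered by another process.
        return [m for m in self.group.members if m.is_guest or not self.guests_only]

    def reviewers_for(self, member):
        if self.mode == "self":
            return [member.upn]                       # users recertify their own access
        if self.mode == "owners":
            return list(self.group.owners)
        return list(self.reviewers)

    @staticmethod
    def recommendation(member):
        # Highlight shown to the reviewer; the inactivity threshold is this example's assumption.
        inactive = member.days_since_sign_in is None or member.days_since_sign_in > INACTIVE_DAYS
        return Decision.DENY if inactive else Decision.APPROVE

    def record(self, reviewer, upn, decision):
        member = next((m for m in self.in_scope() if m.upn == upn), None)
        if member is None:
            raise KeyError(f"{upn} is not in scope of this review")
        if reviewer not in self.reviewers_for(member):
            raise PermissionError(f"{reviewer} may not review {upn}")
        self.decisions[upn] = decision

    def results(self):
        """Aggregate decisions for everyone in scope; unreviewed members are reported, not removed."""
        out = {d: [] for d in Decision}
        for m in self.in_scope():
            out[self.decisions.get(m.upn, Decision.NOT_REVIEWED)].append(m.upn)
        return out

    def apply(self, unreviewed_as_deny=False):
        """The admin's separate step: remove denied members from the group. Returns removed UPNs."""
        res = self.results()
        remove = set(res[Decision.DENY]) | (set(res[Decision.NOT_REVIEWED]) if unreviewed_as_deny else set())
        self.group.members = [m for m in self.group.members if m.upn not in remove]
        return sorted(remove)

def demo():
    """Constructed group: two employees and two guests; only the guests are reviewed, by the owner."""
    g = Group("sg-finance-app", owners=["owner@contoso.com"], members=[
        Member("alice@contoso.com", days_since_sign_in=3),
        Member("bob@contoso.com", days_since_sign_in=95),
        Member("carol@fabrikam.com", is_guest=True, days_since_sign_in=10),
        Member("dave@partner.example", is_guest=True),
    ])
    review = AccessReview(g, reviewer_mode="owners", guests_only=True)
    out = {"scope": [m.upn for m in review.in_scope()],
           "recommendations": {m.upn: review.recommendation(m).value for m in review.in_scope()}}
    for reviewer, upn, key in (("alice@contoso.com", "carol@fabrikam.com", "wrong_reviewer"),
                               ("owner@contoso.com", "bob@contoso.com", "out_of_scope")):
        try:
            review.record(reviewer, upn, Decision.APPROVE)
            out[key] = "accepted"
        except (KeyError, PermissionError) as e:
            out[key] = str(e)
    review.record("owner@contoso.com", "carol@fabrikam.com", Decision.APPROVE)
    review.record("owner@contoso.com", "dave@partner.example", Decision.DENY)
    out["summary"] = {d.value: upns for d, upns in review.results().items()}
    out["removed"] = review.apply()
    out["remaining"] = [m.upn for m in g.members]
    return out
```

Two design points carry over to any review tooling: a decision is only accepted from someone the review designated for that member (a non-reviewer's approval is rejected, and a member outside the scope cannot be decided on at all), and applying the outcome is a distinct, explicit step, so members nobody reviewed stay in place unless the admin deliberately chooses to treat "not reviewed" as a denial.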