Introducing Azure AD access reviews for service principals

Published Jun 10 2021 09:00 AM

Howdy folks!

 

With the growing trend of more applications and services moving to the cloud, there’s an increasing need to improve the governance of identities used by these workloads. Today, we’re announcing the public preview of access reviews for service principals in Azure AD. Many of you are already using Azure AD access reviews for governing the access of your user accounts and have expressed the desire for extending this capability to your service principals and applications.

 

With this public preview, you can require a review of service principals and applications that are assigned to privileged directory roles in Azure AD. You can also create reviews of roles in your Azure subscriptions to which a service principal is assigned. This gives you a periodic check that service principals are assigned only the roles they need, and helps you improve the security posture of your environment.

 

Setting up an access review for service principals in your tenant or Azure subscriptions is easy: select “Service Principals” during the access review creation experience, and the rest is the same as any other access review!

 

To set up this new Azure AD capability in the Azure portal:

  • Navigate to Identity Governance.
  • Choose Azure AD roles or Azure resources followed by the resource name.
  • Locate the Access Reviews blade to create a new access review.
  • Set the Scope to Service Principals.

[Image: Create an Access Review.png]
The selected reviewers will receive an email directing them to review access from the Azure portal.

[Image: SPN.png]

You can also use MS Graph APIs and ARM (Azure Resource Manager) APIs to create this access review for Azure AD roles and Azure resource roles, respectively. To learn more about this feature, visit our documentation on reviewing Azure AD roles (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review) and assigning Azure resource roles (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-start-access-review).
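Before creating the review, it helps to know which service principals will actually land in front of reviewers. The following added example (not Microsoft's code and not part of this post) triages a constructed export of directory role assignments and lists every service principal that holds a privileged directory role. The export shape, the field names and the set of roles treated as "privileged" are assumptions for the example; the records are invented and the field names are only loosely modelled on the Graph role assignment and principal objects, not the exact API response.

```python
"""Triage service-principal role assignments ahead of an access review.

Added example, not part of the original post. The export below is
constructed sample data; the field names are an assumption and do not
claim to match the Microsoft Graph response exactly.
"""
import json
from collections import defaultdict

# Constructed sample export: NOT real tenant data.
SAMPLE_EXPORT = json.dumps([
    {"roleDisplayName": "Global Administrator", "directoryScopeId": "/",
     "principal": {"@odata.type": "#microsoft.graph.user",
                   "id": "u-0001", "displayName": "Alice Admin"}},
    {"roleDisplayName": "Global Administrator", "directoryScopeId": "/",
     "principal": {"@odata.type": "#microsoft.graph.servicePrincipal",
                   "id": "sp-0001", "displayName": "legacy-sync-app"}},
    {"roleDisplayName": "Application Administrator", "directoryScopeId": "/",
     "principal": {"@odata.type": "#microsoft.graph.servicePrincipal",
                   "id": "sp-0001", "displayName": "legacy-sync-app"}},
    {"roleDisplayName": "Directory Readers", "directoryScopeId": "/",
     "principal": {"@odata.type": "#microsoft.graph.servicePrincipal",
                   "id": "sp-0002", "displayName": "reporting-bot"}},
    {"roleDisplayName": "Privileged Role Administrator", "directoryScopeId": "/",
     "principal": {"@odata.type": "#microsoft.graph.servicePrincipal",
                   "id": "sp-0003", "displayName": "ci-pipeline"}},
])

# Roles treated as privileged for this review (an assumption; adjust to
# your own tiering model). These are real Azure AD role display names.
PRIVILEGED_ROLES = frozenset({
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
    "Cloud Application Administrator",
})

SP_TYPE = "#microsoft.graph.servicePrincipal"


def load_assignments(text):
    """Parse the JSON export into a list of assignment records."""
    return json.loads(text)


def service_principal_roles(assignments):
    """Map service principal id -> (displayName, sorted role names).

    User and group principals are skipped: the review scope on the page is
    service principals only.
    """
    roles = defaultdict(set)
    names = {}
    for a in assignments:
        p = a.get("principal") or {}
        if p.get("@odata.type") != SP_TYPE:
            continue
        roles[p["id"]].add(a["roleDisplayName"])
        names[p["id"]] = p.get("displayName", p["id"])
    return {sp: (names[sp], sorted(r)) for sp, r in roles.items()}


def review_candidates(assignments, privileged=PRIVILEGED_ROLES):
    """Service principals holding at least one privileged role.

    Returns {displayName: [privileged roles]} sorted by name; this is the
    population a service-principal access review would present to reviewers.
    """
    out = {}
    for _sp, (name, role_list) in service_principal_roles(assignments).items():
        flagged = [r for r in role_list if r in privileged]
        if flagged:
            out[name] = flagged
    return dict(sorted(out.items()))


if __name__ == "__main__":
    for name, roles in review_candidates(load_assignments(SAMPLE_EXPORT)).items():
        print(f"{name}: {', '.join(roles)}")
```

Run against a real export, the output is the list to sanity-check before you pick reviewers: a service principal appearing with two privileged roles (as `legacy-sync-app` does in the sample) is the kind of assignment the review exists to challenge.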

 

As we work on expanding the set of identity capabilities for workloads, we will use this preview to collect customer feedback for identifying the optimal way of making these capabilities commercially available.

2 Comments

You should definitely expand this to cover "sensitive" API permissions in addition to AAD roles.

Great to have this feature available 

Last update: Jun 10 2021 02:26 PM