As announced on June 7, 2023, Microsoft Entra ID Governance is now generally available, and with it a set of new capabilities to empower businesses in their pursuit of streamlined access management. This includes machine learning (ML) powered access review recommendations and user inactivity access review scoping. These additions leverage advanced technologies to enhance access reviews, granting reviewers intelligent recommendations and simplifying security management by regularly reviewing and removing inactive accounts.
Let's explore how these features assist organizations in making informed decisions and safeguarding critical resources.
Machine Learning-based recommendations for reviewers
Access reviews play a crucial role in ensuring the right users have the appropriate access privileges within an organization. However, the decision-making process can be challenging and time-consuming for reviewers. This is where machine learning-based recommendations for reviewers come into play. Leveraging machine learning algorithms and the organization's reporting structure, this feature provides insightful recommendations to reviewers, enabling them to make well-informed decisions swiftly. Nevertheless, it’s worth emphasizing that while this recommendation is significant, it’s merely the first step towards unlocking the full potential of artificial intelligence (AI) and machine learning.
Scenario: You want to make the review process easier so that reviewers can make quicker and more accurate decisions
You want your reviewers to be efficient during your access certification campaigns. When creating the access review, you select ‘User-to-Group Affiliation’ as part of enabling reviewer decision helpers.
The user-to-group affiliation recommendation analyzes users' relative affiliation with other users in the group, while also considering the organization's reporting structure. By utilizing a machine-learning-based scoring mechanism, the system identifies users who are at a significant distance from other users in the group, indicating "low affiliation."
The reviewer will now see the recommendation in My Access when going through the access review. These insights help flag potential candidates for closer scrutiny before a decision is made to accept or deny access, thereby helping reviewers increase review efficiency, reduce attestation fatigue, and ensure that sensitive resources are secure.
The reviewer can now take immediate action. They have the option to accept the recommendations by clicking on “Accept Recommendations,” enabling swift, efficient decision-making. Alternatively, reviewers can manually review the recommendations and exercise their judgment to accept or deny access accordingly. This feature empowers reviewers to make well-informed decisions while reducing the time and effort required to complete an access review.
Managing inactive user accounts is a significant challenge for organizations, as dormant accounts can pose potential security risks. ID Governance tackles this challenge head-on with the introduction of inactive user scoping. This feature allows administrators to review and address stale accounts that haven’t been active for a specified period. By encompassing both interactive and non-interactive sign-in activities, inactive user scoping provides a comprehensive view of user activity. Administrators can set a specific duration, such as 30, 60 or 90 days, to determine inactive accounts. As part of the review process, stale accounts can automatically be removed.
Scenario: You want to set up a recurring review of inactive users in a critical group
You want to set up a recurring review of the members of the audit team group who have not signed in to any application in Azure AD (either interactively or non-interactively) in the last 30 days. To do that, you create a new access review, choose the group, scope the review to all users in the group, and choose the new option for inactive users, with a threshold of 30 days.
Removing inactive user accounts improves an organization's security posture by reducing the attack surface and minimizing the risk of unauthorized access. By regularly reviewing and removing stale accounts, organizations can ensure that access privileges align with business requirements and maintain a lean, secure user environment.
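The scoping rule described above, as an added example (not Microsoft's implementation): it selects the group members whose most recent sign-in of either kind is older than the threshold. The records are constructed and shaped like Microsoft Graph user objects with `signInActivity`; treating a member with no recorded sign-in as inactive is an assumption of this sketch, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; names and timestamps are made up for illustration.
MEMBERS = [
    {"userPrincipalName": "alice@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2023-06-25T09:12:00Z",
                        "lastNonInteractiveSignInDateTime": "2023-06-28T03:00:00Z"}},
    # Old interactive sign-in, but a recent non-interactive one: still active.
    {"userPrincipalName": "bob@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2023-03-01T08:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2023-06-20T22:41:00Z"}},
    # Both sign-in types are older than the threshold: stale.
    {"userPrincipalName": "carol@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2023-04-10T10:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2023-05-15T00:00:00Z"}},
    # No sign-in recorded at all.
    {"userPrincipalName": "dave@contoso.example", "signInActivity": None},
]

def _parse(ts):
    """Parse an ISO 8601 UTC timestamp; return None for a missing value."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def last_activity(member):
    """Latest of the interactive and non-interactive sign-in times, or None."""
    act = member.get("signInActivity") or {}
    seen = [t for t in (_parse(act.get("lastSignInDateTime")),
                        _parse(act.get("lastNonInteractiveSignInDateTime"))) if t]
    return max(seen) if seen else None

def inactive_members(members, now, threshold_days=30):
    """Return (upn, days_idle, reason) for members to place in review scope."""
    cutoff = now - timedelta(days=threshold_days)
    in_scope = []
    for m in members:
        last = last_activity(m)
        if last is None:
            # Assumption: no recorded sign-in counts as inactive.
            in_scope.append((m["userPrincipalName"], None, "never signed in"))
        elif last < cutoff:
            in_scope.append((m["userPrincipalName"], (now - last).days, "stale"))
    return in_scope

if __name__ == "__main__":
    review_time = datetime(2023, 6, 30, tzinfo=timezone.utc)
    for upn, idle, reason in inactive_members(MEMBERS, review_time):
        print(f"{upn}: {reason}" + (f" ({idle} days idle)" if idle else ""))
```

Checking only the interactive timestamp would wrongly put bob in scope, which is why the rule counts both sign-in types.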
Give it a try
We’re excited about these new capabilities, and we'd love for you to try them out! Current Microsoft Entra ID Premium customers have two ways to use the new capabilities: