Azure Active Directory Guest User Lifecycle Management (Access Reviews)!



Dear Azure Active Directory Friends,


Collaboration in today's world, with a wide variety of Microsoft cloud services, is here to stay. As with everything, the advantages come with disadvantages, for example when it comes to managing guest users in Azure Active Directory (Azure AD). Guest users can be created or invited in various services, such as SharePoint Online, Teams or Azure AD itself. After some time, the question arises: which guest users still need access to our organization and which do not? I answer this question with an Access Review.


Before we start creating the Access Review, we need to talk about the prerequisites. In my example, the following requirements are present:

1. Azure AD Premium P2 (Was already present at the customer)

2. For this customer all guest users are in one group.

3. You must be a Global administrator or User administrator.


Let's start now by navigating to the Azure Active Directory and clicking on External Identities under "Manage".



On the left side menu, navigate to "Lifecycle management" and click Access reviews.



Click on "New access review".



In "Review" please select "Teams + Groups" and then select "Select Teams + Groups".




Click on "Select group(s)"; a new blade will open. In the search box, search for the group, highlight that group and click "Select" at the bottom.



In "Select review scope" I select "Guest users only", because the selected group (in my example) contains only guest users. Click on "Next: Reviews".



Now select the reviewer under "Select reviewers". I will select "Group owner(s)" (for this the group must have an owner); you can of course make another selection according to your needs. If the owner does not respond to the access review, you can select "Fallback reviewers".



In order to work with group owners as reviewers, the following must be configured. In the Azure AD portal, open the Identity Governance page. In the left menu, under Access reviews, click Settings. On the "Delegate who can create and manage access reviews" page, set "(Preview) Group owners can create and manage access reviews of groups they own" to Yes.



Now you can determine the duration of the review. Depending on the number of days you select, not all options are available for "Review recurrence". For example, if you select 7 days, you cannot select weekly for "Review recurrence", etc. (I select 3 days and one time.) Once your settings are made, click on "Next: Settings".



Now the individual settings can be made:

1. If you want to automatically remove access for denied users, set Auto apply results to resource to Enable.

2. Use the If reviewers don't respond list to specify what happens for users that are not reviewed by the reviewer within the review period.
- No change - Leave user's access unchanged
- Remove access - Remove user's access
- Approve access - Approve user's access
- Take recommendations - Take the system's recommendation on denying or approving the user's continued access

3. Use the Action to apply on denied guest users to specify what happens to guest users if they are denied.

"Remove user's membership from the resource" will remove the denied user's access to the group or application being reviewed, but the user will still be able to sign in to the tenant.

"Block user from signing-in for 30 days, then remove user from the tenant" will block the denied users from signing in to the tenant, regardless of whether they have access to other resources. If there was a mistake or if an admin decides to re-enable someone's access, they can do so within 30 days after the user has been disabled. If no action is taken on the disabled users, they will be deleted from the tenant.

4. In "Enable review decision helpers", choose whether you would like your reviewers to receive recommendations during the review process.

5. In the Advanced settings section you can choose the following:
- Set Justification required to Enable to require the reviewer to supply a reason for approval.
- Set email notifications to Enable to have Azure AD send email notifications to reviewers when an access review starts, and to administrators when a review completes.
- Set Reminders to Enable to have Azure AD send reminders of access reviews in progress to all reviewers. Reviewers will receive the reminders halfway through the duration of the review, regardless of whether they have completed their review at that time.


At the end click on "Next: Review+Create".



Give your review a name and click "Create".
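The same review can be created without the portal through the Microsoft Graph access review API. The following is an added example (not part of the original post) using the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed, that the group and fallback reviewer object IDs are filled in (placeholders below), and that the request body shape matches the current accessReviewScheduleDefinition schema.

```powershell
# Added example: create a one-time guest-user access review on a group,
# reviewed by the group owners, with the settings chosen in this post.
# Assumption: Microsoft.Graph PowerShell SDK (Identity.Governance module) is installed.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$GroupId            = "<object-id-of-guest-user-group>"   # placeholder
$FallbackReviewerId = "<object-id-of-fallback-reviewer>"  # placeholder
$Start = Get-Date
$End   = $Start.AddDays(3)   # 3-day review, as selected in the post

$params = @{
    displayName          = "Guest user access review"
    descriptionForAdmins = "Check which guest users still need access to the organization"
    # Scope: only members of the group whose userType is Guest (mirrors "Guest users only")
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$GroupId/transitiveMembers/microsoft.graph.user/?`$filter=(userType eq 'Guest')"
        queryType     = "MicrosoftGraph"
    }
    # Reviewers: the owners of the reviewed group
    reviewers = @(
        @{ query = "/groups/$GroupId/owners"; queryType = "MicrosoftGraph" }
    )
    # Fallback reviewer used when the owners do not respond
    fallbackReviewers = @(
        @{ query = "/users/$FallbackReviewerId"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true   # "Email notifications"
        reminderNotificationsEnabled    = $true   # "Reminders" (sent halfway through)
        justificationRequiredOnApproval = $true   # "Justification required"
        recommendationsEnabled          = $true   # "Enable review decision helpers"
        autoApplyDecisionsEnabled       = $true   # "Auto apply results to resource"
        defaultDecisionEnabled          = $true   # "If reviewers don't respond"
        defaultDecision                 = "Recommendation"  # or None / Approve / Deny
        instanceDurationInDays          = 3
        # One-time review: no repeating pattern, fixed end date
        recurrence = @{
            pattern = $null
            range   = @{
                type      = "endDate"
                startDate = $Start.ToString("yyyy-MM-dd")
                endDate   = $End.ToString("yyyy-MM-dd")
            }
        }
    }
}

New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
```

After creation, the definition appears in the same "Access reviews" list as a review created in the portal, and the group owners receive the same start e-mail.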



Now your Access Review will be listed.



The owner or owners of the group (in my case, me) have now received an email. (Sorry, the last two screenshots are in German.) The group owner can now start the review by clicking on "Start review".



The browser opens, the group owner signs in and then sees the details of the review.



Now the group owner can decide which guest users can still have access to the organization.


I hope this article was helpful for you. Thank you for taking the time to read this article.


Best regards, Tom Wechsler
