Step-by-Step Guide: Azure AD Access Reviews for Applications
Corporate applications also hold critical operational data. By reviewing access regularly, we can make sure only the relevant people keep access to them. If we do this the native way, the review is based mainly on Enterprise application sign-in and audit log data. The problem with that method is that it is time-consuming, and because it is a manual process the result may not be accurate either. With Azure AD Access Reviews, we can do the same thing by setting up a simple access review job. Here is why it is better than a typical audit.
Automated – It is all automated. You do not need to go through logs or do anything manually.
Actions – We can attach a predefined action to execute at the end of a successful access review job. If required, we can also decide manually what to do with the findings (approve or deny access).
Schedule – Access review jobs can be scheduled to run periodically, so reviews happen more frequently than with the manual method.
Recommendations – The access review job itself provides recommendations based on its findings, which helps reviewers decide.
Delegation – Access review jobs allow delegation. We can assign someone else in the team to decide what to do with the findings, which gives more accurate results.
So, let's go ahead and see how it works. In my demo environment, I have the LinkedIn application assigned to different groups and users. I would like to know who has access to it and make permission changes if required.
1. To start, log in to the Azure portal as a Global Administrator.
2. Then make sure the Access Reviews onboarding process is completed. More info about this can be found in one of my previous blog posts: http://www.rebeladmin.com/2019/02/step-step-guide-review-privileged-accounts-using-azure-pim/
3. To create a new access review job, go to Access Reviews | Controls.
4. Then click on + New Access Review.
5. On the new page, provide a name for the job, then decide the start and end dates and the frequency.
6. Then, under Users to review, select Assigned to an application. I also changed the Scope to Everyone, as I need to review all access.
7. Click on Application and select the LinkedIn app for the review.
8. Then, under Select reviewers, select the reviewer for the job.
9. Under Upon completion settings, we can let the system apply actions automatically at the end of the review. In my demo, I am going to use the manual method.
10. Under Advanced settings, I am using the defaults. They give me email notifications, recommendations, and reminders.
11. When all the settings are in, click on Start.
12. As expected, after some time the reviewer gets an email asking them to begin the review.
13. We can review the findings by clicking on the job and then going to Results.
14. Under Results, we can see the list of users who have access to the app.
15. The Recommendation column shows what the system suggests for each user. The recommendation is based on the user's sign-in activity over the last 30 days, so a user with no sign-ins in that period is recommended for denial.
16. Once the review is completed, click on Download to download the review result.
Since I did not want to apply anything automatically upon completion, I have to go in manually and change the memberships.
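As an added example (this is not code from the original post), here is how the downloaded result can be turned into a removal list instead of working through it by hand. The CSV below is a constructed sample and its column names are assumptions; the portal's export may use different headers, so adjust the field names in plan() if yours differ. The script reproduces the 30-day inactivity rule behind the Recommendation column and the "if reviewers don't respond" choices under Upon completion settings (No change, Approve, Deny, Take recommendations), so you can see what auto-apply would have done with the users nobody reviewed before you touch any memberships.

```python
"""Turn an exported access review result into an action plan.

Added example, not code from the original post. The CSV layout is a
constructed sample with assumed column names; the real portal export may
use different headers, so adjust the field names in plan() if they differ.
"""
import csv
import io
from datetime import datetime, timedelta

# Azure AD recommends Deny for a user with no sign-in activity in the last 30 days.
INACTIVE_DAYS = 30

# Constructed sample export (not real data). "decision" mirrors the reviewer
# choices in the portal: Approve, Deny, or NotReviewed when nobody responded.
SAMPLE_CSV = """\
displayName,userPrincipalName,objectId,decision,lastSignIn
Alice Example,alice@contoso.example,11111111-1111-1111-1111-111111111111,Approve,2019-03-01
Bob Example,bob@contoso.example,22222222-2222-2222-2222-222222222222,Deny,2018-11-15
Carol Example,carol@contoso.example,33333333-3333-3333-3333-333333333333,NotReviewed,2018-12-20
Dave Example,dave@contoso.example,44444444-4444-4444-4444-444444444444,NotReviewed,2019-03-10
Erin Example,erin@contoso.example,55555555-5555-5555-5555-555555555555,NotReviewed,
"""


def recommend(last_sign_in, as_of):
    """Reproduce the portal recommendation: Deny if inactive for INACTIVE_DAYS."""
    if last_sign_in is None:
        return "Deny"  # never signed in, so nothing justifies keeping access
    return "Deny" if as_of - last_sign_in > timedelta(days=INACTIVE_DAYS) else "Approve"


def final_action(decision, recommendation, default):
    """Resolve the outcome for one user when the review closes.

    `default` is the policy for users nobody reviewed, matching the
    "If reviewers don't respond" choices under Upon completion settings:
    NoChange, Approve, Deny, or Recommendation.
    """
    if decision == "Approve":
        return "Keep"
    if decision == "Deny":
        return "Remove"
    # NotReviewed: fall back to the completion policy.
    if default == "Recommendation":
        return "Remove" if recommendation == "Deny" else "Keep"
    if default == "Deny":
        return "Remove"
    return "Keep"  # NoChange or Approve leaves access as it is


def plan(csv_text, as_of, default="NoChange"):
    """Return one dict per user: upn, objectId, recommendation and outcome."""
    as_of_dt = datetime.strptime(as_of, "%Y-%m-%d")
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last = row["lastSignIn"].strip()
        last_dt = datetime.strptime(last, "%Y-%m-%d") if last else None
        rec = recommend(last_dt, as_of_dt)
        rows.append({
            "upn": row["userPrincipalName"],
            "objectId": row["objectId"],
            "recommendation": rec,
            "outcome": final_action(row["decision"].strip(), rec, default),
        })
    return rows


def to_remove(csv_text, as_of, default="NoChange"):
    """Object IDs whose app assignment (or group membership) should be removed."""
    return [r["objectId"] for r in plan(csv_text, as_of, default)
            if r["outcome"] == "Remove"]


if __name__ == "__main__":
    # Show how each completion policy treats the users nobody reviewed.
    for policy in ("NoChange", "Recommendation", "Deny"):
        removed = [r["upn"] for r in plan(SAMPLE_CSV, "2019-03-20", policy)
                   if r["outcome"] == "Remove"]
        print(policy, "->", removed)
```

Only the users with an explicit Deny are removed under No change; the users nobody reviewed are dropped only when the policy says so, which is why leaving the default at No change and then forgetting the manual follow-up quietly keeps stale access. The removal itself is still the manual step described above: for a direct assignment, delete the user's app role assignment on the enterprise application; for access granted through a group, remove the user from that group.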
Isn't this way easier than a manual audit?
This marks the end of this blog post. If you have any questions, feel free to contact me at firstname.lastname@example.org, and follow me on Twitter @rebeladm to get updates about new blog posts.