Enable automatic Access Reviews for Guest users in Teams and Microsoft 365 Groups
The Azure AD access reviews feature is now in public preview for Teams and Microsoft 365 Groups. This blog post gives an overview of the new public preview feature.
With the Access Reviews for guests functionality, guest users in groups can be checked automatically. When a new Team or Microsoft 365 group is created, access review is automatically enabled for all groups with B2B guest users in them. No manual selection of Azure AD groups is needed.
During the current pandemic, more and more users are using online features, and Microsoft Teams is one of the most used collaboration tools among the Microsoft solutions. In this situation the list of guest users in the tenant keeps growing, most of the time without any control or with only periodic checks. One of the biggest challenges with guest/external accounts in Azure AD is building a governance process to keep your directory clean. The new automatic Access Reviews for guest users make it possible to keep control.
In this specific case, Azure AD access reviews can be used to check the guest users. Especially with an increase in external collaboration, it is useful to always check the external guest users included in the groups.
Before the start – requirements
For the usage of the public preview the following prerequisites are needed:
- Azure AD Premium P2 license
See this section for more information on licensing.
What are Azure AD access reviews?
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications and role assignments. User access can be reviewed regularly to make sure only the right people have continued access to the product.
Note: Currently the feature is in public preview. Source
Enable automatic Access Reviews for Guest users
To enable Access Reviews for guests, we need to create a new access review scoped to Teams + Groups and All Microsoft 365 groups with guest users. First go to the Azure AD portal and open Identity Governance.
- Go to the Azure AD portal
- Open the Identity Governance portal
- Open Access Reviews
- Create an Access Review
Next, select Teams + Groups. This applies the Access Reviews functionality to all Teams + Groups user memberships.
In this specific case we will use the new guest feature. To enable it for Microsoft 365 groups with guest users, select under step 2 the setting (preview) All Microsoft 365 Groups with guest users. All Microsoft 365 groups with guest users will now be checked automatically.
Multiple options are available for the reviewers. The reviewers are the users or group owners who perform the access review. For Office 365 groups, the easiest way without any manual action is to configure the reviewers based on the group owners.
Select Group Owners.
Now all the group owners are included as reviewers. With this, all new groups automatically become part of the Access Reviews feature without any manual task.
Next, set the recurrence of the review. Reviews can recur weekly, monthly, quarterly, semi-annually, or annually. You then specify a Duration, which defines how long a review will be open for input from reviewers. The maximum duration that you can set for a monthly review is 27 days.
Multiple settings are available for the access reviews. The completion settings can apply results automatically. To automatically remove access for denied users, set Auto apply results to resource to Enable. If you want to manually apply the results when the review completes, set the switch to Disable.
The setting If reviewers don’t respond defines what happens to users who are not reviewed within the review period. It only applies to users who have not been reviewed. This setting does not impact users who have been reviewed by the reviewers manually. The following options are available:
- No change – Leave user’s access unchanged
- Remove access – Remove user’s access
- Approve access – Approve user’s access
- Take recommendations – Take the system’s recommendation on denying or approving the user’s continued access
Enable review decision helpers is a feature that gives the reviewer information based on the recommendations during the review process.
The Advanced settings offer multiple configuration options.
- Justification required: enable this if a reason for approval is needed from the application.
- Email notification is a setting for sending notifications to reviewers when an access review starts, and to the admin users when a review is completed.
- Set Reminders to Enable to have Azure AD send reminders of access reviews in progress to reviewers who have not completed their review.
The content of the email is automatically generated with details such as review name, resource name, due date and more. It is possible to include custom instructions or contact information. For custom content, use the Additional content for review email section.
After the review is created, the reviewers will receive an email with a link to the MyAccess end-user portal. The mail contains the team name, tenant name and review period.
From the portal, it is possible to directly deny guest users.
The page gives multiple details:
- Name: Name of the guest user
- Recommendation: Recommendation for the specific guest user
- Decision: Shows the decision that was made
- Review by: Shows who reviewed the user once the review has been made
When you click Deny, the user will be removed from the Azure AD group. Microsoft's recommendation is based on whether the user last signed in more than 30 days ago. If a user is denied access, they aren’t removed immediately.
To apply all the system recommendations, click Accept recommendations in the MyAccess portal.
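How the reviewer decision, the option chosen for unreviewed users, the 30-day recommendation and the auto-apply switch combine can be followed in a small model. This is an added example, not code from Microsoft or from the original post; the function names, the `as_of` reference date and the handling of guests with no recorded sign-in are assumptions.

```python
from datetime import date, timedelta

# Options of the setting for unreviewed users, as listed in the post.
NO_CHANGE, REMOVE, APPROVE, TAKE_RECOMMENDATIONS = (
    "No change", "Remove access", "Approve access", "Take recommendations")
INACTIVE_AFTER = timedelta(days=30)  # recommendation threshold from the post


def recommendation(last_sign_in, as_of):
    """Deny when the last sign-in is more than 30 days before as_of."""
    # Assumption: a guest with no recorded sign-in counts as inactive.
    if last_sign_in is None or as_of - last_sign_in > INACTIVE_AFTER:
        return "Deny"
    return "Approve"


def resolve(guests, if_no_response, auto_apply, as_of):
    """Return {guest name: (decision, action)} for the end of a review."""
    outcome = {}
    for g in guests:
        decision = g.get("reviewer_decision")   # set by a group owner, or None
        if decision is None:                    # fallback only for unreviewed guests
            if if_no_response == REMOVE:
                decision = "Deny"
            elif if_no_response == APPROVE:
                decision = "Approve"
            elif if_no_response == TAKE_RECOMMENDATIONS:
                decision = recommendation(g["last_sign_in"], as_of)
            else:
                decision = "NotReviewed"        # "No change": access stays as it is
        if decision != "Deny":
            action = "keep"
        else:                                   # denied: removal depends on auto-apply
            action = "remove" if auto_apply else "pending manual apply"
        outcome[g["name"]] = (decision, action)
    return outcome


# Constructed sample data, not taken from a real tenant.
REVIEW_END = date(2020, 9, 30)
GUESTS = [
    {"name": "active-unreviewed", "last_sign_in": date(2020, 9, 20), "reviewer_decision": None},
    {"name": "stale-unreviewed", "last_sign_in": date(2020, 7, 1), "reviewer_decision": None},
    {"name": "stale-approved", "last_sign_in": date(2020, 7, 1), "reviewer_decision": "Approve"},
    {"name": "active-denied", "last_sign_in": date(2020, 9, 29), "reviewer_decision": "Deny"},
]

if __name__ == "__main__":
    for name, result in resolve(GUESTS, TAKE_RECOMMENDATIONS, True, REVIEW_END).items():
        print(name, *result)
```

With Take recommendations and auto-apply enabled, only the stale unreviewed guest and the explicitly denied guest lose access; an owner's explicit approval of a stale guest is left in place.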
The Access Reviews are visible in Azure AD Identity Governance. When you open the created policy, you can find the status: Groups reviews (1) counts the reviewed groups and the total number of groups with external users. Review history (2) contains all the completed Access Reviews.
From the admin portal, it is possible to open the details for the groups. To check the status, open the group name from the policy overview page.