So, what is Access Review? It is an Azure AD feature that helps you reduce the access guests have in your tenant and the access your users have to applications. With it you can run automated reviews of access to specific Enterprise applications or to groups in your tenant. See this YouTube video for a detailed explanation.
The downside of this tool is that it is only available when you have an Azure AD P2 or EMS E5 license. You can use this link to activate an Azure AD P2 or EMS E5 trial.
The service is only available to users in one of the following roles:
- Global Administrator
- User Administrator
- Security Administrator
- Security Reader
Onboarding your tenant
The first thing that needs to be done is to onboard your tenant to this service. To do this, go to the Azure portal and search for Access Review, or use this link: https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/GettingStarted. Click on the “Onboard” menu item and then on “Onboard Now” to start onboarding your tenant.
Your first Access Review
Now that Access Review is enabled for your tenant, you can create your first Access Review.
To keep it simple, go to “Controls”. This blade gives an overview of all the Access Reviews that are running or have finished. Click on “New access review” to start a new review. Fill in the group or application you want reviewed and the reviewers, then click on “Start”. The reviewers receive an email asking them to start the review.
Reviewing all guest users in your tenant
If you want to review all the guest users in your tenant, you must do some extra work. An Access Review needs an application or group to review, so you first need to create a security group that contains all your guests. You can create a dynamic security group for this with the following membership rule: (user.userType -eq "Guest")
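The steps above, as an added example that is not part of the original post: it creates the dynamic guest group with the AzureAD PowerShell module and then waits until dynamic membership has caught up with a direct directory query, so the review is not started on a half-populated group. The group name and mail nickname are placeholders chosen for this example.

```powershell
# Added example (not from the original post). Assumes the AzureAD module is installed
# and you are signed in with a role that may create groups.
Connect-AzureAD

$rule = '(user.userType -eq "Guest")'   # the membership rule from the post

# Dynamic security group that will be the target of the Access Review
$guestGroup = New-AzureADMSGroup `
    -DisplayName "All Guest Users" `
    -Description "Dynamic group of every guest account, used as the Access Review target" `
    -MailEnabled $false `
    -MailNickname "all-guest-users" `
    -SecurityEnabled $true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Directly query the accounts the rule should match, to compare against the group
$guests = Get-AzureADUser -Filter "userType eq 'Guest'" -All $true

# Dynamic membership is evaluated asynchronously; poll until the group has caught up,
# and give up after ten minutes rather than starting a review on a partial set.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $members = Get-AzureADGroupMember -ObjectId $guestGroup.Id -All $true
} while ($members.Count -lt $guests.Count -and (Get-Date) -lt $deadline)

if ($members.Count -ne $guests.Count) {
    Write-Warning "Group has $($members.Count) members but the directory has $($guests.Count) guests; wait before creating the review."
} else {
    Write-Host "Guest group $($guestGroup.Id) holds $($members.Count) guests and is ready for an Access Review."
}
```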
Now that you have this dynamic group, you can create a new Access Review for it with the scope “Guest users only”. As reviewers you can select specific users, or, if you added owners to the group above, you can select “Group Owners”. There is also an option to let users review their own access; I see that option as more suited to internal applications.
When you start this review the reviewers get an invite to do the review; if you have a lot of users in your Azure AD it can take a while before they receive this email. The review is done through the https://myapps.microsoft.com portal. Reviewers get an extra application, “Access Review”, there, where they see the reviews that are available to them.