Identity Governance regulates access control in Azure AD

Right Rights

Access Review Automation

The lifecycle of a set of authorizations assigned to a user for an asset is rounded off by reviewing the further need for it and extending access or revoking the set accordingly. Normally, it does not make sense to assign assets without a time limit or a review. All too often, the needs or roles of users in the organization can change without their authorizations being rolled back. In the end, long-term employees accumulate resources and authorizations that they never give back and that no one ever reviews.

This problem becomes more serious in the cloud, where users do not have to be in the office to access resources and are therefore not seen regularly. The same applies to collaboration with external partners and suppliers who have been granted access to data for a project: the project managers and contact persons for those external parties are unlikely to tidy up afterwards.

Microsoft has developed access reviews for AAD to close this gap: resource owners or IT administrators can ask every user in the scope of a campaign to confirm that they still need their authorizations. Campaigns can be run once on demand or at regular intervals (e.g., monthly, quarterly, or annually). When a campaign is launched, the affected end users are notified and must confirm within a specified time that they still require access. Their confirmation – or active rejection – of further access is logged and results in the corresponding change in access.

The access reviews feature offers different attestation methods: either the end users themselves are asked to take action, or application owners or a group of delegates decide on a list of authorized users. In either case, each individual user must be approved or rejected. For users for whom no response arrives – because the end user does not respond or the delegate cannot reach a decision – the system can, if so configured, automatically extend access at the end of the campaign, automatically deny it, or decide itself on the basis of sign-in and usage data.

Configuration starts in the Identity Governance section of the AAD Portal below Access reviews | New access review:

  • Review name gives you a place to assign a meaningful name: State the resources to be reviewed and the frequency of review in the name – all of which helps with administrative tasks later on.
  • Description gives you more space for detailed information related to the application and what happens in the review.
  • Start date defines when the campaign starts and reviewers need to be notified.
  • Frequency lets you set the frequency of the review; the default setting is One time. If you plan to review the resources in question on a regular basis, this is the drop-down menu in which to change that value.
  • Duration (in days) lets you define how much time you want to give the reviewers to confirm access. To prevent holidays and absences from interfering with this process, you will want to allow four weeks before closing the door on people who have not confirmed.
  • End indicates the end of the review if you selected a frequency rather than One time.
  • Users lets you choose which user base you want to review either by referencing AAD groups or the concrete application assignment.
  • Scope defines whether you want to check all access equally, or whether you specifically want to target external collaboration partners.
  • Reviewers lets you determine the colleagues who will be able to perform the review: either specific, selected reviewers or the individual end users themselves, who then certify their future need for access (self-attestation).
  • Upon completion settings sets how the system acts when individual users fail to respond if you opt for automatic changes. You can deny access, continue allowing access, or enforce system recommendations, which are based on historical usage data: If the user has not recently used the resource, they will be locked out.
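The portal options above correspond to the Microsoft Graph accessReviewScheduleDefinition resource, which is how you would create the same campaign from a script instead of clicking through the portal. The following Python is an added example written for this page, not code from ADMIN Magazine or from Microsoft: it assembles the POST body for /identityGovernance/accessReviews/definitions from the portal options (name, description, start, frequency, duration, users, scope, reviewers, upon-completion setting) and simulates what a user who never answers gets at campaign end. The property names follow the Graph access reviews API as recalled by the author of this example and should be checked against the current Graph reference; the 30-day inactivity rule in default_decision_for is a stand-in assumption for the service's own recommendation logic, and all group and user IDs are constructed.

```python
"""Constructed example: turn the portal options for an access review into a
Microsoft Graph accessReviewScheduleDefinition body and simulate the
"Upon completion" handling for reviewers who never respond."""
import json
from datetime import date, timedelta

# Graph v1.0 endpoint that accepts the body built below (POST with a bearer token).
GRAPH_DEFINITIONS_URL = (
    "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"
)

# Portal "Frequency" choices mapped to a month interval for the recurrence pattern.
FREQUENCY_MONTHS = {"monthly": 1, "quarterly": 3, "semi-annually": 6, "annually": 12}
DEFAULT_DECISIONS = {"None", "Approve", "Deny", "Recommendation"}


def build_access_review(name, description, group_id, reviewer_ids, start,
                        duration_days=28, frequency="one time",
                        guests_only=False, default_decision="Recommendation"):
    """Return the JSON body for POST .../accessReviews/definitions."""
    if duration_days < 1:
        raise ValueError("Duration must be at least one day")
    if default_decision not in DEFAULT_DECISIONS:
        raise ValueError(f"Unknown default decision {default_decision!r}")
    freq = frequency.lower()
    if freq != "one time" and freq not in FREQUENCY_MONTHS:
        raise ValueError(f"Unknown frequency {frequency!r}")

    # "Users"/"Scope": review the transitive members of a group, optionally guests only.
    query = f"/groups/{group_id}/transitiveMembers"
    if guests_only:
        query += "/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')"

    # "Frequency"/"End": a one-time review carries a fixed end date; a recurring
    # one gets an absoluteMonthly pattern with no end date.
    if freq == "one time":
        recurrence = {
            "pattern": None,
            "range": {"type": "endDate", "startDate": start.isoformat(),
                      "endDate": (start + timedelta(days=duration_days)).isoformat()},
        }
    else:
        recurrence = {
            "pattern": {"type": "absoluteMonthly", "interval": FREQUENCY_MONTHS[freq],
                        "dayOfMonth": 0},
            "range": {"type": "noEnd", "startDate": start.isoformat()},
        }

    return {
        "displayName": name,
        "descriptionForAdmins": description,
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": query,
            "queryType": "MicrosoftGraph",
        },
        # "Reviewers": named colleagues, each expressed as a Graph query for one user.
        "reviewers": [
            {"query": f"/users/{uid}", "queryType": "MicrosoftGraph"} for uid in reviewer_ids
        ],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "instanceDurationInDays": duration_days,   # "Duration (in days)"
            "recurrence": recurrence,
            # "Upon completion settings": apply results and the fallback decision.
            "autoApplyDecisionsEnabled": True,
            "defaultDecisionEnabled": default_decision != "None",
            "defaultDecision": default_decision,
            "recommendationsEnabled": True,
        },
    }


def default_decision_for(default_decision, last_sign_in, review_end, lookback_days=30):
    """Simulate the outcome for a user who never responded to the campaign.

    'Recommendation' is modelled as a plain inactivity rule (no sign-in within
    lookback_days before the review closes -> Deny). This is an assumption for
    illustration; the real service applies its own sign-in analytics."""
    if default_decision == "None":
        return "NotReviewed"
    if default_decision in ("Approve", "Deny"):
        return default_decision
    if last_sign_in is None or (review_end - last_sign_in).days > lookback_days:
        return "Deny"
    return "Approve"


if __name__ == "__main__":
    # Constructed IDs, not real tenant objects.
    body = build_access_review(
        "Finance share guests, quarterly", "Quarterly guest review for the finance share",
        group_id="00000000-0000-0000-0000-000000000001",
        reviewer_ids=["00000000-0000-0000-0000-0000000000aa"],
        start=date(2024, 1, 1), frequency="quarterly", guests_only=True)
    print(json.dumps(body, indent=2))
```

Sending the body is a POST to GRAPH_DEFINITIONS_URL with a bearer token that carries the AccessReview.ReadWrite.All permission; the HTTP call is left out so the block runs offline. Note that the default decision only matters when autoApplyDecisionsEnabled is set; without it the review closes with recorded decisions but nothing is removed automatically.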

Keeping Track

To track where users have permissions, you can choose User assignments reports in the Identity Governance section to run queries. This overview shows authorizations for individual users – the Access reviews function is intended for multiple users.

In the overview, click on the magnifying glass, Select users, and choose the user of interest. The system finds all the resources to which the target user has access, with a breakdown showing the access packages to which each resource belongs and how long access is allowed according to the linked policy (Figure 4).

Figure 4: The results of an access review campaign. This report helps you clean up authorizations and automatically block access.


Even this first version of the Identity Governance package for the Microsoft Cloud shows some useful features. Wherever users mainly access resources from the cloud or when collaboration with partners in the cloud is a priority, Identity Governance is a viable alternative to existing on-premises solutions that need to be made cloud-ready. The self-service functions are tailored to the various resources that can be integrated into AAD. At the moment, Identity Governance cannot yet hold a candle to mature systems, but the question is: Does it have to? In the near future, when many things will exclusively rely on the cloud, a paradigm shift or site-by-site operation could make sense.
