AZ-305: Microsoft Azure Solutions Architect Expert
Design for authentication and authorization
Design for access reviews
Access Reviews help you maintain a secure environment by ensuring that only the users who genuinely need access to your resources retain it. Over time, role assignments or memberships may persist even when they are no longer necessary, potentially creating security risks. Access Reviews address this challenge by periodically verifying, retaining, and revoking access as needed.
Access Reviews follow a four-step cyclic process:
Notification:
Resource owners receive email notifications that list all current role assignments within a specified scope. This communication ensures that both application owners and users are informed about their access status.
Review:
During the review phase, designated resource owners assess each role assignment to determine whether continued access is warranted.
Retention:
After reviewing, resource owners decide which access assignments will be maintained for users who still require them.
Purge:
Finally, stale or redundant assignments are removed automatically. A report is generated for administrators, ensuring that any unnecessary access is revoked promptly.
Note
Access Reviews require an Azure AD Premium P2 license to use the full set of features.
Best Practices for Access Reviews
Implementing Access Reviews effectively requires a clear strategy and careful planning. Below are some key best practices to consider:
Understand the Purpose:
Access Reviews are essential for protecting, monitoring, and auditing resource access. They help you decide which users should continue to have access and for how long.
Decide the Reviewers:
Identify whether the reviews will be conducted by resource owners, delegated reviewers, or security teams.
Implement a Self-Attestation Process:
Consider allowing users to confirm their ongoing need for access. If a user self-attests, their access is retained; if not, their permissions may be revoked.
Determine Resource Types for Review:
Focus on reviewing access to highly confidential or mission-critical resources to maximize security.
Set Up a Detailed Review Plan:
Develop a clear plan that specifies the list of reviewers, target resources, review frequency, and a remediation strategy in case discrepancies are identified.
To summarize the best practices visually, consider the table below:
| Key Aspect | Consideration | Recommendation |
|---|---|---|
| Purpose | Protect and audit access | Review periodically to reduce risk |
| Reviewer Selection | Resource owners, delegated reviewers, or security teams | Choose based on role expertise |
| Self-Attestation Process | User ability to confirm continued access | Enable for improved user responsibility |
| Resource Focus | Critical, confidential, or sensitive resources | Prioritize high-risk resources |
| Review Planning | Frequency, detailed schedule, and remediation strategy | Establish clear guidelines and automation |
Configuring Access Reviews in the Azure Portal
The Azure portal offers a streamlined approach to configuring and managing Access Reviews through Identity Governance. Follow these steps to set up an Access Review:
Start a New Review:
In the Azure portal's Identity Governance section, click "Add a new access review." Choose the type of review based on your needs, such as a group membership review (e.g., Teams plus groups) or a review of a set of applications.
Select the Scope:
For instance, if you are reviewing an application, select the relevant app (such as the Azure VPN app) and define whether the review applies to guest users or all users. Configure the review as single-stage or multi-stage, according to your approval process requirements.
Assign Reviewers:
Choose who will perform the review. Options include designated users, self-attestation by the user, or managers (if available in Azure AD). For example, you can select individual reviewers to validate each role assignment.
Define Review Recurrence and Duration:
Set the review to recur on a schedule that suits your organization's needs (weekly, monthly, quarterly, semi-annually, or annually) and specify the duration in days. Configure the start and end dates much as you would schedule a meeting in Outlook.
Configure Completion Settings:
Enable auto-apply to enforce reviewer decisions automatically. Choose what happens if no response is received: leave access unchanged, remove access, or approve access. Additionally, use decision helpers that can notify you if a user has not signed in within a specified timeframe (e.g., 30 days). Advanced options also allow you to require justifications, set up email notifications, and configure reminders.
Review Details and Create:
Provide a name and description for the review (for example, "VPN review" if evaluating the VPN app). Once you confirm all settings, create the review. Automated emails will be sent to the reviewers at the specified frequency, enabling them to determine which users should maintain access.
Monitor the Access Review:
After the review is created, monitor its progress in the Identity Governance section of the Azure portal.
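The portal steps above can also be scripted against the Microsoft Graph accessReviewScheduleDefinition resource. The following is an added example, not part of this course or Microsoft's own tooling: it builds the request body for a recurring group-membership review with named reviewers, a default decision for non-responders, auto-apply, and a recurrence mapped from the portal's frequency choices (the frequency-to-recurrencePattern mapping and the group and user ids are assumptions and constructed placeholders).

```python
# Endpoint that accepts the body built below (POST with a Graph bearer token).
GRAPH_URL = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"
# Portal recurrence choices mapped to Graph recurrencePattern values (assumed mapping).
RECURRENCE = {
    "weekly": {"type": "weekly", "interval": 1},
    "monthly": {"type": "absoluteMonthly", "interval": 1, "dayOfMonth": 0},
    "quarterly": {"type": "absoluteMonthly", "interval": 3, "dayOfMonth": 0},
    "semi-annually": {"type": "absoluteMonthly", "interval": 6, "dayOfMonth": 0},
    "annually": {"type": "absoluteYearly", "interval": 1, "dayOfMonth": 0},
}
# Outcome applied when a reviewer does not respond ("None" = leave access unchanged).
DEFAULT_DECISIONS = {"None", "Approve", "Deny", "Recommendation"}

def build_group_review(name, group_id, reviewer_ids, frequency="quarterly",
                       start_date="2025-01-01", duration_days=14,
                       default_decision="Deny", auto_apply=True):
    """Return the accessReviewScheduleDefinition body for a recurring group review."""
    if frequency not in RECURRENCE:
        raise ValueError(f"unknown frequency {frequency!r}")
    if default_decision not in DEFAULT_DECISIONS:
        raise ValueError(f"unknown defaultDecision {default_decision!r}")
    if not reviewer_ids:
        raise ValueError("at least one reviewer is required")
    return {
        "displayName": name,
        "descriptionForAdmins": f"Recurring {frequency} review of group {group_id}",
        # Scope: transitive members of one group (the portal's Teams + groups review).
        "scope": {"@odata.type": "#microsoft.graph.accessReviewQueryScope",
                  "query": f"/groups/{group_id}/transitiveMembers",
                  "queryType": "MicrosoftGraph"},
        # Reviewers: specific users selected by object id.
        "reviewers": [{"query": f"/users/{rid}", "queryType": "MicrosoftGraph"}
                      for rid in reviewer_ids],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "recommendationsEnabled": True,  # decision helper (e.g. inactive users)
            "defaultDecisionEnabled": True,
            "defaultDecision": default_decision,
            "autoApplyDecisionsEnabled": auto_apply,  # enforce decisions without admin action
            "instanceDurationInDays": duration_days,
            "recurrence": {"pattern": RECURRENCE[frequency],
                           "range": {"type": "noEnd", "startDate": start_date}},
        },
    }
```

Submit the returned body with a POST to GRAPH_URL using a token that holds AccessReview.ReadWrite.All (for example `az rest --method post --url "$GRAPH_URL" --body @body.json`); the created definition then shows up under Identity Governance like one created in the portal.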
Reminder
Regularly monitoring and adjusting your Access Reviews ensures that your organization maintains a secure and efficient access management policy.
This guide has explained how to set up and manage Access Reviews in Azure. By following these steps and best practices, you can ensure that only authorized users maintain access to your critical resources while automating and simplifying the access management process.
Additionally, this course covers Managed Identities, an essential component of secure resource access management in Azure. For further details, explore Azure Managed Identities Documentation.