Advanced Security Management in Office 365 — Part 1
In a series of articles here on ENow’s blog over the past few months, we covered a wide variety of...
In the last few weeks we have been frantically recapping the dozens of announcements made at Ignite 2017. As usual, many of the features demoed at the conference will only show up in production after a few weeks or even months, but some are already available in Preview. In this article, we will do a short overview of one such feature, namely Access Reviews for Office 365 groups and applications.
And yes, that’s groups with small g, as the feature covers not only the new, “modern” Office 365 Groups, but also “traditional” distribution groups and security groups. Let’s dig in.
Azure AD offers many self-service features, for example the ability for end users to provision groups, manage their membership, get access to applications or reset their password. While this self-service approach is great for smaller organizations or organizations that do not need to follow ITIL practices, as it alleviates some of the IT overhead, it can sometimes also be a problem. For example, managing those self-provisioned groups is often problematic, as end users don’t know how to perform basic tasks or simply forget about the objects they provisioned, thus creating a lot of clutter in the address book.
The Access Reviews feature is one of the steps Microsoft is taking in order to address this problem. The feature allows organizations to trigger an easy-to-use re-evaluation process, in which designated users can give feedback on whether they still need access to a specific group or application.
To start playing with the feature, you need to access the relevant blade in the Azure portal. If this is the first time you are using the feature, you will be asked to onboard in order to unlock its functionality. In other words, you will have to click the Onboard tab shown on the screenshot below in order to unlock all other tabs:
Once this part is completed, all controls should be enabled and additional information about the feature will be shown. By default, Access reviews are organized into Programs, which you will find listed under the relevant tab on the left. Programs are just containers for the actual review controls; they serve no purpose other than to help you organize the reviews. You can select the Default Program, or just as easily create a new Program by clicking the Add program button and providing a name and description.
Clicking a Program name will take you to the Overview page for said program, or if you prefer to get the full picture, you can click the Overview tab in the left pane to list all Programs and Controls. In my case, I have already created a new Program named “O365 Groups” and associated two controls (Access Reviews) with it, as shown below:
To create an actual Access Review, or Control, you simply need to navigate to the relevant Program and press the New access review button under the Controls tab. You will have to provide a Review name and a short Description. Alternatively, you can click the Controls tab in the “global” workspace and follow the same process, then associate the Access review with a particular program as part of the creation process.
The next step is selecting a Start date and End date for the review. By default, Access reviews run for 30 days, starting on the current date, but you can of course select custom values. While 30 days might seem excessive, in most cases you will need to account for planned or unplanned absences, holidays and so on.
The next step of the process is to select the type of Access review to perform, under the Users to review dropdown. For the Preview, the available choices are Members of a group or Assigned to an application. Next, you need to select the scope, namely whether you want to trigger the review for Everyone or Guest users only. For our first test, we will do a group membership re-evaluation, for every member of a group, which we designate by pressing the Select a group button:
As already mentioned in the introduction, the Access Reviews feature is not limited to modern Office 365 Groups, but can also be triggered for Security and Distribution groups. Once the group is selected, you will designate the people that will be performing the review, under Reviewers. In this example, the available options are: Group owners, Selected users or Members (self).
Lastly, you can select whether to enable Mail notifications, Reminders and to Require reason on approval. All these options are controlled via the toggles shown below:
After you press the Start button, the Access Review will be created and the approval process started. If you opted to enable notifications, the reviewer(s) will receive an “action required” email, notifying them about the review and surfacing some additional information. The level of detail you will be able to see depends on your role in the process; for example, Guest users will not be shown information about who started the review (right side):
To perform the actual review, you need to access the Azure AD Self-service portal. In the list of applications, you will see a link to the Access Reviews app. You will then be presented with a list of all active Access Reviews concerning your user account. This part of the process is virtually identical for internal and external users, as shown below:
Pressing the Begin review button will take you to the approval “stage”, where all pending reviews will be displayed. If you are a reviewer, the list will include all the members or guest users of the group or application for which the Access review is being performed. If you are not a reviewer, you will only see your own username listed. Again, the process is very similar between internal and external access approvals.
When reviewing group membership, you will be presented with the list of members and some additional information that should help you with the decision. A recommended action might be presented in some cases, for example if the user hasn’t logged in in the past 30 days. A progress indicator is shown on the top, while more detailed statistics can be found at the bottom of the page.
After you select the user(s) for which to perform the review, press the Review button. The dialog shown on the right will pop up, allowing you to Approve the access, Deny it or leave the decision for later. A reason can be provided optionally, or may be required depending on the review settings. For the sake of completeness, the screenshot below shows how the process looks when you are reviewing your own access to a group, with justification required:
Note that the decision taken at this step does not have any immediate effect. The user or reviewer can change their decision until the Access review is stopped, either by reaching the deadline or manually by an administrator. The results are only applied after the administrator presses the Apply button.
By default, Access reviews remain active for 30 days. Once the end date is reached, users are no longer able to provide their input. At any point, the administrator can check the progress by navigating to the relevant Program/Control or checking the global Overview page, as shown in the previous section. In addition, the administrator can perform one of the following actions:
Stopping the Access Review is a one-way street – once stopped, you cannot reactivate it. Regardless of the method used to end the review, once it reaches its final phase another email notification will be triggered. At this point, the administrator can choose how to handle the results. Pressing the Apply button will update the group membership or application access list in accordance with the Access review results. Unfortunately, you cannot override individual results: you can only agree to apply all of them, or choose to ignore the results and not perform any action.
At any time, one can check the Audit logs to get additional information on the actions performed by any participant in the process. On the screenshot below, the Audit logs for a review are shown, including the additional level of detail you can get by clicking one of the individual log entries:
Be warned that pressing the Delete button does not trigger any warning and will immediately purge the Access review object. The corresponding audit log entries will then have to be fetched via the API, as the UI will no longer display the deleted Access review.
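Because the audit trail outlives the deleted review object, a defender will typically pull it programmatically. The following Python sketch is an added example, not part of the original article: it builds a Microsoft Graph directoryAudits query and filters the returned records for access-review activity. The Graph endpoint and OData parameters are real; the sample records and the “Access Review” category/activity naming are constructed assumptions, since the article does not list the exact activity names.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlencode

# Real Microsoft Graph endpoint for Azure AD directory audit logs.
GRAPH_AUDIT_URL = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits"


def build_audit_query(days_back: int, now: Optional[datetime] = None) -> str:
    """Return a Graph URL listing audit events from the last `days_back` days.
    `$filter` on activityDateTime and `$orderby` are documented OData parameters."""
    now = now or datetime.now(timezone.utc)
    since = (now - timedelta(days=days_back)).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = {"$filter": f"activityDateTime ge {since}",
              "$orderby": "activityDateTime desc"}
    return f"{GRAPH_AUDIT_URL}?{urlencode(params)}"


def access_review_events(records, review_name: Optional[str] = None):
    """Keep records whose category or activity mentions access reviews (an assumed
    naming convention) and, optionally, that target the named review."""
    out = []
    for rec in records:
        text = f"{rec.get('category', '')} {rec.get('activityDisplayName', '')}".lower()
        if "access review" not in text:
            continue
        targets = [t.get("displayName", "") for t in rec.get("targetResources", [])]
        if review_name and review_name not in targets:
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        out.append({"time": rec["activityDateTime"], "activity": rec["activityDisplayName"],
                    "actor": actor, "result": rec.get("result", "unknown")})
    return out


# Constructed sample records: field names follow the directoryAudit resource, values are made up.
SAMPLE = [
    {"activityDateTime": "2017-10-02T09:15:00Z", "category": "Access Reviews",
     "activityDisplayName": "Delete access review", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "O365 Groups review"}]},
    {"activityDateTime": "2017-10-01T14:02:00Z", "category": "Access Reviews",
     "activityDisplayName": "Record deny decision", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "owner@contoso.example"}},
     "targetResources": [{"displayName": "O365 Groups review"}]},
    {"activityDateTime": "2017-10-01T08:00:00Z", "category": "GroupManagement",
     "activityDisplayName": "Add member to group", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "user@contoso.example"}},
     "targetResources": [{"displayName": "Marketing"}]},
]

if __name__ == "__main__":
    print(build_audit_query(30))
    for event in access_review_events(SAMPLE, "O365 Groups review"):
        print(event)
```

Replace SAMPLE with the `value` array of the Graph response (an access token with AuditLog.Read.All is needed for the live call) to run the same filter against real tenant data.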
While the Access reviews feature is fairly straightforward to use, there are several things you should consider. First and probably most important is the fact that this feature requires an Azure AD Premium P2 license. The license is required for every user that interacts with this feature, including the individual group members if you have decided that they should review their own access! While this might not be a problem for organizations that already have Azure AD P2 or the EMS E5 SKUs purchased, the price ($9 per user per month) is prohibitive if this is the only feature you want to use.
There are also some limitations to the feature. For example, dynamic groups or groups synced from on-premises AD are not supported with the Access review process. Nested group membership is also not supported. The one-to-one mapping between Access review controls and the resource (group or application) targeted for review is probably something Microsoft would want to address at some point, for example by providing a “bulk” option. Integration with features such as Actionable messages is another improvement that should be made in my opinion, as are granular delegation controls and the option to override results before applying them from the UI.
That being said, the feature is still in its infancy and additional functionality will certainly be added in the future. For example, we know that Microsoft is planning to provide PowerShell and Graph API support for Access reviews, to expand the process to cover the full lifecycle of Guest users (not just access to groups/apps), provide scheduling capabilities and more. Some bugs observed in the current implementation, such as the fact that application reviews don’t seem to recognize all “first-party” Azure AD apps, or the glitchy “Group owners” option for designating Reviewers, should be resolved once the feature reaches GA status.
The Azure AD Access reviews feature is an easy to use, user-centric feature that can help organizations to better manage access to Office 365 groups and applications. The feature is already available in Preview and for the most part works as advertised. However, I feel that the Azure AD Premium P2 license requirement can be prohibitive for many.
Microsoft has already announced plans to expand the feature to cover additional scenarios, such as the Guest user lifecycle, or Access reviews for Admin roles via the Privileged Identity Management feature (available in the Azure AD blade). One can easily see the same process applied to other parts of the service, so you should keep an eye on this.
Vasil has been actively involved with Office 365 for over four years now. He spent over a year as Support Engineer for Microsoft Online Services with one of Microsoft's vendors, working with BPOS and Office 365 customers. Switching sides, he later held support positions with several multinational enterprises, before finally moving to a consultant role. This varied experience allows him to have a unique perspective on the ins and outs of the Office 365 suite. He has closely followed the evolution of Microsoft's cloud offerings, starting with BPOS, with expertise covering all stages of the Office 365 lifecycle. He holds a charter member certification for Office 365 (MCITP and MCSA), and has been awarded Microsoft MVP for the second year in a row.