Identity Governance (part 3 of 6)
To read part 1, please click here
To read part 2, please click here
To read part 4, please click here
To read part 5, please click here
To read part 6, please click here
Azure AD Access Reviews
It readily helps the organizations to efficiently manage group memberships, access to enterprise applications as well as privileged role assignments, while also allowing to perform following tasks for Microsoft 365 Security and Compliance admins and User Accounts admins:
- Guest user access can be evaluated by simply reviewing their access to applications and memberships while the insights provided helps the reviewers to efficiently decide if the guest's access should be continued or not.
- Employee access to applications as well as group memberships can be evaluated with access reviews.
- Relevant access review controls into programs can be collected to track reviews for compliance or risk-sensitive applications.
- The role assignment of administrative users who are assigned to Azure AD roles like Global Administrator or Azure subscription roles can also be evaluated. This capability is included in Azure AD Privileged Identity Management.
When to use Access Reviews?
- Too many users in privileged roles- You should regularly check the number users with administrative access, how many of them are Global Administrators, and if anyone of them are invited guests or partners that have not been removed after been assigned to do an administrative task. The recertification of the role assignment users can be done in Azure AD like Global Administrators, or Azure resources roles such as User Access Administrator in the Azure AD Privileged Identity Management (PIM) experience.
- When automation is infeasible- Although rules for dynamic memberships can be created on security groups or Office 365 Groups, but, if the HR data is not present in Azure AD or if the users still need access even after leaving the group to train their replacement, then, you can create a review on that group to ensure that those who still need access should have continued access.
- When a group is used for a new purpose- If there is a group that needed to be synced to Azure AD or if you want to enable the application Salesforce for everyone in the Sales team group, then, you should ask the group owner to review the group membership before the group being used in a different risk content.
- Business critical data access- You might have to ask the people outside of IT to regularly sign out and provide a justification on requiring an access for auditing purposes for certain resources.
- To maintain a policy's exception list- Ideally, all users should follow the access policies to secure access to your organization's resources, but sometimes you have to make exceptions for certain business cases. You can easily manage this task as an IT admin by avoiding oversight of policy exceptions, and providing the auditors with proof that these exceptions are being reviewed regularly.
- Ask group owners to confirm they still need guests in their groups- Employee access may be automated for some on-premises IAMs but not for invited guests. However, if a group grants access to some business sensitive content, then it's the responsibility of the owner to confirm that the guests still have a legitimate business need for access.
- Have reviews recur periodically- Recurring access reviews of the users can done at set frequencies like weekly, monthly, quarterly, or annually, and the reviewers will be notified at the start of each review. Reviewers can obviously approve or deny access with a friendly interface and with the help of smart recommendations.
Where to create access reviews
According to your need in a review, you can create your access review in one of the following:
- Azure AD access reviews
- Azure AD enterprise apps
- Azure AD Privileged Identity Management
To read part 1, please click here
To read part 2, please click here
To read part 4, please click here
To read part 5, please click here
To read part 6, please click here
Thank you for sharing wonderful information with us to get some idea about that content.
ReplyDeleteBest AWS Training Online
Aws Devops Training Online