Checking Office 365 Group Membership with Azure AD Access Reviews

Office365 secure hero

External Guests for Office 365 Apps Make Reviews More Important

When tenants were self-contained and only people with tenant accounts could access information, it was easy to ignore group memberships. Now that Office 365 Groups, Planner, and Microsoft Teams support guest users, a more obvious need exists to review group memberships periodically. Letting people who have permissions to any resource keep their status just “because” is a bad idea. Permissions become stale when users have access they don’t need any more and stale permissions can lead to compromised information, an aspect of data governance that comes under increased focus due to regulations like the EU’s GDPR.

Finding Groups with Guests

To make sure that sensitive information is not exposed to people who do not need access, you can ask group owners to check the guest users in the groups that they manage and hope for the best. Alternatively, you can impose a more structured approach. In either case, you need to know what groups have guest members. To start the ball rolling, some PowerShell creates a report of groups that have guest users. For example:
Get-UnifiedGroup | Sort-Object GroupMemberCount -Descending | Format-Table -AutoSize DisplayName, GroupMemberCount, GroupExternalMemberCount, @{Name=”Tenant Users”; Expression = {$_.GroupMemberCount - $_.GroupExternalMemberCount}}

DisplayName                              GroupMemberCount GroupExternalMemberCount Tenant Users
-----------                              ---------------- ------------------------ ------------
Exchange's Grumpy Old Men                              62                       57            5
Office 365 Discussion                                  61                       55            6
Office 365 Experts                                     42                       41            1
Company Communications                                 28                        0           28
Teams that have external members show up in the report because their guests are in the group’s membership list. Knowing the groups that have external members, you can then ask each group owner to check that their guests should continue to have access. If you think the owners need more detail, this PowerShell code outputs a list of guests for each group:
$Groups = Get-UnifiedGroup -Filter {GroupExternalMemberCount -gt 0}

ForEach ($G in $Groups) 
  $Ext = Get-UnifiedGroupLinks -Identity $G.Identity -LinkType Members
  ForEach ($E in $Ext) {
     If ($E.Name -match "#EXT#")
        { Write-Host "Group " $G.DisplayName "includes guest user" $E.Name }
You can then enjoy the happiness of sending email to group owners to give them details about their guest users.

Azure AD Access Reviews for Groups

PowerShell is great at solving administrative problems for many parts of Office 365, but not everyone wants to build their own review system for group membership. Microsoft’s solution is Azure Active Directory Access Reviews, currently in preview. When released, the feature will be licensed as part of Azure Active Directory Premium P2 and bundled in the Enterprise Mobility and Security E5 suite. Access Reviews allow tenants to create policies to review access to groups and applications, including guest access. For Office 365 Groups, a policy can require members to review their own membership or have a “sponsor” (usually the group owner) do the job. In most cases, it is probably better to have an owner review membership. Reviews can be done for distribution and security groups, but because Office 365 Groups support external members, they are a more likely target.

Creating an Access Review

To create a new access review, go to Access Reviews in the Identity Governance section of the Azure portal and select New Access Review. You can now enter details of the review you want to create. Figure 1 shows what you might see for a group membership review. In this case, we opt to review guest users in a selected group with the review done by the group owner. By default, the review period is a month.
Access Review for Office 365 Group
Figure 1: Configuring an access review (image credit: Tony Redmond)
Notice that you can only select a single group to add to a review. I think this is a mistake as it seems obvious that you might want to apply the same access review to all groups in a tenant. However, Azure AD goes for granularity and forces the creation of a separate access review for each group. With the group selected, you can click Start to enforce the review.

Performing Reviews

If the option is selected, reviewers receive email notifications to prompt them into action. A link in the message brings them to the review screen (Figure 2), where they can approve, deny, or say “Don’t know” for each member. If the policy requires, they must enter a reason to support their decision.
Access Review for Group
Figure 2: Conducting a review (image credit: Tony Redmond)
By default, Azure AD sends a reminder half-way through the review period if the review is incomplete.

Actioning a Review

Reviewers can make recommendations during the review period. An administrator can also stop a review before the period elapses. At any time before or when a review finishes, the administrator can examine the review results (Figure 3).
Access Review by Admin
Figure 3: Reviewing the results of an access review (image credit: Tony Redmond)
Although they can see the recommendations, an administrator cannot change them. If they disagree with a reviewer, the administrator can disregard the review (delete it or never apply the recommendations). They can then go ahead and update group membership as they wish using the portal, Office 365 Admin Center, or PowerShell. Alternatively, the administrator can reset the review to effectively nullify the recommendations of the reviewer and force them to restart. To action the results of a review, the administrator goes back to the Overview screen and clicks Apply. It is only then that Azure AD updates group membership. Approved members stay as before, denied members lose membership, and deep thinking is done about those in the “Don’t know” category. You can create access reviews for dynamic groups or groups that belong to an on-premises organization. However, Azure AD cannot apply changes to these groups. Instead, you must update the query to change a dynamic group’s membership or go to the on-premises organization to make whatever changes are necessary there.

The Problem with Reviews

In general, Azure AD access reviews work as documented. However, any tenant that wants to use access reviews to control external access to Office 365 Groups or Microsoft Teams faces the challenge of having to create individual access reviews for each group that has guest members. My small tenant has 129 Office 365 Groups, 65 of which have guest members. The prospect of creating individual reviews for each group is not attractive. Access reviews is a preview feature and it is possible that Microsoft will include the ability to have a single review span multiple groups in the released version. If that happens, I can see real value in the feature, especially for tenants that make extensive use of external access to Groups and Teams. Follow Tony on Twitter @12Knocksinna. Related Article: