Last Update: Nov 19, 2024 | Published: Nov 18, 2021
In this article, I’m going to show you how to audit security in Microsoft 365 with Access Reviews in Azure Active Directory (AAD). I’ll show you how to set up and run Access Reviews from the Azure management portal and using the Microsoft Graph and PowerShell.
Azure Active Directory enables core collaboration with users both inside and outside the organization. Users can join groups, teams, invite guests, connect to specific cloud applications, use work or personal devices, and work anywhere. It is straightforward to allow anyone to be part of the organization and work within the Microsoft 365 tenant. However, the downside to this is the assignment of correct permissions and managing them when they need revoking or modifying.
Luckily Microsoft 365, and specifically Azure Active Directory, provides the ability to review assigned permissions. The best part of this is that it is not down to the IT Administrators to confirm the access is correct; it can be done directly by the specified user or a manager of the resource’s owner. The feature is called “Access Reviews” and it is part of the overall “Identity Governance” features of Microsoft 365.
Access reviews require the Azure Active Directory Premium Plan 2 license, though not for everyone. The directory needs at least as many Azure Active Directory Premium Plan 2 licenses as the number of employees set as reviewers, performing self-reviews, are a group owner performing an access review, or are application owners conducting an access review.
When assigning guests as reviewers, having them complete a self-review for themselves, or conducting an access review for groups or applications owned, they require Azure Active Directory Premium Plan 2 licenses. For users assigned to the Global Administrator or User Administrator roles, licenses do not need assigning.
To begin an Access review, you must be assigned one of the following roles:
To get started, navigate to the Access review management portal, which you find within any Microsoft 365 administrative center, but within the Azure administrative portal.
Within “Access reviews,” click the “Access reviews” link. You may need to wait a few seconds or longer while it tries to load any existing reviews.
Once any existing access reviews load, you can then click “New access review.” The first task is to define the type of access review from the dropdown options.
The “Teams and Groups” option focuses on security groups and Microsoft 365 groups and teams membership. The “Application” option targets the assigned users for the specified applications, including guest users.
Within the “Teams and Groups” option, you can select either “All Microsoft 365 groups with guest users” or “Select Teams and groups.”
The “All Microsoft 365 groups with guest users” option allows the creation of periodic reviews on all guest users across all your Microsoft Teams and Microsoft 365 groups in your organization. The “Select teams and groups” option allows a finite set of teams or groups to perform reviews. Using the “Select teams and groups” option, you choose the groups to review directly from Azure Active Directory. Lastly, you specify to check guest users or all users.
With the groups or applications selected, now you determine who will perform the access review.
Within the access review, we selected “Leadership,” which has three core owners within the tenant. If required, you can choose the “Group Owners“; however, the selected other group is a distribution group that does not have an owner. In that case, you can specify who will perform the access review.
After selecting the chosen reviews, you then set the duration for completion and reoccurrence of the evaluation. The recommendation for this comes down to the existing processes you have in place. However, I suggest that quarterly access reviews.
The goal of the access review is to adjust as required the existing permissions. The final part of the access review setup is to choose whether to automatically apply the adjustments, modify if no one responds, or notify a different user that the access review period has ended.
Once created, the new access review ware listed within the “Access reviews” page.
The reviews assigned to the access review receive an email notifying them of the access review once the status of the review is set to “Active.”
Clicking the “Start review” link within the email takes the reviewer to the “https://myaccess.microsoft.com” site, where they can then approve or deny access for users as needed.
The review selects the chosen account and determines if the account still requires access and either approves or denies the access. The reviewer may also click the “Accept recommendations” button, setting the accounts to the recommended action displayed next to each account.
Each account must be reviewed and assigned a status. Multiple reviewers can assist, allowing others to make decisions for specific accounts as needed. When choosing to approve or deny, justification details are required, allowing the review to explain their decision. As with all Microsoft 365 and Azure features, any actions and decisions get logged for historical review and auditing.
The Access review can be modified as required to add more reviewers, adjust the dates, the reoccurrence schedule, and remove items such as the need for justification.
Access reviews are not just for checking memberships of groups or permissions for applications. Though fundamentally that is why they exist, you can use them for group and permission management. For example, if you use conditional access policies with inclusion or exclusion groups, access reviews are ideal for managing the users within those groups. You may also be controlling specifics around legacy authentication or license assignment, all of which are ideal candidates for periodic access reviews.
The most common need is to control external users or guests within the Microsoft 365 Tenant and Azure Active Directory.
If you want to review the same security groups chosen previously for external guests, you can modify the existing access review or create a new one. The only change required is to select the “Guest users only” option instead of all users or specific users.
The subsequent adjustment determines the guest users that get set to “deny” by the reviewer.
Once the access review is active, the reviewer, as before, receives an email to start the review process. When entering the access review, this time around, only the external guests are visible for review.
The completion process is the same for all access reviews, no matter if reviewing internal or external users.
Lastly, to ensure access review meets the organizational security requirement, you can create reports. The report creation page is available within the “Access reviews” navigation.
The report can take some time to generate but once available, it can be downloaded and stored as part of your organizational audit reports.
As you can see, access review plays a big part in security management within Microsoft 365 and Azure Active Directory. Issuing regular access reviews to specific teams, users, or group owners will ensure security is controlled and managed better and by those that know the reasons for using it that way. To learn more about Access reviews, you can read more details within the Microsoft documentation.
When managing Access reviews, the most common way is to utilize the administration interface provided within Azure. The wizard interface is fantastic and does a great job of stepping you through what is required and when. However, sometimes these interfaces update, move settings around, or even remove them. To mitigate this, Microsoft also provides PowerShell commands for nearly all features within Microsoft 365, including Access reviews.
The Microsoft Graph PowerShell SDK is a core set of commands made available for many of the administration functions for Microsoft 365. These commands directly call the Microsoft Graph API, which connects all services within Microsoft 365 together.
There is a core set of commands available specifically for access reviews within the Graph PowerShell SDK.
New-MgAccessReview
Get-MgAccessReview
Stop-MgAccessReview
Remove-MgAccessReview
Update-MgAccessReview
More commands cover Access review decisions, instances, reviewers, and Reminders. Each command requires specific properties and expects certain formats for the required properties.
To get started, you must first install and import the required PowerShell module. You use the standard PowerShell “Install-Module” and “Import-Module” commands.
Install-Module Microsoft.Graph Select-MgProfile -Name "beta" Import-Module Microsoft.Graph
Next, you need to connect to the Graph using the required scopes (permissions) to manage access reviews. The required permissions are:
AccessReview.Read.All
Allows the app to read the information on access reviews, reviewers, decisions, and settings that you have access to.
AccessReview.ReadWrite.All
Allows the app to read, update and perform the action on access reviews, reviewers, decisions, and settings that you have access to.
AccessReview.ReadWrite.Membership
Allows the app to read, update and perform the action on access reviews, reviewers, decisions, and settings that you have access to.
When connecting using the permissions, use the command “Connect-MgGraph” with the required scopes.
$scopes = @( "Group.Read.All" "User.Read.All" "AccessReview.Read.All" "AccessReview.ReadWrite.All" "AccessReview.ReadWrite.Membership" ) Connect-MgGraph -Scopes $scopes
Complete the credential validation as required, then consent to the permissions.
To test the connection works, execute the “Get-MgBusinessFlowTemplate” command. It should complete successfully and return the access review templates available within Microsoft 365.
Now we have a connection, we can construct the commands we need to review existing access reviews and create new ones.
Access reviews are directly associated with business flow templates. To retrieve an existing access review, you must either know the direct identifier for the access review or find it by using the business flow template-id and then using the access review id to retrieve it.
After executing the command “Get-MgBusinessFlowTemplate,” you can copy the required template-id and use that within a filter property of the “Get-MgAccessReview” command.
# Filtering Access Reviews by Template ID $accessreview = Get-MgAccessReview -Filter "businessFlowTemplateId eq '6e4f3d20-c5c3-407f-9695-8460952bcc68'" # Retrieving by Access Review ID $accessreview = Get-MgAccessReview -AccessReviewId ce685ead-402c-4ca9-b135-8324b012acff
Using the retrieved “$accessreview” variable, you can now view all the properties that make up the access review.
$accessreview | Select-Object *
$accessreview | Select-Object -ExpandProperty Settings | Format-List
You can easily traverse the properties, expanding as needed to view the specific property values and formats.
To update an existing access review, you must first retrieve it using the standard approaches. The Graph PowerShell provides the “Update-MgAccessReview” command for the very purpose.
To help understand the format of the required properties, we can use the “Invoke-MgGraphRequest” command with a direct Microsoft Graph call to the specific access review.
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/accessReviews/644de7e2-0156-49f4-a1dc-a0a67e6c6f78"
You can also execute the same query within the Graph Explorer tool, which returns an easy-to-read JSON for each property returned.
Luckily the command doesn’t require everything to be JSON as the properties are part of the command. If you want to pass it all as a JSON object, you can use either the “AdditionalProperties” or “BodyParameter.”
Updating the existing access review settings modifying the properties: “AccessRecommendationsEnabled“, “ActivityDurationInDays“, “AutoReviewEnabled“, “JustificationRequiredOnApproval“, and “RecurrenceSettings” is done by populating the “Settings” parameter with an object containing the key value pairs.
$body = @{ "@odata.context" = "https://graph.microsoft.com/beta/$metadata#accessReviews/$entity" "settings" = @{ "mailNotificationsEnabled" = "true" "remindersEnabled" = "true" "justificationRequiredOnApproval" = "true" "autoReviewEnabled" = "true" "activityDurationInDays" = 30 "autoApplyReviewResultsEnabled" = "true" "accessRecommendationsEnabled" = "true" "recurrenceSettings" = @{ "recurrenceType" = "monthly" "recurrenceEndType" = "occurrences" "durationInDays" = 7 "recurrenceCount" = 21 } "autoReviewSettings" = @{ "notReviewedResult" = "Deny" } } "reviewedEntity" = @{ "id" = "f4b638c4-750f-49a1-bed7-a884448b3fb3" "displayName" = "Leadership" } } $accessreviewid = "ce685ead-402c-4ca9-b135-8324b012acff" Update-MgAccessReview -AccessReviewId $accessreviewid -Settings $body.settings
Creating a new access review requires specific properties such as string values and using object types. The “New-MgAccessReview” command supports the use of hashtables, string values, date-times, and strongly typed objects such as IMicrosoftGraphUserIdentity, IMicrosoftGraphAccessReviewDecision, IMicrosoftGraphAccessReview, IMicrosoftGraphIdentity, IMicrosoftGraphAccessReviewReviewer, and IMicrosoftGraphAccessReviewSettings.
The format of the JSON structure to use for creating access reviews is usable for both the “New-MgAccessReview” and the “Invoke-MgGraphRequest” commands.
$body = @{ "displayName" = "PowerShell Leadership Access Review" "startDateTime" = "2021-11-10T10:30:00.000Z" "endDateTime" = "2025-11-10T10:30:00.000Z" "reviewerType" = "delegated" "description" = "PowerShell Leadership Access Review" "businessFlowTemplateId" = "6e4f3d20-c5c3-407f-9695-8460952bcc68" "createdBy" = @{ "id" = "8d32fa65-361a-4aef-9716-60b44082eaab" "displayName" = "Microsoft CDX" "userPrincipalName" = "[email protected]" "mail" = "[email protected]" } "settings" = @{ "mailNotificationsEnabled" = "true" "remindersEnabled" = "true" "justificationRequiredOnApproval" = "true" "autoReviewEnabled" = "true" "activityDurationInDays" = 30 "autoApplyReviewResultsEnabled" = "true" "accessRecommendationsEnabled" = "true" "recurrenceSettings" = @{ "recurrenceType" = "quarterly" "recurrenceEndType" = "occurrences" "durationInDays" = 5 "recurrenceCount" = 14 } "autoReviewSettings" = @{ "notReviewedResult" = "Deny" } } "reviewedEntity" = @{ "id" = "419b8be8-c615-4191-81e2-bed087f284b9" "displayName" = "Executives" } }
Using the “New-MgAccessReview” values, you can construct the creation command.
$params = @{ BusinessFlowTemplateId = $body.businessFlowTemplateId Description = $body.description DisplayName = $body.displayName StartDateTime = $body.startDateTime EndDateTime = $body.endDateTime ReviewedEntity = $body.reviewedEntity ReviewerType = $body.reviewerType Settings = $body.settings } New-MgAccessReview @params
You can also create the access review using the “Invoke-MgGraphRequest” and pass in the entire “body” object.
Invoke-MgGraphRequest ` -Method POST ` -Uri "https://graph.microsoft.com/beta/accessReviews" ` -Body $body
Creating access reviews comes down to structuring the properties correctly and then using either option. The advantage to using PowerShell to manage them is being able to script once and then repeat as needed, either in the same or multiple Microsoft 365 tenants.