Learn More About Azure Active Directory Reviews

Safeguard Your Network With Azure Active Directory Reviews

If you don’t know about or haven’t ever used Azure Active Directory reviews, you should. These reviews are a cyber security tool to ensure that only those who’ve been given access to your network can get on it – and those without access are kept out.

Your internal IT team or your managed service provider (MSP) should complete Azure Active Directory reviews on a regular basis as part of your overall cyber security plan.

What Is Azure Active Directory (AD)?

Azure Active Directory (AD) manages group memberships, which control access to your applications such as Teams, SharePoint, Yammer and more, as well as role assignments. With Azure AD, collaboration with users from both inside and outside your organization is easy. Users can join groups, invite guests, connect to cloud apps and work remotely from their work or personal devices.

Why Are These Reviews So Important?

AD allows your team to share and collaborate easily with people both inside and outside your organization. These reviews are the best way to ensure each user has access to everything they need — and nothing they don’t. Consider the many operational changes that could affect which areas of the network a user should have access to:

  • You hire a new employee or an existing employee changes positions or roles.
  • Someone leaves the company.
  • An outside resource you once needed for a project is no longer actively working on it.
  • A group or department is taking on a new purpose or task.

Periodic reviews ensure that the appropriate changes to your Active Directory permissions have been made as a result of these and other changes. If they haven’t been, the review lets you correct the issue before it leads to a data compromise.

AD Roles Impact Access Reviewers

Review decisions are gathered from group owners and administrators, who determine which users should have permissions in their areas. Azure Active Directory has more than 80 built-in roles. Some of them are:

  • AD global administrator, who has all administrative permissions in Azure AD, can assign roles to other users and can reset the password for any user. The user who signs up for the Azure AD tenant is the default global administrator.
  • AD user administrator, who manages all users, groups and support tickets and can also reset passwords for other user admins, helpdesk administrators and users.
  • AD billing administrator, who manages purchases, subscriptions and support tickets.
  • AD application administrator, who creates and manages app registrations and enterprise applications.
  • AD compliance administrator, who manages compliance configurations and reports.
  • AD Teams administrator, who manages the Teams service and configurations.

The full list of Azure AD roles can be found in Microsoft’s documentation on administrator role permissions in Azure Active Directory. Azure AD also supports group-level and guest permissions and restrictions.

Limit Admin Permissions

One sign that the time has arrived for an Azure Active Directory review is when there is a high number of users with admin roles. The threshold for what is too many will vary from business to business, but it should be a small percentage of your overall team. If it looks like there are too many users who have admin privileges, find out:

  • How many are global admins?
  • How many are user admins?
  • How many are guests?

Remove access from anyone who no longer needs it or should never have had it in the first place, just as you would for former employees of your business.
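The three questions above can be answered from the directory itself. The following script is an added example, not code from the original post, and uses the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph modules are installed and the signed-in account can read directory roles and users.

```powershell
# Added example: count the accounts in the roles the article asks about, plus guests.
# Assumes the Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Users
# modules are installed; Directory.Read.All covers reading roles, members and users.
Connect-MgGraph -Scopes "Directory.Read.All"

# Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# which is what we want: a role nobody has ever been assigned does not appear.
$rolesOfInterest = @("Global Administrator", "User Administrator")
$roles = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -in $rolesOfInterest }

$report = foreach ($role in $roles) {
    # Members can be users, groups or service principals; report each kind separately
    # so a group nested in Global Administrator is not mistaken for a single person.
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
    $byType  = $members | Group-Object { $_.AdditionalProperties['@odata.type'] } -AsHashTable -AsString
    [pscustomobject]@{
        Role              = $role.DisplayName
        Users             = @($byType['#microsoft.graph.user']).Count
        Groups            = @($byType['#microsoft.graph.group']).Count
        ServicePrincipals = @($byType['#microsoft.graph.servicePrincipal']).Count
    }
}

# Guests are a user type, not a role, so they are counted with a userType filter.
$guestCount = @(Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id).Count
$totalUsers = @(Get-MgUser -All -Property Id).Count

$report | Format-Table -AutoSize
"Guests: $guestCount of $totalUsers user accounts"
```

Only permanent (active) role assignments appear as role members; accounts that are merely eligible for a role through Privileged Identity Management are not counted here.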

When to Conduct an Azure AD Access Review

You can trigger an access review at any time within Azure AD for some or all of your users and roles: for a single group, for a team, or for each member to verify that they still need the access they currently have (a self-review). You can also have all group administrators review the users and guests within their groups. You might also want to run AD access reviews to verify:

  • Group access rights.
  • Privileged role access.
  • New groups/new admins.
  • Business-critical data access.
  • Policy exceptions.
  • Security group members.
  • Office group members.
  • Teams channels.
  • Self-review.
  • Guest user access rights.
  • Default user access rights.
  • Azure resource roles.
  • Compliance (group owners confirm that the guests and owners in their groups are still needed).
  • Automated reviews that recur periodically (weekly, monthly, quarterly, yearly).

What Is the AD Review Process?

Start a review by visiting the “Identity Governance” page in the Azure portal.

  • Click Access reviews in the left menu.
  • Click New access review.
  • Select the resource you want to review.

There is a great deal of granularity in determining the scope and subject of each review.

Once you have set these parameters, an email is sent to the appropriate reviewers (based on Azure AD roles and group/area ownership) according to the recurrence schedule you set for the review.

For example, if you are the owner of a Teams group, you would receive an email each quarter with a list of all the members of your Teams group, prompting you to deny access to anyone who no longer needs it.

If no reply is received, all members remain approved; when you reply with certain users marked as no longer needing access, their permissions for your group are removed.
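The same quarterly, owner-reviewed review can be created without the portal. The script below is an added example, not code from the original post; it uses the Microsoft Graph PowerShell SDK, assumes the Microsoft.Graph.Identity.Governance module is installed, and the group ID is a placeholder to be replaced with the object ID of the group being reviewed.

```powershell
# Added example: create the quarterly membership review described above.
# Assumes the Microsoft.Graph.Identity.Governance module is installed; the group ID
# is a placeholder, not a real group.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder object ID

$params = @{
    displayName             = "Quarterly membership review"
    descriptionForAdmins    = "Group owners confirm each member still needs access."
    descriptionForReviewers = "Deny anyone who no longer needs access to this group."
    # What is reviewed: every member of the group, including members of nested groups.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    # Who reviews: the group's owners, as in the Teams example above.
    reviewers = @(
        @{
            query     = "/groups/$groupId/owners"
            queryType = "MicrosoftGraph"
        }
    )
    settings = @{
        mailNotificationsEnabled        = $true    # reviewers receive the email
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $false
        recommendationsEnabled          = $true    # suggests Deny for inactive accounts
        instanceDurationInDays          = 14       # reviewers have two weeks to respond
        # No reply means no change: members stay approved, as the article describes.
        defaultDecisionEnabled          = $false
        defaultDecision                 = "None"
        # Denied members are removed automatically when each review instance closes.
        autoApplyDecisionsEnabled       = $true
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
```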

Use Your MSP to Get Expert Help With Azure Active Directory Reviews

Azure Active Directory is a complex tool for which you might need some help. While it can be a bit complicated to set up, AD reviews are a critical component of your business security. When people only have access to the areas they need and that access is kept up to date, there is less room for mistakes or malicious behavior to compromise your network.

As your managed service provider, Aeko Technologies can help set up your Azure AD reviews and train your team on how to make the most of them. Contact us or book a meeting for a quick consultation.

Are you aware of the most common cyberattack methods?

Did you know there are over 3.4 billion phishing emails sent every day? Phishing and other cybercriminal behavior are a lot more common than you’d think.

Our free “Phishing, Smishing, Vishing, Pharming? A Cyberattacks Guide” will inform you about cyberattack methods and give you the latest in data security tips. 

Brian Rodgers

Before Brian founded Aeko in 2016, he oversaw large teams as an IT executive within the oil and gas industry, leading the technology infrastructure that helped that company grow to an S&P 500 company. He is passionate about bringing those same strategies to small and midsize businesses, enabling them to scale their services and adapt more quickly to market changes.