Working with access reviews – Planning and Implementing Secure Access
Access reviews are tools that help organizations track the resource access life cycle. Some of the features of access reviews include the following:
- Performing ad hoc or scheduled reviews to evaluate who has access to resources (such as applications, teams, or groups)
- Tracking reviews
- Delegating reviews to other individuals, including end users who can self-attest that they still need access
- Automating review outcomes, such as removing users from groups or teams
Access reviews operate in a cycle, as shown in Figure 8.18:
Figure 8.18 – The access reviews cycle
As you’ve already seen, access reviews can be built into an access package. They can also be used as standalone tools.
Let’s take a look at how we can plan an access review.
Planning access reviews
When planning out your access review strategy, you need to decide what it is you’re going to review – such as Microsoft 365 Groups, Teams, or applications.
Exam tip
There are some caveats when selecting groups to review: you can’t choose dynamic groups or role-assignable groups as targets of an access review.
Depending on the type of review (teams, groups, or applications), you'll also need to determine who the reviewers will be.
For groups, the potential options are as follows:
- Group owner(s)
- Selected user(s) or group(s)
- Users review their own access
- Managers of users
Applications have similar options for reviewing:
- Selected user(s) or group(s)
- Users review their own access
- Managers of users
You can choose to configure single or multi-stage reviews to help ensure individuals with the appropriate level of responsibility or authority are signing off on an access decision.
Another important factor when designing an access review strategy is specifying the recurrence. Your organization may have security or regulatory compliance requirements, or other business needs, that dictate how often reviews should occur. You can specify a recurrence of One time, Weekly, Monthly, Quarterly, Semi-annually, or Annually, as well as start dates and ending parameters (Never, End on a specific date, or End after a number of occurrences).
Finally, you need to plan for how you will handle exceptions, default actions, and notifications:
Figure 8.19 – New access review settings
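The planning decisions above (target group, reviewers, recurrence, ending, and default action) can be written down as data and checked before anything is configured. The following Python is an added example, not code from the book or from Microsoft: it builds a review definition shaped like the Microsoft Graph accessReviewScheduleDefinition resource and rejects the group types named in the exam tip. The function names, reviewer option keywords, and sample groups are hypothetical, and treating a one-time review as a definition with no recurrence is an assumption.

```python
GRAPH = {"queryType": "MicrosoftGraph"}
# Planning-text recurrence -> (pattern type, interval). Assumes Graph allows only these two types.
RECURRENCE = {"Weekly": ("weekly", 1), "Monthly": ("absoluteMonthly", 1),
              "Quarterly": ("absoluteMonthly", 3), "Semi-annually": ("absoluteMonthly", 6),
              "Annually": ("absoluteMonthly", 12)}

def check_group_eligible(group):
    """Enforce the exam-tip caveat: no dynamic or role-assignable groups."""
    if "DynamicMembership" in group.get("groupTypes", []):
        raise ValueError(f"{group['displayName']}: dynamic groups cannot be reviewed")
    if group.get("isAssignableToRole"):
        raise ValueError(f"{group['displayName']}: role-assignable groups cannot be reviewed")

def reviewer_scopes(option, group_id, reviewer_ids=()):
    """Map a reviewer choice for a group review to Graph reviewer queries."""
    if option == "owners":
        return [{"query": f"/groups/{group_id}/owners", **GRAPH}]
    if option == "selected" and reviewer_ids:
        return [{"query": f"/users/{uid}", **GRAPH} for uid in reviewer_ids]
    if option == "managers":
        return [{"query": "./manager", "queryRoot": "decisions", **GRAPH}]
    if option == "self":
        return []  # empty list: each user reviews their own access
    raise ValueError(f"unsupported reviewer option: {option!r}")

def build_recurrence(name, start, end=None, occurrences=None):
    """Recurring schedules only; the ending is Never, a date, or a count."""
    ptype, interval = RECURRENCE[name]
    rng = {"type": "noEnd", "startDate": start.isoformat()}
    if end is not None:
        rng.update(type="endDate", endDate=end.isoformat())
    elif occurrences is not None:
        rng.update(type="numbered", numberOfOccurrences=occurrences)
    return {"pattern": {"type": ptype, "interval": interval}, "range": rng}

def build_definition(group, reviewers, recurrence, default_decision="Deny", days=14):
    """Assemble the definition; default_decision applies when reviewers do not respond."""
    check_group_eligible(group)
    settings = {"instanceDurationInDays": days, "mailNotificationsEnabled": True,
                "defaultDecisionEnabled": True, "defaultDecision": default_decision,
                "autoApplyDecisionsEnabled": True}
    if recurrence is not None:  # assumption: one-time review = no recurrence sent
        settings["recurrence"] = recurrence
    return {"displayName": f"Access review: {group['displayName']}", "reviewers": reviewers,
            "settings": settings,
            "scope": {"query": f"/groups/{group['id']}/transitiveMembers", **GRAPH}}

# Constructed sample groups (not real tenant objects); the second one is ineligible.
TEAM = {"id": "g-1", "displayName": "Finance Team", "groupTypes": ["Unified"]}
DYNAMIC = {"id": "g-2", "displayName": "All Contractors", "groupTypes": ["DynamicMembership"]}
```

Running the eligibility check at planning time surfaces dynamic and role-assignable groups before a review owner is assigned to them.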
With those settings in mind, let’s create an access review!