WEBVTT

0:00:03.060000 --> 0:00:10.080000
In this video, we're going to take a look at the Azure AD Access Review.

0:00:10.080000 --> 0:00:17.340000
The topics that we're going to cover are the basic concepts of Azure Access

0:00:17.340000 --> 0:00:21.360000
Reviews, what they are, and then we'll take a look at actually implementing

0:00:21.360000 --> 0:00:24.940000
Azure AD Access Reviews.

0:00:24.940000 --> 0:00:28.740000
Let's start out talking about some of the concepts.

0:00:28.740000 --> 0:00:31.460000
What is an Access Review?

0:00:31.460000 --> 0:00:34.540000
The Access Review is exactly what it sounds like.

0:00:34.540000 --> 0:00:39.420000
It is designed to review access levels of your users.

0:00:39.420000 --> 0:00:45.480000
And the idea is that you want to be able to recertify, make sure that

0:00:45.480000 --> 0:00:48.700000
the people that have these rights should have these rights.

0:00:48.700000 --> 0:00:53.760000
You can positively attest to the fact that folks have the rights that

0:00:53.760000 --> 0:00:55.680000
they should. And it's also a way to audit.

0:00:55.680000 --> 0:00:57.900000
Now, why have this?

0:00:57.900000 --> 0:00:59.500000
What is this when it comes down to it?

0:00:59.500000 --> 0:01:03.340000
Well, think about pretty much any organization, particularly any large

0:01:03.340000 --> 0:01:08.320000
organization. You have people that are changing their job roles within

0:01:08.320000 --> 0:01:11.660000
the organization, moving from one department to another, moving from a

0:01:11.660000 --> 0:01:13.460000
position to another.

0:01:13.460000 --> 0:01:16.760000
You have people who are moving out of the company.

0:01:16.760000 --> 0:01:19.200000
You may have people who are temporary.

0:01:19.200000 --> 0:01:23.880000
There's a lot of change oftentimes in terms of what level of access people

0:01:23.880000 --> 0:01:30.480000
need. If somebody is a project manager in the IT environment that's responsible

0:01:30.480000 --> 0:01:34.840000
for the administration of your Azure resources and that person gets moved

0:01:34.840000 --> 0:01:38.740000
to finance, you probably are going to have different responsibilities.

0:01:38.740000 --> 0:01:43.260000
And therefore, it should have different access to your resources.

0:01:43.260000 --> 0:01:44.380000
And that's really what this is about.

0:01:44.380000 --> 0:01:47.580000
It gives you the ability to do these things with your users.

0:01:47.580000 --> 0:01:49.100000
Now, how does this apply?

0:01:49.100000 --> 0:01:51.340000
I can audit effectively.

0:01:51.340000 --> 0:01:55.760000
I can review these different types of objects right now.

0:01:55.760000 --> 0:02:01.580000
I've got office groups, so that would be Office 365 groups, Azure AD groups,

0:02:01.580000 --> 0:02:07.880000
app access, Azure AD roles, and Azure RBAC roles.

0:02:07.880000 --> 0:02:13.080000
So roles within Azure AD such as global administrator, or I can also audit

0:02:13.080000 --> 0:02:20.080000
RBAC roles in an Azure subscription such as owner or contributor, etc.

0:02:20.080000 --> 0:02:23.940000
That's what it does and that's where it does it.

0:02:23.940000 --> 0:02:29.420000
And you have the ability to approve or deny continued access.

0:02:29.420000 --> 0:02:32.540000
This is going to run, it's going to analyze the users and you can do this

0:02:32.540000 --> 0:02:35.460000
periodically. You can do it over a stretch of time.

0:02:35.460000 --> 0:02:38.240000
Who's in a particular group, for example?

0:02:38.240000 --> 0:02:41.920000
And you have the ability to say, okay, yeah, those are all good.

0:02:41.920000 --> 0:02:43.040000
Let's go ahead and keep those in.

0:02:43.040000 --> 0:02:45.580000
Or maybe some of these people really don't need to be here anymore.

0:02:45.580000 --> 0:02:49.560000
And there's a pretty robust process for that.

0:02:49.560000 --> 0:02:52.360000
And part of that process is having reviewers.

0:02:52.360000 --> 0:02:55.340000
The system is going to go out, Azure AD, the access reviewer is going

0:02:55.340000 --> 0:02:59.920000
to be generated, and it's going to identify the folks that are in a particular

0:02:59.920000 --> 0:03:01.900000
group or have a particular role.

0:03:01.900000 --> 0:03:06.600000
And then somebody needs to review that and you need to get eyes on that.

0:03:06.600000 --> 0:03:08.340000
And you have options for that.

0:03:08.340000 --> 0:03:12.580000
You can have group owners that are going to review this.

0:03:12.580000 --> 0:03:13.760000
You can have group members.

0:03:13.760000 --> 0:03:18.720000
You can specify individual accounts or you can let people review their

0:03:18.720000 --> 0:03:22.980000
own. So if you really want to open this up, there are some caveats to

0:03:22.980000 --> 0:03:29.800000
that. You have the option of really generating a one-off review, a one-

0:03:29.800000 --> 0:03:32.720000
time review, or you can set up a recurring schedule.

0:03:32.720000 --> 0:03:36.340000
Maybe this is a monthly thing or a bi-monthly thing, semi-monthly, whatever

0:03:36.340000 --> 0:03:42.020000
it is that you need, so make sure that you are maintaining compliance

0:03:42.020000 --> 0:03:45.520000
with whatever your security rules and regulations are.

0:03:45.520000 --> 0:03:51.200000
One thing to note is that there is a licensing requirement for this.

0:03:51.200000 --> 0:03:55.360000
In order to use this, you have to have either the Enterprise Mobility

0:03:55.360000 --> 0:04:00.520000
and Security E5 or you have to have Azure AD Premium P2.

0:04:00.520000 --> 0:04:06.460000
However, you don't have to have this for every account that you review.

0:04:06.460000 --> 0:04:10.660000
You only need these licenses for this particular functionality.

0:04:10.660000 --> 0:04:14.400000
You only need these licenses for the reviewers.

0:04:14.400000 --> 0:04:21.220000
So you might have 5,000 users in groups, all local, but maybe you only

0:04:21.220000 --> 0:04:22.840000
have five reviewers.

0:04:22.840000 --> 0:04:23.480000
And that's fine.

0:04:23.480000 --> 0:04:25.960000
You would need licenses just for those reviewers.

0:04:25.960000 --> 0:04:31.360000
So that is the idea behind the access review.

0:04:31.360000 --> 0:04:33.180000
And this is another one of those concepts.

0:04:33.180000 --> 0:04:35.220000
It's really a pretty straightforward concept.

0:04:35.220000 --> 0:04:38.420000
So let's take a look at how you would implement this.

0:04:38.420000 --> 0:04:43.400000
I'm going to show you a couple of different options here.

0:04:43.400000 --> 0:04:48.360000
Well, actually there's a few different options for finding your access

0:04:48.360000 --> 0:04:50.420000
reviews, but there's one thing you have to do first.

0:04:50.420000 --> 0:04:52.800000
I have already done it, but I do want to show you.

0:04:52.800000 --> 0:04:56.400000
And I will tell you there's, right now at the time of this recording,

0:04:56.400000 --> 0:04:59.920000
there's a little bit of a glitch because it appears I can do, or I can

0:04:59.920000 --> 0:05:03.980000
take the next step from multiple places, but there's only one that it

0:05:03.980000 --> 0:05:04.940000
really seems to work for.

0:05:04.940000 --> 0:05:06.640000
And that process is onboarding.

0:05:06.640000 --> 0:05:08.260000
It's a very easy process.

0:05:08.260000 --> 0:05:11.160000
But at least for right now, and you can always check this and see if this

0:05:11.160000 --> 0:05:16.240000
is true going forward, but I need to start at the Identity Governance

0:05:16.240000 --> 0:05:21.460000
blade. This is actually a relatively new blade, and it shows up here.

0:05:21.460000 --> 0:05:29.700000
And what I need to do is I need to onboard my access reviews.

0:05:29.700000 --> 0:05:33.900000
Now I have already onboarded them, so it's not giving me the option to

0:05:33.900000 --> 0:05:37.340000
do so, but there's literally just a link right here.

0:05:37.340000 --> 0:05:42.520000
You click that and then you get a pop-up window and you accept it, and

0:05:42.520000 --> 0:05:43.440000
then you're onboarded.

0:05:43.440000 --> 0:05:46.540000
It's not hard to do, but for now at least you have to do it from here.

0:05:46.540000 --> 0:05:52.500000
I say that because you can access, there's reviews through the group interface.

0:05:52.500000 --> 0:05:55.080000
So I can go to a group and I can find the reviews, and it looks like I

0:05:55.080000 --> 0:05:58.060000
can onboard there, but that doesn't work.

0:05:58.060000 --> 0:06:01.500000
In any case, the process of creating an access review doesn't really matter

0:06:01.500000 --> 0:06:05.360000
where you are. But I'm in this Identity Governance, and I'm going to create

0:06:05.360000 --> 0:06:07.140000
an access review.

0:06:07.140000 --> 0:06:11.840000
I'm going to give this a name, and the name of my access review is going

0:06:11.840000 --> 0:06:17.560000
to be super secret review.

0:06:17.560000 --> 0:06:19.180000
You'll see why in a moment.

0:06:19.180000 --> 0:06:21.620000
I should give it a description, but I'm not going to.

0:06:21.620000 --> 0:06:25.700000
I'm going to start this review right now, and it's a one-time review.

0:06:25.700000 --> 0:06:29.980000
I'm just going to look at the current state of whatever it is that I'm

0:06:29.980000 --> 0:06:33.980000
reviewing. Now there's other options here, weekly, monthly, quarterly,

0:06:33.980000 --> 0:06:42.380000
etc. If I go to monthly, then I can start to take a look at how long I

0:06:42.380000 --> 0:06:45.860000
want to run that review for.

0:06:45.860000 --> 0:06:49.240000
But we're going to go ahead and make this one-time.

0:06:49.240000 --> 0:06:52.820000
And hang on a second here.

0:06:52.820000 --> 0:06:57.500000
It should go back one day anyway, but let's just make sure.

0:06:57.500000 --> 0:06:59.540000
There we go. All right.

0:06:59.540000 --> 0:07:02.060000
Now, what am I going to review?

0:07:02.060000 --> 0:07:04.240000
Oh, and by the way, that end date, before I go down there, sorry, skip

0:07:04.240000 --> 0:07:06.260000
that. That's important.

0:07:06.260000 --> 0:07:11.660000
The end date is not the end date for when the review is going to occur.

0:07:11.660000 --> 0:07:13.540000
There's two parts.

0:07:13.540000 --> 0:07:17.740000
One is the actual analysis, what I just referred to as occurring.

0:07:17.740000 --> 0:07:22.780000
But then the other is actually reviewing the access review results.

0:07:22.780000 --> 0:07:27.460000
And that is what's going to end in this case on 7.6.

0:07:27.460000 --> 0:07:28.920000
What am I going to review?

0:07:28.920000 --> 0:07:32.480000
I have members of a group or assigned to an application.

0:07:32.480000 --> 0:07:34.820000
We're going to go with members of a group.

0:07:34.820000 --> 0:07:36.840000
And I can scope that to just guests.

0:07:36.840000 --> 0:07:42.240000
So if I just want to see what B2B guest users have been added to my group,

0:07:42.240000 --> 0:07:45.380000
I can do that. But I want everyone.

0:07:45.380000 --> 0:07:47.900000
And then I'm going to select a group.

0:07:47.900000 --> 0:07:52.980000
Now, as it turns out, I have one group, and that is the super secret group.

0:07:52.980000 --> 0:07:57.220000
So we'll pick that group and hit OK.

0:07:57.220000 --> 0:08:00.160000
Now, once I've selected the group, I can go ahead and start.

0:08:00.160000 --> 0:08:02.460000
But we're going to do a few more things.

0:08:02.460000 --> 0:08:06.780000
One, I'm going to change the reviewers from group owners to selected users.

0:08:06.780000 --> 0:08:09.600000
Notice also, you've got self review.

0:08:09.600000 --> 0:08:11.680000
It will go to selected users.

0:08:11.680000 --> 0:08:18.240000
And I have to select the user, and that's going to be me.

0:08:18.240000 --> 0:08:21.960000
Now, the program, programs are really just metadata that allow you to

0:08:21.960000 --> 0:08:23.100000
organize reviews.

0:08:23.100000 --> 0:08:25.920000
You're in a large organization with a lot of groups.

0:08:25.920000 --> 0:08:29.040000
You're probably going to have different people reviewing the groups.

0:08:29.040000 --> 0:08:30.560000
You want to be able to track them.

0:08:30.560000 --> 0:08:31.640000
That's all a program does.

0:08:31.640000 --> 0:08:34.740000
I might, for example, have a program for the finance department and a

0:08:34.740000 --> 0:08:41.240000
different program for, I don't know, the IT staff.

0:08:41.240000 --> 0:08:45.520000
And then, I have, upon completion, what do you want to do?

0:08:45.520000 --> 0:08:51.140000
I can auto apply results to the resource.

0:08:51.140000 --> 0:08:56.700000
I can also pick what happens if no one responds.

0:08:56.700000 --> 0:08:59.380000
In the first one, it's going to be once the review is done, it's going

0:08:59.380000 --> 0:09:03.200000
to auto, if I enable that, it will auto apply the recommendation.

0:09:03.200000 --> 0:09:06.100000
It's going to recommend to either keep somebody in the group or to remove

0:09:06.100000 --> 0:09:07.500000
them from the group.

0:09:07.500000 --> 0:09:10.900000
But we'll go ahead and leave that off.

0:09:10.900000 --> 0:09:15.880000
I could say, okay, but if the end date comes and there's people that have

0:09:15.880000 --> 0:09:21.220000
not been reviewed, manually go ahead and take the recommendations.

0:09:21.220000 --> 0:09:24.320000
Finally, we have advanced settings.

0:09:24.320000 --> 0:09:28.140000
And I can show recommendations, which, of course, would be required.

0:09:28.140000 --> 0:09:29.880000
Require a reason on approval.

0:09:29.880000 --> 0:09:30.860000
I'm going to leave that on.

0:09:30.860000 --> 0:09:34.640000
I don't want mail notifications, and I don't want reminders.

0:09:34.640000 --> 0:09:39.820000
And now, I am going to start the review.

0:09:39.820000 --> 0:09:49.180000
And... We should...

0:09:49.180000 --> 0:09:55.620000
Pop there. There's my review group, so I have this dashboard.

0:09:55.620000 --> 0:10:00.360000
And I can see status of members, number of guest members, guest accounts.

0:10:00.360000 --> 0:10:04.760000
I can see that I've got one member, no guest accounts.

0:10:04.760000 --> 0:10:09.000000
Let's go ahead and let's take a look.

0:10:09.000000 --> 0:10:11.740000
Oh, let's go to programs.

0:10:11.740000 --> 0:10:13.520000
There's my default program.

0:10:13.520000 --> 0:10:15.280000
Again, you can have more than that.

0:10:15.280000 --> 0:10:20.360000
And again, I'm seeing the same kind of interface.

0:10:20.360000 --> 0:10:23.420000
And I go down and see the access reviews.

0:10:23.420000 --> 0:10:26.240000
All right, here's an access review that I just set up.

0:10:26.240000 --> 0:10:28.320000
I can create a new one now.

0:10:28.320000 --> 0:10:33.200000
We'll go here. I've got an overview.

0:10:33.200000 --> 0:10:37.420000
There are two users, two members of that group, which is right.

0:10:37.420000 --> 0:10:40.820000
I view the results.

0:10:40.820000 --> 0:10:46.880000
I've got both of these have been recommended to be approved.

0:10:46.880000 --> 0:10:50.020000
But neither one has been reviewed.

0:10:50.020000 --> 0:10:52.100000
Go to reviewers.

0:10:52.100000 --> 0:10:54.280000
I am a reviewer.

0:10:54.280000 --> 0:10:57.540000
And go to settings.

0:10:57.540000 --> 0:11:03.340000
And I can change specific attributes of the settings, including I may

0:11:03.340000 --> 0:11:08.000000
not need a reviewer to give a reason.

0:11:08.000000 --> 0:11:09.940000
Here's where it ends.

0:11:09.940000 --> 0:11:12.240000
And again, these are all the settings I made.

0:11:12.240000 --> 0:11:15.280000
I set when I was creating this.

0:11:15.280000 --> 0:11:19.360000
All right, let's go to Bonnie.

0:11:19.360000 --> 0:11:29.380000
And I can see all of Bonnie's activities in the last 30 days.

0:11:29.380000 --> 0:11:32.440000
I get some information there.

0:11:32.440000 --> 0:11:37.800000
And there's Buh.

0:11:37.800000 --> 0:11:44.640000
And you can go in and you can also approve these or you can remove them

0:11:44.640000 --> 0:11:48.700000
manually or again, you can have that happen automatically.

0:11:48.700000 --> 0:11:52.840000
That is the process for implementing Access Reviews.