Entra ID governance – External user lifecycle

In my previous article, Entra ID Identity Governance, we looked at why and when you want to use Entra ID governance. In this article we look into external user lifecycle management. We are not covering all the topics, only some that will get you started.

External user access review

So we have everything in place to start the work. I want to start with access reviews of all external users in Teams, and make the owner of each team report back.

Go to entra.microsoft.com > Identity governance > Access reviews and click New access review.
You have two options for what to review; first select Teams + Groups. In review scope you also have two options. If you select All Microsoft 365 groups, note that dynamic groups and role-assignable groups are not part of the review.

We want to include as many groups as possible, and we would like to keep it simple now in the start. At a later point we can create a multi-stage review and let users first review themselves, and then a group/team owner can review as well. Some Teams don’t have owners; they could be abandoned, or they haven’t been updated with new owners. So we want to have fallback reviewers who can handle these kinds of groups.

Now that most of the settings are complete, we need to decide what to do with these users. If a reviewer doesn’t complete their review you have the option to: not change anything, remove access for the users, approve access for the users, or take the recommendations. In our scenario we remove access (note that this doesn’t remove the user from Entra ID, it simply removes the user from that group or team).
We also let the reviewer know whether the user has been active in the last 30 days to help with the review.
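The same review can be created from a script instead of the portal, which is useful once you want to roll it out repeatably. The following is an added example (not code from the article or from Microsoft) that builds the review described above through Microsoft Graph with the Microsoft Graph PowerShell SDK: guest users in all Microsoft 365 groups, group owners as reviewers, a fallback reviewer for ownerless groups, a 30-day inactivity recommendation, and “remove access” applied automatically when nobody responds. The fallback reviewer object id, the display name and the quarterly schedule are assumptions.

```powershell
# Added example, not from the article: create a guest access review via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK and a signed-in admin with AccessReview.ReadWrite.All.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All" -NoWelcome

$fallbackReviewerId = "00000000-0000-0000-0000-000000000000"   # placeholder: object id of the fallback reviewer
$startDate          = (Get-Date).ToString("yyyy-MM-dd")

# Microsoft Graph queries that define the scope; note the escaped $filter inside double quotes
$m365GroupsQuery = "/groups?`$filter=(groupTypes/any(c:c eq 'Unified'))"
$guestUsersQuery = "/users?`$filter=(userType eq 'Guest')"

$definition = @{
    displayName             = "Guest review - M365 groups"            # assumed name
    descriptionForAdmins    = "Quarterly review of guest users in all Microsoft 365 groups"
    descriptionForReviewers = "Confirm that each guest still needs access to your team"

    # Review guest principals across every M365 group; one review instance is created per group
    scope = @{
        "@odata.type"   = "#microsoft.graph.principalResourceMembershipsScope"
        principalScopes = @(
            @{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"; query = $guestUsersQuery; queryType = "MicrosoftGraph" }
        )
        resourceScopes  = @(
            @{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"; query = $m365GroupsQuery; queryType = "MicrosoftGraph" }
        )
    }
    instanceEnumerationScope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = $m365GroupsQuery
        queryType     = "MicrosoftGraph"
    }

    # Each group's owners review their own group; the fallback reviewer covers groups without owners
    reviewers = @(
        @{ query = "./owners"; queryType = "MicrosoftGraph" }
    )
    fallbackReviewers = @(
        @{ query = "/users/$fallbackReviewerId"; queryType = "MicrosoftGraph" }
    )

    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        instanceDurationInDays          = 14

        # "Remove access" when a reviewer does not respond, applied automatically when the instance ends
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"
        autoApplyDecisionsEnabled       = $true

        # Show reviewers whether the guest has signed in during the last 30 days
        recommendationsEnabled          = $true
        recommendationInsightSettings   = @(
            @{
                "@odata.type"                  = "#microsoft.graph.userLastSignInRecommendationInsightSetting"
                recommendationLookBackDuration = "P30D"
                signInScope                    = "tenant"
            }
        )

        # Quarterly, with no end date (assumed schedule)
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }
            range   = @{ type = "noEnd"; startDate = $startDate }
        }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions" `
    -Body ($definition | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

"Created access review definition $($created.id) with status $($created.status)"
```

The definition is the same object the portal builds for you; keeping it in source control makes it easy to review the scope and the default decision before it goes live, and to create the same review in a pilot tenant first.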

Now the job has been created. It can take some time before it is shown as active in the dashboard. Once it is, you should be able to open it and see all groups that require a review (meaning they have guest users in the M365 group). In this case you can see it is the groups “U.S. Sales” and “Sales and Marketing” that have guest users.


Megan Bowen, one of the Team owners, receives an email from Entra ID informing her that an access review is required.
All owners will receive this email for groups that are under review. The email contains a link to the My Access page and to the overview page.

Clicking the link takes Megan to the My Access page, which gives her a good overview of all groups that need review and their progress.
In this case there is only one user who is a guest in the M365 group/Team that is due for review.

Let’s review one of the groups.
There are several actions to select from. First we see the name and email of the user, then we get a recommendation. In this case it tells us that the user is inactive, because the account hasn’t had any activity.
For the review you can:
Approve: User access is retained, as is.
Deny: User access is revoked.
Don’t know: User access is retained.
Accept recommendations: User access is revoked – but your answer will be logged.
If you don’t do anything, the user’s access will be revoked as per the review setting.

Let’s select “Don’t know” and enter a reason for the selection and press Submit.

For the other group we approve the access and let the user keep it.
The review runs for the configured number of days and is not completed automatically when all reviewers have submitted their decisions. They have until the end of the period to make changes. Where someone is uncertain, others can go in and change the answer. Let’s make Nestor Wilke change the decision that Megan gave and deny access.
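Because decisions stay open until the period ends and the default decision is applied to anyone not reviewed, it helps to see which guests are still undecided while the review is running. This added example (not code from the article or from Microsoft) reads the in-progress instances of a review definition through Microsoft Graph and lists the guests whose decision is still “NotReviewed” or “Don’t know”, together with the inactivity recommendation the reviewer sees. The definition display name is an assumption.

```powershell
# Added example, not from the article: report open decisions for an active access review.
# Requires the Microsoft.Graph PowerShell SDK and AccessReview.Read.All.
Connect-MgGraph -Scopes "AccessReview.Read.All" -NoWelcome

$definitionName = "Guest review - M365 groups"   # assumed display name of the review definition
$base = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"

# Find the definition by display name (filtered client-side to keep the request simple)
$def = @((Invoke-MgGraphRequest -Method GET -Uri $base).value |
    Where-Object { $_.displayName -eq $definitionName }) | Select-Object -First 1
if (-not $def) { throw "No access review definition named '$definitionName'" }

# One instance per reviewed group; only InProgress instances still accept decisions
$instances = @((Invoke-MgGraphRequest -Method GET -Uri "$base/$($def.id)/instances").value |
    Where-Object { $_.status -eq "InProgress" })

foreach ($inst in $instances) {
    $decisions = @((Invoke-MgGraphRequest -Method GET `
        -Uri "$base/$($def.id)/instances/$($inst.id)/decisions").value)

    # "NotReviewed" will get the default decision; "DontKnow" keeps access and should be followed up
    $open = @($decisions | Where-Object { $_.decision -in @("NotReviewed", "DontKnow") })

    "Instance $($inst.id): $($decisions.Count) guests, $($open.Count) still undecided, ends $($inst.endDateTime)"
    foreach ($d in $open) {
        # recommendation is "Deny" when the guest had no sign-in inside the look-back window
        "  {0,-40} decision={1,-12} recommendation={2}" -f `
            $d.principal.displayName, $d.decision, $d.recommendation
    }
}
```

Wrapping each result in @() keeps `.Count` correct even when Graph returns a single item, since a lone hashtable would otherwise report the number of its keys instead of one object.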

Implementation

How would you go about implementing access reviews in the organization?

There are several methods, but I suggest easing into it. If the scope is IT, the implementation is fairly simple. Start with access reviews of all privileged roles in Entra ID. If you are implementing this for a larger part of the organization, or for external parties as well (self review), then user adoption is key. Have a clear communication plan and training kit ready to implement. Identify a pilot group of users, with mixed IT skill levels, to see where you should focus your adoption efforts.

An implementation scenario could look like this:

  1. Implement access reviews for privileged roles
  2. Implement access reviews for guest users (for a pilot group)
  3. Continue expanding access reviews for guests into the entire organization
  4. Start internal access reviews for applications and groups

This is essentially a governance plan for access, and it’s important that the plan is accepted at C-level and implemented down through the organization. This way employees will know what is expected of them in regard to access reviews. That is another chapter, which I will not cover here. Let me know if this is an interesting topic to cover in a future post.

Licensing

The licensing options for Identity Governance have changed somewhat in the last few months with a new license, Microsoft Entra ID Governance, being added. Some features that were covered by Entra ID P2 have been moved to Entra ID Governance. As I understand it, external users (guest accounts and external users) may soon require their own license and may not be covered under the subscription and MAU model used before. It’s therefore important to figure out which features you will use before acquiring licenses. If you choose the wrong license it may be a costly investment to upgrade.

The table below shows which feature requires which license. Do note that the table may change.
The full table is available at the source linked below.

Columns: Feature | Microsoft Entra ID P1 | Microsoft Entra ID P2 | Microsoft Entra ID Governance

Features listed:
My Access portal
Access reviews – Basic access certifications and reviews
Access reviews – PIM for Groups (Preview)
Access reviews – Inactive user reviews
Access reviews – Inactive user recommendations
Access reviews – Machine learning assisted access certifications and reviews
Insights and reporting – Inactive guest accounts (Preview)

Table source: Microsoft Entra ID Governance licensing fundamentals – Microsoft Entra ID Governance | Microsoft Learn
