Azure Identity Governance Access Reviews results not applied

G. Ruddell 6 Reputation points
2021-07-28T20:08:03.727+00:00

We've got reviews set up for a number of AD groups that manage access to file shares. Although the reviews seem to function as expected, we get an error when results are applied at the end of the review. The Apply Result column in the review results says 'Not Supported - Removal of this user membership is not supported.' What would cause the result not to be applied as configured?

Microsoft Entra ID

3 answers

  1. Florian Frommherz 76 Reputation points Microsoft Employee
    2021-10-27T09:34:34.807+00:00

    Hi!

    If these are groups that are managed in Windows AD and synchronized to Azure AD via Azure AD Connect, then that's expected behavior. Since these groups are read-only in Azure AD and can only be managed/written/changed in Windows AD, the Access Reviews engine can't commit changes to group membership after a review. We have no way of directly reaching on-premises Windows AD and performing the changes.

    While we're looking at ways to support that scenario in the future, currently, you can't write decisions back to groups that are managed on-premises in Windows AD.


  2. Thomas Pepper 1 Reputation point
    2021-11-03T16:24:24.473+00:00

    @G. Ruddell I have had the same issue, and it is likely because the security groups are associated with several applications. The system does not know how to differentiate between blocking access to App A and not App B when they both use the same security group. Where a 1:1 relationship does not exist, I would suggest running the assessments at the Security Group level rather than the application.

    Some denied users are unable to have results applied to them. Scenarios where this could happen include:

    • Reviewing members of a synced on-premises Windows AD group: If the group is synced from on-premises Windows AD, the group cannot be managed in Azure AD and therefore membership cannot be changed.
    • Reviewing a resource (role, group, application) with nested groups assigned: For users who have membership through a nested group, we will not remove their membership to the nested group - and therefore they will retain access to the resource being reviewed.

    User not found / other errors can also result in an apply result not being supported.
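
A pre-flight check for the two causes described in the answers above, added here as an example for this thread (it is not code from either answer or from Microsoft): it queries the group with the Microsoft Graph PowerShell SDK, which is assumed to be installed, and reports whether the group is synced from on-premises AD or contains nested groups before an access review is scheduled. The group name is a constructed placeholder.

```powershell
# Added example (not from the original thread). Assumes the Microsoft.Graph
# PowerShell module is installed and the caller can consent to Group.Read.All.
param(
    [Parameter(Mandatory = $true)]
    [string]$GroupDisplayName   # e.g. "FS-Finance-ReadWrite" (constructed placeholder)
)

Connect-MgGraph -Scopes "Group.Read.All" | Out-Null

# Only the properties needed for the check are requested.
$group = Get-MgGroup -Filter "displayName eq '$GroupDisplayName'" `
    -Property "id,displayName,onPremisesSyncEnabled"
if (-not $group) { throw "Group '$GroupDisplayName' not found." }

$findings = @()

# 1. Groups mastered in Windows AD and synced by Azure AD Connect are read-only
#    in Azure AD, so the review engine cannot remove members from them.
if ($group.OnPremisesSyncEnabled -eq $true) {
    $findings += "Synced from on-premises AD: denies will show 'Not Supported'; remove membership in Windows AD instead."
}

# 2. Users who hold membership through a nested group keep access after a deny,
#    because the review does not change the nested group's membership.
$members = Get-MgGroupMember -GroupId $group.Id -All
$nested  = $members | Where-Object {
    $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group'
}
foreach ($g in $nested) {
    $name = $g.AdditionalProperties['displayName']
    $findings += "Nested group member '$name' ($($g.Id)): its users will not be removed by this review."
}

if ($findings.Count -eq 0) {
    "OK: '$($group.DisplayName)' is cloud-managed with no nested groups; apply results should succeed."
} else {
    "Review of '$($group.DisplayName)' may report 'Not Supported' for some members:"
    $findings | ForEach-Object { " - $_" }
}
```

For on-premises synced groups the finding points at the only place a deny can actually be enforced, which is the group in Windows AD; for nested groups, reviewing the nested group itself (or flattening the membership) is what makes the removal applicable.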

  3. Purish Dwivedi 1 Reputation point
    2021-12-02T02:42:02.387+00:00

    I have a slightly different use case wherein I am using an Azure AD group to provision access to an enterprise application. Access to the Azure AD group itself is by means of an access package handling a request and approval workflow. This Azure AD group then in turn provides access to the enterprise application.

    Now, I created an access review of the application from Identity Governance and the reviewer denied the access as part of the review decision. This access review was configured to apply results manually instead of automatically. Then I stopped the access review and applied the result. This did not result in the user's access being removed from the Azure AD group, and the user still has access to the enterprise application.

    I received the same message as mentioned in the question even though the group is Azure AD hosted. There is no nesting and no on-prem AD groups in play here. Any clue?

    "Not Supported
    Removal of this user membership is not supported."
