Azure Access Review Best Practice?

Lewis Nagel 20 Reputation points
2025-03-26T16:36:58.61+00:00

Hi, I have some questions about Microsoft Azure Access Review Best Practice.

As an org we have access reviews for our guest users; but we also have a process in place that creates a new access review for each group and MS Team created (using Power Automate).

The flow adds the owners at time of creation as the reviewers of the access reviews. The issue we are having is if a user changes role or moves department, they may be removed from a group or team, but if they are an original owner, they will still get emails for access reviews, even though they are not an owner. This can create additional work for manual changes of those access reviews.

Is there a way to automate access reviews so that the reviewers of a team's access review automatically change if a user account leaves the group or is deleted, or if a user is added as a new group owner? Also, what are the generally recommended best practices for access reviews?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
Marcin Policht 50,570 Reputation points MVP Volunteer Moderator
2025-03-26T17:35:14.02+00:00

You can automate the update of access review reviewers to match the current owners of a Microsoft 365 group or team using such services as Power Automate or Entra ID Governance.

Automating reviewer updates

1. Trigger on group ownership changes
   • Use a Power Automate flow triggered by Entra ID audit logs when group membership or ownership changes.
   • Alternatively, schedule a Graph API query to check for ownership changes regularly.
2. Retrieve current group owners
   • Use the Microsoft Graph API (GET /groups/{id}/owners) to fetch the latest list of owners for a group or team.
3. Update the access review reviewers
   • Use the Graph API (PATCH /identityGovernance/accessReviews/definitions/{id}) to update the reviewers dynamically with the latest group owners.
   • If using Power Automate, create a step to update the access review configuration.
4. Remove reviewers who are no longer owners
   • Before updating, compare the current reviewers list with the latest group owners.
   • Remove any users who are no longer owners and add new ones.

Best practices for Access Reviews

1. Assign access reviews to dynamic owners
   • Instead of static owners, use Microsoft Entra dynamic groups to ensure ownership updates dynamically.
2. Use recurring access reviews
   • Set access reviews to run quarterly or bi-annually to reduce stale permissions.
3. Require justification for continued access
   • Ensure reviewers must provide a reason when approving continued access.
4. Automate removal of inactive or non-reviewed users
   • If a user is not reviewed within a period, automate access removal using Entitlement Management.
5. Audit access review effectiveness
   • Regularly check review completion rates and adjust policies to improve efficiency.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

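The compare-and-update logic from steps 2 to 4 of the accepted answer, as an added example (not from the answer or from Microsoft): it reads a GET /groups/{id}/owners payload and the review definition's current reviewers, and builds the PATCH body for /identityGovernance/accessReviews/definitions/{id} only when they differ. It assumes reviewers are stored as explicit `/users/{id}` reviewer scopes; obtaining a Graph token with AccessReview.ReadWrite.All and sending the request are left to the caller, and the sample ids are constructed placeholders.

```python
"""Added example (not from the original post): compute the Graph PATCH that
makes an access review's reviewers equal the group's current owners.
Assumed reviewer shape: {"query": "/users/<id>", "queryType": "MicrosoftGraph"};
sending the request with a token is left to the caller, so this runs offline."""
import re

GRAPH = "https://graph.microsoft.com/v1.0"
USER_QUERY = re.compile(r"^/users/([0-9a-f-]{36})$", re.I)

def owner_user_ids(owners_payload: dict) -> set:
    """Ids from a GET /groups/{id}/owners response, users only: a service
    principal can own a group but cannot act as a reviewer."""
    return {o["id"].lower() for o in owners_payload.get("value", [])
            if o.get("@odata.type") == "#microsoft.graph.user"}

def reviewer_user_ids(reviewers: list) -> set:
    """Ids of reviewers defined as explicit /users/{id} scopes."""
    matches = (USER_QUERY.match(r.get("query", "")) for r in reviewers)
    return {m.group(1).lower() for m in matches if m}

def reconcile(review_def: dict, owners_payload: dict) -> "dict | None":
    """Return the PATCH needed so reviewers == current owners, or None when
    already in sync (no write, no needless audit entry or notification)."""
    current = reviewer_user_ids(review_def.get("reviewers", []))
    wanted = owner_user_ids(owners_payload)
    if not wanted:  # never leave a review with nobody able to decide
        raise ValueError("group has no user owners; assign owners first")
    if current == wanted:
        return None
    return {
        "method": "PATCH",
        "url": f"{GRAPH}/identityGovernance/accessReviews/definitions/{review_def['id']}",
        "body": {"reviewers": [{"query": f"/users/{u}", "queryType": "MicrosoftGraph"}
                               for u in sorted(wanted)]},
        "added": sorted(wanted - current),
        "removed": sorted(current - wanted),
    }

# Constructed sample: Bob left the team, Carol became an owner, and an
# automation service principal is also listed as an owner.
ALICE = "11111111-1111-4111-8111-111111111111"
BOB = "22222222-2222-4222-8222-222222222222"
CAROL = "33333333-3333-4333-8333-333333333333"
SAMPLE_REVIEW = {"id": "REVIEW-ID-PLACEHOLDER", "reviewers": [
    {"query": f"/users/{ALICE}", "queryType": "MicrosoftGraph"},
    {"query": f"/users/{BOB}", "queryType": "MicrosoftGraph"}]}
SAMPLE_OWNERS = {"value": [
    {"@odata.type": "#microsoft.graph.user", "id": ALICE},
    {"@odata.type": "#microsoft.graph.user", "id": CAROL},
    {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "44444444-4444-4444-8444-444444444444"}]}
```

Running `reconcile(SAMPLE_REVIEW, SAMPLE_OWNERS)` yields a plan that adds Carol and removes Bob while ignoring the service principal. For reviews created from now on, a reviewer scope of `{"query": "./owners", "queryType": "MicrosoftGraph"}` resolves to whoever owns the group when each review instance starts, which avoids the need to sync at all.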

0 additional answers
