Automate auditing of Azure AD group memberships

Question

Automate auditing of Azure AD group memberships

Girish Prajwal 706

Hi Team,

We are planning to implement Group membership audits for the security groups on our Azure AD. Please suggest if you have a script which does the job.

Regards,
Girish

Girish Prajwal 706 Reputation points

2021-12-24T13:00:59.41+00:00

Hi Azure AD Team,

@AmanpreetSingh-MSFT

We are planning to Automate the User Groups Audit in our Tenant as below.

![160279-image.png][1]

Please suggest the Pre-requisistes and the permissions needed to perform the Automated Audits from AAD. Also any PS scripts to begin with.

Regards,
Girish

Accepted answer

1 additional answer

Your answer

Girish Prajwal 706 Reputation points

2021-12-24T13:00:59.41+00:00

Hi Azure AD Team,

@AmanpreetSingh-MSFT

We are planning to Automate the User Groups Audit in our Tenant as below.

![160279-image.png][1]

Please suggest the Pre-requisistes and the permissions needed to perform the Automated Audits from AAD. Also any PS scripts to begin with.

Regards,
Girish

Answer 1

JamesTran-MSFT 36,911 Microsoft Employee Moderator

@Girish Prajwal
Thank you for your post!

When it comes to automating Access Reviews, you should be able to do this by creating an access review of an access package. When creating or editing an existing policy within your Access Package, you can designate a Review Frequency, which will run the access review on an annual, bi-annual, quarterly, monthly, or weekly basis.

For more info:
Start new access package
Create an access review of an access package

If this isn't what you're looking for, I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Girish Prajwal 706 Reputation points

2021-12-31T12:23:38.6+00:00

Hi @JamesTran-MSFT ,

Wish you happy new year 2022 :)

Thank you for the suggested answer. I am looking for something similar to this image.

Please suggest the pre-requisite roles for the above task. How can we achieve this. Is this similar to your answer that is suggested.

Regards,
Girish P
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2022-01-03T19:30:30.147+00:00

@Girish Prajwal
Happy New Year!

An Access Review of an Access Package (conducting an access review for multiple resources) is used to reduce the risk of stale access. This is done by performing periodic reviews of users who have active assignments to an access package in Azure AD entitlement management. For more info.

When it comes to automating Access Reviews without an Access Package, you should be able to do this when you create your Access Review. You can choose to have access removal automated by setting the "Auto apply results to resource" option, to Enable. For more info.

Note - After the review is finished and has ended, users who weren't approved by the reviewer will be automatically removed from the resource or kept with continued access. Options could mean removing their group membership, or their application assignment, or revoking their right to elevate to a privileged role.

You can also automate Access Review tasks by using the Microsoft Graph API - Use the Access Reviews API.

I hope this helps!
Thank you for your time and patience throughout this issue.
Girish Prajwal 706 Reputation points

2022-01-04T14:31:16.57+00:00

Hi @JamesTran-MSFT ,

How often the reminder mails are sent to the end users. Is there an option to ignore the BOT-ID's as there wont be an option to auto-reply from the same. Also, can we create dashboards as Azure is our primary Identity management for other cloud platforms. Can we segregate based on the cloud platforms.

Regards,
Girish Prajwal
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2022-01-04T17:44:13.293+00:00

@Girish Prajwal
Thank you for following up with this!

When it comes to automating Access Reviews, during the creation of your Access Review, you can specify a recurrence period for how often you want these reviews to take place. This will trigger the review and notify your reviewers.

You can create dashboards for PIM by using the resource dashboard. I don't believe you can segregate the dashboard based on the cloud platforms, since this should be specific to the Azure AD tenant you're leveraging PIM on. If you'd like this to be a feature, I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this.

When you mention BOT-ID's, can you share an example of what you're referring to?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Girish Prajwal 706 Reputation points

2022-01-10T07:24:01.507+00:00

Hi @JamesTran-MSFT ,

Any update on the above ask.

Regards,
Girish Prajwal
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2022-01-10T14:57:09.43+00:00
@Girish Prajwal
Thank you for following up on this! I just wanted to see if you were able to review my previous comment, or did you have additional questions that I missed?

1) How often the reminder mails are sent to the end users?

This all depend on the recurrence frequency you set (i.e. weekly, monthly, quarterly, etc.), this will trigger the review emails and notify your reviewers.

2) You can create dashboards for PIM by using the resource dashboard. I don't believe you can segregate the dashboard based on the cloud platforms, since this should be specific to the Azure AD tenant you're leveraging PIM on.

3) When you mention BOT-ID's, can you share an example of what you're referring to?

I hope this helps!

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Girish Prajwal 706 Reputation points

2022-01-11T08:45:43.657+00:00

@JamesTran-MSFT ,

Bot-Id's - We have some of the Azure ID's where there are no Owners for those.. They do login to some of the servers to fetch some data or perform some actions on the servers automatically. Again, these are not SPN's/Run as accounts.

From the dashboard perspective, I will try and gather some info around it.

Thank you James.. you have been very helpful.

Answer 2

Devaraj G 2,096 Volunteer Moderator

Hi,

You should be able to view the audit logs though Azure AD audit logs and you can also access the audit log through the Microsoft Graph API.
Refer this link for more info : https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs#what-license-do-i-need

Girish Prajwal 706 Reputation points

2021-12-21T10:00:53.1+00:00

Hi Dev073,

I was looking to automate on the Group Members access automation from this link as below.
https://learn.microsoft.com/en-us/azure/active-directory/governance/deploy-access-reviews

Regards,
Girish Prajwal

Share via

Automate auditing of Azure AD group memberships

1 additional answer

Your answer