Azure AD access reviews on-prem AD groups manager (ManagedBy)

Question

Hi,

we would like to use Azure AD access reviews for on-prem AD groups (approx. 20 000) synced to AAD, where group owner would be the reviewer. We would like to use on-prem AD attribute ManagedBy as the group owner. ManagedBy seems not to be replicated to AAD, and it is impossible to set AAD group owner manually, because it is synced from on-prem. Is there any way how to use Access Reviews for synced on-prem groups, where value from ManagedBy would be used as the reviewer?

Answer 1

The ManagedBy property is not currently accessible from Azure AD.

For synced on-premises groups, everything needs to be done on premises. From Deploy Access Reviews:

Access Reviews can't change the group membership of groups that you synchronize from on-premises with Azure AD Connect. This is because the source of authority is on-premises.

You can still use Access Reviews to schedule and maintain regular reviews of on-premises groups. Reviewers will then take action in the on-premises group.

That said, one workaround is to add a custom attribute on the Group schema in the local AD and configure it to sync as an extension property to Azure.

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions

Then you can populate the custom attribute with the required information from the ManagedBy user to get access to it via the Graph API.

There are open feedback items in user voice to add this property and I believe the product team is planning it.