Create an access review of Privileged Access Groups in Azure AD (preview)

This article describes how to create one or more access reviews for Privileged Access Groups. A review covers both the active members of the group, that is, those whose assignment is active at the time the review is created, and the eligible members of the group.

Prerequisites

For more information, see License requirements.

Create a Privileged Access Group access review

Scope

  1. Sign in to the Azure portal and open the Identity Governance page.

  2. On the left menu, select Access reviews.

  3. Select New access review to create a new access review.

    Screenshot that shows the Access reviews pane in Identity Governance.

  4. In the Select what to review box, select Teams + Groups.

    Screenshot that shows creating an access review.

  5. Select Teams + Groups and then select Select Teams + groups under Review Scope. A list of groups to choose from appears on the right.

    Screenshot that shows selecting Teams + Groups.

Note

When a Privileged Access Group (PAG) is selected, the users under review for the group will include all eligible users and active users in that group.

  6. Now you can select a scope for the review. Your options are:

    • Guest users only: This option limits the access review to only the Azure AD B2B guest users in your directory.
    • Everyone: This option scopes the access review to all user objects associated with the resource.
  7. If you are conducting a group membership review, you can create access reviews for only the inactive users in the group. In the Users scope section, check the box next to Inactive users (on tenant level). If you check the box, the review focuses only on inactive users, that is, users who have not signed in to the tenant either interactively or non-interactively. Then specify Days inactive, up to 730 days (two years). Only users in the group who have been inactive for at least the specified number of days are included in the review.

Note

Recently created users are not affected when configuring the inactivity time. The Access Review will check if a user has been created in the time frame configured and disregard users who haven’t existed for at least that amount of time. For example, if you set the inactivity time as 90 days and a guest user was created or invited less than 90 days ago, the guest user will not be in scope of the Access Review. This ensures that a user can sign in at least once before being removed.

  8. Select Next: Reviews.

After you have reached this step, you may follow the instructions outlined under Next: Reviews in the Create an access review of groups or applications article to complete your access review.

Note

Review of Privileged Access Groups will only assign active owner(s) as the reviewers. Eligible owners are not included. At least one fallback reviewer is required for a Privileged Access Groups review. If there are no active owner(s) when the review begins, the fallback reviewer(s) will be assigned to the review.
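The scoping and reviewer rules stated above (eligible and active members are both in scope, the inactivity window is capped at 730 days and skips users created inside that window, and only active owners review with a mandatory fallback) are easy to get wrong when planning a review. The following Python is an added example, not code from the article or from Azure AD: it models those rules over a constructed membership list so you can preview who a given configuration would put in front of reviewers. The user, membership and group records and their field names are assumptions for illustration, not Microsoft Graph properties.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Upper bound the portal accepts for "Days inactive" (two years), per the article.
MAX_INACTIVE_DAYS = 730


@dataclass
class User:
    """Constructed user record; field names are assumptions, not Graph properties."""
    upn: str
    user_type: str                       # "Member" or "Guest" (Azure AD B2B)
    created: datetime
    last_interactive: Optional[datetime] = None
    last_non_interactive: Optional[datetime] = None


@dataclass
class Membership:
    user: User
    state: str                           # "active" or "eligible" assignment


@dataclass
class Group:
    name: str
    members: List[Membership]
    owners: List[Membership]


def last_sign_in(user: User) -> Optional[datetime]:
    """Most recent tenant sign-in of either kind; None if the user never signed in."""
    stamps = [t for t in (user.last_interactive, user.last_non_interactive) if t is not None]
    return max(stamps) if stamps else None


def review_scope(group: Group, scope: str = "Everyone",
                 inactive_days: Optional[int] = None,
                 now: Optional[datetime] = None) -> List[str]:
    """Sorted UPNs that a review with these settings would include."""
    now = now or datetime.now(timezone.utc)
    if inactive_days is not None and not 1 <= inactive_days <= MAX_INACTIVE_DAYS:
        raise ValueError(f"Days inactive must be between 1 and {MAX_INACTIVE_DAYS}")
    if scope not in ("Everyone", "Guest users only"):
        raise ValueError(f"unknown review scope {scope!r}")

    # A PAG review covers eligible and active members alike; dedupe users holding both.
    users = list({m.user.upn: m.user for m in group.members}.values())
    if scope == "Guest users only":
        users = [u for u in users if u.user_type == "Guest"]
    if inactive_days is None:
        return sorted(u.upn for u in users)

    cutoff = now - timedelta(days=inactive_days)
    in_scope = []
    for u in users:
        # Users created inside the window are disregarded: they cannot have been
        # inactive that long, and get a chance to sign in before a review removes them.
        if u.created > cutoff:
            continue
        last = last_sign_in(u)
        # Inactive = no interactive or non-interactive sign-in inside the window (or ever).
        if last is None or last <= cutoff:
            in_scope.append(u.upn)
    return sorted(in_scope)


def reviewers_for(group: Group, fallback_reviewers: List[str]) -> List[str]:
    """Active owners review; eligible owners are skipped; fallback is mandatory."""
    if not fallback_reviewers:
        raise ValueError("a Privileged Access Groups review needs at least one fallback reviewer")
    active_owners = sorted(o.user.upn for o in group.owners if o.state == "active")
    return active_owners or sorted(fallback_reviewers)


# ---- constructed sample data (not real tenant data) ----
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)


def _d(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


ALICE = User("alice@contoso.example", "Member", _d(2021, 1, 1), last_interactive=_d(2023, 5, 20))
BOB = User("bob@contoso.example", "Member", _d(2021, 1, 1), _d(2022, 12, 1), _d(2023, 1, 15))
CAROL = User("carol@fabrikam.example", "Guest", _d(2023, 4, 15))          # invited 47 days ago
DAVE = User("dave@fabrikam.example", "Guest", _d(2022, 1, 1))             # never signed in
ERIN = User("erin@fabrikam.example", "Guest", _d(2022, 1, 1), last_non_interactive=_d(2023, 5, 30))

PAG = Group(
    "SQL-Admins (privileged access group)",
    members=[Membership(ALICE, "active"), Membership(BOB, "eligible"), Membership(CAROL, "eligible"),
             Membership(DAVE, "active"), Membership(ERIN, "active")],
    owners=[Membership(ALICE, "active"), Membership(BOB, "eligible")],
)
PAG_NO_ACTIVE_OWNER = Group("Key-Vault-Admins", members=PAG.members, owners=[Membership(BOB, "eligible")])

if __name__ == "__main__":
    print("Everyone:", review_scope(PAG, now=NOW))
    print("Guests only:", review_scope(PAG, "Guest users only", now=NOW))
    print("Everyone, 90 days inactive:", review_scope(PAG, "Everyone", 90, now=NOW))
    print("Reviewers:", reviewers_for(PAG, ["secops-lead@contoso.example"]))
    print("Reviewers, no active owner:", reviewers_for(PAG_NO_ACTIVE_OWNER, ["secops-lead@contoso.example"]))
```

Running the sample with a 90-day window puts only Bob (last sign-in in January) and Dave (never signed in) in scope; Carol is skipped because she was invited inside the window, and she appears only if the window is shortened to 30 days. The second group, whose sole owner is eligible rather than active, falls through to the fallback reviewer, which is why the portal insists one is configured.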

Next steps