Design for access reviews


An employee of a company might work in several different roles during their tenure. Each position they hold can require access to different resources or have varying levels of permissions requirements. When an employee is first hired, they need initial access to corporate resources and apps. For each position they hold, they can have specific access requirements and privileges. When the employee leaves the company, their access is removed.

Diagram that shows identity management for an employee from their hire date, to access for specific roles, to their access removed when they leave the company.

To ensure employees and users always have the correct access, you can perform an access review. An Azure Active Directory access review is a planned review of the access needs, rights, and history of user access.

As the Tailwind Traders CTO, you need to determine how you're going to do access reviews for your employees. You ask yourself:

  • As new employees join, how can we ensure they have the access they need to be productive?

  • As employees switch teams or leave the company, how do we make sure their existing access is removed?

Things to know to determine the purpose of the Azure AD access review

While you consider how to use Azure AD access reviews for Tailwind Traders, think about the following characteristics of an access review.

  • Access reviews mitigate risk by protecting, monitoring, and auditing access to critical assets.

  • You use access reviews to help ensure the correct users have the correct access to the correct resources.

  • Confirm correct user access to apps integrated with Azure AD for single sign-on, including SaaS apps and line-of-business apps.

  • Verify group memberships that are synchronized to Azure AD, or created in Azure AD or Microsoft 365, including Microsoft Teams.

  • Check access packages that group resources (groups, apps, and sites) into a single package to manage access.

  • Access reviews can also be used for Azure AD roles and Azure Resource roles as defined in Privileged Identity Management (PIM).

Determine who will conduct the access reviews

Access reviews are only as good as the person doing the reviewing. Selecting good reviewers is critical to your success. The creator of the access review decides who will conduct the review. This setting can't be changed after the review is started. There are three types of reviewers:

  • Resource owners: The business owners of a resource.

  • Delegates: A group of individuals selected by the access reviews admin.

  • End user: A user who self-attests to their need for continued access.

When you create an access review, admins can choose one or more reviewers. All reviewers can start and carry out a review, and choose to grant the user continued access to a resource or remove their access.

Things to consider when creating an access review plan

Before you implement access reviews for Tailwind Traders, you should plan the types of reviews that are relevant to your organization. You need to make business decisions about what you want to review and the actions to take based on those reviews.

Review the following implementation scenario of an access review plan for Microsoft Dynamics resources.

Access review component Implementation
What are the resources to review Microsoft Dynamics resources
How often should the access review be done Once a month
Who are the reviewers Dynamics business group program managers
How will reviewers be notified 24 hours before the start of the review, send email to the alias Include an encouraging custom message to secure reviewer cooperation.
How long should the review take to complete At most, 24 hours, which is 48 hours after the reviewers are first notified.
Are there automatic actions for these resources Yes. Automatic actions include:
- Remove access for any user account that has had no interactive sign-in within 90 days.
- Remove users from the security group dynamics-access.
- Perform access review actions for any user accounts that aren't reviewed within the specified time to complete.
Are there manual actions available to the reviewers Yes. Reviewers can approve user account removals before the automated action is completed, as desired.
How will affected users be notified Send email to internal (member) users who are removed, explain their removal, and how they can regain access.