Why You Need Azure Active Directory Reviews

Azure Active Directory reviews are a cyber security control that ensures only the people you intend to have access to your network actually have it. Your internal IT team or managed service provider should complete Azure Active Directory reviews on a regular basis as part of your overall cyber security plan.

What Is Azure Active Directory (AD)?

Active Directory (AD) controls the management of group memberships and who has access to your applications such as Teams, SharePoint, Yammer and more, as well as role assignments. With Azure AD, collaboration with users from both inside and outside your organization is easy. Users can join groups, invite guests, connect to cloud apps and work remotely from their work or personal devices.

Why Are These Reviews So Important?

Active Directory gives your team the ability to share and collaborate easily with people both inside and outside your organization. Reviews are the best way to ensure each user has access to everything they need, and nothing they don’t. Consider the many operational changes that could impact which areas of the network a user should have access to:

  • A new hire or an existing employee changes roles or positions
  • Someone leaves the company
  • An external resource you needed for a project is no longer actively working on it
  • A group or department is taking on a new purpose or task

Periodic reviews make sure that the appropriate changes to your Active Directory permissions have been made as a result of these and other changes. If they haven’t been, the review lets you correct the issue before it leads to a data compromise.

How AD Roles Impact Access Reviews

When you complete an access review, you will need input from group leaders and administrators to determine which users should have permissions for their areas. Azure Active Directory has more than 80 built-in roles, including:

  • AD global administrator, who manages access and all administrative features in Azure AD, assigns roles to other users and can reset the password for any user. The user who signs up for the Azure AD tenant is the default global administrator.
  • AD user administrator, who manages all users, groups and support tickets. This admin can reset passwords for other user admins, helpdesk administrators and users.
  • AD billing administrator, who manages purchases, subscriptions and support tickets.
  • AD application administrator, who creates and manages app registrations and enterprise applications.
  • AD compliance administrator, who manages compliance configurations and reports.
  • AD Teams administrator, who manages the Teams service and configurations.

The full list of Azure AD roles can be found here: administrator role permissions in Azure Active Directory. Active Directory also allows for group-level and guest permissions and restrictions.

Limit Admin Permissions

One sign that it’s time for an Azure Active Directory review is a high number of users with admin roles. The threshold for what is too many will vary from business to business, but admins should be a small percentage of your overall team. If it looks like too many users have admin privileges, find out:

  • How many are global admins?
  • How many are user admins?
  • How many are guests?

Remove access from anyone who no longer needs it, or who should never have had it in the first place, just as you would for former employees of your business.
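The three counts above can be pulled directly from the tenant rather than estimated. The following is an added example, not code from the original article or from Convergence Networks; it assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph module) is installed and that the signed-in account has the Directory.Read.All and RoleManagement.Read.Directory permissions.

```powershell
# Added example: tally global admins, user admins and guests before an Azure AD review.
# Assumes the Microsoft.Graph module is installed and the caller is permitted to read
# directory roles and users (Directory.Read.All, RoleManagement.Read.Directory).
Connect-MgGraph -Scopes "Directory.Read.All","RoleManagement.Read.Directory" -NoWelcome

# Get-MgDirectoryRole returns only roles that have been activated in the tenant;
# a role that has never been assigned may be absent and is reported as zero members.
$roles = Get-MgDirectoryRole -All

function Get-RoleMembers {
    param([string]$DisplayName)
    $role = $roles | Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $role) { return @() }
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        ForEach-Object {
            # Members come back as generic directory objects (users, groups or
            # service principals); the readable attributes live in AdditionalProperties.
            [pscustomobject]@{
                Role = $DisplayName
                Name = $_.AdditionalProperties.displayName
                Upn  = $_.AdditionalProperties.userPrincipalName
                Type = $_.AdditionalProperties.'@odata.type'
            }
        }
}

$globalAdmins = Get-RoleMembers -DisplayName "Global Administrator"
$userAdmins   = Get-RoleMembers -DisplayName "User Administrator"
# Filtering on userType is an advanced query, so request eventual consistency.
$guests   = Get-MgUser -Filter "userType eq 'Guest'" -ConsistencyLevel eventual -All `
                       -Property DisplayName,UserPrincipalName
$allUsers = Get-MgUser -All -Property Id

# Headline numbers, with global admins expressed as a share of all users so the
# "small percentage of your overall team" rule of thumb can be applied.
$summary = [ordered]@{
    "Total users"           = $allUsers.Count
    "Global administrators" = $globalAdmins.Count
    "User administrators"   = $userAdmins.Count
    "Guest users"           = $guests.Count
}
$summary["Global admins as % of users"] =
    [math]::Round(100 * $globalAdmins.Count / [math]::Max(1, $allUsers.Count), 1)
$summary

# Detail lists that group leaders can confirm line by line during the review.
$globalAdmins + $userAdmins | Format-Table Role, Name, Upn, Type -AutoSize
$guests | Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize
```

Any member whose Type is a group or service principal deserves a second look, since a role granted to a group is inherited by everyone in that group.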

When to Complete an Azure AD Access Review

You can trigger an access review at any time within Azure AD for part or all of your users and roles. For example, you can choose a single group or team and send out an access review for each member to verify that they need access to the areas they currently have (a self-review). You could also trigger all group administrators to review the users and guests within their groups. You may also want to run AD access reviews to verify:

  • Privileged role access.
  • New groups/new admins.
  • Business-critical data access.
  • Guest user access rights.
  • Default user access rights.
  • Group access rights.
  • Policy exceptions.
  • Security group members.
  • Office group members.
  • Teams channels.
  • Self-review.
  • Azure resource role.
  • Compliance (group owners confirm they still need guests in their groups and owners).
  • Automated reviews that recur periodically (weekly, monthly, quarterly, yearly).

What Is the AD Review Process?

To start a review, visit the “Identity Governance” page in the Azure portal.

  • Click Access reviews in the left menu.
  • Click New access review.
  • Select the resource you want to review.

There is a great deal of granularity in determining the scope and object of each review.

Once the review parameters are set, an email will be sent to the appropriate reviewers (based on Active Directory roles and group/area ownership) according to the schedule you set for the review recurrence.

Imagine you are the owner of a Teams group. You would receive an email each quarter with a list of all the members of your Teams group with a prompt to deny access to anyone no longer needing it. If no reply is received, all members remain approved, but when you reply with certain users marked as no longer needing access, their permissions for your group will be removed.

Get Expert Help With Azure Active Directory Reviews

This article only scratches the surface of Azure Active Directory reviews. While they can be a bit complicated to set up, AD reviews are a critical component of your business security. When people only have access to the areas they need, and the record of who has access is kept current, there is less room for mistakes or malicious behavior to compromise your network.

The good news is the Convergence Networks experts can help. As your managed service provider, we will set up your Azure AD reviews and train your team on how to make the most of them. Contact us to learn more about our managed IT and security services.
