Highly privileged role assignments shall be periodically reviewed
Description
Access reviews should be periodically performed for users with permanent or eligible privileged roles. Users should evaluate whether they still need these permissions and update assignments accordingly. Access reviews can be performed manually or with a tool like Microsoft Access Reviews which is part of an Azure AD P2 subscription.
Policy
Access reviews shall be performed for users with permanent or eligible privileged roles.
Licensing Considerations
To leverage the Access Reviews in Microsoft, an Azure AD P2 license is required. This can be purchased standalone or as part of the following bundles:
EMS + E5
Microsoft 365 E5
Set Up Instructions
Follow these steps to create Access Reviews leveraging the native tooling in Microsoft.
End-User Impact
Level: Low
Impact is limited to the users with privileged roles. When an access review is conducted, the user will be notified via email to review their existing roles. They will be able to provide feedback on if they need to continue to have that role with a justification reason.
Tips
Try to perform access reviews on a semi-annual basis at the minimum.
PowerShell Scripts
365 Admin Report: Export Office 365 Admin Role Report using PowerShell (o365reports.com)
Access Reviews PowerShell samples: microsoft/access-reviews-samples: This repo contains sample code that demonstrates programmatic access to Azure AD Access Reviews. Sample code includes reading and managing Access Reviews, as well as working on decisions and results of Access Reviews. (github.com)
Videos
Last updated