Highly privileged role assignments shall be periodically reviewed

Description

Access reviews should be performed periodically for users who hold permanent (active) or eligible assignments to privileged roles. Each user is asked whether they still need the role, and assignments are removed, converted to eligible, or renewed accordingly. Reviews can be performed manually or with a tool such as Microsoft Access Reviews, which is part of Azure AD Identity Governance and requires an Azure AD Premium P2 license.

Policy

  • Access reviews shall be performed for users with permanent or eligible privileged roles.

Licensing Considerations

To use Access Reviews in Microsoft 365, an Azure AD Premium P2 license is required. It can be purchased standalone or as part of the following bundles:

  • Enterprise Mobility + Security (EMS) E5

  • Microsoft 365 E5

Set Up Instructions

  1. Follow these steps to create access reviews using the native Microsoft tooling.

End-User Impact

Level: Low

Impact is limited to users with privileged roles. When an access review is conducted, the user is notified by email to review their existing roles. They can state whether they still need each role and must supply a justification.

Tips

Perform access reviews at least semi-annually; quarterly is preferable for the most sensitive roles such as Global Administrator.

PowerShell Scripts

365 Admin Report: Export Office 365 Admin Role Report using PowerShell (o365reports.com)

Access Reviews PowerShell samples: microsoft/access-reviews-samples: This repo contains sample code that demonstrates programmatic access to Azure AD Access Reviews. Sample code includes reading and managing Access Reviews, as well as working on decisions and results of Access Reviews. (github.com)
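The following script is an added example, not part of this page or of either linked project. It produces the input a manual review described under Description needs: every permanent (active) and eligible assignment to a privileged Azure AD directory role, with the principal resolved and obvious findings flagged (disabled accounts, deleted or non-user principals, permanent assignments that could be made eligible, eligible assignments with no expiry). It assumes the Microsoft Graph PowerShell SDK v2 (Microsoft.Graph.Identity.Governance and Microsoft.Graph.Identity.DirectoryManagement modules) and an account that can consent to the RoleManagement.Read.Directory and Directory.Read.All scopes; the baseline role list, the CSV path and the StaleAfterDays default are assumptions for the example.

```powershell
# Added example: inventory privileged Azure AD role assignments for an access review.
# Not Microsoft code; assumes Microsoft.Graph PowerShell SDK v2 (Graph v1.0 endpoints).
param(
    [string]$OutputPath = ".\PrivilegedRoleAssignments.csv"   # assumed output location
)

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Fallback list used when a role definition does not expose IsPrivileged
# (older SDK/API builds). Assumption for the example: extend it to your own threat model.
$BaselinePrivilegedRoles = @(
    'Global Administrator', 'Privileged Role Administrator', 'Privileged Authentication Administrator',
    'Security Administrator', 'Exchange Administrator', 'SharePoint Administrator',
    'User Administrator', 'Authentication Administrator', 'Conditional Access Administrator',
    'Application Administrator', 'Cloud Application Administrator', 'Intune Administrator'
)

# Map roleDefinitionId -> display name for every role we consider privileged.
$privilegedRoles = @{}
foreach ($r in Get-MgRoleManagementDirectoryRoleDefinition -All) {
    if ($r.IsPrivileged -eq $true -or $BaselinePrivilegedRoles -contains $r.DisplayName) {
        $privilegedRoles[$r.Id] = $r.DisplayName
    }
}

# Resolve a principal id to type/name/UPN once; tenants repeat the same principals many times.
$principalCache = @{}
function Resolve-Principal([string]$Id) {
    if (-not $principalCache.ContainsKey($Id)) {
        try {
            $obj = Get-MgDirectoryObject -DirectoryObjectId $Id -ErrorAction Stop
            $principalCache[$Id] = [pscustomobject]@{
                Type              = ($obj.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
                DisplayName       = $obj.AdditionalProperties['displayName']
                UserPrincipalName = $obj.AdditionalProperties['userPrincipalName']
                AccountEnabled    = $obj.AdditionalProperties['accountEnabled']
            }
        } catch {
            # Assignments can outlive their principal; a dangling assignment is itself a finding.
            $principalCache[$Id] = [pscustomobject]@{ Type = 'deleted'; DisplayName = $null; UserPrincipalName = $null; AccountEnabled = $null }
        }
    }
    return $principalCache[$Id]
}

function New-Row($AssignmentType, $RoleDefinitionId, $PrincipalId, $Scope, $ExpiresOn) {
    $p = Resolve-Principal $PrincipalId
    [pscustomobject]@{
        AssignmentType    = $AssignmentType
        Role              = $privilegedRoles[$RoleDefinitionId]
        Scope             = $Scope
        PrincipalType     = $p.Type
        Principal         = $p.DisplayName
        UserPrincipalName = $p.UserPrincipalName
        AccountEnabled    = $p.AccountEnabled
        ExpiresOn         = $ExpiresOn
        Flags             = ''
    }
}

$rows = New-Object System.Collections.Generic.List[object]

# Permanent (active) assignments. With PIM this list also contains currently activated roles.
foreach ($a in Get-MgRoleManagementDirectoryRoleAssignment -All) {
    if ($privilegedRoles.ContainsKey($a.RoleDefinitionId)) {
        $rows.Add((New-Row 'Permanent' $a.RoleDefinitionId $a.PrincipalId $a.DirectoryScopeId $null))
    }
}

# Eligible (PIM) assignments: the principal must activate the role before it takes effect.
foreach ($e in Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All) {
    if ($privilegedRoles.ContainsKey($e.RoleDefinitionId)) {
        $rows.Add((New-Row 'Eligible' $e.RoleDefinitionId $e.PrincipalId $e.DirectoryScopeId $e.ScheduleInfo.Expiration.EndDateTime))
    }
}

# Flag the conditions a reviewer should look at first.
foreach ($row in $rows) {
    $flags = @()
    if ($row.PrincipalType -ne 'user')        { $flags += "non-user principal ($($row.PrincipalType))" }
    if ($row.AccountEnabled -eq $false)       { $flags += 'account disabled' }
    if ($row.AssignmentType -eq 'Permanent')  { $flags += 'permanent assignment (consider eligible)' }
    if ($row.AssignmentType -eq 'Eligible' -and -not $row.ExpiresOn) { $flags += 'eligible with no expiry' }
    $row.Flags = $flags -join '; '
}

$rows | Sort-Object Role, AssignmentType, Principal |
    Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
$rows | Group-Object Role | Sort-Object Count -Descending |
    Select-Object @{ n = 'Role'; e = { $_.Name } }, Count | Format-Table -AutoSize
Write-Host "Wrote $($rows.Count) privileged role assignments to $OutputPath"
```

Run it before each review cycle and keep the CSV with the review evidence: the Flags column gives reviewers a prioritised list, and diffing two cycles shows which assignments the previous review failed to remove.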

Videos
