How to Create and Manage Access Reviews for Group Owners

Access Reviews in Microsoft Entra provide a way to continuously review access to resources in your tenant. More importantly, you as the owner of your tenant can enable resource owners (of groups or Teams) to govern external users’ access to said resources themselves, thus reducing your workload and shifting the responsibility.

Many organisations rely on the collaboration features available in Microsoft 365, like Microsoft Teams, to work with external organisations on projects. A convenient way of doing this is by inviting those external users as guests to your organisation. This comes with its own governance challenges, which access reviews help solve.

Enable group owners to manage access reviews

Access reviews for group owners are disabled by default. To enable this feature, log in to your Microsoft Entra tenant as a Global Administrator and follow the below steps:

1. Expand Identity Governance and select Access reviews.

2. Select Settings, then enable Group owners can create and manage access reviews for groups they own.

Enable Access review management for group owners

Enable Group owner access reviews with Microsoft Graph PowerShell

You can also enable this feature using Microsoft Graph PowerShell.

(For steps on installing the Microsoft Graph PowerShell SDK, check out my post here.)

# Sign in with the permission scope required to update the access review policy
Connect-MgGraph -Scopes Policy.ReadWrite.AccessReview

# Request body: allow group owners to create and manage reviews for their own groups
$params = @{
	isGroupOwnerManagementEnabled = $true
}

# Apply the setting (this cmdlet lives in the Microsoft.Graph.Beta module)
Update-MgBetaPolicyAccessReviewPolicy -BodyParameter $params

Create a new access review as a group owner

Any user who is the owner of a group will now be able to create access reviews for groups they own through the Microsoft Entra admin center. Follow the below steps to create a new access review.

1. While signed in to your standard user account (without any roles), open the Identity Governance Access Reviews blade.

2. Click New access review.

New Access Review

3. On the Review type page, you will only have the option to set the Review scope to Select Teams + groups. Click Select groups and you will see only the groups you own, choose your target group and click Select.

Select the review type

4. In our scenario, I am going to create a single-stage review for the group owners to conduct. On the Reviews page, you will have the option to select specific reviewers. 

I suggest you select Group owners as the reviewer. Then create a fallback reviewers group with appointed users. If a group's owners no longer exist (for example, because they left the organisation), the fallback reviewers will be alerted of the review and can continue to maintain governance over the group.

You should also select the duration, recurrence and end date of the review, here are my recommendations:

  • Duration: 2 days
  • Review recurrence: Monthly
  • End date: Never

When managing guest users, there should never be a time when their access to your data is not being governed or reviewed. Of course, change these settings as you prefer, but ensure the end date is set to Never when reviewing guest users.

Access review settings

5. The Upon completion settings allow you to define important settings around automatic remediation. 

  • Auto-apply results to resource: If the user’s access is denied, their access to the resource will be removed automatically after the review is completed, otherwise manual remediation is required.
  • If reviewers don’t respond: I have chosen No change; however, for the strongest governance, I recommend selecting Remove access. The available options are:
    • No change
    • Remove access
    • Approve access
    • Take recommendation
  • Action to apply on denied guest users:
    • Remove the user’s membership from the resource
    • Block the user from signing in for 30 days, then remove the user from the tenant.
  • At end of review, send notification to: Sends a notification to specific users.
Upon completion settings

6. The remaining options on the settings page do not impact the outcome of the review, but they let you configure notifications and reminders for the review and surface helpful information such as the guest user's last sign-in date. This will help reviewers decide whether or not to remove access.

Access review advanced settings

7. Click Review + create, then define a review name and click Create.
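The same review that steps 1 to 7 build in the portal can be created with Microsoft Graph PowerShell. The following is an added example, not code from the original post: it assumes the Microsoft Graph PowerShell SDK is installed, that the account running it holds the AccessReview.ReadWrite.All permission, and uses placeholder values for the group ID and the fallback reviewer's user ID. It mirrors the recommendations above: group owners as reviewers, a fallback reviewer, a 2-day monthly review with no end date, recommendations enabled, auto-apply on, and Remove access as the default when reviewers do not respond.

```powershell
# Added example (not from the original post). Creates a monthly, never-ending
# access review of guest members of one group, reviewed by the group's owners.
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All'

$GroupId            = '00000000-0000-0000-0000-000000000000'   # placeholder: target group object ID
$FallbackReviewerId = '11111111-1111-1111-1111-111111111111'   # placeholder: fallback reviewer user object ID
$StartDate          = (Get-Date).ToString('yyyy-MM-dd')

$params = @{
    displayName             = 'Guest review - Project Teams'           # constructed name
    descriptionForAdmins    = 'Monthly review of guest members, owned by the group owners.'
    descriptionForReviewers = 'Confirm each guest still needs access to this group.'

    # Who is reviewed: guest users who are (transitive) members of the group
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = '/groups/' + $GroupId + '/transitiveMembers/microsoft.graph.user/?$count=true&$filter=(userType eq ''Guest'')'
        queryType     = 'MicrosoftGraph'
    }
    # Which resource the review instance is scoped to
    instanceEnumerationScope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = '/groups/' + $GroupId
        queryType     = 'MicrosoftGraph'
    }

    # Reviewers: the owners of the group (the page's recommendation)
    reviewers = @(
        @{
            query     = '/groups/' + $GroupId + '/owners'
            queryType = 'MicrosoftGraph'
        }
    )
    # Fallback reviewer, used if the group has no owners left
    fallbackReviewers = @(
        @{
            query     = '/users/' + $FallbackReviewerId
            queryType = 'MicrosoftGraph'
        }
    )

    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true   # shows last sign-in based recommendations
        autoApplyDecisionsEnabled       = $true   # "Auto-apply results to resource"
        defaultDecisionEnabled          = $true   # "If reviewers don't respond" ...
        defaultDecision                 = 'Deny'  # ... Remove access
        instanceDurationInDays          = 2       # Duration: 2 days
        # Action on denied principals: remove membership from the resource
        applyActions = @(
            @{ '@odata.type' = '#microsoft.graph.removeAccessApplyAction' }
        )
        # Review recurrence: Monthly, End date: Never
        recurrence = @{
            pattern = @{
                type     = 'absoluteMonthly'
                interval = 1
            }
            range = @{
                type      = 'noEnd'
                startDate = $StartDate
            }
        }
    }
}

$definition = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
$definition | Select-Object Id, DisplayName, Status
```

The scope and reviewer queries are plain Graph relative URLs, so the same pattern works for a Team by supplying the Team's underlying group ID. Setting defaultDecision to Deny is the Graph equivalent of choosing Remove access for non-responding reviewers; use None to match the No change option chosen in the walkthrough.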

Completing the Access Review

When the access review begins (as defined by the start date within the review settings), the reviewer of the group will receive a notification email with a link to start the review.

Start Access Review

The link will take them to the Access reviews blade within https://myaccess.microsoft.com/. You can also navigate directly to that link and then select the name of the access review you want to begin.

Select the Access review

As you can see, Entra is recommending that the user be denied access to the resource because they have been inactive in the tenant for over 30 days.

Access review action

Once access is denied, it will show as denied in the list. This action can be reversed if an incorrect decision is made.

Denied access review

Impact of denying access in an Access review

Once the reviewer has actioned the review and denied the guest access to the resource, the guest's access will be removed from the resource when the review completes.

This only happens once the duration period is finished and not instantly. For example, if the review duration is 2 days and you deny access on the first day, the guest will still have access for another day before their access is removed.
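Because a denial is only enforced when the review instance ends, it is useful for an administrator to see which decisions are still outstanding and which denied guests still hold access. The following is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK, an account with the AccessReview.Read.All permission, and a review named with the constructed placeholder below. It lists, per review instance, the number of undecided principals and the denied principals whose removal has not yet been applied.

```powershell
# Added example (not from the original post). Reports outstanding and
# not-yet-applied decisions for each instance of one access review definition.
Connect-MgGraph -Scopes 'AccessReview.Read.All'

$ReviewName = 'Guest review - Project Teams'   # constructed placeholder review name

$definition = Get-MgIdentityGovernanceAccessReviewDefinition -Filter "displayName eq '$ReviewName'" |
    Select-Object -First 1
if (-not $definition) { throw "No access review definition named '$ReviewName' was found." }

$instances = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
    -AccessReviewScheduleDefinitionId $definition.Id -All

# Only instances that are running or whose results are still being applied matter here
foreach ($instance in ($instances | Where-Object { $_.Status -in 'InProgress', 'Completed', 'Applying' })) {
    $decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
        -AccessReviewScheduleDefinitionId $definition.Id -AccessReviewInstanceId $instance.Id -All

    # Principals nobody has reviewed yet (the default decision applies to these at the end)
    $notReviewed = @($decisions | Where-Object { $_.Decision -eq 'NotReviewed' })

    # Denied principals whose removal has not been applied to the resource yet
    $deniedPending = @($decisions | Where-Object {
        $_.Decision -eq 'Deny' -and $_.ApplyResult -ne 'AppliedSuccessfully'
    })

    [pscustomobject]@{
        InstanceId          = $instance.Id
        Status              = $instance.Status
        EndsAt              = $instance.EndDateTime
        NotReviewed         = $notReviewed.Count
        DeniedNotYetApplied = $deniedPending.Count
        DeniedPrincipals    = ($deniedPending | ForEach-Object { $_.Principal.DisplayName }) -join ', '
    }
}
```

Run it against the review you created and the DeniedNotYetApplied column shows exactly the guests who, as described above, keep their access until the instance's end date passes and the auto-apply step runs.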

Wrapping up

Access reviews are a powerful tool to ensure that guest users in your tenant do not retain access to resources for longer than they need. In this post, I have demonstrated how you can delegate permission to create access reviews to the owners of groups, and hence of the collaborative resources in your tenant.

This ensures guest users are governed in larger organisations where it would not be feasible for a single team to manage them and maintain responsibility for them.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
