Enterprise Mobility and Security Blog


Howdy folks,

More cool news to share. We’ve just turned on the preview of our new Security Reviews in Azure AD Premium!

Many large organizations are required to do security reviews (what we identity geeks commonly call “attestation campaigns”) to prove that only the correct employees have access to specific important resources in order to meet government and industry compliance requirements. We’ve received a LOT of requests from customers to add support for this kind of campaign for the privileged roles in Azure AD, Intune and Office 365.

Mark Wahl, whom many of you probably already know for his deep identity expertise and industry experience, is the Principal Program Manager on our team responsible for this new set of features. He’s done a great blog post below walking you through how it all works.

This is our first foray into Cloud Based Enterprise Role Management and we’d love to receive any feedback or suggestions you have!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity and Security Services Division

—————————————————

Hi everyone,

It’s me, Mark!

We’ve recently enhanced our Azure Active Directory Privileged Identity Management preview by adding a new feature: Security Reviews. Security Reviews make it easier for you to determine whether your administrators still need to be in a privileged role for managing Azure AD/Office365/Intune, by asking them to confirm they still need that role.

We’ve heard from many of our enterprise customers that as their use of cloud services increases, often they find they’re adding more and more users to highly privileged roles in Microsoft Online Services, such as the Global Administrator role. Over time, users may still be in that role even though those privileges are no longer necessary for their current job. This poses security concerns and makes their accounts high-value targets for attacks. Security reviews help the organization stay protected, by ensuring that users periodically confirm they still need to be in those roles. Subsequent updates to Azure Active Directory will expand the scope of security reviews to other features, such as group memberships.

Security reviews have 3 steps:

  1. Select the resource and access rights to review: the security administrator picks a privileged role, such as Global Administrator, where they believe administrators might still be holding that role who no longer need it.
  2. Review of the access rights: Azure AD sends each user in that role a notification, and they respond in the Azure portal whether or not they still need that role.
  3. Complete the review: the security administrator reviews the results to decide who to remove from the role.

Getting started

Security reviews currently appear inside the Azure AD Privileged Identity Management part of the Azure preview portal, portal.azure.com.

If you are already using Azure AD Privileged Identity Management, then you can get started with security reviews immediately. If you’re not familiar with it, you can learn more about privileged identity management from the blog post and video announcing the preview back in May. To get started with Azure AD Privileged Identity Management, sign in to the Azure preview portal as a global administrator of your directory, and then:

  • Click the Marketplace tile on your Startboard
  • Click Security and Identity
  • Click the ‘Azure AD Privileged Identity Management’ item
  • Complete the wizard
  • Pin the resulting service instance to your Startboard
  • Click on the tile to get started with Azure AD Privileged Identity Management

Selecting the resource and access rights to review

As a security administrator, to get to the new security reviews section on the Azure AD Privileged Identity Management dashboard, open the Azure AD Privileged Identity Management tile from your Startboard. Then click on “Manage Identities”. To create your first security review, click on the “Active security reviews” area to bring up the security reviews list, and click the “Review” button.

The first screen in the wizard is to select the role you want to review: pick a role which one or more users have, such as Global Administrator.

Next, select who will perform the review. If you just want to test the concept of security reviews without notifying the administrators currently in the role, choose “Me” for who will review; otherwise, choose “Self review by role members”. We’ll be adding more options for delegation in the future.

Finally, pick the start and end dates for the review. For example, you might wish to give users a week to respond.

Once you click to complete the wizard, the users currently in the selected role are ready to be reviewed. Unless you selected “Me” as the reviewer option, those administrative users will get an email notification that their review has started.

Reviewing the access rights

The administrators perform their review in a new part of the Azure AD Privileged Identity Management UI, by clicking on “Review administrative access”.


For each role, they can either approve or deny, indicating whether they still need it. Selecting each user and clicking the Approve access or Deny access buttons at the bottom of the screen completes their part of the review.

Completing the security review

The security administrator can review the results of a security review in progress in the Azure AD Privileged Identity Management UI, by clicking on “Manage identities” and then the “Security reviews” section of the dashboard.

The security administrator can then drill into these results and decide what actions to take, including removing users’ role assignments or converting permanent role assignments to temporary assignments.
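To make the three-step workflow above (scope the role, members attest, administrator completes) concrete, here is an added example that models a security review end to end. It is not code from this post and not the Azure AD Privileged Identity Management API; the role names, users, dates, responses and the “escalate non-responders” rule are constructed assumptions of this model. It deliberately handles the edge cases a practitioner cares about: a role with no holders, an answer from someone who is not in the role, an answer outside the review window, an attempt to complete the review while it is still open, and a member who never responds.

```python
# Added example (not part of this post, and not the Azure AD PIM API): a
# self-contained model of a security review so the three steps can be
# traced in code. Users, roles, dates and answers are constructed samples.
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

SELF_REVIEW = "Self review by role members"   # members attest for themselves
ADMIN_ONLY = "Me"                             # admin records answers; nobody is notified

class Response(Enum):
    APPROVE = "approve"   # member still needs the role
    DENY = "deny"         # member no longer needs the role
    NONE = "none"         # nothing recorded before the review ended

@dataclass
class RoleAssignment:
    user: str
    role: str
    permanent: bool = True   # permanent vs. time-bound assignment

@dataclass
class SecurityReview:
    role: str
    reviewer: str
    start: date
    end: date
    members: list
    responses: dict = field(default_factory=dict)

def start_review(assignments, role, reviewer, start, end):
    """Step 1: scope the review to everyone currently holding `role`.
    Returns the review and the users who are notified (none for "Me")."""
    if reviewer not in (SELF_REVIEW, ADMIN_ONLY):
        raise ValueError(f"unknown reviewer option: {reviewer!r}")
    if end <= start:
        raise ValueError("review must end after it starts")
    members = sorted(a.user for a in assignments if a.role == role)
    if not members:
        raise ValueError(f"nobody holds {role!r}; nothing to review")
    review = SecurityReview(role, reviewer, start, end, members)
    return review, (members if reviewer == SELF_REVIEW else [])

def record_response(review, user, response, on):
    """Step 2: record one member's attestation. Answers for non-members or
    outside the review window are rejected rather than silently accepted."""
    if user not in review.members:
        raise PermissionError(f"{user} does not hold {review.role}")
    if not review.start <= on <= review.end:
        raise ValueError(f"answer from {user} on {on} is outside the review window")
    review.responses[user] = response

def complete_review(review, today):
    """Step 3: turn the answers into a recommended action per member. A member
    who never answered is escalated to the security administrator, not treated
    as approved (a choice of this model, not a product rule)."""
    if today < review.end and len(review.responses) < len(review.members):
        raise ValueError("review still open and some members have not answered")
    actions = {}
    for user in review.members:
        answer = review.responses.get(user, Response.NONE)
        actions[user] = {Response.APPROVE: "keep",
                         Response.DENY: "remove"}.get(answer, "escalate")
    return actions

def apply_decisions(assignments, role, decisions):
    """Apply the administrator's final decisions for `role`: 'remove' drops the
    assignment, 'make_temporary' converts a permanent one, 'keep' leaves it."""
    kept = []
    for a in assignments:
        decision = decisions.get(a.user, "keep") if a.role == role else "keep"
        if decision == "remove":
            continue
        if decision == "make_temporary" and a.permanent:
            a = RoleAssignment(a.user, a.role, permanent=False)
        kept.append(a)
    return kept

def demo():
    """Walk one constructed campaign through all three steps."""
    role = "Global Administrator"
    assignments = [
        RoleAssignment("alice@contoso.example", role),
        RoleAssignment("bob@contoso.example", role),
        RoleAssignment("carol@contoso.example", role),
        RoleAssignment("dave@contoso.example", "Billing Administrator"),
    ]
    day0 = date(2015, 9, 1)   # constructed start date; members get one week
    review, notified = start_review(assignments, role, SELF_REVIEW,
                                    day0, day0 + timedelta(days=7))
    record_response(review, "alice@contoso.example", Response.APPROVE, day0 + timedelta(days=1))
    record_response(review, "bob@contoso.example", Response.DENY, day0 + timedelta(days=2))
    # carol never responds; the review ends without her answer
    actions = complete_review(review, day0 + timedelta(days=8))
    decisions = dict(actions)
    decisions["alice@contoso.example"] = "make_temporary"   # admin: keep, but time-bound
    decisions["carol@contoso.example"] = "remove"           # admin resolves the escalation
    return review, notified, actions, apply_decisions(assignments, role, decisions)
```

Running `demo()` notifies the three Global Administrator holders, recommends keeping alice, removing bob and escalating carol, and after the administrator's decisions leaves alice with a temporary assignment and dave (who was never in scope) untouched. The escalation of non-responders is the design choice worth noting: treating silence as approval would let stale privileged assignments survive every campaign.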

In later previews we’ll expand the capabilities of this feature, including optional automatic updates of the role assignments in Azure Active Directory, and also bring the security reviews concepts to other parts of Azure AD, in particular security reviews for group memberships.


We welcome your feedback on this or any other feature in Azure AD and Azure AD Premium, so please don’t hesitate to leave comments or questions on our forum as well.

Thanks,

Mark Wahl
Principal Program Manager