Written: 29/05/2022 | Updated: N/A
So Build is in the books. And it was awesome. And I got to catch up with friends such as Vesa Nopanen, Chirag Patel, Sharon Sumner, Al Eardley, Kevin McDonnell, Chris Huntingford and Claire Smyth. I got to speak a bit on Metaverse and delivering next-gen experiences at scale at Microsoft 365. I got to start an Anti-Sticker and Pro-Golf (the car) movement with Garry Trinder. And then there was great food, and I am going to call out in particular the wall full of doughnuts up on the first floor where I was speaking. But all good things must come to an end. And by end I mean an opportunity to do other good things, such as getting back to the blog. Now, I was torn between doing something quick and dirty this week and doing something a bit more intricate. This is because Stranger Things Season 4 came out a few days ago. But however interesting the Mind-Flayer, the Demogorgon or whoever they got this time running around going off their nut in Hawkins may be, Azure AD has a few new pieces currently in Preview regarding the old Identity Governance. So this is going to show off both multi-stage access reviews and the new ability to remove inactive Azure AD users within the context of Teams. This will be another tool in the toolkit for dealing with stale users and stale guests, any of which could be used to get through to your users or your data.
Sorry Eleven. Let's go.
This blog will cover:
- Setting up the Multi-Stage Access Review for Inactive Users
- The Access Review
PREREQUISITES
- Azure AD P2 for every person doing the access review
- Global Administrator, User Administrator or Identity Governance Administrator for setting up
- Teams Licence (within Microsoft 365 Licence) for testing
You are an administrator for your organisation. Someone in your organisation has told you they are part of a team with users who left your organisation long ago. There are also guests who worked on former projects but, as far as they knew, their work with your organisation finished last year. The members of the team are therefore not who they ought to be. What you can now do is set up an Access Review so that anyone in the Team (and therefore the Microsoft 365 Group) who has not logged onto the tenant for x days is removed from the organisation. This access review can be multi-stage; in other words, it can pass through multiple people to decide whether they should continue to exist.
SETTING UP THE MULTI-STAGE ACCESS REVIEW FOR INACTIVE USERS
1.) Log in with administrator credentials to https://login.microsoftonline.com
2.) From the left app rail, or via the waffle (top left) select Admin
3.) In the M365 Admin Centre from the left navigation select Show All and then Azure Active Directory
4.) In Azure Active Directory, from the left navigation select Azure Active Directory
5.) Select Identity Governance
6.) Select Access Reviews
7.) Select New Access Review
8.) First, under What to Review select Teams + Groups
9.) Then, for Review Scope select Select Teams + Groups. This can be applied across the whole organisation in terms of guests, however in this example we’ll stay small with a single team
10.) For Group select +Select Group(s) and then select the group (here with the example of the Microsoft 365 Group Azure AD)
11.) Under Scope this example will choose All Users. In other words, this will not just review guests within that Team and Microsoft 365 Group; it will be an access review of all members, even those from our own organisation
12.) Now comes the part with setting the review to be about Inactive Users. In other words, this access review will apply to both guests outside our organisation and users within our organisation if they haven’t accessed it for a period of time. Tick the Box Inactive Users (on tenant level) only and then set the number of days inactive. This example stays with the default of 30.
Once done, select the button at the bottom Select:Reviews
13.) First, tick the box (preview) Multi Stage Review
14.) Now complete the First Stage Review.
- Select Reviewers: This can be the group owner (Team Owner), the manager of the user, a selected user or even the user themselves if they are self attesting. This example uses a selected user.
- User(s) or Group(s): The selected user
- Stage Duration: The number of days the first access reviewer has to do the reviews of the
15.) Rinse and repeat for the Second Stage Review. It is possible to add another stage here. As shown, the access review will move first through Chris and then Vesku in an identical manner; however, with multi-stage the options are many and varied. You could have users self-attest before an IT administrator does, or you could have a team owner review before an IT administrator. Note that if you do use self-attestation, the users themselves would need AAD P2 licences
16.) Now complete the further details about the review
- Reveal Review Results: determines whether previous stage decisions are shown. In this example the box is ticked so Vesku can see Chris’ decisions
- Recurrence of Review: specifies how often the review will take place. This example uses monthly with the review never expiring
- Specify Reviewees to go to next stage: this lets the access review weed out stale accounts that are denied at an earlier stage, so they are not carried forward or deferred to a later stage. This example ensures all go through (approved, denied, missed or don’t know) to the later stage
Once done, select Next: Settings
17.) Complete the Upon Completion settings: what happens when the review is complete
- Auto-apply results to resource: in other words, when the review is complete, automatically apply the decision to the user/guest (e.g. if denied, remove them). This example ticks the box
- If reviewers don’t respond: what happens if the user/guest goes through the access review and the reviewers in the multi-stage do not give a response, or forget to review. This example sets Remove
- At the end of review, send notification to: you can send a notification to a user or group
18.) Complete the Decision Helpers and Advanced Settings
- Decision helpers are recommended actions by Microsoft for reviewers
- Justification required means a reviewer must provide a justification when approving a user to remain in the Team/Microsoft 365 Group/tenant
- Email Notifications ensures email notifications for reviewers are on
- Reminders: sends reminders to the reviewers to complete their reviews
These are all tick boxes which in this example are ticked. Once done, select Next: Review + Create
19.) Give the access review a name – here called Multistage Inactive, review the access review settings to ensure they are as they should be, and then select Create
20.) The access review is now created. Selecting the review, you can now go back in and manage it. From the details below, 9 users and 0 guests qualified for this access review as they have not logged into the tenant within 30 days
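The same configuration can be expressed as a Microsoft Graph access review definition, which is useful when you want the review created repeatably rather than clicked through. This is an added example, not code from the original post: the group id and reviewer ids are placeholders, and the property names follow the Graph accessReviewScheduleDefinition schema as recalled by the author of this example, so verify them against the current Graph reference before posting the body to /identityGovernance/accessReviews/definitions.

```python
"""Build a Graph request body for a multi-stage access review of a group's
inactive members, mirroring the portal steps above. Assumption: property
names match Graph's accessReviewScheduleDefinition; verify before use."""
from datetime import date

MAX_INACTIVE_DAYS = 720  # portal ceiling quoted in the FAQ (2 years)


def build_inactive_user_review(group_id, stage_reviewer_ids, inactive_days=30,
                               stage_days=1, display_name="Multistage Inactive"):
    """Return the JSON body. One stage per reviewer id, chained in order."""
    if not 1 <= inactive_days <= MAX_INACTIVE_DAYS:
        raise ValueError(f"inactive_days must be 1..{MAX_INACTIVE_DAYS}")
    if not stage_reviewer_ids:
        raise ValueError("at least one stage reviewer is required")
    stages = []
    for i, reviewer in enumerate(stage_reviewer_ids, start=1):
        stage = {
            "stageId": str(i),
            "durationInDays": stage_days,
            "recommendationsEnabled": True,  # decision helpers (step 18)
            # step 16: carry every outcome forward to the next stage
            "decisionsThatWillMoveToNextStage": ["Approve", "Deny", "NotReviewed", "DontKnow"],
            "reviewers": [{"query": f"/users/{reviewer}", "queryType": "MicrosoftGraph"}],
        }
        if i > 1:
            stage["dependsOn"] = [str(i - 1)]  # stage i runs only after stage i-1
        stages.append(stage)
    return {
        "displayName": display_name,
        "scope": {  # All Users in the group, filtered to tenant-level inactivity (steps 11-12)
            "@odata.type": "#microsoft.graph.accessReviewInactiveUsersQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
            "inactiveDuration": f"P{inactive_days}D",  # ISO 8601 duration
        },
        "stageSettings": stages,
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "defaultDecisionEnabled": True,
            "defaultDecision": "Deny",  # "If reviewers don't respond": Remove (step 17)
            "autoApplyDecisionsEnabled": True,
            "recommendationsEnabled": True,
            "instanceDurationInDays": stage_days * len(stages),
            "recurrence": {  # monthly, never expiring (step 16)
                "pattern": {"type": "absoluteMonthly", "interval": 1},
                "range": {"type": "noEnd", "startDate": date.today().isoformat()},
            },
        },
    }
```

Because the default decision is Deny and auto-apply is on, a mistake in the inactivity window or the reviewer chain removes accounts from the tenant, so keep the validation and review the body before submitting it.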
THE ACCESS REVIEW
How does the review itself go? In this case, due to the settings chosen during setup, the review begins with an email to the selected user in the first stage review. They go to Outlook either via their desktop client or via the web app through https://login.microsoftonline.com
1.) Select Outlook
2.) The email asks to start the access review. Select Start Review
3.) The first stage reviewer is taken to https://myaccess.microsoft.com/. Here, the reviewer can decide whether to approve, deny, set don’t know (defer) or accept the recommendations (accepting the recommendations is based upon the decision helpers enabled within the access review)
4.) This example is going to batch approve the users by selecting them all, selecting Approve and then entering a justification. Again, the justification step was configured when setting up the access review
5.) At this point all the users who qualify for the access review have not yet moved to the second stage, as the first stage lasts, as per the setup, for 1 day before moving to the second stage. In this period Chris could change his mind based upon new information received and come back to deny specific users or guests on the strength of that information. One of the great features of access reviews is that they are not simply instant, because a quick decision could lead to removal from the tenant, which could cause another issue
Once the same process has been completed for the second stage, which is exactly the same as this one with its 1-day review, the action is taken upon the users and guests. Any approved users and guests keep their access. Any denied users and guests lose their access and, because we are focussing on inactive users, are removed from the tenant. Anyone without a response is removed per the configuration, and anyone in the Don’t know bucket (since many people ask me what happens here) is actually kept but audited.
All this was roughly set up in the space of an hour. Granted, I have worked with Identity Governance, Access Reviews, Entitlement Management and PIM many times previously, but both multi-stage reviews and inactive users fit into the existing setup, so experienced administrators should find this quite easy to implement
Q.) What is the scope of the inactive users? Does it cover guests in standalone SharePoint Sites?
A.) Not currently. It covers Microsoft 365 Groups, Security Groups and Apps. In this case, you would look to Teamify the SPO Site and then remove and re-add the guests.
Q.) What is the licencing?
A.) Azure AD P2 for anyone who does an access review. If users within the org self-attest, they also have to have P2. With guests, you would look to use External Identities and link an Azure subscription, which covers the first 50,000 guests for free and goes beyond the 1:5 user-to-guest ratio.
Q.) Would I seriously do this via a Team?
A.) Yes, as this is not specifically about what Team the user or guest is in; inactive users focusses on whether the user or guest has accessed the tenant within a period of time. In other words, if they haven’t accessed the tenant in a long time, they are probably no longer part of, or working with, the organisation. Administrators may prefer security groups, or setting up different access reviews for their guests as opposed to their users. This blog is really applying it to Teams whilst showing the functionality of multi-stage reviews and inactive users
Q.) How many stages can multi-stage go up to?
A.) At least 3. I haven’t tested any more than that
Q.) How many inactive days can you go up to?
A.) 720 days, or 2 years