Entra ID Access Reviews Based on User Affiliation Won’t Work Without an Accurate Directory
I like the idea behind Azure AD (Entra ID) Access Reviews and have previously described their use to identify inactive guest members of Microsoft 365 groups. I’ve also covered how to use the Graph API to retrieve information about Access Reviews.
Access reviews are a premium identity governance feature, which means that the people involved in reviews need Azure AD Premium P2 licenses (more on this later). Given that automation saves time, paying for a few P2 licenses is not a big deal.
Which brings us to the July 17 announcement covering two new features for Access reviews:
- Machine learning powered access review recommendations (user to group affiliation).
- User inactivity access review scoping.
Artificial Intelligence Everywhere
As everyone knows, Microsoft’s current big bet is the application of machine learning and artificial intelligence wherever possible within their products. Microsoft 365 Copilot is the poster child for this initiative, but I have my doubts that many organizations will seize the opportunity to buy $30 monthly licenses to help people create better documents or process email more quickly. Yes, it’s only a dollar a day, but a dollar a day across an entire organization soon becomes big money, especially if you need to buy Microsoft 365 E3 or E5 licenses to become eligible to use Copilot.
Directory Accuracy Key for User-to-Group Affiliation in Entra ID Access Reviews
According to Microsoft’s documentation, “Machine Learning based recommendation opens the journey to automate access reviews, thereby enabling intelligent automation and reducing access rights attestation fatigue.” That’s quite a promise. In reality, recommendations based on user-to-group affiliation mean that access reviews use a machine learning-based score to figure out whether group members are close to or far from the other group members in terms of the organization’s reporting structure.
In other words, if you are in a team with another person and share the same manager, you have high affiliation. Someone else who works in a completely different part of the organization and has a manager who has no relationship in the reporting structure to another in your reporting chain has low affiliation with you and your co-workers.
This is yet another example of a Microsoft feature that depends on a high level of accuracy for manager-employee links in the directory. Unhappily, the directory of some tenants is sadly neglected, with just enough attention being paid to ensure that users can sign into their accounts. Maintaining organizational information so that Teams, the Microsoft 365 user profile, and Outlook’s Org Explorer can display accurate organization charts is not as high on the agenda as Microsoft obviously thinks it should be.
Finding Inactive Group Members
Machine learning to analyze user affiliation won’t work for guest members of Microsoft 365 groups because these accounts usually aren’t part of the organization’s reporting structure. What Microsoft calls “User inactivity access review scoping” means checking sign-in logs to establish if an account has signed in within a set period (like 30 days). If they haven’t signed in, the account is deemed to be inactive and becomes a candidate for removal from the group.
Although it’s got a spiffing new name, this feature was in public preview for a long time and is a blunt instrument for detecting inactivity. For instance, many guests participate in group discussions via email. They don’t need to sign into the host tenant to receive copies of group discussions.
Testing Entra ID Access Reviews with Affiliation
In any case, I decided to try out the new features. After creating a new access review and requesting that the review should include user-to-group affiliation, I saw that Entra ID politely rejected my request (Figure 1).
The answer lies in the fact that access reviews that include user-to-group affiliation or inactive users require Microsoft Entra ID Governance licenses. I have Azure AD Premium P1 and P2 licenses, but no governance licenses.
“ID Governance can be added to Azure AD Premium P1 or P2 licenses as a cost-effective way to bring comprehensive identity governance to all employees and business guests, for $7 per user per month for Azure AD Premium Plan 1 (P1) customers.”
Microsoft offers a 1-month free trial of 25 licenses for Microsoft Entra ID Governance. In this instance, I’ll pass. Perhaps the delights of Entra ID Governance will attract me in the future. It’s just disappointing to find that features are blocked because of new licensing demands.
Reviewing Guests is a Good Idea, and You Don’t Need Entra ID Access Reviews to Check
It’s sensible to review guest accounts regularly and remove those that are no longer used for B2B collaboration (guest accounts in Teams and groups) or SharePoint sharing. You don’t need Access Reviews to check guest accounts: some basic PowerShell will do the trick. And if you only want to find old guest accounts over a certain age, you can do that with this script. Better still, neither script needs any additional licenses.
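As an added example (not one of the scripts linked from this post, and not Microsoft’s code), here is how the two checks discussed above can be combined in one pass with the Microsoft Graph PowerShell SDK: the sign-in inactivity test that “User inactivity access review scoping” performs (an account with no sign-in inside a window such as 30 days), and the account-age test for old guest accounts. The function name, parameter names and thresholds are assumptions for illustration. Reading signInActivity needs the AuditLog.Read.All permission and an Azure AD Premium P1 or P2 license, which the post already has, but no Governance license. The script only reports; the email-only guests described in the inactivity section never sign in and would look inactive here, so a human still decides what to remove.

```powershell
# Added example: report guest accounts that look stale by combining sign-in
# inactivity with account age. Not part of the original post or Microsoft's code.
# Assumes the Microsoft.Graph.Users module is installed.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

function Get-StaleGuestReport {
    param (
        # A guest counts as inactive when its newest sign-in is older than this
        # (the 30-day window used as the example in the post).
        [int]$InactiveDays = 30,
        # Guests invited more recently than this are flagged separately: they
        # may simply not have accepted the invitation yet.
        [int]$MinimumAgeDays = 90
    )

    $now = Get-Date
    $inactiveCutoff = $now.AddDays(-$InactiveDays)
    $ageCutoff = $now.AddDays(-$MinimumAgeDays)

    # signInActivity is only returned when requested explicitly via -Property.
    [array]$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id, DisplayName, Mail, CreatedDateTime, SignInActivity

    foreach ($guest in $guests) {
        # Take whichever timestamp is newer: a non-interactive sign-in
        # (for example a token refresh from a mobile client) is still activity.
        $lastSignIn = @(
            $guest.SignInActivity.LastSignInDateTime,
            $guest.SignInActivity.LastNonInteractiveSignInDateTime
        ) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

        if ($guest.CreatedDateTime -gt $ageCutoff) {
            $status = 'Recently invited'
        }
        elseif (-not $lastSignIn) {
            $status = 'Never signed in'
        }
        elseif ($lastSignIn -lt $inactiveCutoff) {
            $status = 'Inactive'
        }
        else {
            $status = 'Active'
        }

        [PSCustomObject]@{
            DisplayName = $guest.DisplayName
            Mail        = $guest.Mail
            Created     = $guest.CreatedDateTime
            LastSignIn  = $lastSignIn
            Status      = $status
        }
    }
}

# Produce a review list rather than removing anything: a guest who only takes
# part in group conversations by email never signs in and still shows here.
Get-StaleGuestReport -InactiveDays 30 -MinimumAgeDays 90 |
    Where-Object { $_.Status -in 'Inactive', 'Never signed in' } |
    Sort-Object LastSignIn |
    Export-Csv -Path .\StaleGuests.csv -NoTypeInformation
```

Raising -MinimumAgeDays keeps freshly invited guests out of the candidate list, and the CSV gives the group owners the same per-account evidence (last sign-in, creation date) an access review would show them, without the Governance licensing requirement.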
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.