Access Reviews: Azure AD Roles
How to conduct access reviews for user > role assignments in Microsoft Azure AD (Entra ID).
Overview
This document describes how to create an Access Review Configuration you can use to periodically review and certify role assignments for Azure AD users in your organization.
In Microsoft Azure AD, roles provide permissions within the Identity Provider. For example, you can assign roles to allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names. Regularly reviewing these role assignments is important to limit the blast radius of compromised identities, and enforce least privilege access to your identity provider.
Roles can be built-in or customer-defined. Built-in roles cover common sets of permissions needed for development, administration, auditing, and other functions. Custom roles are typically created to provide specific sets of permissions to address edge cases or complex business requirements.
Before you start
Microsoft Azure AD is now the Microsoft Entra ID product. Veza uses the legacy term Azure AD to identify the Azure service and users, apps, groups, and roles in a domain.
You will need:
Create an access review configuration
Open the builder to create an access review configuration:
1.1. Log in to Veza and go to Access Reviews > Configurations.
1.2. Click New Configuration to open the review builder.
1.3. Give the configuration a name and description to communicate the purpose of the review to other reviewers and operators.
Define the scope of the review:
Use the Review Scope section of the configuration builder to search for related Azure AD User and Azure AD Role.
2.1. For the Source Entity Type, search for Azure AD User and select it.
2.2. For the Destination Entity Type, click to open the menu and scroll down to search for Azure AD Role.
You can optionally review just built-in or custom roles by adding an attribute filter on the Azure AD Role attribute
Builtin
, which can beTrue
orFalse
.Create a review:
4.1. Click Save to open the Configuration Details.
4.2. From the configuration details, click New Review.
4.3. Click Create to make the review available without publishing it.
From the configuration details, in the Active Reviews section, click the review name or click Open next to the one you just created.
Review Access: Azure AD User to Azure AD Role
The reviewer interface shows a unique row for each Azure AD User and Azure AD Role assignment. Review the table to confirm that users have appropriate access rights based on their operational roles and responsibilities.
Hover over a row and click the Details icon to open the sidebar. Add columns or use the details sidebar to see more attributes for each user and role, such as activity status or role type.
To approve or reject access and finish the review:
Click the Approve ✅ or Reject ❌ icon for each row to make an initial decision.
Make decisions final by clicking Sign-off at the top right.
Finish the review by deciding and signing off on all rows. Once all rows have a decision, click Complete Review on the top right.
See also
Last updated