Access Reviews: Active Directory Security Groups
How to review security group assignments for user principals in Microsoft Active Directory.
Last updated
How to review security group assignments for user principals in Microsoft Active Directory.
Last updated
In Microsoft Active Directory, human and machine principals, known as users and service accounts, are assigned to security groups and distribution groups for management and administration. Security groups are used to assign user rights and permissions on shared resources, while distribution groups are used for email distribution lists.
Regularly reviewing the security groups to which users are assigned is crucial for maintaining security and compliance within Active Directory. Ensuring that only authorized users have access to sensitive information and resources can prevent potential security breaches, and is typically required by organizational policy.
This document describes how to create an Access Reviews configuration to periodically review and certify Active Directory User to Active Directory Group relationships in your organization, with a focus on built-in security groups.
You will need:
An Active Directory domain integration added in Veza.
The Veza admin or operator role, required to create configurations and start access reviews.
Open the builder to create an access review configuration:
1.1. Log in to Veza and go to Access Reviews > Configurations.
1.2. Click New Configuration to open the review builder.
1.3. Give the configuration a name and description to communicate the purpose of the Access Review to other reviewers and operators.
Define the scope of the access review: Use the Review Scope section of the configuration builder to search for related Active Directory User and Active Directory Group.
2.1. For the Source Entity Type, search for Active Directory User and select it.
2.2. For the Destination Entity Type, click to open the menu and scroll down to search for **Active Directory Group
2.3. Expand Advanced Options and enable Summary Entities.
Choose Active Directory Group from the dropdown. This will show the relationships between any intermediate groups that result in a specific group membership.
2.4. Add an attribute filter to only include security groups. In the Filters section, click Add Filter Group and select Active Directory Group as the entity type to filter. Save the filter Is Security Group Equals True.
Create a review:
3.1. Click Save to open the Configuration Details.
3.2. From the configuration details, click New Review.
3.3. Click Create to make the review available without publishing it.
From the configuration details, in the Active Reviews section, click the review name or click Open next to the one you just created.
The reviewer interface shows a unique row for each Active Directory User to Active Directory Group assignment. Inspect each row to approve or reject the access, checking for assignments that are unnecessary or incorrect.
Customizing the reviewer interface can improve visual clarity and aid in decision-making. For this review, click Columns above the table of rows. Scroll or type to search for an attribute to show or hide:
Enable the Summary Entities column to show inherited access when assignments involve groups assigned to other groups.
Search for User “IdP Unique ID” and deselect it, unless this is needed to differentiate between users with the same name.
Search for and enable User “Department” and User “Is Active.” These attributes can help determine whether a group is appropriate for a user.
Enable Destination “Group Type” to show the group scope.
Hover over a row and click the Details icon to open the sidebar. Add columns or use the details sidebar to see more attributes for the user or group. If the Summary Entities column includes many nodes, click on an entity to show the full name and exact order.
Click the Approve ✅ or Reject ❌ icon for each row to make an initial decision.
Make decisions final by clicking Sign-off at the top right.
Finish the review by deciding and signing off on all rows. Once all rows have a decision, click Complete Review on the top right.
