# Access Reviews: Active Directory Security Groups

### Overview

In Microsoft Active Directory, human and machine principals, known as *users* and *service accounts*, are assigned to *security groups* and *distribution groups* for management and administration. *Security groups* are used to assign user rights and permissions on shared resources, while *distribution groups* are used for email distribution lists.

Regularly reviewing the *security groups* to which users are assigned is crucial for maintaining security and compliance within Active Directory. Ensuring that only authorized users have access to sensitive information and resources can prevent potential security breaches, and is typically required by organizational policy.

This document describes how to create an Access Reviews configuration to periodically review and certify Active Directory User to Active Directory Group relationships in your organization, with a focus on built-in security groups.

### Before you start

You will need:

* An [Active Directory](/4yItIzMvkpAvMVFAamTf/integrations/integrations/active-directory.md) domain integration added in Veza.
* The Veza admin or operator [role](/4yItIzMvkpAvMVFAamTf/administration/administration/users/roles.md), required to create configurations and start access reviews.

### Create a review configuration

1. Open the builder to create an access review configuration:

   1.1. Log in to Veza and go to **Access Reviews** > **Configurations**.

   1.2. Click **New Configuration** to open the review builder.

   1.3. Give the configuration a name and description to communicate the purpose of the Access Review to other reviewers and operators.
2. Define the scope of the access review. Use the **Review Scope** section of the configuration builder to choose the Active Directory User and Active Directory Group entity types whose relationships will be reviewed.

   2.1. For the **Source Entity Type**, search for **Active Directory User** and select it.

   2.2. For the **Destination Entity Type**, click to open the menu and scroll down to search for **Active Directory Group**, then select it.

   2.3. Expand **Advanced Options** and enable **Summary Entities**.

   Choose **Active Directory Group** from the dropdown. This shows the chain of intermediate groups through which a user inherits membership in a given group, rather than only direct assignments.

   ![Review scope: Active Directory Security Groups.](/files/Zh6BgFfY8ONWWDimKzcs)

   2.4. Add an attribute filter to only include security groups. In the **Filters** section, click **Add Filter Group** and select **Active Directory Group** as the entity type to filter. Save the filter `Is Security Group` `Equals` `True`.

   ![Adding a filter on Active Directory Security Groups.](/files/BdXyFFINk1GR3qJ3ScHR)
3. Create a review:

   3.1. Click **Save** to open the **Configuration Details**.

   3.2. From the configuration details, click **New Review**.

   3.3. Click **Create** to make the review available without publishing it.
4. From the configuration details, in the **Active Reviews** section, click the review name or click **Open** next to the one you just created.
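To make the rows that this configuration produces concrete, the following Python script is an added example (it is not Veza code and not part of the original page). It resolves user-to-security-group rows from a small constructed directory snapshot: it applies the `Is Security Group` filter by decoding the documented Active Directory `groupType` bitmask, records the intermediate groups that the **Summary Entities** column would show (including a nested-group loop, which real directories sometimes contain), and flags rows held by disabled accounts, the kind of check the **Is Active** attribute supports during review. All group and user names are hypothetical.

```python
from collections import deque

# Active Directory groupType bit flags (documented Microsoft values).
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# Constructed sample snapshot (hypothetical names, not from a real domain).
# groupType is stored as a signed 32-bit integer, as LDAP returns it.
GROUPS = {
    "CN=Domain Admins": {"groupType": -2147483646, "member": ["CN=Tier0-Ops"]},
    "CN=Tier0-Ops": {"groupType": -2147483646, "member": ["CN=alice", "CN=bob"]},
    # Distribution group: mail only, grants no rights, excluded by the filter.
    "CN=Finance-DL": {"groupType": 2, "member": ["CN=carol", "CN=alice"]},
    # Two domain-local security groups nested in each other (a loop).
    "CN=Finance-Share": {"groupType": -2147483644, "member": ["CN=carol", "CN=Finance-Nested"]},
    "CN=Finance-Nested": {"groupType": -2147483644, "member": ["CN=Finance-Share", "CN=dave"]},
}
USERS = {
    "CN=alice": {"department": "IT", "enabled": True},
    "CN=bob": {"department": "IT", "enabled": False},
    "CN=carol": {"department": "Finance", "enabled": True},
    "CN=dave": {"department": "Finance", "enabled": True},
}


def is_security_group(group_type):
    """True when the SECURITY_ENABLED bit is set (the 'Is Security Group' filter)."""
    return (group_type & 0xFFFFFFFF) & GROUP_TYPE_SECURITY_ENABLED != 0


def group_scope(group_type):
    """Decode the scope bits that the 'Group Type' column displays."""
    bits = group_type & 0xFFFFFFFF
    if bits & GROUP_TYPE_GLOBAL:
        return "Global"
    if bits & GROUP_TYPE_DOMAIN_LOCAL:
        return "DomainLocal"
    if bits & GROUP_TYPE_UNIVERSAL:
        return "Universal"
    return "Unknown"


def effective_memberships(groups=GROUPS, users=USERS):
    """Return {(user_dn, group_dn): summary_path} for every security group.

    Each security group is walked breadth-first through its nested members.
    Direct members get an empty path; inherited members get the tuple of
    intermediate groups (what the Summary Entities column shows), shortest
    chain first. A per-group visited set stops nested-group loops.
    """
    rows = {}
    for group_dn, attrs in groups.items():
        if not is_security_group(attrs["groupType"]):
            continue  # skip distribution groups, as the review filter does
        visited = {group_dn}
        queue = deque([(group_dn, ())])
        while queue:
            current, path = queue.popleft()
            for member in groups[current]["member"]:
                if member in users:
                    rows.setdefault((member, group_dn), path)
                elif member in groups and member not in visited:
                    visited.add(member)
                    queue.append((member, path + (member,)))
    return rows


def review_flags(rows=None, users=USERS):
    """Rows that deserve a closer look before approval: security-group
    access still held by a disabled account."""
    if rows is None:
        rows = effective_memberships()
    return [
        (user_dn, group_dn, "account disabled")
        for (user_dn, group_dn) in rows
        if not users[user_dn]["enabled"]
    ]


if __name__ == "__main__":
    rows = effective_memberships()
    for (user_dn, group_dn), path in sorted(rows.items()):
        via = " -> ".join(path) if path else "(direct)"
        print(f"{user_dn:10} {group_dn:18} {group_scope(GROUPS[group_dn]['groupType']):12} via {via}")
    for flag in review_flags(rows):
        print("FLAG:", *flag)
```

Running the script lists one row per user-to-security-group assignment, as the reviewer interface does, with the nested path beside each inherited one; the two flagged rows show a disabled account still holding membership in privileged groups, which a reviewer would normally reject.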

### Review Access: Active Directory User to Active Directory Security Group

The reviewer interface shows a unique row for each Active Directory User to Active Directory Group assignment. Inspect each row to approve or reject the access, checking for assignments that are unnecessary or incorrect.

{% hint style="success" %}
Customizing the reviewer interface can improve visual clarity and aid in decision-making. For this review, click **Columns** above the table of rows. Scroll or type to search for an attribute to show or hide:

1. Enable the **Summary Entities** column to show inherited access when assignments involve groups assigned to other groups.
2. Search for **User “IdP Unique ID”** and deselect it, unless this is needed to differentiate between users with the same name.
3. Search for and enable **User “Department”** and **User “Is Active.”** These attributes can help determine whether a group is appropriate for a user.
4. Enable **Destination “Group Type”** to show the group scope.
{% endhint %}

![Access review: Active Directory Security Groups](/files/UX59R5mRX5xBNPvMJpKz)

Hover over a row and click the **Details** icon to open the sidebar. Add columns or use the details sidebar to see more attributes for the user or group. If the **Summary Entities** column includes many nodes, click on an entity to show the full name and exact order.

1. Click the **Approve ✅** or **Reject ❌** icon for each row to make an initial decision.
2. Make decisions final by clicking **Sign-off** at the top right.
3. Finish the review by deciding and signing off on all rows. Once all rows have a decision, click **Complete Review** on the top right.

### See also

* [Access Reviewer's Guide](/4yItIzMvkpAvMVFAamTf/features/access-reviews/access-reviewer-guide.md)
* [Integration Guide: Microsoft Active Directory](/4yItIzMvkpAvMVFAamTf/integrations/integrations/active-directory.md)
