Access Reviews: Azure AD Roles

How to conduct access reviews for user-to-role assignments in Microsoft Azure AD (Entra ID).

Overview

This document describes how to create an Access Reviews configuration you can use to periodically review and certify role assignments for Microsoft Azure AD users in your organization.

In Azure AD, roles grant permissions within the identity provider itself. For example, a role can allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names. Because these roles control the identity provider, regularly reviewing who holds them limits the blast radius of a compromised identity and enforces least privilege over the identity provider.

Roles can be built-in or custom (customer-defined). Built-in roles cover common sets of permissions needed for development, administration, auditing, and other functions. Custom roles are typically created to grant specific sets of permissions for edge cases or complex business requirements.

You can restrict a review to users assigned to built-in roles or to custom roles with an attribute filter, described in the instructions below. To review users holding one specific role, use the Select a single entity option in the query builder to choose that role by name.

Before you start

Microsoft Azure AD is now the Microsoft Entra ID product. Veza uses the legacy term Azure AD to identify the Azure service and users, apps, groups, and roles in a domain.

You will need:

  • A configured Azure integration. Veza discovers the Azure AD service by default when connecting to your organization's tenant.

  • The Veza admin or operator role, required to create configurations and start access reviews.

Create an access review configuration

  1. Open the builder to create an access review configuration:

    1.1. Log in to Veza and go to Access Reviews > Configurations.

    1.2. Click New Configuration to open the review builder.

    1.3. Give the configuration a name and description to communicate the purpose of the review to other reviewers and operators.

  2. Define the scope of the review:

    Use the Review Scope section of the configuration builder to relate Azure AD User entities to Azure AD Role entities.

    2.1. For the Source Entity Type, search for Azure AD User and select it.

    2.2. For the Destination Entity Type, click to open the menu and scroll down to search for Azure AD Role.

  3. To review only users assigned to built-in roles, add an attribute filter on the Azure AD Role attribute Builtin. The value is true for built-in roles and false for custom roles, so the same filter with the value false scopes a review to custom roles instead:

    3.1. Under Filters > Attributes, click Add Filter Group.

    3.2. Choose Azure AD Role as the entity type to apply the filter to.

    3.3. In Filter Group 1, create the filter:

    • Attribute Field "Builtin"

    • Operator "Equals"

    • Attribute Value "True".

    3.4. Save the filter.

  4. Create a review:

    4.1. Click Save to open the Configuration Details.

    4.2. From the configuration details, click New Review.

    4.3. Click Create to make the review available without publishing it.

  5. From the configuration details, in the Active Reviews section, click the review name or click Open next to the one you just created.

Review Access: Azure AD User to Azure AD Role

The reviewer interface shows one row for each Azure AD User to Azure AD Role assignment. Review the table to confirm that each user's role is appropriate for their operational responsibilities.

Hover over a row and click the Details icon to open the sidebar. Add columns or use the details sidebar to see more attributes for each user and role, such as activity status or role type.

To approve or reject access and finish the review:

  1. Click the Approve ✅ or Reject ❌ icon for each row to make an initial decision.

  2. Make decisions final by clicking Sign-off at the top right.

  3. Finish the review by deciding and signing off on every row. The review cannot be completed while any row is undecided; once all rows have a decision, click Complete Review at the top right.
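The following is an added example, not Veza code and not part of the original page. It rebuilds the review scope from the two procedures above offline, so a reviewer can cross-check what the Veza review should contain against an independent export: the rows are Azure AD User to Azure AD Role assignments, the Builtin filter from step 3 keeps only built-in roles, and the completion rule from the reviewer interface (every row needs a decision before Complete Review) is enforced in code. The sample data is constructed for the example; its field names follow the shape of Microsoft Graph's unifiedRoleDefinition, unifiedRoleAssignment and user resources, which is an assumption about the export format rather than anything the page states.

```python
from dataclasses import dataclass

# Constructed sample data (assumption: field names follow Microsoft Graph's
# unifiedRoleDefinition / unifiedRoleAssignment / user resources; all values invented).
ROLE_DEFINITIONS = [
    {"id": "role-ga",   "displayName": "Global Administrator",  "isBuiltIn": True},
    {"id": "role-ua",   "displayName": "User Administrator",    "isBuiltIn": True},
    {"id": "role-cust", "displayName": "Custom App Onboarding", "isBuiltIn": False},
]
PRINCIPALS = [
    {"id": "u-alice", "@odata.type": "#microsoft.graph.user",
     "userPrincipalName": "alice@example.com", "accountEnabled": True},
    {"id": "u-bob", "@odata.type": "#microsoft.graph.user",
     "userPrincipalName": "bob@example.com", "accountEnabled": False},
    {"id": "sp-ci", "@odata.type": "#microsoft.graph.servicePrincipal",
     "displayName": "ci-pipeline"},
]
ROLE_ASSIGNMENTS = [
    {"principalId": "u-alice", "roleDefinitionId": "role-ga",   "directoryScopeId": "/"},
    {"principalId": "u-alice", "roleDefinitionId": "role-cust", "directoryScopeId": "/"},
    {"principalId": "u-bob",   "roleDefinitionId": "role-ua",   "directoryScopeId": "/"},
    {"principalId": "sp-ci",   "roleDefinitionId": "role-ua",   "directoryScopeId": "/"},
    {"principalId": "u-ghost", "roleDefinitionId": "role-ga",   "directoryScopeId": "/"},
]


@dataclass(frozen=True)
class ReviewRow:
    """One reviewer-interface row: a single user-to-role assignment."""
    user: str
    role: str
    scope: str
    builtin: bool
    account_enabled: bool


def build_review_rows(assignments, definitions, principals, builtin_only=True):
    """Source entity = Azure AD User, destination = Azure AD Role.
    builtin_only mirrors the filter Builtin Equals True from step 3.
    Non-user principals (service principals, groups) are out of scope for a
    user-to-role review and are skipped. Assignments whose role or principal
    cannot be resolved are returned separately so they are surfaced, not lost."""
    defs = {d["id"]: d for d in definitions}
    known = {p["id"]: p for p in principals}
    rows, unresolved = [], []
    for a in assignments:
        role = defs.get(a["roleDefinitionId"])
        principal = known.get(a["principalId"])
        if role is None or principal is None:
            unresolved.append(a)
            continue
        if principal.get("@odata.type") != "#microsoft.graph.user":
            continue
        if builtin_only and not role["isBuiltIn"]:
            continue
        rows.append(ReviewRow(principal["userPrincipalName"], role["displayName"],
                              a["directoryScopeId"], role["isBuiltIn"],
                              principal.get("accountEnabled", True)))
    return rows, unresolved


def flag_disabled_admins(rows):
    """Rows a reviewer should look at first: disabled accounts still holding a role."""
    return [r for r in rows if not r.account_enabled]


class Review:
    """Decision tracking with the reviewer-interface rule: every row must be
    approved or rejected before the review can be completed."""
    DECISIONS = ("approve", "reject")

    def __init__(self, rows):
        self.rows = list(rows)
        self.decisions = {}

    def decide(self, row, decision):
        if decision not in self.DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        if row not in self.rows:
            raise KeyError(f"row not in this review: {row}")
        self.decisions[row] = decision

    def undecided(self):
        return [r for r in self.rows if r not in self.decisions]

    def complete(self):
        pending = self.undecided()
        if pending:
            raise RuntimeError(f"{len(pending)} row(s) still undecided; cannot complete")
        return {d: [r for r in self.rows if self.decisions[r] == d] for d in self.DECISIONS}


if __name__ == "__main__":
    rows, unresolved = build_review_rows(ROLE_ASSIGNMENTS, ROLE_DEFINITIONS, PRINCIPALS)
    for r in rows:
        print(f"{r.user:20} {r.role:22} scope={r.scope} enabled={r.account_enabled}")
    print("unresolved:", [a["principalId"] for a in unresolved])
    print("disabled accounts holding roles:", [r.user for r in flag_disabled_admins(rows)])
```

The unresolved list matters in practice: an assignment pointing at a principal that no longer resolves is exactly the kind of stale grant a periodic review exists to catch, so the function reports it rather than dropping it. Switching builtin_only to False reproduces the Builtin Equals False variant of the filter for a custom-role review.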
