With guest access switched on for Microsoft Teams, do you have a process to manage guest access reviews?
It is easy for Team owners to invite external guests into their Team. However, how do you proactively review guest accounts to ensure people only have access as long as they need it?
With internal users, there are joiners, movers and leavers processes to manage access and reviews, but these processes typically exclude guest users.
Read on to see how you create a regular review of external guest access to ensure they only have access as long as necessary.
So what is guest access?
Guest access is when external users can join a Microsoft Team to collaborate with internal users securely. The Team owner has the authority to add and remove guests in the Teams they manage.
When a Team owner adds a guest user to their Team, an Azure AD B2B (Guest) account is created (if one does not already exist). This Azure AD guest account manages access permissions for the external guest to the Team and group resources.
However, when a Team owner removes a guest from their Team, the guest’s Azure AD B2B account remains because the guest may still be a member of other Teams. Therefore, over time you will end up with many redundant Azure AD B2B Guest accounts in your tenant.
So what is the issue?
Security and compliance best practice recommends user access is proactively reviewed regularly. But how can you accomplish this as guests are not part of your joiners, movers and leavers process and may not belong to any Teams?
- You cannot ask the Team owner as they are not in any Teams
- They are not an internal user, so they do not have a manager or department attributes you can use
- You do not know who invited them in the first place unless you have a bespoke guest onboarding process.
So who do you ask to see if the Guest account is still? It is unlikely that someone in IT will know.
Use Azure AD Access Reviews to provide an automated periodic review of your Guest users with only one Azure AD Premium 2 licence.
Azure AD Access Reviews requires Azure AD Premium 2 licences, and the number of licences must exceed the number of reviewers.
Azure AD Access reviews are part of the Azure AD Premium 2 licencing, so many organisations may think this functionality is out of scope.
However, suppose the reviewers are guest users. Licences are not required for the guest users as they use the AD External Identities (guest user) licencing model where the first 50,000 monthly guest user activities are free. See my post describing guest licencing in detail. https://nikkichapple.com/how-to-extend-identity-governance-to-your-azure-ad-b2b-guest-users/.
Therefore as long as you have one Azure AD premium 2 licence in your tenant to activate the functionality, you can create Guest Access Reviews as long as the Guests review their own access.
Let me show you how.
Create your Guest Access review with one Azure AD P2 licence
You need at least one Azure AD Premium 2 licence in your tenant use Access Reviews.
Step 1 Create a dynamic security group that will contain all Guests users in your tenant.
From Azure AD > Guests create a dynamic Security Group called ‘Guests of Company Name’ Make sure the name is user-friendly as this will appear in the communication to the user later.
Select the type = Dynamic user
Set the dynamic membership rules
userType = Guest. (All Azure AD B2B (Guest) accounts. It does not matter if they are members of Teams or not)
Step 2 Create the Access Review – Review type
From Azure AD Identity Governance, create a new Access review for Teams + Groups. Do not select All groups with Guest users because it excludes dynamic security groups, excludes guest users who are not in any Teams and Groups and will not delete the Azure AD B2B account.
- The review scope = Teams + Groups
- Review scope = Select Teams + Groups
- Group = select the dynamic security group you created, ‘Guests of Company Name’, which contains an up-to-date list of all the Guests in your organisation.
- Inactive users = tick
- Days inactive = 30
You can also further limit the review by only reviewing Guests’ users who have been active for a specific number of days. In this scenario, they have been inactive for 30 days.
Step 3 Add the review options.
Next, create the review process.
- Select reviewers = Users review their own access. Each guest will self-review and decide if they still need access. Note. This option takes advantage of free licencing for the Azure AD external identities (Guest user). If you choose any other option, then licences are required for the reviewers.
- Duration = 7 days (Guests will have one week to respond before actions are taken).
- Review recurrence = Quarterly (repeat reviews every quarter)
- Start date = choose your start date
- End = Never
Step 4 Add the review settings
Define the settings for your Access Review.
- Auto apply results to resource = Tick (After the review, the actions are auto-applied, so no manual steps are needed)
- If reviewers (the Guests) don’t respond = Remove access. (This will address scenarios such as email bouncing or the user forgetting they had access)
- Action to apply on denied guest users = Block sign-in for 30 days and then remove user from the tenant. (This automates deleting the guest user’s Azure AD B2B account).
- No sign-in within 30 days = tick
- Justification = Tick (allow you to capture why the guest still needs access)
- Email notifications = Tick (this sends the email to the guests)
- Reminders = Tick (this sends a reminder email to the guests if they have not responded
- Additional content for the reviewer email = Customise the email text with your wording.
Step 5 Review and create the Access review
Finally, review and save the Access Review.
- Review name = Add a name for your review
- Description = add a description for your review
The Guest Access Review will commence on your start dates and run quarterly.
The Access review will:
- Send the customised emails to all inactive Guest users in the dynamic security group to ask if they still need access.
- The guest user must answer the email, confirm that they still need access to the tenant, and add their justification.
- Reminders emails are sent to guests who have not responded.
- At the end of seven days, the Access Review review is closed
- Guests that stated they still need access are automatically marked as ‘approved’. No further action is required and their Guest accounts remain active.
- Guests that responded ‘no’ they no longer need access are marked as denied.
- All users who did not respond are marked as ‘denied’.
- All Guest accounts marked as denied have their sign-in blocked.
- After 30 days, the system automatically deletes the Azure AD B2B Guest accounts. Note this is a soft delete so that an Admin can restore it within 30 days.
Results are logged so an Administrator or an auditor can review the results and demonstrate compliance with a periodic review of users’ access.