Reviewing your external access belongs in your top-10 governance guidelines, whether you do it manually or automated. For the automated route, take a look at the option described here.
Whenever I’m asked to do governance sessions or draw up governance guidelines for clients, I always remind them to look at external (guest) users. These are users who can access specific applications and content within your organisation, and you (normally) don’t manage these accounts.
Sidenote: when I’m talking about external users in this blog, I’m referring to Azure AD B2B (guest) users.
External collaboration in SharePoint Online, Office Groups and/or Microsoft Teams is made very easy. When sharing with external users is allowed, those users are added to your Azure Active Directory as Business-to-Business (B2B) guest accounts. This allows for easy collaboration, especially in a self-service model.
But there are two governance issues which need to be addressed:
- Does the external guest-user still need to have access?
- Has the external guest-user been provided with administrative privileges?
The second one is not part of this blog. Internal (governance) procedures should guarantee that external users cannot be assigned owner (or equivalent) permissions in Office 365. You can use PowerShell to enumerate and check these permissions. For example: https://3sharp.com/blog/taking-inventory-with-powershell-sharepoint-online/
But the first part can be automated, and for this we can use Azure Access Reviews. This Azure option requires Azure Active Directory P2 (included in EMS E5). It provides an automated workflow for reviewing (external) access to your environment. These checks can be done on a one-time basis or periodically.
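As an added example (not code from the original post or the linked article), the following PowerShell script enumerates the Azure AD B2B guest accounts in a tenant, lists the groups each guest is a member of, and flags any guest that holds group ownership, which is the condition the governance procedure above says should never occur. It assumes the AzureAD PowerShell module is installed and the signed-in account has directory read rights; no tenant-specific names are taken from the post.

```powershell
# Added example: inventory B2B guest users and flag guest-owned groups.
# Assumes the AzureAD module (Connect-AzureAD, Get-AzureADUser, ...) and a
# reader-level directory account. Output is informational only.
Connect-AzureAD | Out-Null

# B2B guests are the directory users whose userType is 'Guest'
$guests = Get-AzureADUser -Filter "userType eq 'Guest'" -All $true
$guestById = @{}
foreach ($g in $guests) { $guestById[$g.ObjectId] = $g }

# Walk every group's owner list and keep the owners that are guests.
# Groups of all types are checked; narrow to Office 365 groups if preferred.
$guestOwners = foreach ($group in (Get-AzureADGroup -All $true)) {
    foreach ($owner in (Get-AzureADGroupOwner -ObjectId $group.ObjectId -All $true)) {
        if ($guestById.ContainsKey($owner.ObjectId)) {
            [pscustomobject]@{
                Group      = $group.DisplayName
                GuestOwner = $guestById[$owner.ObjectId].UserPrincipalName
                Mail       = $guestById[$owner.ObjectId].Mail
            }
        }
    }
}

# Per-guest membership inventory: what each external account can reach today,
# i.e. the population an access review would ask a reviewer to confirm.
$inventory = foreach ($guest in $guests) {
    $groups = Get-AzureADUserMembership -ObjectId $guest.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'Group' }
    [pscustomobject]@{
        Guest      = $guest.UserPrincipalName
        GroupCount = @($groups).Count
        Groups     = (@($groups).DisplayName -join '; ')
    }
}

$inventory | Sort-Object GroupCount -Descending | Format-Table -AutoSize

if ($guestOwners) {
    Write-Warning "Guest accounts holding group ownership (review these first):"
    $guestOwners | Format-Table -AutoSize
} else {
    Write-Host "No guest accounts own a group."
}
```

Run it periodically and keep the output alongside the access review audit log, so the ownership check and the "still needed?" check are reviewed together.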
You can have specific people review the current access or you can let the people themselves attest that they still need to have access to your environment.
Let’s take a look.
Sidenote: this function does not explicitly check whether external parties still have access to shared folders or documents.
One of the first things to do is to onboard your tenant for this function. This is very straightforward and works easily.
Now we can create an access review. In the example below I check the external access for an Office 365 group called Unmask mole and add myself as the reviewing party. I can choose to link this access review to a program, which is a clever way to organise your access reviews.
One other nice touch is the Upon completion setting. Here you can configure the actions in case someone does not respond in time. So if you asked your external users to re-attest their need for access, but they fail to do so, you can block their access. Cool stuff!
When the review cycle is running, you can access the information on the review by using the dashboard. This dashboard includes information on the running review as well as its settings and audit log. Very useful information.
When you start an access review, it takes Azure some time to get it going. One of the first things you will notice are the e-mails. Either as reviewer or as member of the group, you will receive a notification e-mail. This message includes a link to start the review process.
The review process depends on the type of review which was started. If you are the reviewing party, then you will see a nice dashboard of (external) users and recommended actions.
You can select the required users and the required actions.
But heads up! These actions won’t take effect until you choose the option Accept recommendations. This option shows you a summary of the actions and will complete the review cycle.
All these steps and actions are nicely detailed in the audit log of the review.
But what if you let the people themselves decide? Well, in that case the review action needs to be performed by the end-users themselves as well. This is mostly an awareness notification in which the user needs to state whether access is still required.
At the end of the review cycle you will receive a nice e-mail message with a link to the completed review. Very nice Azure functionality, although I do have two remarks:
- I’m wondering if the self-service model will work with external access. But, then again, you could set up a regular review in addition (at a later stage);
- As an external user you don’t receive a notification of the cancellation of your access.
I think that this function will help with governing your Office 365 environment, although for many organisations the required licenses will be a big hurdle.
I was testing this with my client this week and I noticed that the Access Review request also shows up in Teams, i.e., since the Group must be reviewed, the Teams owner is notified in the Teams app. This is another nice feature by the folks at MS.