A cool feature of Azure AD is Access review. It can be used for many things to control Azure AD group membership. One of the things I will be using it for is to control licenses and help to provide self service license management.
With Access Review we can control how often the users or owners are prompted to re-validate if the still need access to the group. This can be weekly, montly, quarterly or yearly. Once this period is over the users will be prompted via email to review their access to the group. We can even control what behavior will happen if the fail to do so.
We want the users to be able to get eg. Adobe Creative Cloud apps or Microsoft Visio licenses. But we want to revoke the license if the users do not use them anymore. There’s multiple ways to control this, one way is the let the group owner decide if the users still needs access to the license (Azure AD Group) or not.
Another one is to let the users decide if they still need access to the license (Azure AD group) or not. If they don’t need access or don’t reply to the email sent from Access Review, they will get removed from the group and the license will be removed automatically.
The latter is what I’m going to focus on.
Create the Azure AD group
Go to the Azure AD portal https://aad.portal.azure.com/. Go to groups and click New group.
Give it a name and an owner.
Now, before users are able to join Security groups using Self Service, an owner of the group needs to go to Myapps and change the “Group policy” option on the group. By default owner the owner of the group can add new members.
If the group is to be used for licensing, assign a licens to the group. Find the group click Licenses, Assignment and select the license it need. In my example I’m giving it the Office 365 E5 license.
Change the “Group policy” option on Azure AD group
By default only owners of the group can add new members. We want to enable self service group management in order for user to be able to request access to the groups. To do this we need to change the “Group policy” option on the Azure AD group. For some reason the only place i’ve been able to change it, is in the Myapps portal logged in as a group admin.
Go the https://Myapps.microsoft.com signin with a owner of the group. Once signed in click Groups
Select the newly created group
Click Edit details and click on the group down in “Group policy” and select “This group is open to join for all users” and click Update.
We have now enabled users to join this group with self service from within Myapps / Access panel.
How do the users join the group?
The users can join the group from Myapps / Access panel.
Try and go the https://myapps.microsoft.com as a normal user that needs access to the group and click Groups
Click + Join group
Find the newly created group and click it. If you did the above steps with a group owner, you’ll see the option to “Join group”
Type a reason and click Request. The request will be auto-approved.
How do we control the life cycle of this group?
Go to https://aad.portal.azure.com and find the newly created group. Then click Access Review
Click “new access review”. You will now be prompted for a lot of informations. I’ll try and go through them one by one.
- Give it a name
- Select when the review should begin
- Select how often the users will be prompted to review the access
- Select how many days the users have to do the review before the access will be removed/granted
- Select never so this review is being done always
- Select everyone to monitor everyone in the group
- In reviewers select “Members (self)”, to enable self service handling of the access review. If you choose “Group owners” or “Selected users” the enable certain users to do the review.
Scrolling down on the page:
- Select Enable to remove users that were denied.
- Select Remove access to automatically remove the users from the group if they do not respond to the Access review email
- Click Start
The user experience
When the review is due, this is the notification the users get. If they don’t respond, they will be reviewed from the Azure AD group if that’s the action we have selected on the Access Review.
If we continue this is what the users have to take action on.
This example is using Access Review to control licenses, but we can use it for multiple things. An other example could be to use it to review Guest accounts permissions, apps and such.