A warm welcome to my next blog in the Identity Governance series which will focus on the identity Lifecycle management for your guests, with a completely new functionality called ‘Inactive Users‘ in Azure AD Access Reviews!
But first some introductions, each organization is dealing with guest users today in their Azure AD tenant. Some of the guest users are maybe invited just yet, some of them are maybe months old and some of them are years old. Whereby some guest users are still active, some of them are only using it twice a year and some of them have already left the company whereby the account of the user was removed in their home tenant, but never the guest user in your tenant.
Whereby it’s super easy to get guest users in your tenant, as people can invite from MS Teams or share documents in OneDrive / SharePoint. It’s on the other hand quite hard to get them cleaned up correctly, there isn’t really an automated process for that in place, or is there?
Well to get an answer to that question I will show you in the upcoming three blogs in this series, of which this is the third one, the latter by applying identity lifecycle management around guests within your tenant. This whereby we are going to use the Azure AD Identity Governance features called Access Packages and Access Reviews and will use a PowerShell script as well within Azure Automation. This as there are several ways to achieve your goal(s) and depending on the use case(s) you have you need to determine what the right solution is for your environment.
I can hear you thinking, “What are those three options in short?”, therefore I’ve summarized them in short for you below:
- Let the lifecycle of guest accounts be managed via Identity Governance – Whereby an access package will manage the provisioning and deprovisioning process of the guest users.
- Use Azure Automation and scripting logic to clean-up guest accounts – Whereby a global access review will be used for your guest users and a script will be placed within Azure Automation which will disable and eventually clean-up ‘inactive’ guest users from your tenant.
- Use Access Reviews to clean-up Guest Accounts – Whereby an access review is created for guest users which can and eventually will disable and clean-up ‘inactive’ guest accounts from your tenant.
NOTE: If you’ve Azure AD Premium P2 available in your tenant and already have guests in your tenant, I highly suggest to at least use the last option as that is using native Azure AD functionality.
Now you know the three options we have available, let’s have a look at the third option ‘Use Access Reviews to clean-up Guest Accounts’ in this blog in more detail and how to get this configured and get you up and running!
Option 3: Use a global Access Review to clean-up inactive Guest Accounts
Now we know how we can manage the lifecycle of guests using the identity governance access package process and we know how we can manage the lifecycle of guests with a custom build script which you can finetune on your own let’s have a look at one of the newest features Identity Governance has to offer and which you can use as well.
This feature is based on a global access review which can look at the inactive state of the account and based on that take the necessary actions to block the account and eventually delete the account as well! This functionality has very recently been released and is a must have if you got inactive guest users in your Azure Active Directory!
Now to get this arranged (and this maybe sounds a bit silly) we have to create a dynamic group which contains the guest users which we are going to target for this access (or better called Identity) lifecycle review. For that go to the Azure Active Directory, hit Groups and and hit ‘+ New Group’.
Within the new group wizard select as Group Type ‘Security’, give the group a name like ‘All Guest Users Dynamic Group’, provide a description, select ‘Dynamic User’ as the Membership type and hit ‘Edit dynamic query’.
Within the dynamic query use the rule syntax ‘(user.userPrincipalName -contains “#EXT#”)’. This will make sure all guest users are being made a member of this group, including guests which have been converted to the ‘member’ type. And once done hit ‘Save’.
NOTE: You can of course make different access (or Identity) lifecycle reviews for guests with different settings and whereby different dynamic groups with different dynamic queries are used so by using dynamic groups it gets extremely flexible.
Now the dynamic query is created and ready and you’re returned to the ‘New group’ wizard, verify if everything is correct and hit ‘Create’ to create the dynamic group.
Once the group is created let’s go to the ‘Identity Governance’ blade within Azure Active Directory and go to ‘Access Reviews’.
Within the Access Review tab, hit ‘+ New access review’ to create the new access review for the identity lifecycle management for guests.
Now within the ‘Review type’ Settings make sure to select ‘Teams + Groups’ at the select what to review, at the review scope select ‘Select Teams + Groups’ and select the Dynamic Azure AD Group we just created. Make sure that at the user scope ‘Guest users only’ is selected, hit ‘True’ at inactive users and determine for how long users need to be inactive before being challenged with this access review. Once all is configured correctly, hit ‘Next’.
Within the ‘Reviews’ settings, at select reviewers, select ‘Users review their own access’ (you can eventually make users an owner of the dynamic group and let them to the review but that probably requires you to create more dynamic groups and thus access reviews). Furthermore I’ve selected a quartarly review (without end date) which runs for 7 days and then applies the results. Once you’re ready hit ‘Next’.
Next within the ‘Settings’ of the access review make sure that ‘Auto apply results to resource’ is checked, the setting ‘if reviewers don’t respond’ is set to ‘Remove Access’ (which will remove access for users who don’t respond) and the action to apply on denied guest users (or users who haven’t responded) is set to ‘Block user from signing-in for 30 days, then remove user from the tenant’. Eventually select a user who should receive notifications at the end of the review.
The next step is to enable reviewer decision helpers (which will tell the user if they still used their account in the last 30 days) and configure the advanced settings as required, I’ve enabled that guest users require to fill in a justification, they will be informed by email and if they didn’t respond to the access review yet at the midpoint of the access review, they will receive a reminder. Once done hit ‘Next’.
At the ‘Review + Create’ settings pane please make sure to provide a review name (this is what end users will also see within the email being send out, so please make sure to provide a correct name here which is familiar to your guest users).
And once ready hit ‘Create’.
Now the Access Review is created wait until the status becomes ‘Active’.
At that point in time, if you have selected today as the date to start the access review, the guest user(s) which are a member of the dynamic group will receive an access review to determine if they still need their identity within this tenant. Within the email they can hit ‘Review Access’.
Once we hit the button ‘Review Access’ we are guided to the My Access portal in which we can determine if we still would need access and if so, why we would need access. In my example I’ve selected ‘No’ which simply means remove access and disable my account and delete it 30 days later in this example. And hit ‘Submit’.
After the access review has been finished (in my example I’ve configured it to run for 7 days) it will apply the results and hereby you can see that indeed my guest account has been disabled as the Block sign-in value is set to ‘Yes’.
And to prove this wasn’t just me 😊, in the Audit logs of my guest account I can see the ‘Disable account’ activity was executed via the Azure AD Identity Governance process.
Now this is all implemented we have made sure all guest accounts are challenged with a review within our tenant. Once the guest user either didn’t respond or ‘denied’ their challenge the user will automatically be disabled and 30 days later it will automatically be removed. By using this feature within Identity Governance it’s straight forward to cleanup ‘inactive’ accounts.
The above will make sure that you have applied Identity Lifecycle management around your guests and will improve the security posture of your accounts! If you today however have the need for some more advanced configuration, you can of course use the script I provided you earlier in my previous blog and enhance and tweak it on your own! 😊
After you’ve followed the above steps and / or steps from my previous blogs you have now implemented a strong and solid lifecycle management solution for guest accounts in place within your tenant. You know the different options as well, you are able to customize them on your own and you are sure that only guest users which should have an account within your tenant actually have one. This will, besides executing a good cleanup, improve the security posture within your tenant as well around guest accounts!
In my next blog we will continue to have a look at the Identity Governance features in more detail, whereby we will have a look at the provisioning process to 3rd party applications.
I hoped you enjoyed reading this new blog within the Azure AD Identity Governance series! Stay tuned for my next Azure AD Identity Governance blog soon :-).
- An Introduction to Azure AD Identity Governance
- Identity Governance 1 of 10: Implementing a Strong Identity Foundation
- Identity Governance 2 of 10: Implementing Identity Lifecycle management for guest users – part 1
- Identity Governance 2 of 10: Implementing Identity Lifecycle management for guest users – part 2
- Identity Governance 2 of 10: Implementing Identity Lifecycle management for guest users – part 3
- Identity Governance 3 of 10: Configuring Provisioning in 3rd party apps for (guest) users
- Identity Governance 4 of 10: Implementing Lifecycle Workflows – Configure the basics
- Identity Governance 4 of 10: Implementing Lifecycle Workflows – Configure onboarding workflows
- Identity Governance 4 of 10: Implementing Lifecycle Workflows – Configure offboarding workflows
- Identity Governance 5 of 10: Using the hidden gems in Azure AD access packages, all you need to know! – Part 1
- Identity Governance 5 of 10: Using the hidden gems in Azure AD access packages, all you need to know! – Part 2
- Identity Governance 5 of 10: Using the hidden gems in Azure AD access packages, all you need to know! – Part 3
- Identity Governance 5 of 10: Using the hidden gems in Azure AD access packages, all you need to know! – Part 4
- Identity Governance 6 of 10: Implementing Access Reviews
- Identity Governance 7 of 10: Implementing Privileged Identity Management
- Identity Governance 9 of 10: Review by Monitoring and reporting
- Identity Governance 10 of 10: Implementing Identity Lifecycle management for employees
2 thoughts on “Implementing Identity Lifecycle management for guest users – Part 3”
Quick question, when you set days inactive to 60, which i would assume is looking at the last sign-in date. What effect would the reviewers decision helper have since its locked at 30 days, when it cannot be disabled.. Would it review all users with no sign-in in between 30 and 60 days aswell? . Example if you set inactive days at 180 for a onetime review, would every single guest with no sign-in between 30 and 180 also receive the review.? Documentation is not clear on this…
Great question! The decision helper is only to inject additional data into the access review UI for the actual review. The inactive user review is only looking at users who are inactive for more then 60 days in your example. So in general you got a fair point here that the decision helper in that example isn’t very useful. I would agree also on the fact that the decision helper in this example should be more ‘tweakable’.