Achieve a least privilege model using Azure AD’s new multi-stage access reviews

This post has been republished via RSS; it originally appeared at: Azure Active Directory Identity Blog articles.

Howdy folks! 

 

Today we’re excited to announce the public preview of multi-stage reviews with Azure AD access reviews!

 

With this enhancement, you can now construct access reviews in sequential stages, each with its own set of reviewers and configurations. 

 

This capability allows you and your organization to enable complex workflows to meet recertification and audit requirements calling for multiple reviewers to attest to access for users in a particular sequence. It also helps you design more efficient reviews for your resource owners and auditors by reducing the number of decisions each reviewer is accountable for. Previously you may have artificially created multiple disjointed reviews to achieve the same purpose, but now with multi-stage reviews this all takes place in the context of just one review. 

 

Multi-stage reviews help you achieve key access certification scenarios 

 

  • Reach consensus across multiple sets of reviewers. Require agreement from independent reviewers at every stage before access is recertified.  
  • Assign alternate reviewers to weigh in on unreviewed decisions. Ensure accounts left unreviewed by unresponsive or out-of-office reviewers are sent to the next appropriate reviewer, such as the user’s manager or the resource owner.  
  • Reduce burden on later-stage reviewers. Filter down the number of decisions for your later-stage reviewers by excluding accounts denied in previous stages. For example, have users attest to their own needs for access before asking the resource owners to attest.  

 

Want to try multi-stage access reviews yourself? 

[Screenshot: configuring the stages of a multi-stage access review]

 

The screenshot above shows how you may configure a multi-stage review. You can specify up to three stages, choosing the reviewers and the duration of each stage individually. In addition, you can define whether earlier-stage decisions should be revealed to later-stage reviewers. 

 

Finally, specify which reviewees you want to continue from stage to stage: 

 

[Screenshot: selecting which reviewees continue from stage to stage]

 

For detailed instructions on how to set up multi-stage reviews, see our Azure AD access review documentation. To try these reviews out via our MS Graph APIs (beta), review our MS Graph API documentation. 
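To make the stage semantics above concrete (sequential stages, carry-over of only selected decisions, the shrinking workload for later reviewers), here is an added Python example; it is not Microsoft's code and not from the documentation linked above. It builds the chained stage entries a Graph beta accessReviewScheduleDefinition would carry, using the property names stageSettings, stageId, dependsOn, durationInDays and decisionsThatWillMoveToNextStage as I recall them (treat those as assumptions to verify against the current docs), and then simulates a three-stage self-review, manager, resource-owner flow on constructed decisions. The reviewer values are placeholders, not real reviewer scope objects.

```python
"""Added example (not Microsoft's code): chain the stage settings of a multi-stage
Azure AD access review and simulate carry-over. Graph beta property names are as I
recall them (stageSettings, dependsOn, decisionsThatWillMoveToNextStage); verify."""
from typing import Dict, List
MAX_STAGES = 3  # the post states a review can have up to three stages
def build_stage_settings(stages: List[dict]) -> List[dict]:
    """Chain stages so stage N depends on stage N-1; each input dict carries
    'reviewers', 'durationInDays' and an optional 'carryOver' decision list."""
    if not 1 <= len(stages) <= MAX_STAGES:
        raise ValueError(f"a review supports 1..{MAX_STAGES} stages")
    settings = []
    for i, stage in enumerate(stages, start=1):
        settings.append({
            "stageId": str(i), "dependsOn": [str(i - 1)] if i > 1 else [],
            "durationInDays": stage["durationInDays"], "reviewers": stage["reviewers"],
            # Only these decisions pass a reviewee on; a Deny stops here, which
            # is what shrinks the later reviewers' workload.
            "decisionsThatWillMoveToNextStage": stage.get("carryOver", ["Approve", "NotReviewed"]),
        })
    return settings

def simulate(settings: List[dict], decisions: List[Dict[str, str]]) -> tuple:
    """Return (final decision per reviewee, reviewees each stage had to look at).
    Stage 1 sees everyone; a decision outside the carry-over set is final."""
    last = min(len(settings), len(decisions)) - 1
    pool, pools, final = set(decisions[0]), [], {}
    for idx, (stage, verdicts) in enumerate(zip(settings, decisions)):
        pools.append(sorted(pool))
        move, next_pool = set(stage["decisionsThatWillMoveToNextStage"]), set()
        for user in pool:
            verdict = verdicts.get(user, "NotReviewed")  # silence counts as unreviewed
            if idx < last and verdict in move:
                next_pool.add(user)
            else:
                final[user] = verdict
        pool = next_pool
    return final, pools

# Constructed sample: self-review, then managers, then resource owners. Reviewer
# values are placeholders; a real payload uses Graph reviewer scope objects.
SAMPLE_STAGES = [
    {"durationInDays": 3, "reviewers": "<self-review>", "carryOver": ["Approve", "NotReviewed"]},
    {"durationInDays": 5, "reviewers": "<managers>", "carryOver": ["Approve"]},
    {"durationInDays": 5, "reviewers": "<resource owners>"},
]
SAMPLE_DECISIONS = [  # constructed per-stage decisions; carol's self-review timed out
    {"alice": "Approve", "bob": "Deny", "carol": "NotReviewed", "dave": "Approve"},
    {"alice": "Approve", "carol": "Deny", "dave": "NotReviewed"},
    {"alice": "Approve"},
]
```

In the sample, bob is stopped at stage 1 by his own denial, carol's unreviewed self-review falls to her manager as the alternate reviewer, and only alice reaches the resource owners, so each later stage has fewer decisions to make.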

 

We’re excited to see how you leverage multi-stage reviews for your attestation needs!  

 

Best regards, 

Alex Simons (@Alex_A_Simons) 

Corporate VP of Program Management 

Microsoft Identity Division 

 

----------------------------------------------------------------------------------------------------------

 

Frequently asked questions 

 

Q: Can I use multi-stage reviews for guest reviews? 

Yes! You can use multi-stage reviews with guest users. You can even engage guest users as self-reviewers in any of the three stages. 

 

Q: Do multiple stages of reviewers appear in downloadable review history reports? 

Yes! Up to three stages of reviewers are recorded in review history reports. Learn more about access review history reports for download. 

 

Q: I’ve had multiple reviewers in a review before. How are multi-stage reviews different? 

Multiple reviewers in a single-stage review all review at the same time. Their decisions have equal weight, and at the end of the review period, the last reviewer's decision on any reviewee is used.  

 

In multi-stage reviews, you define up to three audiences of one or more reviewers that review sequentially. Reviewers in the first stage complete their reviews before reviewers in the second stage begin their reviews. Reviewers in different stages review independently, and you can configure which reviewees are moved from one stage to another, as well as whether reviewers see previous stage decisions. 

 

Q: I would like to use multi-stage reviews for Privileged Identity Management role assignments for Azure AD roles or Azure RBAC roles. How can I configure multi-stage for role assignment reviews? 

We are working on expanding the review types that support multi-stage configurations. For the moment, we only support multi-stage for reviews of Security and M365 groups, as well as applications. 

 

----------------------------------------------------------------------------------------------------------

 
