Microsoft recently released a feature that has been a long time coming: the ability to use Azure AD security groups to assign users a privileged role, such as SharePoint Admin or Global Admin. This will make life easier for Admins who manage these roles, so let me explain why these groups are so useful and how we can leverage them. We will also show how we can leverage Azure AD Access Reviews to ensure that the groups are maintained.

So in Azure AD we can go and create a new Group, and you can now see that we can decide whether we want to use this Group for privileged role assignment.

Create New Azure AD Group

Let’s create a Group and use it for Exchange Admin role assignment. In the example below I have created a new Group, made myself the Owner, and added a colleague as a Member, and given the Role of Exchange Administrator. Pretty simple.


You can also add more Roles to the Group if you want. For example, you might have a Helpdesk type role that needs a few of the Priv Roles, so you can bundle them into one Azure AD Group.

Identity Governance

The above is probably nothing new to get really excited about, but where I think this really comes together is when you leverage Azure AD Access Reviews with it. To use the Access Reviews feature, you will need an Azure AD P2 or EMS E5 licence, and you need to onboard your tenant for Access Reviews. This only takes a few clicks, and we can always help you with it. Let's assume we have done that bit, though, and dive into creating an Access Review for the Group above.

In Azure AD, go to Identity Governance, and then Access Reviews and you can click to Create an Access Review.

I have opted for this scenario:

I then clicked on Start.

After a few minutes, because I was listed as an Owner of the Group we created previously, I received this email.



When I now click on Start Review, I am taken to an Azure AD page where I can review who is in that Group.


To demonstrate how this helps with Privileged Groups, I have decided to Deny this access. That should remove the user from the Group, which in turn removes them from the Privileged Role.

The account was successfully removed from the Group, which was exactly what was expected.

This is especially useful now, because once we have started to use Azure AD groups to assign Privileged Roles, then we can apply some automation and governance to who has what roles.
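For those who would rather script the same setup than click through the portal, here is an added example using the Microsoft Graph PowerShell SDK (this is not code from the original post). It creates the role-assignable group, assigns Exchange Administrator to it, and sets up a recurring Access Review where the group Owners review the Members and a Deny is applied automatically. The user principal names, the group name, and the review schedule are placeholders and assumptions; choose your own.

```powershell
# Added example: role-assignable group + Exchange Administrator + Access Review via Microsoft Graph.
# Assumes the Microsoft.Graph module is installed and the signed-in admin holds the needed roles.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'AccessReview.ReadWrite.All'

$ownerId  = (Get-MgUser -UserId 'admin@contoso.example').Id       # placeholder UPN (assumption)
$memberId = (Get-MgUser -UserId 'colleague@contoso.example').Id   # placeholder UPN (assumption)

# 1. Create the group. IsAssignableToRole can only be set at creation time, not changed afterwards.
$group = New-MgGroup -DisplayName 'Exchange Admins (role-assignable)' -MailNickname 'exchange-admins-ra' `
    -MailEnabled:$false -SecurityEnabled -IsAssignableToRole
New-MgGroupOwnerByRef  -GroupId $group.Id -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$ownerId" }
New-MgGroupMemberByRef -GroupId $group.Id -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$memberId" }

# 2. Assign the Exchange Administrator role to the group at tenant scope ('/').
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $group.Id -DirectoryScopeId '/'

# 3. Recurring Access Review: group Owners review the Members once a month (schedule is an assumption).
$review = @{
    displayName          = "Review members of $($group.DisplayName)"
    descriptionForAdmins = 'Owners confirm who still needs Exchange Administrator.'
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = "/groups/$($group.Id)/transitiveMembers"
        queryType     = 'MicrosoftGraph'
    }
    reviewers = @(@{ query = "/groups/$($group.Id)/owners"; queryType = 'MicrosoftGraph' })
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        autoApplyDecisionsEnabled       = $true    # a Deny removes the member, which removes the role
        defaultDecisionEnabled          = $true
        defaultDecision                 = 'Deny'   # no response within the window counts as Deny
        instanceDurationInDays          = 7
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 1 }
            range   = @{ type = 'noEnd'; startDate = (Get-Date).ToString('yyyy-MM-dd') }
        }
    }
}
New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $review

# Check: after a Deny is applied, the member should no longer appear here.
Get-MgGroupMember -GroupId $group.Id | Select-Object -ExpandProperty Id
```

With defaultDecision set to Deny, a reviewer who never responds does not silently leave a privileged member in place, which is the governance property the post is after.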

If you would like to contact us to show you this in more depth and see the benefits, please do get in touch.