Starting Access Reviews for specific Microsoft 365 Groups and Teams using Azure Runbooks

Overview

With Entra ID Governance, organizations can delegate periodic access reviews to owners of Microsoft 365 groups and Microsoft Teams teams. The owners must confirm whether access for internal members as well as external guests shall remain in place or whether access can be removed.

In Entra ID portal or via Microsoft Graph API, there is no proper, enterprise-ready option to start access reviews for a desired subset of M365 groups or teams only. The reviews can be started for all groups and teams, or a static list of objects can be selected. Instead, large organizations might have implemented a naming convention and require to initiate access reviews for groups/teams with certain prefixes or to exclude certain prefixes, for example.

With this blog post, I suggest an Azure Automation runbook that exactly closes this functional gap and allows to tailor which M365 groups and teams are in scope of the Entra ID access reviews. In summary, my runbook allows to:

  • only include Microsoft 365 groups or only Microsoft Teams teams, or both
  • only include groups/teams with a certain prefix
  • exclude groups/teams with a certain prefix
  • only include groups/teams with private or public visibility, or both
  • only include groups/teams that already exist in the tenant for X days
  • only start the access review for one specific group/team if desired
  • combine all these options with each other according to your needs
  • easily implement your own custom filter to include/exclude certain groups/teams based on other group attributes

If you want to skip the rest of my blog post and you are just interested in the Azure runbook code, please visit my Github repository under:
Start Access Reviews for specific M365 Groups and Teams ยท CloudProtectNinja (github.com)

Limitations of the Access Review Feature

In Entra ID portal, access reviews can be started as to the following screenshot:

Starting Access Reviews for specific Microsoft 365 Groups and Teams using Azure Runbooks

Unfortunately, it is only possible to choose between “All Microsoft 365 Groups with guest users” or to manually select multiple workspaces.

Alternatively, the Microsoft Graph API endpoint /identityGovernance/accessReviews/definitions can be leveraged to initiate access reviews as well (see Create access review definitions via Microsoft Graph API | Microsoft Learn). The documentation creates the impression that an arbitrary groups filter query can be defined in the “instanceEnumerationScope” object of the payload. According to extensive test cases, I must state that Microsoft filters out custom query logic, such as the startswith() operator from /groups?$filter=(groupTypes/any(c:c+eq+'Unified') and startswith(mailNickname,'PRJ-')).

Consequently, it is not possible to properly tailor access reviews to a subset of groups/teams as large organizations would need it.

Tailoring Access Reviews with an Azure Runbook

To overcome the limitations described above, my Azure runbook Start-AccessReviews.ps1 can be used. It leverages a subset of Microsoft.Graph PowerShell modules and allows for app-only authentication against your target Entra ID tenant with either a managed identity or an app registration (see also Using Managed Identities to Connect to Microsoft 365 & Azure). With the runbook parameters, access reviews can be started for certain M365 groups and/or MS Teams teams only. For example, you can include or exclude groups with desired prefixes in case your organization has implemented a group naming convention. Thus, you can start access reviews for project teams with a “PRJ-” prefix or you can exclude department teams with a “DEPT-” prefix.

The README page in my Github repository explains in more detail how to setup the Azure Automation runbook, including the usage of a helper script to grant Microsoft Graph API permissions (Group.Read.All & AccessReview.ReadWrite.All) to the managed identity or app registration.

In the following, you can find some examples how to use the parameters of the runbook for different scenarios:

  1. Start access reviews for private M365 groups and MS Teams teams with a “PRJ-” project prefix using managed identity-based authentication:
Runbook parameter nameExemplary value
AuthenticationTypeSystemAssignedManagedIdentity
IncludedGroupsServerSideFilterQuerygroupTypes/any(c:c eq ‘Unified’)
IncludedGroupsMailNicknamePrefixesPRJ-
IncludedGroupsVisibilityPrivate
AccessReviewAdditionalMailTextIn case of any questions, please contact the Contoso helpdesk.
  1. Start access reviews for private MS Teams teams, except for teams with an “DEPT-” department prefix or an “X-” prefix, using app-based authentication:
Runbook parameter nameExemplary value
TenantIdaa4201e7-433f-44aa-88be-8eeb2d88a908
AuthenticationTypeAppRegistration
AuthenticationAppRegistrationClientIdc091754f-c31c-4d60-ae79-53cfcd3a5d97
AuthenticationAppRegistrationCertificateThumbprint31ED9B5036A479CE2E7180715CC232359D5E8F98
IncludedGroupsServerSideFilterQuerygroupTypes/any(c:c eq ‘Unified’) and resourceProvisioningOptions/Any(x:x eq ‘Team’)
ExcludedGroupsMailNicknamePrefixesDEPT-;X-
IncludedGroupsVisibilityPrivate
  1. Only start a “dry run” to check, which groups/teams would be in scope of your access review, with the following command:
Runbook parameter nameExemplary value
AuthenticationTypeSystemAssignedManagedIdentity
DryRuntrue
  1. Only start a an access review for a single Microsoft 365 group:
Runbook parameter nameExemplary value
AuthenticationTypeSystemAssignedManagedIdentity
GroupId3c6abeea-a4be-4633-acf6-18927400aeef

The runbook job will cause a transparent output about the group/team objects that have actually been processed according to the following screenshot:

Starting Access Reviews for specific Microsoft 365 Groups and Teams using Azure Runbooks

For validation purposes, you can open the Identity Governance page in Entra ID to confirm that the desired reviews are started by the Microsoft system:

Starting Access Reviews for specific Microsoft 365 Groups and Teams using Azure Runbooks

If you want to repeat the access reviews with certain parameters periodically, e.g. every six months, you can leverage Azure runbook schedules.

Sources and Further Readings

  • November 26, 2023
Consent Management Platform by Real Cookie Banner