Starting Access Reviews for specific Microsoft 365 Groups and Teams using Azure Runbooks
Overview
With Entra ID Governance, organizations can delegate periodic access reviews to owners of Microsoft 365 groups and Microsoft Teams teams. The owners must confirm whether access for internal members as well as external guests shall remain in place or whether access can be removed.
In Entra ID portal or via Microsoft Graph API, there is no proper, enterprise-ready option to start access reviews for a desired subset of M365 groups or teams only. The reviews can be started for all groups and teams, or a static list of objects can be selected. Instead, large organizations might have implemented a naming convention and require to initiate access reviews for groups/teams with certain prefixes or to exclude certain prefixes, for example.
With this blog post, I suggest an Azure Automation runbook that exactly closes this functional gap and allows to tailor which M365 groups and teams are in scope of the Entra ID access reviews. In summary, my runbook allows to:
- only include Microsoft 365 groups or only Microsoft Teams teams, or both
- only include groups/teams with a certain prefix
- exclude groups/teams with a certain prefix
- only include groups/teams with private or public visibility, or both
- only include groups/teams that already exist in the tenant for X days
- only start the access review for one specific group/team if desired
- combine all these options with each other according to your needs
- easily implement your own custom filter to include/exclude certain groups/teams based on other group attributes
If you want to skip the rest of my blog post and you are just interested in the Azure runbook code, please visit my Github repository under:
Start Access Reviews for specific M365 Groups and Teams ยท CloudProtectNinja (github.com)
Limitations of the Access Review Feature
In Entra ID portal, access reviews can be started as to the following screenshot:
Unfortunately, it is only possible to choose between “All Microsoft 365 Groups with guest users” or to manually select multiple workspaces.
Alternatively, the Microsoft Graph API endpoint /identityGovernance/accessReviews/definitions
can be leveraged to initiate access reviews as well (see Create access review definitions via Microsoft Graph API | Microsoft Learn). The documentation creates the impression that an arbitrary groups filter query can be defined in the “instanceEnumerationScope” object of the payload. According to extensive test cases, I must state that Microsoft filters out custom query logic, such as the startswith()
operator from /groups?$filter=(groupTypes/any(c:c+eq+'Unified') and startswith(mailNickname,'PRJ-'))
.
Consequently, it is not possible to properly tailor access reviews to a subset of groups/teams as large organizations would need it.
Tailoring Access Reviews with an Azure Runbook
To overcome the limitations described above, my Azure runbook Start-AccessReviews.ps1 can be used. It leverages a subset of Microsoft.Graph PowerShell modules and allows for app-only authentication against your target Entra ID tenant with either a managed identity or an app registration (see also Using Managed Identities to Connect to Microsoft 365 & Azure). With the runbook parameters, access reviews can be started for certain M365 groups and/or MS Teams teams only. For example, you can include or exclude groups with desired prefixes in case your organization has implemented a group naming convention. Thus, you can start access reviews for project teams with a “PRJ-” prefix or you can exclude department teams with a “DEPT-” prefix.
The README page in my Github repository explains in more detail how to setup the Azure Automation runbook, including the usage of a helper script to grant Microsoft Graph API permissions (Group.Read.All & AccessReview.ReadWrite.All) to the managed identity or app registration.
In the following, you can find some examples how to use the parameters of the runbook for different scenarios:
- Start access reviews for private M365 groups and MS Teams teams with a “PRJ-” project prefix using managed identity-based authentication:
Runbook parameter name | Exemplary value |
AuthenticationType | SystemAssignedManagedIdentity |
IncludedGroupsServerSideFilterQuery | groupTypes/any(c:c eq ‘Unified’) |
IncludedGroupsMailNicknamePrefixes | PRJ- |
IncludedGroupsVisibility | Private |
AccessReviewAdditionalMailText | In case of any questions, please contact the Contoso helpdesk. |
- Start access reviews for private MS Teams teams, except for teams with an “DEPT-” department prefix or an “X-” prefix, using app-based authentication:
Runbook parameter name | Exemplary value |
TenantId | aa4201e7-433f-44aa-88be-8eeb2d88a908 |
AuthenticationType | AppRegistration |
AuthenticationAppRegistrationClientId | c091754f-c31c-4d60-ae79-53cfcd3a5d97 |
AuthenticationAppRegistrationCertificateThumbprint | 31ED9B5036A479CE2E7180715CC232359D5E8F98 |
IncludedGroupsServerSideFilterQuery | groupTypes/any(c:c eq ‘Unified’) and resourceProvisioningOptions/Any(x:x eq ‘Team’) |
ExcludedGroupsMailNicknamePrefixes | DEPT-;X- |
IncludedGroupsVisibility | Private |
- Only start a “dry run” to check, which groups/teams would be in scope of your access review, with the following command:
Runbook parameter name | Exemplary value |
AuthenticationType | SystemAssignedManagedIdentity |
DryRun | true |
- Only start a an access review for a single Microsoft 365 group:
Runbook parameter name | Exemplary value |
AuthenticationType | SystemAssignedManagedIdentity |
GroupId | 3c6abeea-a4be-4633-acf6-18927400aeef |
The runbook job will cause a transparent output about the group/team objects that have actually been processed according to the following screenshot:
For validation purposes, you can open the Identity Governance page in Entra ID to confirm that the desired reviews are started by the Microsoft system:
If you want to repeat the access reviews with certain parameters periodically, e.g. every six months, you can leverage Azure runbook schedules.