When an office 365 group is created, we have options to collaborate with public partner accounts .As a result of this People outside organization can see and have access to office365 public groups contents when they are been invited as guests.
When we have allowed the end users to create the office 365 groups and invite the external partners to collaborate,over a period of time the groups left unattended without the access reviews. There is a high possibility of an user having access to the sensitive documents which they don’t need them anymore.
In order to alleviate these security issues , we can influence the Microsoft Azure Identity Governance – Access reviews
With the access reviews created for office365 groups , we can let the group owners review their office 365 public group guests present on them and take necessary action based on the requirement.
In order to create access review navigate to azure portal – Identity Governance – Access reviews – Click on access review – Select New access review.
Now we can create them with name ,description , start date and frequency of how often the access reviews needs to take place for the office365 groups.
We can set the number of times, end date and the scope to guest users only. And target the external groups which have the guest users added. Probably this part needs to be reviewed periodically and add the new groups in this list.
Furthermore we have the options to customize the reviewers who will be the reviewers of this access review task.
Upon completion we have the action to choose – Remove,Approve or take recommendations.
Finally we have few options which is present in the advanced settings. Once the customization is done as per the requirement we can start the review.
Once the schedule is triggered as per the configuration the reviewers get an email with the timeline.
Once clicked on review the user gets the guest user details and the options to take action based on the business requirement.
The reviewer gets an option to type the comment and take the necessarily action.
We have the review results section where we have an option to download the access review tasks and save them for ISO audit compliance which will help during the ISO Audit Evaluation cycles.
This is usual in most of the organizations when the guest accounts are provided access to the business sensitive content. Ultimately its the group owner’s responsibility to periodically review them and take necessary actions.
There is lot more to get benefited with Identity Governance access reviews. The above method will help us in evaluating and having right access only to the required individuals in Office 365 Groups.