You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/governance/access-reviews-application-preparation.md
+10-12Lines changed: 10 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -63,14 +63,16 @@ The integration patterns listed above are applicable to third party SaaS applica
63
63
64
64
* Some Microsoft Online Services, such as Exchange Online, use licenses. While user's licenses can't be reviewed directly, if you're using group-based license assignments, with groups with assigned users, you can review the memberships of those groups instead.
65
65
* Some applications may use delegated user consent to control access to Microsoft Graph or other resources. As consents by each user aren't controlled by an approval process, consents aren't reviewable in Azure AD. Instead, you can review who is able to connect to the application through Conditional Access policies, that could be based on application role assignments or group memberships.
66
-
* If the application doesn't support federation or provisioning protocols, then you'll need a process for manually applying the results when a review completes. For an application that only supports password SSO integration, if an application assignment is removed when a review completes, then the application won't show up on the *myapps* page for the user, but it won't prevent a user who already knows the password from being able to continue to sign into the application. Please[ask the SaaS vendor to onboard to the app gallery](../manage-apps/v2-howto-app-gallery-listing.md) for federation or provisioning by updating their application to support a standard protocol.
66
+
* If the application doesn't support federation or provisioning protocols, then you'll need a process for manually applying the results when a review completes. For an application that only supports password SSO integration, if an application assignment is removed when a review completes, then the application won't show up on the *myapps* page for the user, but it won't prevent a user who already knows the password from being able to continue to sign into the application. For your on-premises applications, see [govern the users of an application that does not support provisioning](identity-governance-applications-not-provisioned-users.md). For SaaS applications, please[ask the SaaS vendor to onboard to the app gallery](../manage-apps/v2-howto-app-gallery-listing.md) for federation or provisioning by updating their application to support a standard protocol.
67
67
68
-
## Check the application and groups are ready for the review
68
+
## Check the application is ready for the review
69
69
70
70
Now that you have identified the integration pattern for the application, check the application as represented in Azure AD is ready for review.
71
71
72
72
1. In the Azure portal, click **Azure Active Directory**, click **Enterprise Applications**, and check whether your application is on the [list of enterprise applications](../manage-apps/view-applications-portal.md) in your Azure AD tenant.
73
-
1. If the application is not already listed, then check if the application is available the [application gallery](../manage-apps/overview-application-gallery.md) for applications that can be integrated for federated SSO or provisioning. If it is in the gallery, then use the [tutorials](../saas-apps/tutorial-list.md) to configure the application for federation, and if it supports provisioning, also [configure the application](../app-provisioning/configure-automatic-user-provisioning-portal.md) for provisioning. If the application uses AD security groups, [add the application for remote access through Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md) and [configure group writeback to AD](../hybrid/how-to-connect-group-writeback-v2.md).
73
+
1. If the application is not already listed, then check if the application is available the [application gallery](../manage-apps/overview-application-gallery.md) for applications that can be integrated for federated SSO or provisioning. If it is in the gallery, then use the [tutorials](../saas-apps/tutorial-list.md) to configure the application for federation, and if it supports provisioning, also [configure the application](../app-provisioning/configure-automatic-user-provisioning-portal.md) for provisioning.
74
+
1. If the application is not already listed, but uses AD security groups and is a web application, [add the application for remote access through Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md) and [configure group writeback to AD](../hybrid/how-to-connect-group-writeback-v2.md).
75
+
1. If the application is not already listed, uses AD security groups and is not a web application, then [configure group writeback to AD](../hybrid/how-to-connect-group-writeback-v2.md) and continue at the next section.
74
76
1. Once the application is in the list of enterprise applications in your tenant, select the application from the list.
75
77
1. Change to the **Properties** tab. Verify that the **User assignment required?** option is set to **Yes**. If it's set to **No**, all users in your directory, including external identities, can access the application, and you can't review access to the application.
76
78
@@ -95,23 +97,19 @@ Now that you have identified the integration pattern for the application, check
95
97
96
98
1. Check the list of directory objects assigned to the roles to confirm that there are no groups assigned to the application roles. It's possible to review this application if there is a group assigned to a role; however, a user who is a member of the group assigned to the role, and whose access was denied, won't be automatically removed from the group. If the application does not itself rely upon groups, then we recommend first converting the application to have direct user assignments, rather than members of groups, so that a user whose access is denied during the access review can have their application role assignment removed automatically. If the application does rely upon groups, and all of the application's groups are assigned to the same application role, then you'll review the group memberships instead of reviewing the application assignments.
97
99
100
+
## Check the groups are ready for the review
101
+
98
102
Next, if the application integration also requires one or more groups to be reviewed, as described in pattern B, then check each group is ready for review.
99
103
100
-
1. In the Azure portal experience for Azure AD, click **Groups**, and then select the group from the list.
104
+
1. In the Azure portal experience for Azure AD, click **Groups**, and then search for and select each group from the list.
101
105
1. On the **Overview** tab, verify that the **Membership type** is **Assigned**, and the **Source** is **Cloud**. If the application uses a dynamic group, or a group synchronized from on-premises, then those group memberships can't be changed in Azure AD. We recommend converting the application to groups created in Azure AD with assigned memberships, then copy the member users to that new group.
102
106
1. Change to the **Roles and administrators** tab. This tab displays the administrative roles, that give rights to control the representation of the group in Azure AD, not the access rights in the application. For each administrative role that allows changing group membership and has users in that administrative role, ensure that only authorized users are in that role.
103
107
1. Change to the **Members** tab. Verify that the members of the group are users, and that there are no non-user members or nested groups. If there are no members of a group when the review starts, the review of that group will complete immediately.
104
-
1. Change to the **Owners** tab. Make sure that no authorized users are shown as owners. If you'll be asking the group owners to perform the access review of a group, then confirm that the group has one or more owners.
108
+
1. Change to the **Owners** tab. Make sure that no unauthorized users are shown as owners. If you'll be asking the group owners to perform the access review of a group, then confirm that the group has one or more owners.
105
109
106
110
## Select appropriate reviewers
107
111
108
-
When you create each access review, administrators can choose one or more reviewers. The reviewers can carry out a review by choosing users for continued access to a resource or removing them.
109
-
110
-
Typically a resource owner is responsible for performing a review. If you're creating a review of a group, as part of reviewing access for an application integrated in pattern B, then you can select the group owners as reviewers. As applications in Azure AD don't necessarily have an owner, the option for selecting the application owner as a reviewer isn't possible. Instead, when creating the review, you can supply the names of the application owners to be the reviewers.
111
-
112
-
You can also choose, when creating a review of a group or application, to have a [multi-stage review](create-access-review.md#create-a-multi-stage-access-review). For example, you could select to have the manager of each assigned user perform the first stage of the review, and the resource owner the second stage. That way the resource owner can focus on the users who have already been approved by their manager.
113
-
114
-
Before creating the reviews, check that you have at least as many Azure AD Premium P2 licenses in your tenant as there are member users who are assigned as reviewers. Also, check that all reviewers are active users with email addresses. When the access reviews start, they each review an email from Azure AD. If the reviewer doesn't have a mailbox, they will not receive the email when the review starts or an email reminder. And, if they are blocked from being able to sign in to Azure AD, they will not be able to perform the review.
0 commit comments