Who Is Reviewing Teams Guest Access?

Date: Tuesday, Nov 19, 2019
Author: Paul Maggs
Reading Time: 9 minutes
Tags: Azure Identity Governance
Categories: Security Tips


Collaboration shouldn’t be limited to people within your own organisation; extending these capabilities to allow external guest participants improves how people share ideas and information. Keeping files and conversations in a single location removes the need to continually swap communications via email or other methods, reduces unnecessary copies of data that are difficult to reconcile when compiling authoritative versions, and removes the need to send this information externally, where you have no control over its use (unless you’ve deployed rights management, which is a conversation for another time).

By default, when switching on Teams guest access, the change is global within your Office 365 tenant: every team owner, who may be anyone within your organisation, can admit external guests into their teams, and those guests then have access to the conversations and files within them. This poses the critical question: how do you review and reconcile who has access to your organisation, your teams, and your data? It can be a scary proposition if you’ve enabled guest access without thought to this question.

Organisations utilising a governance model that relies on team owners to police their own teams need to provide tools to assist with the review and remediation process. Relying on team owners to perform these administration tasks without assistance invariably leads to poor governance, as tasks are forgotten or staff are unaware of their responsibilities. Whilst external guests are trusted entities, if over time they no longer require access it’s best practice to remove that access, as doing so limits the risk of something going awry.

Does Office 365 provide native tools?

Multiple tools and methods exist that can assist organisations to review and remediate external guest access, and for some organisations the solution may be to deploy Azure identity governance access reviews. Access reviews give organisations the ability to delegate group management to specific people or groups of people so that they can validate membership and take action as a result. Access reviews are not limited to Teams and can be utilised in other areas of Office 365; however, a good use case is pairing them with Teams to ensure membership is kept up to date and valid.

Where access reviews excel is the ability to enable regular group membership validation assigned to people within your organisation who are best placed to make these decisions. It’s one thing to have the IT department review where access has been granted, yet in many instances they will not be able to make a value judgement on whether this access is warranted or should be rescinded. Empowering the right people, in this instance the team owners, to regularly make these decisions puts the responsibility in the right hands and ensures guest access to teams is regulated and up to date.

Access reviews. How do they work?

Access reviews provide flexibility in the number of policies you can deploy, the data they protect, and how they respond when enacted. This means there’s ample opportunity to deploy different policies based on need, including what data access is affected, how often a review should be completed, who should be completing the reviews, and whether the review includes not only external guests but also internal staff.

Here are some areas to be aware of:

  • Recurrence: How often do you wish to trigger a review? Individual access reviews are possible and may be used to perform a single remediation of access, however the ability to schedule recurring reviews ensures ongoing group membership remediation tasks are completed. Reviewers are reminded when an access review is to be performed and are provided a simple and effective interface to complete this task.

  • Scope: The scope can be enabled for all members, which for some team membership lists could be essential, yet if external guest access is your main concern then the review can be limited to only external guest members.

  • Reviewers: Who reviews each group’s membership is extremely important (and each group can have multiple reviewers to ease the administrative overhead). Whilst you can set this to specific people within your organisation, the better approach is to have the access review automatically assign the task to each team owner, who is best placed to know who requires access. Alternatively, you may want members to review their own access and elect to remove themselves from the group membership; this is useful when you want people to self-regulate their own access to each team of which they are an owner or member, and it can also be actioned by external guests.

  • Review completion: Each access review has a set duration, and it is important that at the conclusion of each review cycle there is an outcome: this includes what changes to access will occur and what happens if reviewers fail to perform their access review tasks.

Additional training and adoption is required

Enabling access reviews affects what data is accessible and by whom, so it’s highly recommended that a change such as this be planned with sufficient education and reference materials. Whilst Microsoft have provided a friendly interface for the review process, there is potential for incorrectly applied reviews to cause loss of access and so impact people’s ability to collaborate.

Keep in mind when enabling access reviews:

  • Depending on how an access review is configured, if no review is completed within the allocated timeframe then an automatic process may remove access from the accounts being reviewed.
  • Each decision may be updated or changed by a reviewer up until the conclusion of each review cycle.
  • Multiple reviewers may be assigned to a single access review rule. Whilst this ensures more coverage for each review event, each reviewer should understand that other reviewers may change their decisions on retaining or revoking access.
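The four configuration areas under "Access reviews. How do they work?" and the cautions just above map onto concrete settings of a review definition. The following is an added example, not code from the original post or from Microsoft, that creates such a review with the Microsoft Graph PowerShell SDK using the v1.0 accessReviewScheduleDefinition schema; the governance group id is a placeholder, and the account running it is assumed to hold a role permitted to create access reviews.

```powershell
# Added example (not from the original post): one recurring access review of external
# guests in every Microsoft 365 group (each team is backed by one), reviewed by the
# group's own owners. Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"
$definition = @{
    displayName             = "Quarterly review of Teams guests"
    descriptionForAdmins    = "Owners confirm that external guests still need access."
    descriptionForReviewers = "Approve guests who still need access to your team; deny the rest."
    # Scope: only guest users, evaluated inside each group enumerated below.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "./members/microsoft.graph.user/?`$count=true&`$filter=(userType eq 'Guest')"
        queryType     = "MicrosoftGraph"
    }
    # Which groups: all Microsoft 365 (Unified) groups, i.e. every team's backing group.
    instanceEnumerationScope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups?`$filter=(groupTypes/any(c:c eq 'Unified'))"
        queryType     = "MicrosoftGraph"
    }
    # Reviewers: each group's own owners decide for that group.
    reviewers = @(
        @{ query = "./owners"; queryType = "MicrosoftGraph" }
    )
    # Fallback reviewers for teams that have no owner (placeholder group id, replace it).
    fallbackReviewers = @(
        @{ query = "/groups/<GOVERNANCE-GROUP-ID>/members"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        # Recurrence: every 3 months, each cycle open for 14 days, no end date.
        instanceDurationInDays = 14
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 0 }
            range   = @{ type = "noEnd"; startDate = (Get-Date -Format "yyyy-MM-dd") }
        }
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        recommendationsEnabled          = $true   # Azure suggests approve/deny per guest
        justificationRequiredOnApproval = $true
        # Review completion: guests nobody reviews are denied, and all decisions are
        # applied automatically when the 14-day window closes.
        defaultDecisionEnabled    = $true
        defaultDecision           = "Deny"
        autoApplyDecisionsEnabled = $true
    }
}
New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
```

Setting defaultDecision to "Deny" with autoApplyDecisionsEnabled is exactly the combination that removes unreviewed guests at the end of a cycle, so communicate it to owners before the first cycle starts.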

Example of the access review process

Step 1: Example Access Review Email

At each review cycle, reviewers are sent an email informing them that they are responsible for an access review audit with a link to the review resources.

[Image: Guest access review email]

Step 2: Actioning an access review

The reviewer is shown a list of all team members, in this example external guests, whose access requires validation. Note that for this particular review there are recommendations generated by Azure, providing guidance on whether to renew or revoke permissions.

[Image: Guest access review decision list]

Step 3: Reporting

Reviewers and administrators are provided with reports indicating the results of each review. A visual graph provides a quick summary, whilst detailed results provide in-depth information including why access was either extended or denied and the effects of any change.

[Images: Guest access review reports]

Licensing requirements

Access reviews are part of Azure’s Identity Governance features and require either Enterprise Mobility + Security E5 or Azure Active Directory Premium P2 licenses.