Microsoft Entra ID Governance Introduces Two New Features in Access Reviews

As announced on June 7, 2023, Microsoft Entra ID Governance is now generally available, and with it a set of new capabilities to empower businesses in their pursuit of streamlined access management. This includes (ML) powered access review recommendations and user inactivity access review scoping. These additions leverage advanced technologies to enhance access reviews, granting reviewers intelligent recommendations and simplifying security management by regularly reviewing and removing inactive accounts.

Let's explore how these features assist organizations in making informed decisions and safeguarding critical resources.

Machine Learning-based recommendations for reviewers 

Access reviews play a crucial role in ensuring the right users have the appropriate access privileges within an organization. However, the decision-making process can be challenging and time-consuming for reviewers. This is where -based recommendations for reviewers come into play. Leveraging algorithms and the organization's reporting structure, this feature provides insightful recommendations to reviewers, enabling them to make well-informed decisions swiftly. Nevertheless, it's worth emphasizing that while this recommendation is significant, it's merely the first step towards unlocking the full potential of artificial intelligence (AI) and machine learning.

Scenario: You want reviewers to make the review process easier so that reviewers can make quicker and more accurate decisions

You want your reviewers to be efficient during your access certification campaigns. When creating the access review, you select ‘User-to-Group Affiliation' as part of enabling reviewer decision helpers.

JMQuade_1-1689277822995.png

The user-to-group affiliation recommendation analyzes users' relative affiliation with other users in the group, while also considering the organization's reporting structure. By utilizing a machine-learning-based scoring mechanism, the system identifies users who are at a significant distance from other users in the group, indicating “low affiliation.”

The reviewer now will see the recommendation in My Access when going through the access review. These insights help flag potential candidates for closer scrutiny before a decision is made to accept or deny access, thereby helping reviewers increase review efficiency, reduce attestation fatigue, and ensure the sensitive resources are secure.

JMQuade_2-1689277823002.png

The reviewer can now take immediate action. They have the option to accept the recommendations by clicking on “Accept Recommendations,” enabling swift, efficient decision-making. Alternatively, reviewers can manually review the recommendations and exercise their judgment to accept or deny access accordingly. This feature empowers reviewers to make well-informed decisions while reducing the time and effort required to complete an access review.

To learn more see: Review recommendations for Access reviews.

Unleashing the power of inactive user scoping 

Managing inactive user accounts is a significant challenge for organizations, as dormant accounts can pose potential security risks. ID Governance tackles this challenge head-on with the introduction of inactive user scoping. This feature allows administrators to review and address stale accounts that haven't been active for a specified period. By encompassing both interactive and non-interactive sign-in activities, inactive user scoping provides a comprehensive view of user activity. Administrators can set a specific duration, such as 30, 60 or 90 days, to determine inactive accounts. As part of the review process, stale accounts can automatically be removed.

Scenario: You want to set up a recurring review of inactive users in a critical group 

You want to set up a recurrent review of the audit team group, who have not signed into any application in (both interactively and non-interactively) in the last 30 days. For that you create a new access review, you choose the group, all users in the group and choose the new option for inactive users, with a threshold of 30 days.

JMQuade_3-1689277823004.png

Removing inactive user accounts improves an organization's security posture by reducing the and minimizing the risk of unauthorized access. By regularly reviewing and removing stale accounts, organizations can ensure that access privileges align with business requirements and maintain a lean, secure user environment.

Give it a try 

We're excited about these new capabilities, and we'd love for you to try them out! Current Microsoft Premium customers have two ways to use the new capabilities:

  1. You can set up a trial of Microsoft Governance at https://aka.ms/EntraIDGovTrial.
  2. You can upgrade to Microsoft Entra ID Governance by purchasing licenses online, via our licensing partners, or directly from Microsoft if they work with a Microsoft account team.

Joseph Dadzie

Partner Director of Product Management

LinkedIn: @joedadzie

Twitter: @joe_dadzie

Learn more about Microsoft identity:

 

This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.