The emails sent to complete an access review have unnecessary additional content (e.g. Microsoft Address) and do not allow addition of more information to help those that receive a message.
4 votes
Thanks for the feedback! Good news is that we are working to improve the emails to provide the reviewers the necessary information succinctly. Some of the information you see, the Microsoft logo and address, some are there because of legal reasons. We are actively working on this right now and will provide updates here.
Follow up question for you, what else do you think is unnecessary, and what would you like to see?
Access Reviews don't reflect the Azure AD recommendation (example: user not logged for last 30 days etc.) for reviewers of 3rd party SaaS applications. Also, will be great to automate the line manager for each user as the access reviewer, as it would help in larger organisations to better manage and speed up the review process
1 vote
get rid of this .... just a totally unnecessary pita
1 vote
I need your help to reactivate my account; I have no signal on my phone; I am on a platform and I need my account.
I would like to create an access review for ALL Teams to review guest membership so whenever someone adds an external user to their Team the review will occur. Currently I have to tell the access review policy which teams it applies to. Because my users can add their own teams I have to create a manual process to look at new teams and add them to an access review. I'd rather just apply it to the entire application so it happens with every Team that exists.
2 votes
Thanks for writing! We actually have this feature in our roadmap and it is under active development. If you are interested in private previewing this, please email us directly at email@example.com, and I would love to learn more about your scenarios!
Hi, would be very beneficial if we can increase the time frame Access Reviews checks. At the moment the time frame is 30 days. It would be great to give the options for reviews that check time frames that are 3 months / 6 months / 12 months.
Example: Long term sickness
Would also help in creating accurate user to application assignments.
1 vote
Thanks for writing! This is a very valid scenario and it is in our roadmap. We are actively trying to improve the recommendations with richer analytics. Will let you know when we have a private preview, please stay tuned!
As a user I should be able to upload a CSV file containing:
User and Group relationship
I should be able to launch an access review based on above files. I should be able to select reviewers based on AAD identities or specify them in the file.
Most ID governance tools have this function built in.
1 vote
Thanks for writing! This is a very valid scenario and it is in our roadmap. Will let you know when we have a private preview, please stay tuned!
Currently I am an owner of multiple Access Reviews. And my name is sent in the e-mail as owner of the Review. I would like an option to remove my name from the mail, and the option to send the user to the service desk if they have questions about the Review.
What would be even better is the option to customize the e-mail which is sent to the users.
2 votes
Thanks for the feedback and I’m glad we are thinking in the same direction! We have a plan to remove the "inviter"’s name in the email and replace it with a help desk link. Question for you, you mentioned that you prefer to have an “option” to send the users to service desk, 1) would this be an internal link specific to your organization, 2) should this be the default behavior, if not, what would you prefer? 3) another idea – would having a “friendly” description displayed to the users (different from the description the IT admin writes when creating the review), with a service desk link pasted in that description solve your problem?
Access reviews icon is showing for all users in myapps portal when we onboard the feature. It could be better if this icon appears only when you are in the scope of ongoing review as reviewer or self reviewer. That creates a lot of questions from users about the utility. And it could be the case also for group icon.
1 vote
Thanks for writing! We actually fixed this issue and only show the access reviews icon in the access panel for users who have a review to do. If you are still seeing this, please email us directly at firstname.lastname@example.org.
Expand access reviews to support Azure Subscription and Resources for explicit assigned identity.
8 votes
Thanks for the feedback, we have this work in planning.
Introduce the ability to add exceptions when creating Access Reviews
e.g. This will allow us to exclude service accounts from the report of accounts that have not logged on in the last 30 days
3 votes
Thanks so much for the feedback! Could you clarify what the “report of accounts” you are referring to in the example? Thanks!
Access Reviews should let you review guest users access on the directory level. Using a dynamic group with all guest users in it, I should be able to have access reviews DELETE the user from the Azure Active Directory rather than just removing the user from a group.
5 votes
Hi Sigurd, thanks so much for the feedback! If you could reach out to me I would love to chat more to understand your use case and have you participate in our private preview of the delete scenario.
Only a timer based Access Review is not enough for us.
We have multiple situations where we need to trigger review again, including:
1. Based on some user's attributes update, e.g. Manager reporting line changes, Department changes, job role changes
2. Based on usage pattern, e.g. a user hasn't used a certain app/resource for last X days.
1 vote
Thanks for the feedback! We are working on adding more triggers to kick off access reviews like what you listed in 1!
For 2. we do show user’s sign-in data to the reviewers to help them make the decisions. If a user hasn’t signed in to the tenant in the last 30 days, then the system will recommend denying that user’s continued access. Are you referring to automatically triggering a review on users who have not accessed an app/resource in the last X days?
We have two scenarios:
1. For internal organization users, we need FTE manager as reviewer
2. For external organization users, we need to have "sponsor" as reviewer.
I already saw there is a feedback on supporting Manager as reviewer which should fulfill our requirement 1. above.
For requirement 2 above, we need to assign different "sponsor group" as reviewers (instead of individual users hardcode in Access Review)
1 vote
Thanks for the detailed feedback! Yes we are working on adding both manager and sponsor groups as reviewers, will update here when we have a preview ready. In the meantime, if you have any more questions or more requirements, please let us know by commenting here!
It would be VERY beneficial to apply an Access Review policy to new groups as they are created, eliminating the management overhead of creating new policies AFTER each group created.
Also, if an Access Review Policy could be applied to multiple groups at a time, Access Review management overhead would be reduced.
22 votes
Thanks for all the feedback, we have made progress on this and the ability to apply the same policy to multiple groups (and applications) is now live! You can include multiple groups or apps in a single Azure AD access review for group membership or app assignment. Access reviews with multiple groups or apps are set up using the same settings and all included reviewers are notified at the same time. (more info in “What’s new in AAD, Feb 2019” https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new)
We’ll be continuing to work on applying an Access Review policy to new groups as they are created, and update here when that’s done.
Access for some applications/groups should be approved by the user's manager. As the functionality is not available we cannot utilise the promising Access Review tool.
2 votes
Thanks for taking the time to give feedback! We have the work to add managers as reviewers in our backlog, will update here once we have a preview to share!
Currently, we do support group owners as the reviewers, would that help with your scenario?
Would this functionality be your only blocker to use access reviews? I would love to know how you review access right now, any timelines you have. Thanks!
It should be easier to use.
2 votes
Thanks for the comment. Could you give us more information about which part of the experience is confusing? Is there a specific scenario you are trying?
We have a challenging situation to manage group owners in Azure Active Directory. If a person leaves the organization, his/her identity will be set to "disabled" state. Is there a way automatic emails can be sent to admins notifying Group Owner ID is disabled for all the managed groups?
2 votes
Hi Jaya, thanks for the feedback! I’d love to understand your scenario a bit more and loop in the team working on Groups. To clarify your concern – Is the disabling of group owners when they leave the organization affecting the completion of your existing access reviews? Feel free to comment here or email email@example.com directly. Thanks!
Would be great if Access Reviews could include the on-prem group Domain Admins, and the Cloud based group Global Admins. Right now this is not possible.
4 votes
Thank you John for the feedback! My understanding is that you are referring to access reviews of privileged roles in the PIM experience.
In regards to reviewing on-prem group Domain Admins, historically, groups like that were blocked by AAD Connect for not sending them to AAD, so they are filtered out.
For cloud based group Global Admins, you can review global admins in the current PIM experience, these 2 articles should help you get started –
If you have any more questions – feel free to email firstname.lastname@example.org