Access Reviews Design

💼 Management Summary

Access Reviews automate periodic reviews of user access, group memberships and privileged roles to enforce least privilege.

Recommendation: IMPLEMENT ACCESS REVIEWS
Risk without: High
Risk Score: 7/10
Implementation: 24h (tech: 8h)
Applies to: ✓ Azure AD

Access creep (users accumulating permissions over time) leads to excessive access. Access Reviews enforce: quarterly reviews of group memberships, annual reviews of admin roles, validation of guest user access, and removal of stale access. Without reviews: privilege creep, orphaned accounts and compliance violations.

PowerShell Modules Required
Primary API: Microsoft Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.Identity.Governance

Implementation

Access Review design: (1) guest access reviews (quarterly), (2) admin role reviews (monthly), (3) application access reviews (semi-annual), (4) group membership reviews (quarterly). Access for which no reviewer responds is removed automatically.

Requirements

  1. Azure AD Premium P2
  2. Access review owners defined
  3. Review cadence approved

Implementation

Use the PowerShell script access-reviews.ps1 (function Invoke-Remediation) – Access reviews setup.

Azure AD → Identity Governance → Access reviews: create reviews for guests, admins and groups.

Monitoring

Use the PowerShell script access-reviews.ps1 (function Invoke-Monitoring) – Check.

Monitor: review completion rate, denied access, automatic removals.
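As an added example (not the baseline's own access-reviews.ps1), the quarterly guest review from the design above created through Microsoft Graph, with the non-response default set to Deny and auto-apply enabled so stale guests are removed, plus the monitoring summary (completion rate, denials, applied removals) for its latest instance. The group ID is a placeholder; the cmdlets are those of the Microsoft.Graph.Identity.Governance module and the caller is assumed to hold the AccessReview.ReadWrite.All permission.

```powershell
# Added example, not the baseline's own script. Assumes Microsoft.Graph.Identity.Governance
# is installed and that the signed-in account holds the AccessReview.ReadWrite.All permission.
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All' -NoWelcome

function New-QuarterlyGuestReview {
    # Quarterly review of the guest members of one group, decided by the group's owners.
    param([Parameter(Mandatory)][string]$GroupId)   # placeholder: object ID of the reviewed group
    $body = @{
        displayName          = "Quarterly guest review - $GroupId"
        descriptionForAdmins = 'Guests not approved within 14 days lose their membership.'
        scope = @{
            '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
            query     = "/groups/$GroupId/transitiveMembers/microsoft.graph.user/?`$filter=(userType eq 'Guest')"
            queryType = 'MicrosoftGraph'
        }
        reviewers = @(@{ query = "/groups/$GroupId/owners"; queryType = 'MicrosoftGraph' })
        settings  = @{
            instanceDurationInDays          = 14
            defaultDecisionEnabled          = $true    # no reviewer response -> defaultDecision
            defaultDecision                 = 'Deny'   # ... and that default is Deny
            autoApplyDecisionsEnabled       = $true    # Deny is applied: the stale guest is removed
            justificationRequiredOnApproval = $true
            mailNotificationsEnabled        = $true
            reminderNotificationsEnabled    = $true
            recurrence = @{
                pattern = @{ type = 'absoluteMonthly'; interval = 3; dayOfMonth = 1 }
                range   = @{ type = 'noEnd'; startDate = (Get-Date).ToString('yyyy-MM-dd') }
            }
        }
    }
    New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $body
}

function Get-ReviewSummary {
    # Completion rate, denials and applied removals for the latest instance of one definition.
    param([Parameter(Mandatory)][string]$DefinitionId)
    $inst = Get-MgIdentityGovernanceAccessReviewDefinitionInstance -AccessReviewScheduleDefinitionId $DefinitionId |
            Sort-Object StartDateTime -Descending | Select-Object -First 1
    $dec  = @(Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
                -AccessReviewScheduleDefinitionId $DefinitionId -AccessReviewInstanceId $inst.Id -All)
    $decided = @($dec | Where-Object Decision -ne 'NotReviewed').Count
    [pscustomobject]@{
        Status         = $inst.Status
        Total          = $dec.Count
        CompletionRate = if ($dec.Count) { [math]::Round(100 * $decided / $dec.Count) } else { 0 }
        Denied         = @($dec | Where-Object Decision -eq 'Deny').Count
        Applied        = @($dec | Where-Object ApplyResult -eq 'AppliedSuccessfully').Count
    }
}
```

Call New-QuarterlyGuestReview with a group ID once, then feed the returned definition's Id to Get-ReviewSummary from a scheduled monitoring run; a CompletionRate well below 100 at the end of an instance means the Deny default, not a reviewer, is deciding access.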

Compliance and Auditing

  1. BIO 09.02 - User Access Management
  2. ISO 27001 A.9.2.5 - Review of user access
  3. NIS2 - Access reviews

Remediation

Use the PowerShell script access-reviews.ps1 (function Invoke-Remediation) – Remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Access Reviews Design
.DESCRIPTION
    Access reviews: Guests (quarterly by resource owners), privileged roles (monthly by Security + Manager),
    sensitive groups (quarterly by group owners), app assignments (yearly by app owners), auto-remove if not approved.
.NOTES
    Filename:      access-reviews.ps1
    Author:        Nederlandse Baseline voor Veilige Cloud
    Created:       2025-10-15
    Last Modified: 2025-10-15
    Version:       1.0
    Related JSON:  content/design/identity/access-reviews.json
    Category:      identity
    Workload:      design
.LINK
    https://github.com/m365-tenant-best-practise
.EXAMPLE
    .\access-reviews.ps1 -Monitoring
    Check compliance status
.EXAMPLE
    .\access-reviews.ps1 -Remediation
    Apply configuration
#>
#Requires -Version 5.1
[CmdletBinding()]
param(
    [Parameter()] [switch]$Monitoring,
    [Parameter()] [switch]$Remediation,
    [Parameter()] [switch]$Revert,
    [Parameter()] [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

# ============================================================================
# HEADER
# ============================================================================
Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Access Reviews Design" -ForegroundColor Cyan
Write-Host "Nederlandse Baseline voor Veilige Cloud" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

# ============================================================================
# FUNCTIONS
# ============================================================================
function Test-Compliance {
    <#
    .SYNOPSIS
        Tests if current configuration is compliant
    #>
    [CmdletBinding()]
    param()
    return Invoke-Monitoring
}

function Invoke-Monitoring {
    <#
    .SYNOPSIS
        Monitors current configuration status
    #>
    [CmdletBinding()]
    param()
    Write-Host "`nMonitoring:" -ForegroundColor Yellow
    # Design document: the only Graph call is the Get-MgUser lookup below.
    # As written, this check verifies the break-glass accounts listed in the
    # customer's modules.json; it does not read access-review state.
    # Uses the global customer name set by Run-Controls.ps1.
    $modulesPath = Join-Path (Split-Path (Split-Path (Split-Path $global:PSScriptRoot -Parent) -Parent) -Parent) "Customers\$global:CustomerName\modules.json"
    if (Test-Path $modulesPath) {
        $modules = Get-Content $modulesPath -Raw | ConvertFrom-Json
        $breakGlassIds = $modules.'customer-settings'.'break-glass-accounts'.objectID
        $foundAccounts = @()
        foreach ($id in $breakGlassIds) {
            try {
                $user = Get-MgUser -UserId $id -ErrorAction SilentlyContinue
                if ($user) { $foundAccounts += $user }
            } catch {}
        }
        @{
            isCompliant     = ($foundAccounts.Count -ge 2)
            definedAccounts = $breakGlassIds.Count
            foundAccounts   = $foundAccounts.Count
            accounts        = $foundAccounts.UserPrincipalName
        }
    } else {
        @{
            isCompliant = $false
            message     = "modules.json not found at: $modulesPath"
        }
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
        Applies recommended configuration
    #>
    [CmdletBinding()]
    param()
    Write-Host "`nRemediation:" -ForegroundColor Yellow
    # Design document - no API calls
    # Manual: Create 2 emergency access accounts and add ObjectIDs to modules.json
    # under customer-settings.break-glass-accounts.objectID
}

function Invoke-Revert {
    <#
    .SYNOPSIS
        Reverts configuration to previous state
    #>
    [CmdletBinding()]
    param()
    Write-Host "`nRevert:" -ForegroundColor Yellow
    Write-Host "Reverting configuration..." -ForegroundColor Yellow
    Write-Host "Manual revert required - see JSON documentation" -ForegroundColor Gray
}

# ============================================================================
# MAIN EXECUTION
# ============================================================================
try {
    if ($Revert) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would revert configuration" -ForegroundColor Yellow
        } else {
            Invoke-Revert
        }
    } elseif ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        } else {
            Invoke-Remediation
        }
    } else {
        Write-Host "Available parameters:" -ForegroundColor Yellow
        Write-Host "  -Monitoring  : Check current status" -ForegroundColor Gray
        Write-Host "  -Remediation : Apply configuration" -ForegroundColor Gray
        Write-Host "  -Revert      : Revert changes" -ForegroundColor Gray
        Write-Host "  -WhatIf      : Show what would happen" -ForegroundColor Gray
    }
} catch {
    Write-Error "Error: $_"
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk without implementation

High: access creep = users accumulate permissions that are never removed. Orphaned accounts (ex-employees), excessive privileges, stale guest accounts. Compliance: ISO 27001 A.9.2.5, BIO 9.02. The risk is HIGH - privilege accumulation.

Management Summary

Access Reviews: automated periodic reviews - guest accounts (quarterly attestation), privileged roles (monthly admin reviews), group memberships (quarterly), application access (bi-annual). Reviewers approve or deny continued access; denied access is removed automatically. Requires: Azure AD P2 (Access Reviews). Activation: Entra ID → Identity Governance → Access Reviews. Cost: P2 license. Mandatory under ISO 27001 A.9.2.5, BIO 9.02. Implementation: 8-24 hours (review workflows + training). Essential access governance - prevents privilege creep.