Access Review Monitoring and Response
Access Review Monitoring and Response is a critical component of Identity Governance within Microsoft's identity and access management ecosystem, primarily leveraging Azure AD (now Microsoft Entra ID) Access Reviews. It involves continuously tracking, evaluating, and acting upon the results of access reviews to ensure that users maintain only the appropriate level of access to organizational resources.
**Monitoring** refers to the ongoing oversight of access review campaigns. Administrators can monitor the progress of reviews through the Azure portal or Microsoft Entra admin center, tracking metrics such as completion rates, pending reviews, and reviewer response times. Dashboards and reports provide visibility into whether reviewers are completing their assigned tasks on time and whether any reviews require escalation. Azure Monitor and Log Analytics can be integrated to create alerts and custom reports for deeper insights into review activities.
**Response** involves taking action based on the outcomes of access reviews. This includes automatically or manually removing access for users who no longer require it, approving continued access where justified, and escalating decisions when reviewers fail to respond. Auto-apply results can be configured so that denied access is automatically revoked upon review completion, reducing administrative overhead.
Key features include:
- **Multi-stage reviews**: Allowing multiple reviewers to evaluate access in sequential stages.
- **Automated reminders**: Sending notifications to reviewers who haven't completed their tasks.
- **Fallback reviewers**: Designating backup reviewers if primary reviewers are unresponsive.
- **Audit logs**: Maintaining comprehensive records of all review decisions for compliance purposes.
Automation plays a vital role through Microsoft Graph APIs and PowerShell, enabling administrators to programmatically create, monitor, and respond to access reviews at scale. Integration with Azure Logic Apps and Power Automate allows for custom workflows triggered by review outcomes.
Effective Access Review Monitoring and Response helps organizations maintain a least-privilege access model, meet regulatory compliance requirements (such as SOX, GDPR, and HIPAA), and reduce security risks associated with excessive or stale permissions across cloud and on-premises resources.
Access Review Monitoring and Response – SC-300 Identity and Access Administrator
Why Is Access Review Monitoring and Response Important?
In any modern organization, users accumulate access to resources over time — a phenomenon often called access creep. Without a structured process to review, monitor, and respond to access assignments, organizations face significant security, compliance, and governance risks. Access reviews are a critical component of Identity Governance in Microsoft Entra ID (formerly Azure AD), ensuring that only the right people maintain the right level of access to the right resources at the right time.
Key reasons this topic matters:
- Regulatory Compliance: Standards such as SOX, HIPAA, GDPR, and ISO 27001 require periodic review of access privileges.
- Least Privilege Enforcement: Ensures users do not retain unnecessary permissions beyond what their current role requires.
- Audit Readiness: Provides documented evidence that access decisions are reviewed and acted upon regularly.
- Risk Reduction: Stale accounts, orphaned group memberships, and excessive privileged access are common attack vectors that access reviews help mitigate.
- Operational Efficiency: Automated reviews reduce manual overhead for IT and security teams.
What Is Access Review Monitoring and Response?
Access Review Monitoring and Response refers to the process of:
1. Configuring access reviews in Microsoft Entra ID Governance to periodically evaluate who has access to groups, applications, and Azure AD roles.
2. Monitoring the progress and status of those reviews — tracking how many reviewers have responded, which decisions have been made, and whether reviews are on schedule.
3. Responding to review outcomes — taking action on the results, such as removing access for users who were denied, auto-applying results, or escalating incomplete reviews.
Access reviews in Microsoft Entra ID can target:
- Group memberships (Security groups, Microsoft 365 groups)
- Application assignments (Enterprise applications)
- Azure AD role assignments (via Privileged Identity Management / PIM)
- Access package assignments (via Entitlement Management)
How Does It Work?
Step 1: Create an Access Review
Administrators configure an access review in the Microsoft Entra admin center under Identity Governance > Access Reviews. Key configuration settings include:
- Scope: What is being reviewed — group membership, application access, or role assignment.
- Reviewers: Who performs the review — self-review (users review their own access), managers, group owners, specific users, or multiple stages of reviewers.
- Frequency: One-time, weekly, monthly, quarterly, semi-annually, or annually.
- Duration: How long reviewers have to complete the review.
- Auto-apply results: Whether denied access is automatically removed when the review ends.
- If reviewers don't respond: What happens — no change, remove access, approve access, or take recommendations.
- Recommendations: Microsoft Entra ID can provide system-generated recommendations based on the user's last sign-in activity (e.g., if a user hasn't signed in for 30 days, it may recommend denying access).
Step 2: Monitor the Access Review
Once an access review is active, administrators and designated reviewers can monitor progress:
- Dashboard view: Shows overall completion percentage, number of users reviewed vs. pending, and the decisions made (Approve, Deny, Don't Know).
- Reviewer status: Track which reviewers have completed their tasks and which have not.
- Reminders: The system can automatically send email reminders to reviewers who haven't responded.
- Audit logs: Every decision made during an access review is logged in the Microsoft Entra audit log, providing a full trail for compliance audits.
Step 3: Respond to Access Review Results
When the review period ends, results need to be acted upon:
- Auto-apply: If configured, denied users automatically lose access. This is the most efficient approach.
- Manual apply: An administrator can review the results and manually apply changes by clicking Apply in the access review results page.
- Download results: Results can be downloaded as a CSV file for offline review, reporting, or compliance documentation.
- Non-responsive reviewers: If a reviewer does not respond, the configured fallback action is applied (no change, remove access, approve access, or follow system recommendations).
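As an added example (not code from the page, from Microsoft, or from any exam guide), the following PowerShell script carries out Steps 2 and 3 programmatically through Microsoft Graph, as the summary's note on PowerShell automation describes: it computes completion metrics per review instance, sends the built-in reminder when completion lags near the deadline, flags approvals that contradict the system recommendation, and optionally applies the results of a completed review (manual apply). It assumes the Microsoft.Graph.Identity.Governance module, an account granted AccessReview.ReadWrite.All, and a placeholder schedule definition ID; the 80% threshold and 3-day window are assumptions, and the cmdlet names are the SDK's as known to the author of this example.

```powershell
# Added example (not from the page or Microsoft): monitor and respond to one access review
# with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance module).
# $DefinitionId is a placeholder; replace it with your own schedule definition ID.
param(
    [string]$DefinitionId = "<access-review-schedule-definition-id>",   # placeholder
    [int]$RemindBelowPercent = 80,   # assumed threshold: nudge reviewers below this completion
    [switch]$ApplyCompleted          # opt-in: apply results of Completed instances (manual apply)
)
# AccessReview.Read.All suffices for monitoring; ReadWrite is needed for reminders and apply.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All" -NoWelcome

$instances = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
    -AccessReviewScheduleDefinitionId $DefinitionId -All
foreach ($inst in $instances) {
    $decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
        -AccessReviewScheduleDefinitionId $DefinitionId -AccessReviewInstanceId $inst.Id -All
    # Step 2 metrics: one decision row per principal; NotReviewed means a reviewer is still pending.
    $total    = @($decisions).Count
    $pending  = @($decisions | Where-Object { $_.Decision -eq 'NotReviewed' }).Count
    $denied   = @($decisions | Where-Object { $_.Decision -eq 'Deny' }).Count
    $pctDone  = if ($total) { [math]::Round(100 * ($total - $pending) / $total) } else { 0 }
    $daysLeft = ([datetime]$inst.EndDateTime - (Get-Date).ToUniversalTime()).Days
    [pscustomobject]@{ InstanceId = $inst.Id; Status = $inst.Status; Total = $total
                       Pending = $pending; Denied = $denied; PercentComplete = $pctDone
                       DaysLeft = $daysLeft } | Format-List

    switch ($inst.Status) {
        'InProgress' {
            # Escalation: completion lagging with the deadline close -> send the built-in reminder.
            if ($pctDone -lt $RemindBelowPercent -and $daysLeft -le 3) {
                Send-MgIdentityGovernanceAccessReviewDefinitionInstanceReminder `
                    -AccessReviewScheduleDefinitionId $DefinitionId -AccessReviewInstanceId $inst.Id
                Write-Warning "Reminder sent for $($inst.Id): $pctDone% complete, $daysLeft day(s) left"
            }
            # Worth a second look: a reviewer approved a principal the system recommended denying.
            $decisions | Where-Object { $_.Decision -eq 'Approve' -and $_.Recommendation -eq 'Deny' } |
                ForEach-Object { Write-Warning "Approved against recommendation: $($_.Principal.DisplayName)" }
        }
        'Completed' {
            # Step 3, manual apply: results stay unapplied unless auto-apply was configured.
            if ($ApplyCompleted -and $denied -gt 0) {
                $uri = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/" +
                       "$DefinitionId/instances/$($inst.Id)/applyDecisions"
                Invoke-MgGraphRequest -Method POST -Uri $uri
                Write-Host "Applied $denied Deny decision(s) for instance $($inst.Id)"
            }
        }
    }
}
```

Run it without -ApplyCompleted to monitor only; every reminder sent and every applyDecisions call is itself recorded in the Microsoft Entra audit log, so the script's actions remain auditable.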
Multi-Stage Access Reviews
Microsoft Entra ID supports multi-stage access reviews, which allow organizations to define up to three stages of reviewers. For example:
- Stage 1: The user's manager reviews access.
- Stage 2: A resource owner or security team member reviews the decisions from Stage 1.
- Stage 3: A final approver or compliance officer provides the ultimate decision.
Only users who were approved in a previous stage proceed to the next stage. This creates a layered governance approach that is especially useful for sensitive resources or privileged roles.
Key Features to Remember
- Recommendations engine: Uses sign-in data to suggest Approve or Deny, based on whether the user has signed in during a configurable period (default: 30 days).
- Decision helpers: Inactive users, user-to-group affiliation, and machine learning-based recommendations can guide reviewers.
- Recurrence: Access reviews can be set to automatically recur at defined intervals, ensuring continuous governance.
- Scope filtering: Reviews can target all members, guest users only, or specific users within a group.
- PIM integration: Access reviews for Azure AD roles configured through PIM allow periodic re-certification of privileged role assignments (both eligible and active).
- Entitlement Management integration: Access packages can be configured to require periodic access reviews as part of their policy, automatically prompting review of users who received access through the catalog.
Licensing Requirements
Access reviews require Microsoft Entra ID Governance or Microsoft Entra ID P2 licenses. Users who are subject to access reviews (in-scope users) need the appropriate license assigned. This is a commonly tested detail on the SC-300 exam.
Common Scenarios Tested on the SC-300 Exam
1. Scenario: An organization wants to ensure that guest users in a Microsoft 365 group are reviewed quarterly by the group owner. Solution: Create a recurring access review scoped to guest users only, with the group owner as the reviewer, set to quarterly recurrence.
2. Scenario: A compliance team requires that if a reviewer doesn't respond, the user's access should be removed. Solution: Configure the access review with the setting If reviewers don't respond set to Remove access.
3. Scenario: A security team wants to automatically remove access for users who are denied during a review. Solution: Enable the Auto apply results to resource setting when creating the access review.
4. Scenario: An organization needs a two-tier review process where the manager reviews first, then the resource owner. Solution: Configure a multi-stage access review with Stage 1 assigned to the user's manager and Stage 2 assigned to the resource owner.
5. Scenario: Reviewers need guidance on whether to approve or deny. Solution: Enable Decision helpers / Recommendations based on sign-in activity so reviewers see system suggestions alongside each user.
Exam Tips: Answering Questions on Access Review Monitoring and Response
1. Know the reviewer types: Self, manager, group owner, specific users, and application owner. Understand which reviewer type is appropriate for each scenario. Questions often test whether you can identify the correct reviewer for a given business requirement.
2. Understand auto-apply vs. manual apply: If a question asks about automatically removing access after a review completes, the answer involves enabling Auto apply results to resource. If the question mentions an administrator reviewing results before taking action, it's manual apply.
3. Non-responsive reviewer behavior is heavily tested: Know all four options — No change, Remove access, Approve access, Take recommendations. Pay close attention to the scenario's security posture. A security-focused organization will likely choose Remove access for non-responsive reviewers.
4. Guest user reviews are a favorite exam topic: Many questions involve reviewing external/guest user access to groups or applications. Remember that you can scope an access review to Guest users only.
5. Licensing is testable: Remember that access reviews require Entra ID P2 or Entra ID Governance licenses. If a question mentions an organization using Entra ID P1 or Free, access reviews will not be available.
6. PIM + Access Reviews: When a question involves reviewing privileged role assignments (e.g., Global Administrator, Exchange Administrator), the answer usually involves creating an access review from within Privileged Identity Management for Azure AD roles. Know that both eligible and active assignments can be reviewed.
7. Multi-stage reviews: If a question describes a requirement for multiple levels of approval or review, think multi-stage access reviews. Up to 3 stages are supported.
8. Recommendations and decision helpers: If a question asks how to help reviewers make informed decisions, the answer is to enable recommendations (based on last sign-in activity). The default inactivity threshold is 30 days but can be customized.
9. Audit logs and compliance: If a question asks about tracking or documenting access review decisions for compliance purposes, remember that all decisions are captured in Microsoft Entra audit logs and can also be exported as CSV.
10. Read the question carefully for trigger words:
- "automatically remove" → Auto-apply results
- "if no response" → If reviewers don't respond setting
- "guest users" → Scope filtering to guest users only
- "periodic" or "recurring" → Recurrence settings
- "privileged roles" → PIM access reviews
- "manager and then resource owner" → Multi-stage review
- "recommend" or "suggestion" → Decision helpers / Recommendations
11. Where to create access reviews: Know the navigation path — Microsoft Entra admin center > Identity Governance > Access Reviews > New access review. For PIM role reviews, navigate through Privileged Identity Management > Azure AD roles > Access reviews.
12. Entitlement Management connection: Access reviews can be embedded in access package policies. If a question mentions access packages and periodic review, the answer involves configuring the review within the access package assignment policy lifecycle settings.
By mastering these concepts and tips, you will be well-prepared to handle any SC-300 exam question related to Access Review Monitoring and Response. Focus on understanding the why behind each configuration option, not just the how, as Microsoft certification exams frequently present scenario-based questions that require you to apply knowledge to real-world situations.