Access Reviews Planning and Configuration
Access Reviews Planning and Configuration is a critical component of Microsoft Identity Governance that ensures organizations maintain proper access control by periodically reviewing and validating user permissions, group memberships, and application assignments.

**Planning Access Reviews:** When planning access reviews, administrators must consider several key factors:
1. **Scope Definition:** Determine what needs to be reviewed: group memberships, application access, Azure AD role assignments, and Azure resource roles. Identifying the scope ensures comprehensive coverage of privileged and standard access.
2. **Review Frequency:** Establish how often reviews should occur (weekly, monthly, quarterly, or annually) based on organizational risk tolerance and compliance requirements.
3. **Reviewers Selection:** Decide who will perform the reviews: self-review, managers, group owners, specific users, or application owners. Multi-stage reviews can also be configured for layered approval.
4. **Review Outcomes:** Plan what happens when access is denied or not reviewed: remove access, maintain access, or follow recommendations from Azure AD.

**Configuration Steps:** Access reviews are configured through Azure AD Identity Governance in the Azure portal or Microsoft Entra admin center:
1. Create a new access review by selecting the review type (groups, applications, or roles).
2. Define the scope by selecting specific groups, applications, or roles to review.
3. Assign reviewers and configure multi-stage review workflows if needed.
4. Set the review recurrence, duration, and start date.
5. Configure auto-apply results and specify actions for non-responsive reviewers.
6. Enable decision helpers like machine learning-based recommendations and last sign-in information to assist reviewers.

**Automation Capabilities:** Access reviews support automation through Microsoft Graph APIs, allowing integration with workflows and lifecycle policies. Results can automatically remove access when denied, reducing administrative overhead.

Proper planning and configuration of access reviews helps organizations achieve least-privilege access, maintain compliance with regulations like SOX, GDPR, and HIPAA, and reduce security risks associated with excessive or stale permissions.
Access Reviews Planning and Configuration – SC-300 Exam Guide
Why Access Reviews Matter
Access reviews are a critical component of identity governance in Microsoft Entra ID (formerly Azure AD). Organizations must regularly validate that users, groups, and applications retain only the access they need. Without periodic reviews, organizations face access creep—the gradual accumulation of unnecessary permissions—which increases the attack surface, violates the principle of least privilege, and can lead to compliance failures. Regulations such as SOX, HIPAA, GDPR, and ISO 27001 often mandate periodic recertification of access rights. Access reviews provide an auditable, automated mechanism to meet these requirements.
What Are Access Reviews?
Access reviews in Microsoft Entra ID Governance allow designated reviewers to periodically evaluate whether users still need access to specific resources. They can be configured for:
• Group memberships – Review who belongs to security groups or Microsoft 365 groups.
• Application assignments – Review who has been assigned to enterprise applications.
• Azure AD (Entra) role assignments – Review users assigned to directory roles such as Global Administrator, User Administrator, etc.
• Azure resource role assignments – Review privileged roles on Azure subscriptions, resource groups, or individual resources (integrated with Privileged Identity Management).
• Access packages – Review assignments within Entitlement Management access packages.
Access reviews are part of Microsoft Entra ID Governance, which requires Microsoft Entra ID P2 (or Microsoft Entra ID Governance add-on) licensing.
How Access Reviews Work
The lifecycle of an access review involves the following stages:
1. Planning
Before creating a review, administrators must determine:
• What to review – Groups, apps, roles, or access packages.
• Who will review – Self-review (users attest their own access), managers, group owners, specific users, or application owners.
• Scope – All members, guest users only, or specific members.
• Frequency – One-time, weekly, monthly, quarterly, semi-annually, or annually.
• Duration – How many days reviewers have to complete the review.
• Auto-apply results – Whether denied access is automatically removed when the review ends.
• Fallback behavior – What happens if a reviewer does not respond (no change, remove access, approve access, or follow recommendations).
2. Creation and Configuration
Administrators create the access review in the Microsoft Entra admin center under Identity Governance → Access reviews. Key configuration options include:
• Review name and description – Descriptive information for reviewers.
• Start date and recurrence – When the review begins and how often it repeats.
• End date or number of occurrences – When the recurring series stops.
• Reviewers – One or more stages of review can be configured (multi-stage reviews). For example, Stage 1 could be the manager, and Stage 2 could be a resource owner.
• Decision helpers – Enable recommendations based on last sign-in activity. If a user has not signed in for 30 days (configurable), the system recommends denying access.
• Advanced settings – Require reason for approval, mail notifications, reminders, and additional recipient notifications.
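The planning and configuration choices above map directly onto the Microsoft Graph object that automation creates (POST /identityGovernance/accessReviews/definitions, the accessReviewScheduleDefinition resource). The following added example, which is not code from the page or from Microsoft, builds that payload from the planning vocabulary used in this guide and lints it for weak settings such as approving unreviewed access by default. Property names follow the Graph v1.0 schema as the author understands it and should be verified against current documentation; the group id is a constructed placeholder.

```python
"""Build a Microsoft Graph accessReviewScheduleDefinition payload from the
planning choices in the guide (added example, not Microsoft's or the page's code).
Property names follow the Graph v1.0 schema as understood by the author;
verify against current documentation. EXAMPLE_GROUP_ID is a placeholder."""
import json
from datetime import date

EXAMPLE_GROUP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder, not a real group

# Frequency wording used in the guide -> Graph recurrence pattern.
# (A weekly pattern additionally needs daysOfWeek and is left out here.)
FREQUENCY = {
    "monthly": ("absoluteMonthly", 1),
    "quarterly": ("absoluteMonthly", 3),
    "semi-annually": ("absoluteMonthly", 6),
    "annually": ("absoluteMonthly", 12),
}
# Fallback wording for non-responsive reviewers -> settings.defaultDecision.
FALLBACK = {
    "no change": "None",
    "approve access": "Approve",
    "remove access": "Deny",
    "take recommendations": "Recommendation",
}


def reviewer_query(kind, group_id):
    """Reviewer selection: group owners, each user's manager, or a named user."""
    if kind == "owners":
        return {"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}
    if kind == "manager":
        # Resolved per reviewed user, hence queryRoot "decisions".
        return {"query": "./manager", "queryType": "MicrosoftGraph",
                "queryRoot": "decisions"}
    if kind.startswith("user:"):  # "user:<object id>"
        return {"query": f"/users/{kind[5:]}", "queryType": "MicrosoftGraph"}
    raise ValueError(f"unsupported reviewer kind: {kind}")


def build_definition(name, group_id, *, guests_only=False, reviewer="owners",
                     frequency="quarterly", duration_days=14, auto_apply=True,
                     fallback="remove access", recommendations=True,
                     inactive_days=30, start=date(2024, 1, 1)):
    """Assemble the schedule definition; every keyword is a planning decision."""
    pattern_type, interval = FREQUENCY[frequency]
    scope_query = f"/groups/{group_id}/transitiveMembers"
    if guests_only:  # scope filter: guest accounts only
        scope_query += ("/microsoft.graph.user/?$count=true"
                        "&$filter=(userType eq 'Guest')")
    return {
        "displayName": name,
        "descriptionForAdmins": f"{frequency} review of {scope_query}",
        "descriptionForReviewers": "Confirm each person still needs this access.",
        "scope": {"@odata.type": "#microsoft.graph.accessReviewQueryScope",
                  "query": scope_query, "queryType": "MicrosoftGraph"},
        "reviewers": [reviewer_query(reviewer, group_id)],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "defaultDecisionEnabled": fallback != "no change",
            "defaultDecision": FALLBACK[fallback],
            "instanceDurationInDays": duration_days,
            "recommendationsEnabled": recommendations,
            # Decision helper: last sign-in look-back window as an ISO 8601 duration.
            "recommendationInsightSettings": [{
                "@odata.type": "#microsoft.graph.userLastSignInRecommendationInsightSetting",
                "recommendationLookBackDuration": f"P{inactive_days}D",
                "signInScope": "tenant",
            }],
            "autoApplyDecisionsEnabled": auto_apply,
            "recurrence": {
                "pattern": {"type": pattern_type, "interval": interval},
                "range": {"type": "noEnd", "startDate": start.isoformat()},
            },
        },
    }


def check_definition(definition):
    """Flag planning choices that weaken the review; returns a list of findings."""
    s = definition["settings"]
    findings = []
    if s["defaultDecision"] == "Approve":
        findings.append("non-responsive reviewers approve access by default")
    if s["autoApplyDecisionsEnabled"] and not s["defaultDecisionEnabled"]:
        findings.append("auto-apply is on but unreviewed access is left unchanged")
    if s["instanceDurationInDays"] < 1:
        findings.append("review duration must be at least one day")
    if not s["recommendationsEnabled"]:
        findings.append("decision helpers are off; reviewers get no sign-in guidance")
    return findings


if __name__ == "__main__":
    review = build_definition("Quarterly guest review - Project X",
                              EXAMPLE_GROUP_ID, guests_only=True)
    print(json.dumps(review, indent=2))
    print("findings:", check_definition(review))
```

The payload is what you would send with an app or delegated token holding AccessReview.ReadWrite.All; running the script only prints it, so it is safe to use for reviewing a planned configuration before anything is created in the tenant.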
3. Review Execution
Once started, reviewers receive email notifications with a link to the My Access portal (myaccess.microsoft.com). Reviewers can:
• Approve or deny each user's continued access.
• Accept system-generated recommendations.
• Provide justification for their decisions.
• See sign-in activity details to make informed decisions.
4. Completion and Auto-Apply
When the review period ends:
• If auto-apply is enabled, denied users are automatically removed from the group, application, or role.
• If auto-apply is disabled, an administrator must manually apply results.
• If reviewers did not respond, the configured fallback action takes effect (e.g., remove access, no change, or approve).
5. Audit and Reporting
All decisions are logged in audit logs. Administrators can download results as CSV files for compliance evidence. Historical review data is retained for auditing.
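Stages 3 to 5 above describe how reviewer decisions, recommendations, the fallback for non-responsive reviewers, auto-apply and the CSV evidence fit together. The following added example (not the page's own code; all membership, sign-in and decision data are constructed) implements that completion logic so the interaction between fallback and auto-apply settings can be seen on sample data: a reviewer's decision always stands, unreviewed entries follow the configured fallback, and denied members are either removed immediately or queued for an administrator when auto-apply is off.

```python
"""Apply access-review outcomes as described in the completion stage:
reviewer decisions win, unreviewed entries follow the fallback setting,
auto-apply removes denied members, and CSV evidence is produced.
Added example; all review data below is constructed, not real audit output."""
import csv
import io
from datetime import datetime, timedelta, timezone

REVIEW_END = datetime(2024, 4, 15, tzinfo=timezone.utc)

# Constructed group membership with last interactive sign-in (None = never).
MEMBERS = {
    "alice@contoso.example": REVIEW_END - timedelta(days=3),
    "bob@contoso.example": REVIEW_END - timedelta(days=45),
    "guest.carol@fabrikam.example": None,
    "dave@contoso.example": REVIEW_END - timedelta(days=10),
}
# Constructed reviewer decisions; users absent here were never reviewed.
DECISIONS = {
    "alice@contoso.example": ("Approve", "Still on the project team"),
    "bob@contoso.example": ("Deny", "Moved to another department"),
}


def recommendation(last_sign_in, review_end=REVIEW_END, inactive_days=30):
    """Decision helper: recommend Deny when there is no sign-in within the window."""
    if last_sign_in is None:
        return "Deny"
    return "Deny" if (review_end - last_sign_in).days >= inactive_days else "Approve"


def resolve_decision(raw, recommended, fallback):
    """Reviewer decisions stand; otherwise the configured fallback applies.
    fallback is None (no change), "Approve", "Deny" or "Recommendation"."""
    if raw in ("Approve", "Deny"):
        return raw
    if fallback == "Recommendation":
        return recommended
    if fallback in ("Approve", "Deny"):
        return fallback
    return "NotReviewed"  # no change: access stays as it was


def apply_results(members, decisions, *, fallback="Deny", auto_apply=True,
                  inactive_days=30, review_end=REVIEW_END):
    """Return (remaining members, users pending manual removal, result rows)."""
    remaining = dict(members)
    pending = []
    rows = []
    for upn, last_sign_in in members.items():
        rec = recommendation(last_sign_in, review_end, inactive_days)
        raw, justification = decisions.get(upn, ("NotReviewed", ""))
        final = resolve_decision(raw, rec, fallback)
        rows.append({
            "user": upn,
            "lastSignIn": last_sign_in.isoformat() if last_sign_in else "never",
            "recommendation": rec,
            "reviewerDecision": raw,
            "appliedResult": final,
            "justification": justification,
        })
        if final == "Deny":
            if auto_apply:
                del remaining[upn]
            else:
                pending.append(upn)  # an administrator must apply this manually
    return remaining, pending, rows


def results_csv(rows):
    """Serialise result rows as the downloadable CSV compliance evidence."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    remaining, pending, rows = apply_results(MEMBERS, DECISIONS,
                                             fallback="Recommendation")
    print(results_csv(rows))
    print("remaining:", sorted(remaining), "pending manual removal:", pending)
```

Running the same constructed data with fallback set to no change keeps the never-signed-in guest in the group, which is exactly the stale-access outcome the fallback setting exists to avoid; with "Remove access" or "Take recommendations" the guest is removed.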
Key Configuration Scenarios for the SC-300 Exam
Scenario 1: Reviewing Guest User Access
You can scope a review to Guest users only within a group or across all Microsoft 365 groups. This is commonly tested because organizations must govern external collaboration. Guest users who are denied access can be blocked from signing in or fully deleted after a configurable period.
Scenario 2: Reviewing Privileged Role Assignments
Access reviews integrate with Privileged Identity Management (PIM). You can create reviews for Azure AD roles (e.g., Global Administrator) or Azure resource roles. PIM allows configuring reviews directly from the PIM blade. This ensures that privileged access is periodically validated.
Scenario 3: Multi-Stage Reviews
For high-security scenarios, you can configure multiple review stages. For example:
• Stage 1: User self-attests their need for access.
• Stage 2: Manager validates the user's justification.
• Stage 3: Compliance team performs final review.
Only users who pass all stages retain access.
Scenario 4: Access Package Reviews
In Entitlement Management, access packages can have review policies that prompt users to reconfirm their need for the bundled resources. If a user fails the review, their access package assignment is removed, revoking all associated group memberships, app assignments, and SharePoint site access.
Licensing Requirements
• Microsoft Entra ID P2 is required for access reviews.
• Organizations can also use the Microsoft Entra ID Governance add-on license.
• Reviewers who are administrators do not need a separate license, but all reviewed users in scope must have appropriate licensing.
Important Concepts to Remember
• Recommendations are based on last sign-in data (default: 30 days of inactivity triggers a deny recommendation).
• Auto-apply must be explicitly enabled; it is not on by default.
• If no reviewers respond, the default behavior depends on the configured setting: No change, Remove access, Approve access, or Take recommendations.
• Access reviews for groups used for resource access (e.g., groups assigned to applications) can effectively govern application access indirectly.
• Delegated review creation: Users with the Identity Governance Administrator role, User Administrator role, or Privileged Role Administrator (for PIM reviews) can create access reviews.
• Reviews can send reminder emails to reviewers who have not yet completed their review.
Exam Tips: Answering Questions on Access Reviews Planning and Configuration
1. Know the reviewer types: Questions often ask who should be the reviewer. Remember the options—self, manager, group owner, specific users, or application owners. Manager-based reviews require that the manager attribute is populated in the user's profile.
2. Understand scope filtering: If a question says "review guest users only," know that you can filter the review scope to guest users. If it says "review all members," that includes both members and guests.
3. Auto-apply vs. manual apply: Pay close attention to whether the scenario requires automatic removal. If the question mentions compliance automation, auto-apply is likely the correct answer. If it mentions administrator oversight before removal, manual apply is correct.
4. Fallback/default behavior for non-responsive reviewers: This is a frequently tested topic. Know that you can configure what happens when reviewers don't respond. The safest option for security-sensitive scenarios is "Remove access."
5. PIM integration: If the question involves privileged roles, remember that access reviews for Azure AD roles and Azure resource roles are configured through PIM. Questions may ask where to create the review—the answer is the PIM blade or Identity Governance → Access reviews.
6. Licensing questions: If a question asks what is required to enable access reviews, the answer is Microsoft Entra ID P2 (Azure AD Premium P2). Do not confuse this with P1, which does not include access reviews.
7. Multi-stage reviews: Be aware that multi-stage reviews exist and understand that each stage can have different reviewers. If a question describes a layered approval process, multi-stage review is the answer.
8. Decision helpers and recommendations: Questions may describe a scenario where reviewers need guidance. The answer involves enabling decision helpers with sign-in-based recommendations. The inactive days threshold is configurable.
9. Recurring vs. one-time reviews: Compliance requirements that mandate quarterly or annual reviews should use recurring access reviews, not one-time. One-time reviews are for ad-hoc or project-based scenarios.
10. Read the question carefully for the resource type: Access reviews can target groups, applications, roles, and access packages. Make sure you identify what is being reviewed, as the configuration steps and reviewer options differ slightly for each.
11. Guest user lifecycle: When a guest user is denied in an access review, you can configure the review to block their sign-in or delete the guest account after 30 days. Know this distinction for exam scenarios involving external identity governance.
12. Principle of least privilege: Many exam questions frame access reviews as a solution to enforce least privilege. If a scenario describes users accumulating unnecessary permissions over time, access reviews are the primary governance tool.
By thoroughly understanding the planning, configuration, and operational aspects of access reviews, you will be well-prepared to tackle related questions on the SC-300 exam with confidence.