Access Reviews in Microsoft Entra
Access Reviews in Microsoft Entra is a feature within Microsoft Entra ID Governance that helps organizations efficiently manage group memberships, access to enterprise applications, and role assignments. It enables organizations to ensure that only the right people have continued access to resources, reducing security risks associated with excessive or outdated permissions.
Access Reviews allow administrators or designated reviewers to periodically evaluate and recertify user access. This process helps maintain the principle of least privilege by identifying and removing unnecessary access rights. Reviews can be configured for various scenarios, including reviewing members of security groups, users assigned to applications, users with privileged roles in Microsoft Entra ID or Azure resources, and guest user access.
Key features of Access Reviews include:
1. **Automated Scheduling**: Reviews can be set up as one-time or recurring events (weekly, monthly, quarterly, or annually), ensuring regular and consistent access evaluations.
2. **Flexible Reviewers**: Reviews can be performed by resource owners, managers, self-review by users, or specific designated reviewers.
3. **Multi-Stage Reviews**: Organizations can configure multi-stage reviews where different reviewers evaluate access in sequential stages for more thorough governance.
4. **Auto-Apply Results**: When a review completes, results can be automatically applied to remove access for denied users, reducing administrative overhead.
5. **Recommendations**: The system provides intelligent recommendations to reviewers based on sign-in activity, helping them make informed decisions about whether access should continue.
6. **Guest Access Management**: Access Reviews are particularly valuable for managing external or guest user access, ensuring B2B collaboration remains secure.
Access Reviews require Microsoft Entra ID Governance or Microsoft Entra ID P2 licenses. They are accessible through the Microsoft Entra admin center and can be integrated with broader identity governance workflows. By regularly conducting access reviews, organizations strengthen their security posture, meet compliance requirements, and maintain proper oversight of who has access to critical resources across their environment.
Access Reviews in Microsoft Entra: A Complete Guide for SC-900
Why Are Access Reviews Important?
In any organization, users are frequently granted access to resources such as groups, applications, SharePoint sites, and privileged roles. Over time, access needs change — employees move between departments, leave the organization, or no longer require certain permissions. Without a structured process to review and recertify access, organizations face significant security risks:
- Access creep: Users accumulate permissions over time that they no longer need, violating the principle of least privilege.
- Compliance violations: Regulatory frameworks such as SOX, GDPR, HIPAA, and ISO 27001 require organizations to periodically verify that access rights are appropriate.
- Insider threats: Excessive or stale permissions increase the attack surface and the potential damage from compromised accounts.
- Audit failures: Without documented evidence of access reviews, organizations may fail internal or external audits.
Access Reviews in Microsoft Entra provide an automated, governed mechanism to ensure that the right people have the right access at the right time — and that access is removed when it is no longer needed.
What Are Access Reviews in Microsoft Entra?
Access Reviews is a feature within Microsoft Entra ID Governance (formerly part of Azure AD Identity Governance) that allows organizations to systematically review and manage user access to resources. It enables designated reviewers to evaluate whether users still need access to specific groups, applications, roles, or access packages — and take action to approve or remove that access.
Key characteristics of Access Reviews include:
- Periodic or one-time reviews: Organizations can configure access reviews to occur on a recurring schedule (weekly, monthly, quarterly, annually) or as a one-time event.
- Multiple review targets: Access reviews can be configured for Azure AD groups, enterprise applications, Microsoft Entra roles (privileged roles via PIM), and access packages (via Entitlement Management).
- Flexible reviewer assignments: Reviews can be assigned to group owners, specific users, managers of the users being reviewed, or the users themselves (self-review).
- Automated actions: When a review completes, Microsoft Entra can automatically remove access for users who were denied or not reviewed, reducing manual administrative burden.
Access Reviews require a Microsoft Entra ID P2 (or Microsoft Entra ID Governance) license.
How Do Access Reviews Work?
Here is a step-by-step breakdown of how Access Reviews function in Microsoft Entra:
1. Creation and Configuration
An administrator creates an access review in the Microsoft Entra admin center (or Azure portal) under Identity Governance > Access Reviews. During creation, they specify:
- What to review: A group's membership, an application's user assignments, a Microsoft Entra role, or an access package.
- Scope: All users, guest users only, or specific users.
- Reviewers: Who will perform the review — group owners, selected users, managers, or self-review by the users themselves. Multi-stage reviews can also be configured where different reviewers evaluate in sequence.
- Duration and recurrence: How long the review period lasts and how often it repeats.
- Upon completion settings: What happens when the review ends — auto-apply results, remove access for denied users, or take no action.
2. Notification and Review Period
Once the access review starts, designated reviewers receive email notifications. They access the review through the My Access portal (myaccess.microsoft.com) or the Azure portal. For each user listed in the review, the reviewer can:
- Approve — confirm that the user still needs access.
- Deny — indicate that the user no longer needs access.
- Don't know — defer the decision.
Reviewers may also see recommendations from the system. Microsoft Entra can provide recommendations based on the user's last sign-in activity. For example, if a user has not signed in to the application in the last 30 days, the system may recommend denying their access.
3. Completion and Action
When the review period ends:
- If auto-apply is enabled, denied users automatically have their access removed (e.g., removed from the group, unassigned from the application, or role deactivated).
- If auto-apply is not enabled, an administrator manually reviews the results and applies changes.
- Results are logged for audit and compliance purposes.
4. Audit and Reporting
All access review activities are captured in Microsoft Entra audit logs. This provides a documented trail of who was reviewed, what decisions were made, and what actions were taken — critical for regulatory compliance and audit readiness.
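The four steps above can be modelled end to end. The following Python script is an added illustration written for this guide, not Microsoft code and not the Graph API: it takes a constructed group membership with sample sign-in dates and reviewer decisions, produces the sign-in-based recommendation from step 2 (using the 30-day window mentioned above), resolves each user's outcome when the period ends as in step 3 (denied and not-reviewed users lose access when auto-apply is on; "Don't know" is treated as retaining access, which is an assumption of this model), and emits an audit trail like the one step 4 describes. The user names, dates and the `default_decision` setting are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample values for this example; none of this is real tenant data.
REVIEW_END = date(2024, 6, 30)   # assumed end of the review period
INACTIVITY_DAYS = 30             # sign-in window the guide cites for recommendations


@dataclass
class ReviewedUser:
    upn: str
    user_type: str                  # "Member" or "Guest"
    last_sign_in: Optional[date]    # None means the user has never signed in
    decision: Optional[str] = None  # "Approve", "Deny", "DontKnow", or None if not reviewed


@dataclass
class ReviewSettings:
    auto_apply: bool = True         # the "upon completion" setting from step 1
    default_decision: str = "Deny"  # outcome for users no reviewer acted on (assumed name)
    guests_only: bool = False       # scope: all users or guest users only


def recommend(user: ReviewedUser, as_of: date = REVIEW_END) -> str:
    """Sign-in-activity recommendation shown to the reviewer (step 2)."""
    if user.last_sign_in is None or (as_of - user.last_sign_in).days > INACTIVITY_DAYS:
        return "Deny"
    return "Approve"


def in_scope(user: ReviewedUser, settings: ReviewSettings) -> bool:
    """Apply the review scope chosen at creation time (step 1)."""
    return user.user_type == "Guest" or not settings.guests_only


def effective_decision(user: ReviewedUser, settings: ReviewSettings) -> str:
    """Resolve a user's outcome when the review period ends (step 3)."""
    if user.decision is None:
        return settings.default_decision   # not reviewed: default decision applies
    if user.decision == "DontKnow":
        return "Approve"                   # deferred: access retained (model assumption)
    return user.decision


def complete_review(users, settings, as_of=REVIEW_END):
    """Return (UPNs removed from the group, audit entries) for steps 3 and 4."""
    removed, audit = [], []
    for user in users:
        if not in_scope(user, settings):
            continue
        decision = effective_decision(user, settings)
        remove_now = decision == "Deny" and settings.auto_apply
        if remove_now:
            removed.append(user.upn)
        if remove_now:
            action = "removed"
        elif decision == "Deny":
            action = "pending_admin_apply"   # auto-apply off: admin applies manually
        else:
            action = "no_change"
        audit.append({
            "user": user.upn,
            "reviewer_decision": user.decision or "NotReviewed",
            "recommendation": recommend(user, as_of),
            "applied": decision,
            "action": action,
        })
    return removed, audit


# Constructed membership of a hypothetical security group under review.
SAMPLE_USERS = [
    ReviewedUser("alice@contoso.example", "Member", date(2024, 6, 20), "Approve"),
    ReviewedUser("bob@contoso.example", "Member", date(2024, 4, 1), None),        # never reviewed
    ReviewedUser("carol@partner.example", "Guest", None, "Deny"),                 # never signed in
    ReviewedUser("dave@partner.example", "Guest", date(2024, 6, 25), "DontKnow"),
    ReviewedUser("erin@contoso.example", "Member", date(2024, 5, 1), "Approve"),  # reviewer overrode the recommendation
]

if __name__ == "__main__":
    removed, audit = complete_review(SAMPLE_USERS, ReviewSettings())
    print("removed:", removed)
    for entry in audit:
        print(entry)
```

Running it with the default settings removes bob (not reviewed, so the default decision applies) and carol (denied), keeps dave despite the deferred decision, and records that erin was approved against a "Deny" recommendation, which is exactly the kind of exception an auditor would want visible in the trail. Switching `guests_only=True` narrows the removal to carol, and `auto_apply=False` removes nobody but marks the denied users as pending manual application.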
Key Scenarios for Access Reviews
- Guest user access: Regularly review whether external (B2B) guest users still need access to your organization's resources. This is one of the most common use cases.
- Privileged role membership: Review users assigned to privileged Microsoft Entra roles (such as Global Administrator or Privileged Role Administrator) using integration with Privileged Identity Management (PIM).
- Group membership: Ensure that security groups and Microsoft 365 groups have only the members who should be in them.
- Application access: Verify that users assigned to enterprise applications still require that access.
- Access packages: Review assignments made through Entitlement Management access packages.
Integration with Other Microsoft Entra Features
- Privileged Identity Management (PIM): Access reviews can be used to review users with eligible or active privileged role assignments, ensuring that elevated permissions are periodically validated.
- Entitlement Management: Access reviews can be attached to access packages so that users' bundled access is reviewed periodically.
- Conditional Access: While not directly integrated, access reviews complement Conditional Access by ensuring that only appropriate users retain access that Conditional Access policies govern.
Exam Tips: Answering Questions on Access Reviews in Microsoft Entra
The SC-900 exam tests your understanding of security, compliance, and identity concepts. Here is how to approach questions about Access Reviews:
1. Know the Purpose
Access Reviews exist to periodically verify and recertify that users have appropriate access. If a question asks about ensuring users still need their current access, or removing stale access, Access Reviews is almost certainly the correct answer.
2. Licensing Requirement
Remember that Access Reviews require Microsoft Entra ID P2 (or the Microsoft Entra ID Governance add-on). If a question mentions P1 licensing only, Access Reviews would not be available.
3. Distinguish from Other Features
Be careful not to confuse Access Reviews with:
- Conditional Access: Conditional Access controls how and when users can access resources (based on conditions like location, device, risk). It does NOT review whether users should still have access.
- Entitlement Management: Entitlement Management governs requesting and assigning access packages. Access Reviews can be part of the lifecycle of those packages but serve a different function (reviewing, not granting).
- Privileged Identity Management (PIM): PIM manages just-in-time privileged access. Access Reviews can be triggered from within PIM to review privileged role holders, but PIM itself is about activation and time-limited access.
4. Key Terms to Watch For
When you see these keywords in a question, think Access Reviews:
- "Periodically review access"
- "Recertify access"
- "Remove stale or unnecessary access"
- "Review guest user access"
- "Attestation of access"
- "Governance of group membership"
5. Understand the Reviewer Options
The exam may test whether you know who can be a reviewer. Valid options include:
- Group owners
- Specific users or groups of users
- Managers of the users being reviewed
- The users themselves (self-attestation/self-review)
- Multi-stage reviewers (first and second-stage reviewers)
6. Auto-Apply and Recommendations
Know that Access Reviews can automatically remove access when the review completes if auto-apply is enabled. Also know that the system can provide sign-in activity-based recommendations to help reviewers make decisions.
7. It Falls Under Identity Governance
On the SC-900 exam, Access Reviews is categorized under the Identity Governance capabilities of Microsoft Entra. If a question asks what capabilities are part of Identity Governance, Access Reviews (along with Entitlement Management, PIM, and Lifecycle Workflows) is a correct component.
8. Common Question Formats
- "Your organization needs to ensure that guest users' access to a SharePoint site is reviewed every quarter. What should you use?" → Access Reviews
- "Which feature allows you to automatically remove users from a group if their access is not recertified?" → Access Reviews with auto-apply enabled
- "What license is required to use Access Reviews?" → Microsoft Entra ID P2
- "Which Identity Governance feature periodically validates that users still need their assigned roles?" → Access Reviews
Summary
Access Reviews in Microsoft Entra is a critical Identity Governance feature that helps organizations maintain the principle of least privilege, meet compliance requirements, and reduce security risks by systematically reviewing and recertifying user access. For the SC-900 exam, focus on understanding its purpose (periodic access validation), its licensing (P2), who can review (owners, managers, self, specific users), its automation capabilities (auto-apply, recommendations), and how it differs from Conditional Access, PIM, and Entitlement Management.