
Access Reviews

25 mins

Understanding the Concept

Access reviews in Microsoft Entra ID Governance enable organizations to periodically verify that users still need access to resources. Reviewers can be managers, group owners, specific users, or the users themselves who self-attest their need for continued access.

Reviews can target group memberships, application assignments, Entra ID role assignments, or Azure resource role assignments. They can be one-time or recurring (weekly, monthly, quarterly), with automatic actions when reviewers do not respond.

Access review results can automatically remove access for denied users, or administrators can manually review results and take action. This ensures that access does not accumulate over time and that the principle of least privilege is maintained.

Key Points

  • Review types: Group membership, app access, role assignments
  • Reviewers: Managers, group owners, specific users, or self-review
  • Recurrence: One-time, weekly, monthly, quarterly, or semi-annual
  • Auto-apply: Automatically remove access for denied reviews
  • Requires Entra ID Governance or P2 licensing

Access Review Lifecycle

Step 1

Create Review

Admin configures scope, reviewers, and schedule

Step 2

Notify Reviewers

Email notifications sent to designated reviewers

Step 3

Review Period

Reviewers approve or deny each user's access

Step 4

Auto-Action

Reviews that receive no response are resolved by the configured fallback rules

Step 5

Apply Results

Access removed for denied users, audit trail created

Why This Matters in Real Organizations

Access accumulation is one of the biggest identity risks. Users change roles, projects end, and contractors finish engagements, but access is rarely removed proactively. Access reviews provide a systematic process to ensure access remains appropriate over time, meeting compliance requirements and reducing attack surface.

Common Mistakes to Avoid

  • Setting up reviews but not following up on the results
  • Choosing reviewers who approve everything without a genuine review
  • Not configuring auto-apply for denied access, which leaves removal to manual follow-up
  • Running reviews too infrequently for high-risk resources
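The following is an added example, not part of the original lesson: it performs the "Create Review" step of the lifecycle through Microsoft Graph and sets the options the mistakes above are about (owners as reviewers, a fallback reviewer, a default decision for non-responders, auto-apply, and a quarterly schedule). It assumes the Microsoft Graph PowerShell SDK is installed and that the caller holds the AccessReview.ReadWrite.All permission; the object IDs are placeholders.

```powershell
# Added example (not the lesson's own code): create a recurring access review
# of a group's members via Microsoft Graph. Assumes the Microsoft.Graph SDK is
# installed and the caller has AccessReview.ReadWrite.All; IDs are placeholders.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId            = "<GROUP-OBJECT-ID>"         # placeholder: group to review
$fallbackReviewerId = "<FALLBACK-USER-OBJECT-ID>" # placeholder: fallback reviewer

$definition = @{
    displayName          = "Quarterly review - privileged app admins"
    descriptionForAdmins = "Confirm each member still needs this access"
    # Scope: everyone who is (transitively) a member of the group
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    # Primary reviewers: the group owners
    reviewers = @(
        @{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" }
    )
    # Fallback reviewer used when the group has no owners
    fallbackReviewers = @(
        @{ query = "/users/$fallbackReviewerId"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true   # Step 2: notify reviewers
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true   # discourages rubber-stamp approvals
        recommendationsEnabled          = $true   # flag inactive users to reviewers
        instanceDurationInDays          = 14      # Step 3: review period
        defaultDecisionEnabled          = $true   # Step 4: rule for non-responders
        defaultDecision                 = "Deny"
        autoApplyDecisionsEnabled       = $true   # Step 5: remove denied access automatically
        # Quarterly recurrence: run on the 1st of every third month, no end date
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions" `
    -Body ($definition | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

Setting `defaultDecision` to `Deny` together with `autoApplyDecisionsEnabled` is the combination that keeps unreviewed access from silently persisting; with `autoApplyDecisionsEnabled = $false` the results only appear in the portal for manual action.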

Interview Tips

  • Explain the business need for access reviews (compliance, least privilege)
  • Discuss reviewer selection strategies and their tradeoffs
  • Mention auto-apply and fallback reviewer configurations

Exam Tips (SC-300)

  • Know the types of resources that can be reviewed
  • Understand reviewer options and auto-apply behavior
  • Know the licensing requirements for access reviews
