
Microsoft Entra ID Access Reviews

How access reviews keep group memberships and role assignments healthy over time — periodic recertification at scale.

Access reviews in Microsoft Entra ID are periodic recertification processes that force someone — the user themselves, their manager, a group owner, a named reviewer — to confirm whether each user still needs the access they currently have. Without access reviews, group memberships and role assignments accumulate forever, decoupled from actual need.

What can be reviewed

Access reviews can cover:

  • Microsoft 365 Group / security group membership — recertify each member.
  • Entra ID role eligibility in PIM — recertify who can activate Global Admin, etc.
  • Application user assignments — for SAML / OIDC apps integrated with Entra.
  • Guest user access — periodic review of external guests.
  • Privileged role assignments — separate from PIM eligibility, the actual active role holders.
  • Access package assignments (in Entitlement Management).
  • Microsoft 365 Group ownership — confirm owners are still active.

Each review is scoped to a specific population and recurs on a schedule.

How a review works

A typical access review:

  1. Admin configures the review — scope, reviewer, cadence.
  2. Review fires on schedule.
  3. Reviewer is notified — email, Teams notification, link to the review portal.
  4. Reviewer evaluates each access entry:
    • Approve — user still needs this access.
    • Deny — user doesn't need this access; remove it.
    • Don't know — recorded in the audit log, but the user keeps the access; a high share of "Don't know" answers means the wrong reviewer was chosen for this scope. Entra also shows a recommendation per entry (Deny for members with no sign-in in the last 30 days) that the reviewer can accept in bulk.
  5. Decisions apply — denials remove the access automatically only if the review was configured to auto-apply results; otherwise they sit in the results until an admin applies them.
  6. Audit log captures every decision and the eventual outcome.

For a 100-user group, reviewing 100 entries quarterly is a manageable task for the right reviewer.

Reviewer choices

The right reviewer depends on the scope:

  • Self-review — the user themselves attests they still need the access. Lightest weight. Works for low-risk access.
  • Manager review — the user's direct manager attests. Stronger oversight. Common for moderate-risk access. Depends on the manager attribute being populated, so configure a fallback reviewer for users without one.
  • Group owner review — for group memberships, the group owner is often the right reviewer (they know who should be in their group).
  • Named approvers — for high-risk access (privileged roles), specific named reviewers (security team).
  • Multi-stage — first the manager, then the security team. Stronger but slower.

Common access-review patterns

Quarterly review of group memberships

For every Microsoft 365 Group:

  • Group owner reviews quarterly.
  • Use the built-in recommendation (Deny for members with no sign-in in the last 30 days) to focus the owner on inactive members.
  • Removal of members who have left the organisation but whose disabled accounts were never taken out of the group.

Catches departed employees still in groups, mis-added members, etc.
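The review procedure above and this quarterly group pattern correspond to a single Graph accessReviewScheduleDefinition. The following is an added example, not code from the page or from Microsoft: it creates the definition with the Microsoft Graph PowerShell SDK. The group ID, fallback user ID, display name and the 14-day window are placeholders or assumptions; the property names follow the Graph schema for access review definitions.

```powershell
# Added example: create a quarterly, owner-reviewed membership review with
# Microsoft Graph PowerShell. Needs the Microsoft.Graph module and the
# AccessReview.ReadWrite.All scope. IDs below are placeholders.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId        = "00000000-0000-0000-0000-000000000001"   # group under review (placeholder)
$fallbackUserId = "00000000-0000-0000-0000-000000000002"   # reviewer of last resort (placeholder)

$definition = @{
    displayName             = "Quarterly review - Finance-Shared group"
    descriptionForAdmins    = "Recertify members of Finance-Shared every quarter."
    descriptionForReviewers = "Approve only members who still need this group. Unreviewed entries are removed."
    # Scope: every transitive member of the group.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    # Reviewers: the group's owners (the "Group owner review" pattern).
    reviewers = @(
        @{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" }
    )
    # Ownerless groups are common; without a fallback nobody receives the review.
    fallbackReviewers = @(
        @{ query = "/users/$fallbackUserId"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true   # forces a reason on every Approve
        recommendationsEnabled          = $true   # flags members with no sign-in in the last 30 days
        instanceDurationInDays          = 14      # reviewers get two weeks per cycle (assumed window)
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"  # no response means access is removed
        autoApplyDecisionsEnabled       = $true   # without this, denials are recorded but never applied
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions" `
    -Body $definition

"Created review definition $($created.id) (status: $($created.status))"
```

The two settings that decide whether the review has teeth are defaultDecision and autoApplyDecisionsEnabled: with the defaults (no default decision, no auto-apply) a review that nobody answers changes nothing.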

Semi-annual review of privileged roles

For every PIM-eligible privileged role:

  • Security team reviews eligibility every 6 months.
  • Confirm continued need; remove the eligibility if it is no longer needed.

Catches the "I needed this for a project that ended a year ago" pattern.

Guest user review

Every 6 months:

  • Review guest users in the tenant.
  • For each: still active in their home tenant? Still needed for collaboration? Sponsor still confirms?
  • Disable / remove guests no longer needed.

Catches orphaned guests accumulating in the tenant.

Application access review

For each SaaS app integrated via SSO:

  • App owner reviews assigned users annually.
  • Confirm continued business need.

Catches users who got access during a trial or pilot but never legitimately used it.

Operational considerations

  • Don't over-review — reviewing trivial groups quarterly is busy-work. Risk-tier the access; review high-risk frequently, low-risk less often.
  • Clear reviewer notification — the email / Teams notification should make the task obvious and time-bounded.
  • Default action on no response — the "If reviewers don't respond" setting can be no change, approve, remove access, or take recommendations; set it to "remove access" (or "take recommendations") so passive non-response defaults to the safer outcome, and enable auto-apply so the default is actually enforced.
  • Self-attestation discipline — if users always approve themselves without thought, the review is ceremonial. Require justification text, audit randomly.
  • Audit the decisions — track approval rates over time; very-high or very-low rates suggest the review isn't honest.
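The last two points (self-attestation discipline, auditing decisions) are easier to enforce with a small script than by reading the results page. The following is an added example, not code from the page: a PowerShell function that scores one review instance's decisions for rubber-stamping. The sample decisions are constructed to mirror the shape of Graph's accessReviewInstanceDecisionItem (decision, recommendation, justification, principal, reviewedBy); the thresholds, the definition and instance IDs in the live call, and the sample user IDs are assumptions.

```powershell
# Added example: flag ceremonial access reviews from their decision records.
function Get-ReviewHealth {
    param(
        [Parameter(Mandatory)] [object[]] $Decisions,
        [double] $MaxApprovalRate = 0.95,   # assumed thresholds; tune per risk tier
        [double] $MaxDontKnowRate = 0.10
    )
    $total      = $Decisions.Count
    $approved   = @($Decisions | Where-Object { $_.decision -eq 'Approve' }).Count
    $denied     = @($Decisions | Where-Object { $_.decision -eq 'Deny' }).Count
    $dontKnow   = @($Decisions | Where-Object { $_.decision -eq 'DontKnow' }).Count
    $unreviewed = @($Decisions | Where-Object { $_.decision -eq 'NotReviewed' }).Count

    # Approvals that went against the inactivity recommendation (no recent sign-in).
    $overrides = @($Decisions | Where-Object { $_.decision -eq 'Approve' -and $_.recommendation -eq 'Deny' })
    # Self-review entries: the reviewer is the principal being reviewed.
    $selfApprovals = @($Decisions | Where-Object { $_.decision -eq 'Approve' -and $_.reviewedBy.id -eq $_.principal.id })
    # Approvals with no reason given (only possible if justification was not required).
    $noReason = @($Decisions | Where-Object { $_.decision -eq 'Approve' -and [string]::IsNullOrWhiteSpace($_.justification) })

    $approvalRate = if ($total) { $approved / $total } else { 0 }
    $dontKnowRate = if ($total) { $dontKnow / $total } else { 0 }

    $flags = @()
    if ($approvalRate -gt $MaxApprovalRate) { $flags += "approval rate $('{0:P0}' -f $approvalRate) looks like rubber-stamping" }
    if ($dontKnowRate -gt $MaxDontKnowRate) { $flags += "$dontKnow 'Don't know' answers: reviewer probably cannot judge this scope" }
    if ($overrides.Count) { $flags += "$($overrides.Count) inactive members approved against the recommendation" }
    if ($noReason.Count)  { $flags += "$($noReason.Count) approvals without justification" }

    [pscustomobject]@{
        Total                     = $total
        Approved                  = $approved
        Denied                    = $denied
        DontKnow                  = $dontKnow
        NotReviewed               = $unreviewed
        ApprovalRate              = [math]::Round($approvalRate, 2)
        SelfApprovals             = $selfApprovals.Count
        OverriddenRecommendations = $overrides.Count
        Flags                     = $flags
    }
}

# Constructed sample: one owner (u-owner) approving nearly everything, including themselves.
$sample = @(
    @{ decision='Approve';  recommendation='Approve'; justification='Still on the team';          principal=@{id='u1'};      reviewedBy=@{id='u-owner'} },
    @{ decision='Approve';  recommendation='Deny';    justification='';                           principal=@{id='u2'};      reviewedBy=@{id='u-owner'} },
    @{ decision='Approve';  recommendation='Deny';    justification='Contractor, back next month'; principal=@{id='u3'};      reviewedBy=@{id='u-owner'} },
    @{ decision='Approve';  recommendation='Approve'; justification='Me';                         principal=@{id='u-owner'}; reviewedBy=@{id='u-owner'} },
    @{ decision='DontKnow'; recommendation='Deny';    justification='';                           principal=@{id='u5'};      reviewedBy=@{id='u-owner'} }
)
Get-ReviewHealth -Decisions $sample | Format-List

# Live version (needs Connect-MgGraph -Scopes AccessReview.Read.All; $defId and $instId are placeholders):
# $uri  = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/$defId/instances/$instId/decisions"
# $live = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
# Get-ReviewHealth -Decisions $live
```

Run it after each cycle and trend the numbers per review: an approval rate that never moves, or overrides of the inactivity recommendation that are never explained, are the signal that the reviewer should change or the scope should be split.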

Licensing

Access reviews require Microsoft Entra ID P2 or a Microsoft Entra ID Governance licence. Basic access reviews remain a P2 capability; the Governance SKU adds features on top of P2 (for example, the machine-learning-assisted review recommendations).

For organisations with serious identity governance maturity, access reviews are the discipline that prevents identity sprawl. Without them, today's reasonable access list is next year's audit-failing mess.