Access Reviews: Plan, Create & Monitor
Plan, create, configure, and monitor access reviews to ensure users retain only the access they need — a core exam topic for identity governance.
What are Access Reviews?
Access reviews are like a spring clean for permissions.
Imagine every few months, someone walks through your office and asks: “Does Sarah still need the key to the server room? Does Marcus still need access to the finance folder?” If the answer is no, the key gets taken back.
That’s exactly what access reviews do — they systematically check whether people still need the access they have, and remove it if they don’t. Without them, access just piles up over time (we call this “access creep”) until everyone has access to everything.
What can you review?
Access reviews can target four types of resources:
| Review Target | What’s Being Reviewed | Example |
|---|---|---|
| Group membership | Who’s in this group — should they still be? | “Review all members of the Clinical Data Access group” |
| Application assignment | Who has access to this app — should they still? | “Review everyone assigned to the Research Portal” |
| Entra ID role | Who holds this role — do they still need it? | “Review all Global Administrators” |
| Access package | Who has this access package — do they still need it? | “Review all Research Analyst Access package holders” |
Exam tip: Review scope
When creating a review for a group, you can choose to review all members or only guest users. The “guest users only” option is particularly useful for B2B collaboration groups where you want to periodically verify that external users still need access.
Planning access reviews
Before creating reviews, plan these decisions:
1. Who reviews?
| Reviewer Type | When to Use |
|---|---|
| Self-review | Users attest to their own need for access (low-sensitivity resources) |
| User’s manager | Manager confirms their direct reports still need access |
| Specific users | Named reviewers (e.g., app owner, security team) |
| Group owners | The owner of the group being reviewed |
2. How often?
| Feature | One-Time Review | Recurring Review |
|---|---|---|
| Frequency | Runs once | Weekly, monthly, quarterly, semi-annually, or annually |
| Best for | Project-end cleanup, audit response | Ongoing governance, compliance |
| Auto-recurrence | No — must manually create again | Yes — new instances created automatically |
| Typical use | "Review all guests added during Project X" | "Quarterly review of admin role holders" |
| End date | Review completes and closes | Runs until you disable it or set an end date |
3. What happens when the review ends?
| Setting | Behaviour |
|---|---|
| Auto-apply results | Denied users automatically lose access when the review ends |
| If reviewers don’t respond | Choose: no change, remove access, approve access, or follow recommendations |
| Recommendations | Entra ID provides a recommendation (approve/deny) based on last sign-in activity |
Exam tip: Machine learning recommendations
Access review recommendations are heuristics based on sign-in activity — not deterministic rules. Generally, if a user hasn’t signed in to the resource in approximately the last 30 days, the recommendation leans toward “Deny.” Recent activity leans toward “Approve.”
For group membership reviews, recommendations also consider whether the user has accessed resources through that group. These are suggestions to help reviewers make data-driven decisions — reviewers can always override recommendations. Don’t memorise “30 days = deny” as an absolute rule.
Creating an access review — step by step
Scenario: Priya creates a quarterly review for Clinical App access
🔐 Priya creates a recurring access review for the “Clinical Apps Users” group at Meridian Health:
- Navigate to: Entra admin center → Identity Governance → Access reviews → New access review
- Review type: Groups and apps
- Scope: Select the “Clinical Apps Users” group → Review all members
- Reviewers: User’s manager (each member’s manager reviews their access)
- Frequency: Quarterly (every 3 months)
- Duration: 14 days for reviewers to respond
- Upon completion settings:
  - Auto-apply results: Yes
  - If reviewers don’t respond: Remove access (conservative approach for healthcare)
  - Show recommendations: Yes
- Advanced settings:
  - Require reason on approval: Yes
  - Email notifications to reviewers: Yes
  - Reminders: Yes (sent partway through the review period)
Every quarter, managers receive an email asking them to review their reports’ membership. They see recommendations based on sign-in data. After 14 days, anyone denied or not reviewed loses access automatically.
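The same Priya scenario expressed as an API request, as an added example that is not part of the course page: it builds the body for Microsoft Graph's access review definition endpoint and, going a little beyond the walkthrough, also covers the guest-users-only scope from the exam tip and other recurrence intervals. Field names follow the Graph accessReviewScheduleDefinition resource as I recall it (verify against current documentation before use), and the group ID is a placeholder.

```python
# Added example, not code from the course page: build the request body that
# POST /identityGovernance/accessReviews/definitions (Microsoft Graph) expects,
# from the same choices the portal wizard asks for. Field names follow the
# Graph accessReviewScheduleDefinition resource as I recall it; check them
# against current Graph documentation. GROUP_ID is a placeholder value.
import json

GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real group


def build_group_review(display_name, group_id, *, guests_only=False,
                       interval_months=3, duration_days=14,
                       no_response="Deny", start_date="2025-01-01"):
    """Graph body for a recurring group review with the user's manager as reviewer.

    no_response is the portal's "If reviewers don't respond" choice, in Graph
    terms: "None" (no change), "Approve", "Deny" or "Recommendation".
    """
    if no_response not in ("None", "Approve", "Deny", "Recommendation"):
        raise ValueError(f"unsupported defaultDecision: {no_response}")
    # Scope: all transitive members, or only guest users (the exam-tip option).
    query = f"/groups/{group_id}/transitiveMembers"
    if guests_only:
        query += "/microsoft.graph.user/?$filter=(userType eq 'Guest')"
    return {
        "displayName": display_name,
        "scope": {"@odata.type": "#microsoft.graph.accessReviewQueryScope",
                  "query": query, "queryType": "MicrosoftGraph"},
        # "User's manager": the reviewer of each decision is that principal's manager.
        "reviewers": [{"query": "./manager", "queryType": "MicrosoftGraph",
                       "queryRoot": "decisions"}],
        "settings": {
            "instanceDurationInDays": duration_days,      # Duration: 14 days
            "autoApplyDecisionsEnabled": True,            # Auto-apply results
            "defaultDecisionEnabled": no_response != "None",
            "defaultDecision": no_response,
            "recommendationsEnabled": True,               # Show recommendations
            "justificationRequiredOnApproval": True,      # Require reason
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": interval_months,
                            "dayOfMonth": 0, "month": 0},
                "range": {"type": "noEnd", "startDate": start_date},
            },
        },
    }


if __name__ == "__main__":  # Priya's quarterly review of all members
    print(json.dumps(build_group_review("Clinical Apps Users - quarterly", GROUP_ID), indent=2))
```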
Monitoring access reviews
After creating reviews, you need to monitor them:
In the Entra admin center (Identity Governance → Access reviews):
- Status dashboard — see which reviews are in progress, completed, or pending
- Progress bar — shows how many reviewers have responded vs. how many haven’t
- Results — after completion, see all decisions (approved, denied, not reviewed)
Key monitoring actions:
- Send reminders to reviewers who haven’t responded
- Download results as a CSV for compliance reporting
- View audit logs for all review decisions
Scenario: Anika monitors review completion across clients
🛡️ Anika Weber at Sentinel Partners manages access reviews for multiple clients. She checks the access review dashboard weekly:
- Meridian Health quarterly review: 85% complete, 3 managers haven’t responded → she sends reminders
- Financial Services annual review: Completed last week → she downloads the CSV for the compliance audit
- Government client role review: Starting next Monday → she verifies reviewer assignments are correct
Anika can filter reviews by status (Active, Completed, Scheduled) and export results at any time.
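The weekly check Anika does, plus the "what happens when the review ends" settings, as an added example (not from the course page) over constructed decision records: it computes the completion percentage, which reviewers still need a reminder, and who loses access under each no-response setting. The record layout and the decision names are my assumptions, loosely modelled on Graph decision items, not an export format the page shows; the Don't know handling is simplified to the no-response action.

```python
# Added example, not code from the course page: progress check and end-of-review
# outcome for one review instance. DECISIONS is constructed sample data shaped
# loosely like Graph accessReviewInstanceDecisionItem records (principal,
# reviewer, decision, recommendation); names are placeholders.
DECISIONS = [
    {"principal": "sarah", "reviewer": "mgr-a", "decision": "Approve", "recommendation": "Approve"},
    {"principal": "marcus", "reviewer": "mgr-a", "decision": "Deny", "recommendation": "Deny"},
    {"principal": "lena", "reviewer": "mgr-b", "decision": "Approve", "recommendation": "Deny"},
    {"principal": "omar", "reviewer": "mgr-b", "decision": "NotReviewed", "recommendation": "Deny"},
    {"principal": "chen", "reviewer": "mgr-c", "decision": "NotReviewed", "recommendation": "Approve"},
]


def progress(decisions):
    """Return (percent complete, reviewers who still have pending decisions)."""
    pending = [d for d in decisions if d["decision"] == "NotReviewed"]
    done = len(decisions) - len(pending)
    pct = round(100 * done / len(decisions)) if decisions else 100
    return pct, sorted({d["reviewer"] for d in pending})


def needs_reminder(decisions, day, duration_days, threshold_pct=90):
    """Anika's weekly check: late in the period and still below threshold."""
    pct, reviewers = progress(decisions)
    late = day >= duration_days // 2      # reminders go out partway through
    return reviewers if (late and pct < threshold_pct) else []


def finalize(decisions, no_response, auto_apply=True):
    """Outcome when the review ends: the set of principals who lose access.

    no_response is the "If reviewers don't respond" setting: "None" (no change),
    "Approve", "Deny" or "Recommendation" (follow the sign-in based recommendation).
    "DontKnow" answers are modelled here as falling back to the same setting.
    With auto-apply off, nothing is removed until an admin applies the results.
    """
    removed = set()
    for d in decisions:
        outcome = d["decision"]
        if outcome in ("NotReviewed", "DontKnow"):
            outcome = d["recommendation"] if no_response == "Recommendation" else no_response
        if outcome == "Deny":
            removed.add(d["principal"])
    return removed if auto_apply else set()


if __name__ == "__main__":
    print(progress(DECISIONS))                    # (60, ['mgr-b', 'mgr-c'])
    print(sorted(finalize(DECISIONS, "Deny")))    # ['chen', 'marcus', 'omar']
```

With the no-response action set to "No change" (as in Anika's admin-role review at day 12 of 14), `finalize` removes only the explicitly denied user, which is why reminders rather than waiting are the right move.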
Manually responding to access reviews
Reviewers respond through myaccess.microsoft.com or the email notification link:
For each user under review, the reviewer can:
- Approve — user keeps access (optionally with a reason)
- Deny — user loses access when the review completes
- Don’t know — escalates to the next reviewer or applies the “no response” action
Bulk actions: Reviewers can accept all recommendations with one click — useful when reviewing dozens of users and the sign-in-based recommendations look correct.
Exam tip: Multi-stage reviews
Access reviews support multi-stage reviews — a first-stage reviewer decides, then a second-stage reviewer validates. This is useful for sensitive resources where you want a manager to review first, then a security team to validate.
If the first-stage reviewer denies, the user is denied (no second stage needed). If the first-stage reviewer approves, it moves to the second stage for confirmation.
Knowledge Check
Priya needs to ensure that guest users in the 'External Researchers' group are reviewed every 6 months. If a reviewer doesn't respond, guest access should be removed. What should she configure?
Anika notices that an access review for Entra admin roles has been running for 12 days with only 60% of reviewers responding. The review period is 14 days, and the no-response action is set to 'No change.' What should Anika do?
Which of the following is TRUE about access review recommendations in Entra ID?