
Microsoft Entra Identity Governance Fundamentals: Access Reviews

Sebastian F. Markdanner

Updated: Dec 8, 2024

Today, we’re exploring a vital feature of Microsoft Entra Identity Governance: Access Reviews. This powerful tool ensures that permissions remain available only as long as they’re needed, helping organizations reduce risks, stay compliant, and adhere to Zero Trust principles.


While features like Privileged Identity Management (PIM) and Conditional Access help manage identities and enforce policies, Access Reviews take things further by validating whether permissions are still required over time. Whether it’s removing unused permissions, ensuring external contractors don’t linger in your tenant, or validating privileged roles, Access Reviews provide an automated and structured solution.



Why bother with Microsoft Entra Access Reviews?

Access Reviews ensure that users—whether internal or external—don’t retain access to roles, resources, or groups when they no longer need them. This is especially critical in scenarios like:


  1. External Partners: After a project concludes, external users no longer need access to your tenant.

  2. Role Transitions: When employees move to new roles, such as a Sales Rep becoming a Technical Writer, previous permissions may no longer be appropriate.

  3. Privileged Users: Helpdesk technicians or administrators may require periodic evaluations of their privileged roles to align access with their current responsibilities.


By managing the access lifecycle, Access Reviews:


All in all, Access Reviews are yet another great feature that helps organizations on their Privileged Access Management journey while keeping to the Zero Trust principles.


 

Requirements for Access Reviews

Access Reviews require specific roles and licenses depending on the resource being reviewed.


License requirements

Depending on the required features, there are a few different licenses that provide Access Reviews:

  • Microsoft Entra P2: Basic Access Reviews (inactive user helper only).

  • Microsoft Entra Identity Governance: Includes advanced helpers like ML-based affiliation recommendations.

  • Microsoft A/E/F5

  • Microsoft A/E/F5 Security Add-on

  • Microsoft EMS E5


Required Roles

Depending on the resource type to be reviewed, there are a few different roles that can create the access reviews:

Resource type: Group or application

  • Create and manage access reviews (creators): Global Administrator; User Administrator; Identity Governance Administrator; Privileged Role Administrator (only does reviews for Microsoft Entra role-assignable groups); Group owner*

  • Created in: Entra Identity Governance - Access Reviews; Microsoft Entra Group (at the overview or specific group); Microsoft Entra Enterprise Application (at the overview or specific app)

Resource type: Microsoft Entra roles

  • Create and manage access reviews (creators): Global Administrator; Privileged Role Administrator

Resource type: Azure resource roles (at correct scope)

  • Create and manage access reviews (creators): User Access Administrator; Resource owner; Custom roles with Microsoft.Authorization/* permission

Resource type: Access package

  • Create and manage access reviews (creators): Global Administrator; Identity Governance Administrator; Catalog owner**; Access package manager**

  • Created in: Entitlement Management (Access package blade - creation or for existing)

Used with permission from Microsoft. Source: Microsoft Learn: What are access reviews?

*Needs to be enabled by an admin

**For the specific Access package


 

Microsoft Entra Access Reviews Capabilities

As mentioned, Access Reviews can be a great help in a multitude of scenarios. Let's go through the different capabilities and features we can take advantage of.


Helpers

Access Reviews in Microsoft Entra Identity Governance offer helpers—recommendation tools designed to simplify the reviewer’s decision-making process. These tools use specific logic and data to evaluate user activity and organizational relevance, providing actionable insights. Let’s explore the key helpers and how they work in practice:

Helper: Inactive User

  • Purpose: Flags dormant accounts.

  • Logic: Evaluates the last sign-in date at the start of the Access Review.

  • Example: Jane hasn’t logged in for 45 days before the review begins and is flagged as “No sign-in for 30 days.”

  • Limitations: Sign-ins after the review starts aren’t reflected.

Helper: User-to-Group Affiliation

  • Purpose: Flags users with low group alignment.

  • Logic: Uses ML to compare user attributes, organizational hierarchy, and reporting structure.

  • Example: Todd in Sales is in the Design group with no affiliation to other members, so a denial is recommended.

  • Limitations: Doesn’t support external users or groups with more than 600 members.

These helpers enable smarter, faster reviews by leveraging data insights and automation, helping organizations maintain governance without burdening reviewers.


Multi-stage reviews

Multi-stage reviews distribute the workload across multiple reviewers, reducing fatigue and ensuring a well-rounded consensus on granting or denying access.


Example Flow

The process can be visualized as follows:

A funnel graphic showing the stages of a multi-stage access review, from self-review to final auditor approval, demonstrating the flow and reduction of access participants.

Used with permission from Microsoft. Source: Microsoft Learn: Multi-stage reviews


  1. Stage 1: Users perform a self-review, justifying their need for access.

  2. Stage 2: Managers evaluate the self-reviews and either approve or deny access.

  3. Stage 3: Auditors review the refined list, making final access decisions.


While this is one example, stages can be customized to include specific roles such as group owners, application owners, or C-suite members.


Why Use Multi-Stage Reviews?

Delegating roles across stages reduces reviewer fatigue and minimizes errors, such as unintentional approvals or denials. It also provides valuable insights if later reviewers can see prior justifications. Multi-stage reviews are especially useful for high-risk roles or critical applications.


 

How to configure Microsoft Entra Access Review

Below are step-by-step guides for configuring different types of Microsoft Entra Access Reviews, covering scenarios like external users, specific groups, multi-stage application reviews, and privileged roles.


Example 1: External users

Managing and reviewing external user access helps ensure collaborators only retain access for as long as needed. Here’s how to set up a multi-stage review for external users:

  1. Create a Dynamic Group for External Users: Use this dynamic membership rule syntax to group all guest users: (user.userType -ne "Member"). Note: Microsoft has provided a script to help analyze external users.

    Screenshot of the “New Group” interface in Microsoft Entra, showing settings for creating a dynamic group of external users.

  2. Navigate to the Access Reviews Page:

    Navigate to Identity Governance > Access Reviews, and click New Access Review.

    The Identity Governance dashboard in Microsoft Entra admin center, highlighting the Access Reviews section.

  3. Configure Scope and Review Type:

    Choose Teams & Groups.

    1. Select either:

      • “All Microsoft 365 groups with guest users.”

      • “Select Teams + Groups,” then specify the dynamic group created earlier.

    2. Choose Guest users only

      • Optionally, select Inactive users to scope the review to those who haven’t signed in for a specified period.

    Screenshot of the “New Access Review” configuration page with options for Teams & Groups, review scope, and inactive user settings.

  4. Set Review Stages and Assign Reviewers:

    1. Enable Multi-stage Review if desired (it's enabled in this example).

      Interface showing the option to enable multi-stage reviews while setting up access reviews in Microsoft Entra.

    2. Assign reviewers by one of the provided options:

      • Group Owner(s)

      • Selected users or groups

      • Self-review

      • Manager of user

      Detailed settings for first and second review stages, including stage duration and reviewer selection for multi-stage access reviews.

    3. Set the recurrence for how often the review repeats & configure which users proceed to later stages based on results from earlier stages.

      Configuring recurrence, start date, and review progression for reviewees in the final stages of a multi-stage access review.

  5. Define Actions Upon Review Completion:

    • Set actions to be taken after the review, such as:

      • Automatically blocking inactive users for 30 days.

      • Removing users from the tenant if they remain inactive.

    Configuring auto-apply results, reviewer decision helpers, and advanced settings like notifications and justifications for access reviews.

    For this specific case, where the goal is to remove unused external users, follow these steps to ensure the proper configuration:


    1. Enable Auto-apply Results to Resource:

      • This setting ensures that the results of the review (approved or denied) are automatically applied without requiring manual intervention.


    2. Set the Action for Denied Guest Users:

      • Under the Actions to Apply on Denied Guest Users option, select:

        • Block user from signing in for 30 days.

        • Then remove the user from the tenant.


    This configuration provides a grace period where denied users are blocked, giving administrators time to verify or undo actions if needed. After 30 days, the system automatically removes the user from the tenant.


    By enabling these settings, you can streamline the process of removing inactive or unnecessary external users while maintaining a controlled and automated workflow.


  6. Finalize and Save:

    Provide a meaningful name for the review, and review the configuration.

    Overview page for an Access Review series in Microsoft Entra, showing settings and scheduling options.
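The Inactive User helper from the Helpers section and the completion actions from Example 1, as an added model in Python (not Microsoft's implementation and not code from this post): guest scoping follows the (user.userType -ne "Member") rule, the helper only counts sign-ins on or before the review start (so a sign-in after the start does not clear the flag), and a denied guest is blocked at once and removed after the 30-day grace period. All users and dates are constructed, and the >= boundary for "30 days" is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

THRESHOLD_DAYS = 30  # the "No sign-in for 30 days" helper window


@dataclass
class DirectoryUser:
    upn: str
    user_type: str                                      # user.userType: "Member" or "Guest"
    sign_ins: List[date] = field(default_factory=list)  # interactive sign-in dates


def in_guest_scope(user: DirectoryUser) -> bool:
    """Mirror the dynamic membership rule (user.userType -ne "Member")."""
    return user.user_type != "Member"


def last_sign_in_as_of(user: DirectoryUser, as_of: date) -> Optional[date]:
    """Latest sign-in on or before as_of; None if the user never signed in by then."""
    earlier = [d for d in user.sign_ins if d <= as_of]
    return max(earlier) if earlier else None


def inactive_recommendation(user: DirectoryUser, review_start: date,
                            threshold_days: int = THRESHOLD_DAYS) -> Optional[str]:
    """The Inactive User helper, evaluated once at review start.

    Sign-ins after review_start are deliberately ignored, which is the limitation
    the Helpers table calls out. Treating exactly 30 idle days as inactive is a
    modelling assumption.
    """
    last = last_sign_in_as_of(user, review_start)
    if last is None or (review_start - last).days >= threshold_days:
        return f"No sign-in for {threshold_days} days"
    return None  # recent sign-in: no recommendation shown to the reviewer


def run_guest_review(users: List[DirectoryUser], review_start: date,
                     threshold_days: int = THRESHOLD_DAYS) -> Dict[str, Optional[str]]:
    """Scope the review to guests and attach the helper recommendation to each."""
    return {u.upn: inactive_recommendation(u, review_start, threshold_days)
            for u in users if in_guest_scope(u)}


def denied_guest_timeline(applied_on: date, grace_days: int = 30) -> Dict[str, date]:
    """Example 1 completion actions: block sign-in now, remove from the tenant after the grace period."""
    return {"blocked_on": applied_on, "removed_on": applied_on + timedelta(days=grace_days)}


# Constructed sample tenant; the review starts on 2024-12-01.
REVIEW_START = date(2024, 12, 1)
SAMPLE_USERS = [
    DirectoryUser("jane@partner.example", "Guest", [date(2024, 10, 17)]),                    # 45 days idle
    DirectoryUser("sam@partner.example", "Guest", [date(2024, 10, 22), date(2024, 12, 3)]),  # signs in 2 days after start
    DirectoryUser("bob@partner.example", "Guest", [date(2024, 11, 26)]),                     # 5 days idle
    DirectoryUser("nila@partner.example", "Guest", []),                                      # invited, never signed in
    DirectoryUser("mark@contoso.example", "Member", [date(2024, 11, 30)]),                   # employee, out of scope
]

if __name__ == "__main__":
    for upn, hint in run_guest_review(SAMPLE_USERS, REVIEW_START).items():
        print(f"{upn:24} {hint or 'no recommendation'}")
    print(denied_guest_timeline(REVIEW_START))
```

Sam is still flagged even though he signed in two days after the review started, which is exactly why reviewers should read the helper as "inactive as of the start date" rather than "inactive today".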


 

Example 2: Single-Stage Group Access Review

Let’s consider a scenario where a specific group, such as the Design team’s Access Package, provides access to various applications, roles, and information. To ensure the group membership remains accurate and relevant, we can set up a Single-Stage Access Review with the following steps:


  1. Select the Target Group & Scope

    • Navigate to Identity Governance > Access Reviews, and select New Access Review.

    • Choose Teams & Groups.

    • Specify the Design group as the scope for the review.

    • Set the review to include all users in the group.


  2. Assign Reviewers

    • Do not enable Multi-stage Review.

    • Set the reviewer to Group Owner(s).

    • Add fallback reviewers, such as organization Auditors, to handle cases where the group owner is non-existent or inactive.


  3. Configure Settings:

    • Enable Auto-apply Results to Resource:

      • This ensures the results of the review are automatically implemented.

    • Set “If reviewers don’t respond”:

      • Specify what should happen if no action is taken by reviewers (e.g., deny access by default).

    • Disable the helper “No sign-in within 30 days”:

      • This avoids flagging users based solely on recent sign-ins.

    • Enable the helper “User-to-Group Affiliation”:

      • This provides reviewers with ML-driven insights about how closely aligned each user is to the group based on organizational hierarchy and reporting structure.


  4. Finalize and Save:

    • Provide a meaningful name for the review.

    • Go over all configurations one last time to ensure accuracy.

    • Create the Access Review.

    • Once created, the review can be accessed and modified if needed by opening it from the Overview and selecting the Settings tab.


  5. Evaluate Results

    • After the review is completed, navigate to the Overview tab to see the review’s status and summary.


  6. Review Detailed Results

    • Open the Results blade to access detailed insights into the review, including user evaluations, recommendations, and actions taken.


 

Example 3: Multi-Stage Application Access Review

A multi-stage access review distributes the evaluation process among multiple reviewers, reducing fatigue while ensuring thorough validation. This method is especially useful for critical applications, as it incorporates roles like App Owners, Managers, C-Suite members, or dedicated auditors. Here’s how to set up a multi-stage review for a Salesforce application:


  1. Select the Target Application & Scope

    • Navigate to Identity Governance > Access Reviews, and select New Access Review.

    • Choose Applications, and specify Salesforce as the target application.

    • Set the scope of the review to include All Users.


  2. Configure Multi-Stage Review

    1. Enable the Multi-stage Review option.

    2. Configure Reviewers for Each Stage:

      • Stage 1: Users (self-review) to justify their need for access.

      • Stage 2: Managers to evaluate the self-reviews and justifications.

      • Stage 3: C-Suite members or auditors to provide the final approval.

    3. Set Stage Duration:

      • Define how long each stage should last (e.g., 15 days per stage).

    4. Disable “Reveal Review Results”:

      • This ensures later stages don’t see decisions or justifications from earlier reviewers, enabling isolated decision-making.

    Microsoft Entra Access Review progression settings panel for approved and denied reviewees.

  3. Configure Recurrence

    • Set the review to recur based on your organization’s needs.

    • Example: Configure a yearly review for 10 years to maintain long-term oversight.

    Overview of Access Review recurrence settings including annual reviews and duration settings.

  4. Configuring Reviewee Progression Between Stages

    As part of the review settings, configure how reviewees move through the stages to align the review process with your organization’s needs. These are the most common configurations:


    1. All Reviewees Except Denied

      • Description: All reviewees, except those explicitly denied in earlier stages, proceed to subsequent stages.

      • Use Case: Ideal for sensitive scenarios where thorough validation of approved users is required.

      • Benefits:

        • Ensures all approved users are validated at each stage.

        • Denied users are excluded, reducing unnecessary re-evaluation.


    2. Denied Reviewees Only

      • Description: Only reviewees explicitly denied in earlier stages proceed to subsequent stages.

      • Use Case: Best for cases where contentious denials need further evaluation by managers or auditors.

      • Benefits:

        • Reduces unnecessary workload by skipping approved users.

        • Focuses later stages exclusively on contentious or high-risk cases.


    3. Best Practices

      • Use All Reviewees Except Denied for scenarios requiring thorough validation and alignment with sensitive policies.

      • Use Denied Reviewees Only to streamline reviews and focus efforts on cases requiring deeper scrutiny.


    By tailoring the progression, you create an Access Review process that is both comprehensive and efficient, reducing workload while maintaining governance standards.

    Review settings panel in Microsoft Entra showing multi-stage review configuration with reviewers and stage durations.

  5. Configure Settings

    1. Apply relevant helpers at specific stages:

      • Example: Use the No sign-in within 30 days helper for Stage 2 and Stage 3 to identify inactive users.

    2. Configure Auto-apply Results to Resource:

      • Automatically remove access for denied users or approve access for validated users.

      • Adjust settings to specify actions if reviewers don’t respond.


  6. Finalize and Save

    • Provide a meaningful name for the review (e.g., “Salesforce Access Review 2024”).

    • Review all configurations to ensure they align with your requirements.

    • Create the Access Review.


By using a multi-stage review, you create a robust access governance process that leverages diverse perspectives while minimizing reviewer fatigue. This ensures access to critical applications like Salesforce is justified, secure, and aligned with organizational needs.
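The two progression settings from step 4 and the Reveal Review Results switch from step 2, as an added simulation in Python (not Microsoft's implementation and not code from this post). The reviewees, decisions and justifications are constructed; the rules that the last stage to evaluate a reviewee sets the outcome and that reviewees nobody answered for receive the "If reviewers don't respond" action are modelling assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

APPROVE, DENY, NO_RESPONSE = "Approve", "Deny", "NoResponse"
ALL_EXCEPT_DENIED, DENIED_ONLY = "AllExceptDenied", "DeniedOnly"


@dataclass
class StageRecord:
    stage: int
    reviewee: str
    decision: str
    justification: str = ""


def next_stage_reviewees(records: List[StageRecord], progression: str) -> List[str]:
    """Which reviewees the following stage sees, per the progression setting."""
    if progression == ALL_EXCEPT_DENIED:      # everyone not explicitly denied moves on
        return [r.reviewee for r in records if r.decision != DENY]
    if progression == DENIED_ONLY:            # only contested denials move on
        return [r.reviewee for r in records if r.decision == DENY]
    raise ValueError(f"unknown progression setting: {progression}")


def prior_context(history: List[StageRecord], reviewee: str, reveal_results: bool) -> List[str]:
    """What a later reviewer may read; empty when Reveal Review Results is disabled."""
    if not reveal_results:
        return []
    return [f"stage {r.stage}: {r.decision} ({r.justification})"
            for r in history if r.reviewee == reviewee]


def run_review(reviewees: List[str], stage_decisions: List[Dict[str, tuple]],
               progression: str, no_response_action: str = DENY) -> dict:
    """Simulate a multi-stage review.

    stage_decisions holds one dict per stage mapping reviewee -> (decision, justification);
    a reviewee absent from a stage's dict had no reviewer response. Modelling assumption:
    the last stage that evaluated a reviewee sets the outcome, and reviewees left without
    any decision receive the "If reviewers don't respond" action.
    """
    history: List[StageRecord] = []
    stage_reviewees: List[List[str]] = []
    outcome: Dict[str, str] = {}
    current = list(reviewees)
    for stage_no, decisions in enumerate(stage_decisions, start=1):
        stage_reviewees.append(list(current))
        records = []
        for reviewee in current:
            decision, justification = decisions.get(reviewee, (NO_RESPONSE, ""))
            records.append(StageRecord(stage_no, reviewee, decision, justification))
            outcome[reviewee] = decision
        history.extend(records)
        current = next_stage_reviewees(records, progression)
    final = {r: (no_response_action if d == NO_RESPONSE else d) for r, d in outcome.items()}
    return {"final": final, "stage_reviewees": stage_reviewees, "history": history}


# Constructed sample: four Salesforce users across self-review, manager and auditor stages.
REVIEWEES = ["alice", "bob", "carol", "dave"]
STAGE_DECISIONS = [
    {"alice": (APPROVE, "daily CRM use"), "bob": (APPROVE, "quarterly reports"),
     "carol": (DENY, "moved to design")},                               # dave never responds
    {"alice": (APPROVE, "confirmed"), "bob": (DENY, "no CRM duties"),
     "carol": (APPROVE, "still needs read access"), "dave": (DENY, "on leave")},
    {"alice": (APPROVE, "audited"), "bob": (APPROVE, "contract requires"),
     "carol": (DENY, "policy"), "dave": (APPROVE, "returning")},
]

if __name__ == "__main__":
    for mode in (ALL_EXCEPT_DENIED, DENIED_ONLY):
        result = run_review(REVIEWEES, STAGE_DECISIONS, mode)
        print(mode, result["final"], "reviewees per stage:", [len(s) for s in result["stage_reviewees"]])
        print("  carol's history with reveal on:", prior_context(result["history"], "carol", True))
```

With the same decisions, All Reviewees Except Denied sends 8 decisions through the three stages and ends with only Alice approved, while Denied Reviewees Only needs 5 decisions and lets Carol's stage-1 denial be overturned by her manager, so the choice of progression changes both workload and outcome.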


 

Example 4: Service Principal PIM Access Review

As we’ve discussed, Privileged Identity Management (PIM) is a powerful tool for managing privileged access. However, while PIM governs the assignment and activation of privileged roles, it doesn’t inherently review whether those roles remain justified over time. For this, we leverage Access Reviews.


Access Reviews for PIM roles operate slightly differently compared to other types of reviews:

  • They cannot be created via the general Access Review menu.

  • They must be configured directly within PIM.

  • They are limited in features and are only available for Microsoft Entra roles and Azure RBAC roles.


  1. Navigate to PIM Access Reviews:

    • Go to Privileged Identity Management > Microsoft Entra Roles > Access Reviews.

    • This page provides an overview of all existing PIM Access Reviews, both current and previous.

    • Click New Access Review to open a single configuration blade.


  2. Define Scope & Configure the Access Review:

    Fill out the necessary fields:

    • Name: Provide a meaningful name for the review.

    • (Optional) Description: Include details to guide reviewers about the review’s purpose.

    • Start Date: Set the date when the review will begin, which will also be the date when sign-ins are evaluated.

    • Frequency: Define how often the review will recur (e.g., monthly, quarterly, etc.).

    • Duration: Specify how long each review cycle will remain active.

    • End: Decide when the review should end, or whether it should continue indefinitely.

    • Scope: Select Service Principal assignments as the scope.

    • Assignment Type: Focus on active assignments for this example.

    • Reviewers: Assign users or roles responsible for reviewing the Service Principal assignments.

    Configuration screen for creating an Access Review in Microsoft Entra, detailing settings for Service Principals, frequency, duration, and reviewers.

  3. Configure Completion Actions and Notifications:

    1. Specify what actions should occur once the review concludes:

      • Auto-apply results to enforce decisions (e.g., revoke access for denied assignments).

      • Enable recommendations to guide reviewers by providing insights like activity levels or role usage.

    2. Configure email notifications to keep reviewers informed throughout the review.

    Advanced Access Review settings panel showing decision helpers and email notification configurations.

  4. Finalize and Save:

    1. Review the configurations for accuracy.

    2. Once saved, the new Access Review will appear in the PIM Access Reviews Overview, ready to monitor and manage.

    Privileged Identity Management Access Review interface in Microsoft Entra for managing roles and assignments.

 

Example 5: Access Reviews for Access Packages

Access Reviews can also be applied to Access Packages within Microsoft Entra Identity Governance. These reviews are tied directly to the Lifecycle policy of the access package and are relatively simple, offering limited configurability compared to other types of reviews.


When to Configure Access Reviews for Access Packages

You can configure Access Reviews:

  1. During the creation of an access package.

  2. After creation, via the Policy menu under the Access Package settings.


Key Features and Limitations

Access Reviews for Access Packages have the following characteristics:

  • Single-stage reviews only: Multi-stage or advanced reviewer delegation is not supported.

  • Configuration Options:

    • Start date: When the review begins.

    • Review frequency: Options include annually, bi-annually, quarterly, monthly, or weekly.

    • Review duration: Maximum of 80 days per cycle.

    • Reviewers: Options include:

      • Self-review: Users review their own access.

      • Specific reviewers: Assign individuals or groups.

      • Manager review: Assign the user’s manager.

  • Advanced settings:

    • Decision helpers: Show data like last sign-in activity.

    • Justifications: Require reviewers to justify decisions.

    • If reviewers don’t respond: Specify actions like “No change” or “Deny access.”


Steps to Configure Access Package Access Reviews

  1. Create or Edit an Access Package:

    • Access the Identity Governance portal.

    • Choose to create a new Access Package or edit an existing one.


  2. Navigate to the Lifecycle Settings:

    • During package creation, or under Policies in the Access Package menu, navigate to the Lifecycle section.


  3. Enable Access Reviews:

    • Turn on Require Access Reviews.

    • Specify the Start Date, Review Frequency, and Duration.

    Lifecycle configuration page for a new access package in Microsoft Entra, showing expiration settings, access review requirements, frequency, and advanced options.

  4. Assign Reviewers:

    • Choose the appropriate reviewer type, as explained previously.


  5. Configure Advanced Settings:

    • Enable or disable Decision helpers.

    • Decide whether to require justifications for reviewer decisions.

    • Set the action for if reviewers don’t respond (e.g., leave access unchanged, remove access).


  6. Finalize and Save:

    • Save the configuration and finalize the Access Package.


Benefits of Access Package Reviews

Although less flexible than other types of reviews, Access Package Access Reviews provide a straightforward way to periodically validate access. They’re particularly useful for environments with frequent onboarding/offboarding or temporary access needs, ensuring compliance and reducing over-provisioning risks.


 

Reviewing: Conclusion

Microsoft Entra Access Reviews provide organizations with a comprehensive solution to manage access lifecycles effectively, ensuring permissions remain relevant and justified. By incorporating these reviews, you can reduce security risks, address over-provisioned accounts, and streamline audit processes—all while aligning with Zero Trust principles.


Through this feature showcase, we’ve explored the diverse scenarios and powerful capabilities of Access Reviews. Whether it’s managing external user access, implementing multi-stage application reviews, or integrating with Privileged Identity Management, Access Reviews offer the flexibility and automation needed to meet today’s security and compliance challenges.


Key Takeaways

  1. Reduce Risks: Access Reviews help mitigate identity-based threats and eliminate excessive privileges.

  2. Streamline Decision-Making: Helpers and multi-stage workflows enhance efficiency, making access decisions smarter and more precise.

  3. Align with Policies: Proper configuration ensures that access management adheres to your organization’s security and compliance requirements.


Now to close out with another bad tech joke!


Have you heard of that new band “1023 Megabytes”?

They’re pretty good, but they don’t have a gig just yet! 😎


Stay tuned for more insights, subscribe to my blog, and take the next step in securing your access governance today—because every byte of security matters!

