Unit 1: Introduction
Why access reviews are necessary
Once identity is deployed and users are granted access to applications, groups, and roles, access does not remain static. Over time:
- Employees change roles.
- Contractors leave.
- External partners complete projects.
- Privileged access remains longer than required.
- Users accumulate access they no longer need.
Without regular validation, access environments slowly become over-permissioned, which increases:
- Security risk.
- Insider threat exposure.
- Audit and compliance failures.
- Blast radius during compromise.
Access reviews exist to continuously validate access after it has been granted.
What problem access reviews solve
Access reviews help organizations answer these ongoing questions:
- Does this user still need this access?
- Is this access still aligned with their role?
- Has the user been inactive?
- Should access be removed, reduced, or retained?
Rather than relying on one-time approval, access reviews enforce continuous governance.
What access reviews provide
Access reviews allow organizations to:
- Periodically review access to:
  - Groups.
  - Applications.
  - Access packages.
  - Privileged roles.
- Delegate review responsibility to:
  - Business owners.
  - Group owners.
  - Application owners.
- Automate decisions based on:
  - Inactivity.
  - Reviewer response.
  - System recommendations.
- Produce auditable evidence for:
  - Internal audits.
  - Regulatory compliance.
  - Zero Trust posture.
Where access reviews live
- Access reviews are implemented through Microsoft Entra ID Governance.
- A Microsoft Entra ID Premium P2 license is required for reviewers.
- Reviews integrate with:
  - Groups.
  - Enterprise applications.
  - Access packages.
  - Privileged Identity Management (PIM).
Access reviews and Zero Trust
Access reviews support Zero Trust by enforcing:
- Verify explicitly – validate access regularly.
- Least privilege – remove unnecessary access.
- Assume breach – reduce long-lived permissions.
They ensure access is earned repeatedly, not assumed indefinitely.
What you will learn in this module
In this module, you learn how to:
- Plan access reviews strategically.
- Create access reviews for:
  - Groups.
  - Applications.
- Monitor review progress and outcomes.
- Automate access review processes.
- Configure recurring access reviews.
- Integrate reviews into identity governance operations.
Learning objectives
By the end of this module, you will be able to:
- Plan for access reviews.
- Create access reviews for groups and apps.
- Monitor access review findings.
- Create and manage access review programs.
- Automate access review management tasks.
- Configure recurring access reviews.