Unit 2: Plan for access reviews

What is an Access Review?

An Access Review is a planned and structured evaluation of:

Who currently has access.
Whether that access is still required.
Whether access should continue, be removed, or be changed.

Access Reviews are a core identity governance control that help ensure:

The right people have the right access.
Access is time-appropriate and business-justified.
Stale, excessive, or risky access is identified and removed.

Why access reviews matter

Access Reviews help organizations:

Reduce security risk caused by unused or excessive access.
Maintain regulatory and audit compliance.
Enforce least privilege over time.
Protect sensitive business data.
Maintain productivity while ensuring governance.

Where access reviews are performed

Access Reviews are implemented using Microsoft Entra ID Governance.
A Microsoft Entra ID Premium P2 license is required.

Plan your access review strategy

Before enabling access reviews, you must define why, what, and how you will review access.

Key planning questions:

What resources must be reviewed?
Who should perform the reviews?
How often should reviews occur?
What actions should be taken after reviews complete?
What happens if no one responds?

Engage the right stakeholders

Access reviews are not just an IT task. They require collaboration across the organization.

Key stakeholder groups

Stakeholder	Responsibility
IT Administration	Manages infrastructure, identity, SaaS apps, and cloud services.
Development Teams	Build and maintain applications that require governed access.
Business Units	Own applications, projects, and data.
Corporate Governance	Ensures compliance with internal policies and regulations.

Why stakeholder planning matters

Poor planning leads to missed reviews, incorrect decisions, or review fatigue.
Reviews that are too frequent or poorly staffed reduce quality.
Clear ownership improves accuracy and accountability.

Important Manual reviews require sufficient reviewers and realistic timelines. Too many reviews or too few reviewers results in poor access decisions.

What is Microsoft Entra ID Governance?

Microsoft Entra Identity Governance helps organizations balance:

Security.
Compliance.
User productivity.

It provides visibility, controls, and auditing for access across:

Employees.
External users.
Partners and vendors.
Cloud and on-premises resources.

Identity Governance answers four critical questions

Which users should have access to which resources?
What are users doing with that access?
Are access controls effective?
Can auditors verify that controls are working?

Plan a pilot access review

Microsoft strongly recommends starting with a pilot.

Why start with a pilot?

Reduces risk.
Allows process tuning.
Improves reviewer familiarity.
Prevents accidental large-scale access removal.

Recommended pilot practices

Start with non-critical resources.
Disable automatic access removal initially.
Ensure all users have valid email addresses.
Track removed access so it can be restored quickly.
Monitor audit logs closely.

What resource types can be reviewed?

Once resources are integrated with Microsoft Entra ID, they can be reviewed.

Supported review targets

Applications
SaaS apps.
Line-of-business apps.
Enterprise applications.
Groups
Microsoft Entra security groups.
Microsoft 365 Groups.
Teams.
Access Packages
Bundles of groups, apps, and sites.
Privileged Roles
Microsoft Entra roles.
Azure resource roles (via PIM).

Who can create and manage access reviews?

The required role depends on what is being reviewed.

Access review permissions by resource type

Groups and Applications

Creators:

Global Administrator
User Administrator
Identity Governance Administrator
Privileged Role Administrator (limited scope)
Group Owner

Readers:

Global Reader
Security Reader
User Administrator

Microsoft Entra Roles

Creators:

Global Administrator
Privileged Role Administrator

Readers:

Global Reader
Security Reader
User Administrator

Azure Resource Roles

Creators:

Global Administrator
User Access Administrator
Resource Owner

Readers:

Reader (for the resource)
User Access Administrator

Access Packages

Creators:

Global Administrator
User Administrator
Identity Governance Administrator

Readers:

Global Reader
Security Reader
User Administrator

Who performs the review?

The reviewer is chosen at creation time and cannot be changed once the review starts.

Reviewer personas

Reviewer Type	Description
Resource Owners	Business owners of the resource.
Delegated Reviewers	Individually selected users or groups.
End Users	Users self-attest their own access.

Multiple reviewers can be assigned. The last decision submitted wins.

Components of an access review plan

Before creating a review, you must define the following.

Required planning inputs

What resource(s) will be reviewed?
Whose access is reviewed?
Review frequency.
Reviewers.
Notification method.
Review timelines.
Automatic actions.
Actions if no response.
Manual remediation steps.
Communication plan.

Example access review plan

Component	Example
Resource	Microsoft Dynamics access
Frequency	Monthly
Reviewers	Dynamics business program managers
Notification	Email 24 hours before review
Timeline	48 hours
Automatic Action	Remove access for inactive users
Manual Action	Optional reviewer approval
Communication	Notify removed users

Plan access reviews for access packages

Access Packages simplify governance by grouping resources.

Why use access packages for reviews?

Centralized review of multiple resources.
One review instead of many.
Clear business alignment.

Key points

Access Reviews are configured inside Access Package policies.
You can define:
Who requests access.
Approval workflow.
Re-request and expiration rules.
Review frequency.

Plan access reviews for groups

Group-based access is the recommended access model.

Why review groups instead of individual access?

One group can control access to many resources.
Easier governance.
Reduced operational overhead.

Who can review group membership?

Administrators.
Group owners.
Delegated reviewers.
Group members (self-review).

Group ownership considerations

Group Type	Ownership Guidance
Microsoft 365 / Entra groups	Owners defined; ideal reviewers.
Teams	Team creator is owner; best reviewer.
Script-created groups	Owners should be explicitly assigned.
On-prem synced groups	No Entra owner; select reviewers manually.

Best practice Define business rules for group creation and ownership to ensure accountability.

Review Conditional Access exclusion groups

Some users must be excluded from Conditional Access policies.

Example:

Sales team excluded from location-based restrictions.

These exclusion groups must be reviewed regularly, as they often contain high-risk exceptions.

Review external users’ group memberships

Best practices

Use Dynamic Groups for external users.
Assign an internal sponsor as reviewer.
Limit review scope to Guest users only where possible.

Review access to on-premises groups

Important limitation:

Access Reviews cannot modify on-premises group membership.
Microsoft Entra ID is not the source of authority.

How to handle this

Use Access Reviews to identify required changes.
Reviewers manually update on-premises groups.
Export results via CSV or Microsoft Graph.

Plan access reviews for applications

Application reviews focus on who can access a specific app.

Use application reviews when

Users are assigned directly to the app.
The app contains sensitive data.
Compliance requires attestation.
Suspicious access is suspected.

Application owners cannot be auto-selected as reviewers.

Plan reviews for privileged roles

Privileged Identity Management (PIM) integrates with access reviews.

Roles that should be reviewed regularly

Global Administrator
User Administrator
Privileged Authentication Administrator
Conditional Access Administrator
Security Administrator
Microsoft 365 and Dynamics admin roles

Monitor and deploy access reviews

After planning, deploy reviews across:

Access packages.
Groups.
Applications.
Microsoft Entra roles.
Azure resource roles.

Use Microsoft Graph for automation

Common automation tasks

Create and start access reviews.
End reviews early.
List running reviews.
Retrieve decisions.
Track deviations from recommendations.

Tip Use Graph Explorer to test queries before scripting.

Monitor access review activity

Access review actions are logged in Microsoft Entra Audit Logs.

Sample audit filters

Field	Value
Category	Policy
Activity	Create / Update / End / Apply review
Date	Last 7 days

For advanced monitoring:

Export logs to Azure Log Analytics or Event Hubs.
Build dashboards and alerts.

Plan communications

Communication is critical for success.

Communication best practices

Explain accountability changes to business owners.
Train reviewers.
Customize email messages.
Provide instructions and reference links.
Include escalation contacts.

Licensing requirements

Who needs Microsoft Entra ID Premium P2?

Reviewers (members and guests).
Self-review users.
Group owners performing reviews.
Application owners performing reviews.

Who does NOT need P2?

Global Administrators.
User Administrators creating and managing reviews.

SC‑300 Study Portal Path 5

Unit 2: Plan for access reviews