Unit 3: Create access reviews for groups and apps
Why create access reviews for groups and apps
Access to groups and applications changes frequently due to:
- Job role changes.
- Project completion.
- External collaboration.
- Privileged access elevation.
Without review, these assignments often become stale.
Creating access reviews allows administrators to:
- Periodically validate access.
- Remove inactive or unnecessary users.
- Maintain compliance automatically.
- Reduce administrative overhead.
Prerequisites
Before creating access reviews, ensure:
- A Microsoft Entra ID P2 (or Microsoft Entra ID Governance) license is assigned.
- You are signed in as one of the following:
  - Global Administrator.
  - User Administrator.
  - Identity Governance Administrator.
- Target groups or applications already exist.
Create an access review (step-by-step)
Step 1: Open Identity Governance
- Sign in to the Azure portal.
- Navigate to Identity Governance.
- In the left menu, select Access reviews.
- Select New access review.
Step 2: Select what to review
You must choose the resource type.
Available options
- Teams + Groups
- Applications
If you select Teams + Groups
You have two choices:
- All Microsoft 365 groups with guest users
  - Reviews all guest users across all Teams and Microsoft 365 groups.
  - Optional exclusions available.
- Select teams + groups
  - Manually choose specific groups to review.
Use the first option for broad guest cleanup.
Use the second option for targeted governance.
If you select Applications
- Choose one or more enterprise applications.
- The review will cover users assigned directly to the app.
Step 3: Select scope
Define who is reviewed.
Scope options
- Guest users only – reviews only external (guest) accounts that hold access.
- Everyone – reviews every user with access, members and guests alike.
- Optionally limit the review to users inactive for a chosen number of days.
If “All Microsoft 365 groups with guest users” was selected, scope is automatically Guest users only.
Step 4: Select reviewers
Reviewers are responsible for approving or denying access.
Reviewer options
- Group owner(s)
(Available only for group reviews)
- Selected users or groups
- Users review own access (self-attestation)
- Managers of users (Preview)
- Optional fallback reviewers can be configured.
Important:
Reviewer selection cannot be changed after the review starts.
Step 5: Configure recurrence
Define how often the review runs.
Frequency options
- Weekly
- Monthly
- Quarterly
- Semi-annually
- Annually
Duration
- Determines how long the review stays open.
- Example:
- Monthly review → maximum duration 27 days.
- Shorter durations enforce faster decisions.
Start and end dates
- Define lifecycle of the review series.
- Supports long-term governance programs.
Step 6: Configure completion behavior
This determines what happens after the review ends.
Auto-apply results
- Enabled
- Microsoft Entra automatically removes or retains access.
- Disabled
- Admin must manually apply results.
If reviewers don’t respond
Choose what happens to unreviewed users:
- No change.
- Remove access.
- Approve access.
- Take system recommendations.
Guest user actions (if denied)
Options include:
- Remove membership from resource.
- Block sign-in for 30 days, then remove the user from the tenant.
Only the membership-removal action is available when the review covers everyone or all groups; the block-and-remove action applies to guest-only reviews.
Step 7: Enable decision helpers
Decision helpers provide recommendations based on:
- Last sign-in.
- Last access activity.
Reviewers can accept recommendations in bulk.
Step 8: Advanced settings
Available options
- Require justification – reviewers must explain decisions.
- Email notifications – notify reviewers and admins.
- Reminders – sent halfway through review duration.
- Custom email content – add instructions or context.
Step 9: Review and create
- Name the access review.
- Add an optional description.
- Review settings.
- Select Create.
Step 10: Start the access review
- Select Start review.
- Review status appears in the access reviews list.
- Emails are sent (if enabled).
Access review status lifecycle
| Status | Meaning |
|---|---|
| NotStarted | Waiting to begin |
| Initializing | Discovering users |
| Starting | Sending notifications |
| InProgress | Review active |
| Completing | Finalizing |
| Auto-Reviewing | System applying defaults |
| Auto-Reviewed | Decisions recorded |
| Applying | Changes applied |
| Applied | Completed |
| Failed | Review error |
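The statuses above can be read programmatically, which is how an administrator watches a review that has Auto-apply disabled and then applies the decisions by hand (Step 6). The following Microsoft Graph PowerShell script is an added example, not code from this unit or from Microsoft; it assumes the Microsoft.Graph.Identity.Governance module is installed, that the signed-in account may manage access reviews, and that the definition ID is a placeholder you replace with your own.

```powershell
# Added example (not from the unit): inspect the latest instance of an access
# review definition, summarize its decisions, and apply them manually when
# auto-apply is disabled. $definitionId is a placeholder.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$definitionId = "00000000-0000-0000-0000-0000000000aa"   # placeholder: existing schedule definition

$definition = Get-MgIdentityGovernanceAccessReviewDefinition -AccessReviewScheduleDefinitionId $definitionId
$instance   = Get-MgIdentityGovernanceAccessReviewDefinitionInstance -AccessReviewScheduleDefinitionId $definitionId -All |
              Sort-Object StartDateTime -Descending | Select-Object -First 1

"Review '$($definition.DisplayName)' instance $($instance.Id): status = $($instance.Status)"

# Each decision record carries Decision (Approve, Deny, NotReviewed, DontKnow),
# ApplyResult (whether it has been enforced), the principal and any justification.
$decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
    -AccessReviewScheduleDefinitionId $definitionId -AccessReviewInstanceId $instance.Id -All

$decisions | Group-Object Decision | ForEach-Object { "{0,-12} {1}" -f $_.Name, $_.Count }

# Show everything that is not an approval, so the admin sees what applying will change.
$decisions | Where-Object { $_.Decision -ne "Approve" } |
    Select-Object @{ n = "Principal"; e = { $_.Principal.DisplayName } }, Decision, ApplyResult, Justification |
    Format-Table -AutoSize

# Manual apply is only meaningful once the instance has completed and the
# definition does not auto-apply; the applyDecisions action is the documented Graph endpoint.
if ($instance.Status -eq "Completed" -and -not $definition.Settings.AutoApplyDecisionsEnabled) {
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/$definitionId/instances/$($instance.Id)/applyDecisions"
    "Apply requested; re-run this script to watch the status move to Applying and then Applied."
}
```

Run it once to see the decision summary; the apply branch is guarded so it does nothing while the review is still InProgress or when Entra is going to apply the results itself.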
Creating access reviews via APIs
All portal actions can also be performed via:
- Microsoft Graph API
- Microsoft Graph PowerShell
Used for:
- Automation.
- Large-scale governance.
- Integration with workflows.
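As an added example of the API route described above (not code from this unit or from Microsoft), the script below creates with Microsoft Graph PowerShell the same review the ten portal steps produce: a quarterly, owner-reviewed review of a group's guest members with decision helpers, justification, reminders and auto-apply enabled. It assumes the Microsoft.Graph.Identity.Governance module is installed and that the signed-in account may manage access reviews; the group and fallback-reviewer IDs are placeholders.

```powershell
# Added example (not from the unit): create a recurring access review of a
# group's guest members. The group ID and fallback reviewer ID are placeholders.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId            = "00000000-0000-0000-0000-000000000001"   # placeholder: group to review
$fallbackReviewerId = "00000000-0000-0000-0000-000000000002"   # placeholder: reviewer used if the group has no owner
$startDate          = (Get-Date).ToString("yyyy-MM-dd")

$definition = @{
    displayName             = "Quarterly guest review - Finance Collaboration"
    descriptionForAdmins    = "Quarterly attestation of guest members; denied guests are removed."
    descriptionForReviewers = "Confirm each guest still needs membership in this group."
    # Step 2/3: resource = one group, scope = its transitive members filtered to guests
    # (the portal's 'Guest users only'). Backticks stop PowerShell expanding $count/$filter.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers/microsoft.graph.user/?`$count=true&`$filter=(userType eq 'Guest')"
        queryType     = "MicrosoftGraph"
    }
    # Step 4: reviewers = group owners; fallback reviewers take over when no owner exists.
    reviewers = @(
        @{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" }
    )
    fallbackReviewers = @(
        @{ query = "/users/$fallbackReviewerId"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true    # Step 8: email notifications
        reminderNotificationsEnabled    = $true    # Step 8: reminders at the halfway point
        justificationRequiredOnApproval = $true    # Step 8: require justification
        recommendationsEnabled          = $true    # Step 7: decision helpers
        instanceDurationInDays          = 14       # Step 5: how long each occurrence stays open
        autoApplyDecisionsEnabled       = $true    # Step 6: Entra applies the results itself
        defaultDecisionEnabled          = $true    # Step 6: action when reviewers don't respond
        defaultDecision                 = "Deny"   # unreviewed guests lose access
        recurrence = @{
            # Step 5: quarterly = absoluteMonthly with interval 3 (dayOfMonth 0 as in the Graph samples)
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 0 }
            range   = @{ type = "noEnd"; startDate = $startDate }
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
"Created access review definition $($review.Id) (status: $($review.Status))"
```

There is no separate "Start review" call on this path: once the definition is created, Entra generates the first instance at the start date and notifies reviewers according to the settings. Defaulting unreviewed guests to Deny is the safer choice for guest cleanup, but pair it with fallback reviewers so an ownerless group does not silently lose every external member.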