This chapter covers Access Reviews in Microsoft Entra ID (formerly Azure AD), a core identity governance feature for enforcing least privilege and meeting compliance requirements. Access Reviews let you periodically review and attest to user access to groups, applications, and roles, with optional automatic removal of access that is denied or left unreviewed. On the AZ-104 exam this topic appears in roughly 5-10% of questions, typically in scenario-based questions about managing user permissions, auditing, and compliance. You must understand how to create, configure, and interpret access reviews, including reviewer selection, recurrence settings, the "If reviewers don't respond" setting, and auto-apply results.
Imagine a large public library with thousands of employees. The library has a policy that every employee's access to the rare book vault must be reviewed annually. The review committee (the access reviewers) receives a list of employees and their current access. For each employee, the committee must decide: should this person still have access? If they click Approve, the employee keeps their badge. If they click Deny, the badge is deactivated. If nobody responds within 30 days, the system can be configured to deactivate the badge automatically. The library manager can delegate reviews to department heads, who only see their own team, and the system sends reminder emails while the review is open. This mirrors Entra ID Access Reviews: reviewers get a list of users and resources and approve or deny each one; when the review period ends the results are applied, automatically if the review is configured that way, and what happens to items nobody reviewed is itself a setting (keep access, remove it, or follow the system's recommendation). Delegation to the right reviewers and scheduled reminders are what make the process actually complete.
What Are Access Reviews?
Access Reviews in Microsoft Entra ID are a governance tool that enables organizations to periodically review and attest to user access to resources. They are part of Entra ID Identity Governance and help meet compliance requirements by ensuring that only the right people have access to sensitive data and applications. Access Reviews can be used for:
Group memberships (security groups, Microsoft 365 groups)
Application assignments (SaaS apps, enterprise apps)
Microsoft Entra roles (Entra ID directory roles), reviewed through Privileged Identity Management (PIM)
PIM role assignments, both eligible and active, for Entra roles and, from the PIM blade, Azure resource roles
Why Access Reviews Exist
Without regular reviews, user access accumulates over time — employees change roles, leave the company, or no longer need certain permissions. This 'access creep' creates security risks and compliance violations. Access Reviews solve this by enforcing a recurring attestation cycle where designated reviewers (often managers) confirm or revoke access. The system can automatically remove access that is not approved, ensuring the principle of least privilege.
How Access Reviews Work Internally
An Access Review is defined by a schedule definition that specifies:
- What is being reviewed (scope: a group's membership, an application's assignments, or a role)
- Who is being reviewed (everyone in that scope, or guest users only)
- Who reviews (self-review, each user's manager, group owners, or selected users and groups; fallback reviewers cover users whose manager attribute is empty)
- How often (one-time, or recurring weekly, monthly, quarterly, semi-annually or annually) and when the series ends (never, on a date, or after a number of occurrences)
- Duration (how many days each instance stays open for decisions)
- Upon-completion behaviour: whether results are applied automatically, and what to do with items nobody reviewed (no change, remove access, approve access, or take the recommendation)
- Notifications (email when an instance starts, reminders at the halfway point, optional custom text)
When an instance starts, the system expands the scope and creates one decision item per user-resource pair. Reviewers open the My Access portal (or the Entra admin center) and, for each item, choose:
- Approve: keep access
- Deny: remove access
- Don't know: defer; the item still counts as not reviewed until someone decides
Items nobody touches remain in the Not reviewed state.
When the instance's duration ends (or an admin stops it early), the decisions become final. If auto-apply is enabled, denied items are removed from the resource and unreviewed items receive the configured "If reviewers don't respond" action; the default for that setting is No change, so enabling auto-apply alone does not strip access from users nobody reviewed. If auto-apply is disabled, nothing changes until an admin applies the results. Every decision and every applied removal is written to the Entra audit log.
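As an added example, not code from the original page, here is the definition described above created with the Microsoft Graph PowerShell SDK: a quarterly, manager-reviewed review of one group, with fallback reviewers for users whose manager attribute is empty, auto-apply turned on, and an explicit default decision so that unreviewed items are actually removed rather than left unchanged. It assumes the Microsoft.Graph module is installed and the signed-in account holds AccessReview.ReadWrite.All; the group ID, fallback reviewer ID and display names are placeholders. The body hashtable mirrors the accessReviewScheduleDefinition JSON that the Graph API accepts.

```powershell
<#
Added example, not from the original page: create a quarterly access review of a
group's membership through the Microsoft Graph PowerShell SDK.
Assumptions: Microsoft.Graph.Identity.Governance is installed, the signed-in
account holds AccessReview.ReadWrite.All, and the IDs passed in are placeholders.
#>
param(
    [Parameter(Mandatory)] [string] $GroupId,             # assigned (static) group to review
    [Parameter(Mandatory)] [string] $FallbackReviewerId,  # user who gets items whose manager is empty
    [switch] $GuestsOnly                                  # review only members with userType Guest
)

Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All' -NoWelcome

# Scope query: all transitive members of the group, or only those whose userType is Guest.
$scopeQuery = if ($GuestsOnly) {
    '/groups/' + $GroupId + '/transitiveMembers/microsoft.graph.user/?$count=true&$filter=(userType eq ''Guest'')'
} else {
    '/groups/' + $GroupId + '/transitiveMembers'
}

$definition = @{
    displayName             = 'Quarterly Finance-App-Access review'
    descriptionForAdmins    = 'Quarterly attestation of Finance-App-Access membership'
    descriptionForReviewers = 'Approve only people who still need the finance application.'
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = $scopeQuery
        queryType     = 'MicrosoftGraph'
    }
    # "./manager" evaluated against each decision item resolves the reviewed user's manager.
    reviewers = @(
        @{ query = './manager'; queryType = 'MicrosoftGraph'; queryRoot = 'decisions' }
    )
    # Without fallback reviewers, users with an empty manager attribute have no reviewer at all.
    fallbackReviewers = @(
        @{ query = '/users/' + $FallbackReviewerId; queryType = 'MicrosoftGraph' }
    )
    settings = @{
        instanceDurationInDays          = 30       # each instance is open for 30 days
        mailNotificationsEnabled        = $true    # email reviewers when an instance starts
        reminderNotificationsEnabled    = $true    # reminder at the halfway point
        justificationRequiredOnApproval = $true    # reviewers must justify approvals
        recommendationsEnabled          = $true    # "no sign-in within 30 days" decision helper
        autoApplyDecisionsEnabled       = $true    # apply results when the instance closes
        # Auto-apply alone leaves unreviewed items as "No change". The default decision
        # is what turns a reviewer's silence into removal.
        defaultDecisionEnabled          = $true
        defaultDecision                 = 'Deny'
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 3; dayOfMonth = 1 }   # every 3 months
            range   = @{ type = 'noEnd'; startDate = (Get-Date).AddDays(1).ToString('yyyy-MM-dd') }
        }
    }
}

$created = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
Write-Output "Created definition $($created.Id) '$($created.DisplayName)' with status $($created.Status)"
```

Run it as `.\New-QuarterlyGroupReview.ps1 -GroupId <group-id> -FallbackReviewerId <user-id>`, adding `-GuestsOnly` for the B2B variant. The two settings worth reading twice are `autoApplyDecisionsEnabled` and `defaultDecision`: the first only decides whether results are applied without an admin clicking Apply, the second decides what an unreviewed item's result is.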
Key Components and Defaults
Review scope: Can be 'All users' or specific groups. For groups, you can review members or guest users only.
Reviewers: Options include:
- Self-review (users review their own access)
- Manager (each user's manager, read from the Manager attribute of the user object); fallback reviewers handle users whose manager is not set
- Group owner(s), for group reviews
- Selected users or groups (an explicit list)
- Multi-stage reviews chain up to three of these in sequence, for example manager first, then a resource owner
- Recurrence: one-time, or recurring weekly, monthly, quarterly, semi-annually or annually. End: never (the default), by a date, or after a set number of occurrences.
- Duration (days): default 30, range 1-180. Each instance closes after this many days.
- Auto-apply results: default off. When on, results are applied automatically when the instance closes; when off, an admin applies them manually.
- If reviewers don't respond: default No change. Alternatives are Remove access, Approve access, or Take recommendations. This setting, not auto-apply by itself, determines what happens to users nobody reviewed.
- Action to apply on denied guest users: remove the guest from the resource (default), or block sign-in for 30 days and then delete the guest from the tenant.
- Justification required: default on. Reviewers must give a reason when they approve (the Graph setting is justificationRequiredOnApproval).
- Notifications: default on. Reviewers are emailed when an instance starts and reminded at the halfway point; admins can add custom text to the email.
- Decision helpers: "No sign-in within 30 days" flags users with no sign-in in the last 30 days and recommends Deny; for group reviews, "User-to-Group affiliation" is also available.
Configuration and Verification Commands
Access Reviews are configured in the Entra admin center or through the Microsoft Graph API under identityGovernance/accessReviews. The AzureAD and AzureADPreview PowerShell modules never included access review cmdlets and are retired, so automate with the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.Governance; permission AccessReview.ReadWrite.All, or AccessReview.Read.All for the read-only cmdlets):
# Sign in with the permission the cmdlets below need
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"
# List all access review schedule definitions in the tenant
Get-MgIdentityGovernanceAccessReviewDefinition -All
# Create a definition from a hashtable shaped like the Graph request body
New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
# List the instances of a definition (one per recurrence)
Get-MgIdentityGovernanceAccessReviewDefinitionInstance -AccessReviewScheduleDefinitionId "<definition-id>"
# Get the decisions recorded in one instance
Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision -AccessReviewScheduleDefinitionId "<definition-id>" -AccessReviewInstanceId "<instance-id>"
# Stop an in-progress instance early, then apply its results manually
Stop-MgIdentityGovernanceAccessReviewDefinitionInstance -AccessReviewScheduleDefinitionId "<definition-id>" -AccessReviewInstanceId "<instance-id>"
Invoke-MgApplyIdentityGovernanceAccessReviewDefinitionInstanceDecision -AccessReviewScheduleDefinitionId "<definition-id>" -AccessReviewInstanceId "<instance-id>"
The same operations as Microsoft Graph requests:
GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
POST https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/{definitionId}/instances/{instanceId}/decisions
POST https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/{definitionId}/instances/{instanceId}/stop
POST https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/{definitionId}/instances/{instanceId}/applyDecisions
Interaction with Related Technologies
Entra ID Governance: Access Reviews are a core feature of Identity Governance, alongside entitlement management, PIM, and terms of use.
PIM: You can create access reviews for PIM role activations, requiring periodic re-approval.
Conditional Access: Conditional Access is a real-time gate that evaluates each sign-in against signals such as device state, location and risk; Access Reviews clean up the standing assignments (group memberships, application assignments, roles) that those sign-ins would otherwise use. Neither replaces the other: a user who survives a review still has to pass Conditional Access, and a user blocked by Conditional Access still holds the assignment until a review or an admin removes it.
Audit Logs: All review decisions are logged in Entra ID audit logs for compliance reporting.
Exam-Relevant Details
Access Reviews require a Microsoft Entra ID P2 (formerly Azure AD Premium P2) or Microsoft Entra ID Governance license. Microsoft counts licenses for the users who act as reviewers, including users performing a self-review and group or application owners who review; the tenant must hold at least one such license to create a review.
You cannot create a review for a dynamic group; the group must be assigned (static).
Guest user reviews can be scoped to 'Guest users only' for groups.
The 'Auto-apply results' feature only applies after the review duration ends; until then, decisions are pending.
If a reviewer does not respond, the user's access is unchanged while the instance is open. When it closes with auto-apply on, the outcome follows the "If reviewers don't respond" setting: No change (the default) keeps access, Remove access revokes it, Approve access keeps it explicitly, and Take recommendations follows the decision helper.
Recurring reviews create new instances automatically; you cannot edit an in-progress instance directly.
Reviewers can delegate to others if they are managers (via My Access).
The 'No sign-in for 30 days' recommendation requires Azure AD Premium P2 and uses last sign-in data.
Step-by-Step: Creating an Access Review via Portal
Navigate to Azure portal > Identity Governance > Access Reviews.
Click + New access review.
Select what to review: Choose 'Groups' or 'Applications'. For groups, select the group (must be assigned). For apps, select the enterprise application.
Scope: Choose 'All users' or 'Guest users only'. For groups, you can also scope to 'Members'.
Select reviewers: Choose self, manager, or selected users/groups.
Recurrence: Set frequency (e.g., Quarterly) and duration (e.g., 30 days).
Upon completion and advanced settings: enable auto-apply, choose what happens if reviewers don't respond, require justification, and turn on the inactivity recommendation.
Review + create.
Define Review Scope and Type
In the Azure portal, navigate to Identity Governance > Access Reviews and click 'New access review'. First, select the resource type: Groups or Applications. For groups, you must select an existing assigned (static) group; dynamic groups are not supported. For applications, select an enterprise application. Then define the scope: either all users or guest users only. This step determines what user-resource pairs will appear in the review. If you choose 'Guest users only', only guest members of the group or application will be reviewed. This is critical for B2B collaboration compliance.
Select Reviewers
Choose who will perform the review. Options include: Self-review (users review their own access), Manager (each user's manager from the Manager attribute), Group owner(s) (for group reviews), or Selected users/groups (you specify a list of reviewers). For manager reviews, Entra ID reads the Manager attribute from the user profile; if it is missing, the item goes to the fallback reviewers you configure, and with no fallback reviewers it is left unassigned. You can also assign several reviewers to the same items; any of them can decide, and the most recent decision submitted is the one recorded. Reviewers receive an email notification with a link to the My Access portal.
Configure Recurrence and Duration
Set the review to occur once or on a recurring schedule (weekly, monthly, quarterly, annually). For recurring, specify the number of recurrences (0 for infinite) and the duration in days (1-180, default 30). The duration defines how long each review instance remains open for input. After the duration ends, if auto-apply is enabled, results are automatically applied. Reminder emails are sent halfway through and at the end. The start date is typically set to a future date (e.g., next week).
Enable Advanced Settings
Under Upon completion settings and Advanced settings, you can enable: 'Auto-apply results to resource' (apply the outcome automatically when the instance closes), 'If reviewers don't respond' (No change by default; set Remove access if unreviewed users should lose access), 'Justification required' (reviewers must give a reason for their approvals), 'No sign-in within 30 days' (recommends Deny for users who have not signed in for 30 days), and 'Mail notifications' and 'Reminders' (emails to reviewers when the instance starts and at the halfway point). For guest reviews you can also choose the action for denied guests: remove them from the resource, or block sign-in for 30 days and then delete them from the tenant. These settings decide what the review actually changes, so read them with the scenario in mind.
Review and Create
Review all settings on the summary page and click 'Create'. The review becomes active on the start date and reviewers receive email notifications. You can monitor progress from the Access Reviews blade. Settings can be edited freely only before the first instance starts; once an instance is active you cannot change its scope or reviewer list. If you need results before the duration ends, stop the instance early and then apply its results.
Monitor and Apply Results
During the review, you can view decisions in the portal under the review instance. After the duration ends, if auto-apply is enabled, results are applied automatically. If not, you must apply them manually by clicking 'Apply' on the completed instance (stop it first if it is still in progress). Applying results removes denied access (for example, the user is removed from the group) and carries out the configured action for unreviewed items. All changes are logged in the Entra audit logs, and you can export the decisions to CSV for compliance reporting.
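The monitoring and apply steps above, as an added example that is not code from the original page: the script reads the most recent instance of a review definition, summarises its decisions, lists the items nobody has reviewed yet so an admin can chase the reviewer before the instance closes, exports every decision to CSV as audit evidence, and, only when asked, stops the instance and applies the results. It assumes the Microsoft.Graph module is installed and the caller holds AccessReview.ReadWrite.All; the definition ID and CSV path are placeholders.

```powershell
<#
Added example, not from the original page: monitor and apply the results of one
access review instance with the Microsoft Graph PowerShell SDK.
Assumptions: Microsoft.Graph.Identity.Governance is installed, the signed-in
account holds AccessReview.ReadWrite.All, and $DefinitionId is a placeholder.
#>
param(
    [Parameter(Mandatory)] [string] $DefinitionId,
    [switch] $Apply,                                         # stop the open instance and apply results
    [string] $CsvPath = '.\access-review-decisions.csv'      # evidence export
)

Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All' -NoWelcome

# A recurring definition has one instance per occurrence; take the newest one.
$instance = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
    -AccessReviewScheduleDefinitionId $DefinitionId -All |
    Sort-Object StartDateTime -Descending | Select-Object -First 1
if (-not $instance) { throw "No instances found for definition $DefinitionId" }
Write-Output "Instance $($instance.Id) status=$($instance.Status) ends $($instance.EndDateTime)"

$decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
    -AccessReviewScheduleDefinitionId $DefinitionId -AccessReviewInstanceId $instance.Id -All

# Decision values: Approve, Deny, NotReviewed, DontKnow, NotNotified.
$decisions | Group-Object Decision | Select-Object Name, Count | Format-Table -AutoSize

# NotReviewed items are what the "If reviewers don't respond" setting will act on.
$pending = @($decisions | Where-Object { $_.Decision -eq 'NotReviewed' })
foreach ($item in $pending) {
    Write-Output ("Pending: {0} on {1}" -f $item.Principal.DisplayName, $item.Resource.DisplayName)
}
Write-Output "$($pending.Count) of $($decisions.Count) items still unreviewed"

# One row per decision: who decided what, why, and whether the result was applied.
$decisions | Select-Object `
    @{ n = 'Principal';  e = { $_.Principal.DisplayName } },
    @{ n = 'Resource';   e = { $_.Resource.DisplayName } },
    Decision, Recommendation, Justification,
    @{ n = 'ReviewedBy'; e = { $_.ReviewedBy.UserPrincipalName } },
    ReviewedDateTime, ApplyResult |
    Export-Csv -Path $CsvPath -NoTypeInformation
Write-Output "Exported $($decisions.Count) decisions to $CsvPath"

if ($Apply) {
    # applyDecisions is rejected while the instance is InProgress, so stop it first.
    if ($instance.Status -eq 'InProgress') {
        Stop-MgIdentityGovernanceAccessReviewDefinitionInstance `
            -AccessReviewScheduleDefinitionId $DefinitionId -AccessReviewInstanceId $instance.Id
    }
    Invoke-MgApplyIdentityGovernanceAccessReviewDefinitionInstanceDecision `
        -AccessReviewScheduleDefinitionId $DefinitionId -AccessReviewInstanceId $instance.Id
    Write-Output "Apply requested; confirm the removals in the Entra audit log."
}
```

Run it without `-Apply` while the review is open to see who is holding it up; run it with `-Apply` only when you are satisfied with the recorded decisions, because stopping the instance freezes them and the apply step removes every denied user immediately.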
Enterprise Scenario 1: Quarterly Group Membership Review
A large enterprise with 10,000 employees uses Microsoft Entra ID P2. A security group called 'Finance-App-Access' grants access to a sensitive financial application, and the compliance team requires quarterly attestation of its membership. They create a quarterly access review with Manager as reviewer, a 30-day duration, auto-apply enabled and 'If reviewers don't respond' set to Remove access. Each quarter, managers receive an email with a link to review their direct reports' membership and approve or deny each one. After 30 days, denied and unreviewed users are removed from the group. Misconfiguration: if the Manager attribute is missing for some users, their items have no reviewer; specify fallback reviewers when creating the review (typically the group owner or the compliance team) so those items are routed to someone instead of staying unassigned. Scale: with 10,000 users the review creates 10,000 items, but each manager only sees their own team, so reviewer workload stays manageable.
Enterprise Scenario 2: Guest User Access Review
A company collaborates with 500 external partners via B2B guests and wants to review guest access to a SharePoint site that is granted through a group. They create a review scoped to 'Guest users only' with self-review, a 14-day duration, auto-apply on and 'If reviewers don't respond' set to Remove access. Guests review their own access and must justify why they still need it; after 14 days, guests who did not respond lose access, so only active guests retain it. The 'Action to apply on denied guest users' setting decides whether a denied guest is only removed from the group or is blocked from signing in for 30 days and then deleted from the tenant. Common issue: guests may not receive the notification if their invited email address is wrong or no longer monitored; verify guest contact details before relying on self-review.
Enterprise Scenario 3: PIM Role Activation Review
An organization uses PIM for Azure AD roles (e.g., Global Administrator). They create an access review for eligible role assignments, requiring quarterly re-approval. The review is for the role 'Global Administrator', reviewers are selected security admins. After review, denied users lose eligibility. This adds a second layer of approval beyond PIM activation. Misconfiguration: If the review duration is too short (e.g., 1 day), reviewers may not respond in time, causing unintended removal of eligible users. Best practice: set duration to at least 14 days.
What AZ-104 Tests on Access Reviews
AZ-104 objective 1.1 (Manage Azure AD users and groups) includes 'Configure access reviews'. Expect scenario-based questions where you must choose the correct review settings. Related skills in the same objective: manage user roles, manage groups, manage administrative units. The exam tests:
When to use self-review vs. manager review
How to scope reviews to guest users only
The effect of auto-apply
Licensing requirements (Azure AD Premium P2)
Recurrence settings and duration
How to handle missing manager attribute
Common Wrong Answers and Why Candidates Choose Them
Choosing 'All users' scope when only guests need review: Candidates often select 'All users' by default, but the question may specify 'guest users'. The correct answer is 'Guest users only' to reduce noise.
Selecting 'Dynamic group' for review: Dynamic groups cannot be reviewed; only assigned groups. Candidates confuse dynamic groups with assigned groups.
Enabling auto-apply without understanding its effect: Auto-apply removes access after duration. If the question implies manual approval, auto-apply should be off.
Setting recurrence to 'Weekly' when quarterly is required: Read carefully; the question may state 'compliance requires quarterly review'.
Assuming all users need a P2 license: Microsoft counts licenses for users who act as reviewers (including self-reviewers), not for every user who merely appears in a review. A user who is neither reviewed nor a reviewer is not part of the licensing question at all.
Specific Numbers and Terms
Duration default: 30 days
Range: 1-180 days
Recurrence frequencies: weekly, monthly, quarterly, annually
No sign-in recommendation: 30 days
Reminder frequency default: 14 days
Licensing: Azure AD Premium P2 (or E5)
Review types: self, manager, selected users/groups
Edge Cases and Exceptions
If a user's Manager attribute is empty, a manager review has no reviewer for that item; configure fallback reviewers when creating the review so those items are routed to someone, otherwise they stay unassigned and nobody is notified.
For group reviews, if the group is nested, only direct members are reviewed; nested group members are not automatically included.
You cannot edit a review once it is active; you must delete and recreate.
Access Reviews for Azure resource roles (e.g., Contributor on a subscription) are not created from the Access Reviews blade; they are created from PIM for Azure resources.
The 'No sign-in for 30 days' recommendation only works if the user has signed in at least once; new users are not flagged.
How to Eliminate Wrong Answers
Use the underlying mechanism: Access Reviews are about attestation, not automatic removal (unless auto-apply is on). If a question asks 'How to ensure access is removed after review?', the answer must include auto-apply or manual apply. If the question asks 'How to reduce reviewer workload?', choose self-review or manager review. Always check licensing: if the tenant does not have P2, Access Reviews cannot be created.
Access Reviews require Azure AD Premium P2 licensing for all reviewed users and reviewers.
Only assigned (static) groups can be reviewed; dynamic groups are not supported.
Auto-apply results removes denied access automatically when the instance closes; what happens to unreviewed access is decided by 'If reviewers don't respond' (No change by default, Remove access if you want silence to mean removal).
Default review duration is 30 days; range is 1-180 days.
Recurrence can be weekly, monthly, quarterly, annually, or one-time.
Reviewers can be self, manager, or selected users/groups.
Guest-only scope allows reviewing only guest members of a group or app.
Access Reviews do not support Azure RBAC roles; use PIM for Azure resources.
A missing Manager attribute leaves review items without a reviewer unless fallback reviewers were configured.
All review decisions are logged in Azure AD audit logs for compliance.
These come up on the exam all the time. Here's how to tell them apart.
Self-Review
Users review their own access to resources.
Reduces burden on managers; users know their own needs.
Risk: users may approve access they no longer need.
Ideal for low-risk resources or when you want user attestation.
No dependency on manager attribute; works for all users.
Manager Review
Each user's manager reviews their access.
More authoritative; managers know their team's roles.
Requires manager attribute to be populated in Azure AD.
Better for high-risk resources or compliance-driven reviews.
Managers can delegate reviews to others if needed.
Mistake
Access Reviews can be created for any Azure AD object, including users directly.
Correct
Access Reviews are created against a resource: a group's membership, an application's assignments, a role managed through PIM, or an access package. You cannot review one user's access to all resources in a single review; each resource is reviewed separately.
Mistake
Dynamic groups can be used in Access Reviews.
Correct
Dynamic groups are not supported because their membership is rule-based and changes automatically. Access Reviews require assigned (static) groups to ensure a stable set of members to review.
Mistake
Auto-apply results removes access immediately when a reviewer denies.
Correct
Auto-apply only acts when the instance closes, at the end of the duration or earlier if an admin stops it. Denied decisions are stored but not acted on until then (or until an admin applies the results manually). This gives reviewers a chance to change a decision while the instance is still open.
Mistake
All users in the organization need a P2 license for Access Reviews.
Correct
Licenses are counted for users who act as reviewers, including self-reviewers and group or application owners who review; users who merely appear in a review are not counted. Many organizations still license all users to avoid tracking this, but it is not what the licensing rules require.
Mistake
Access Reviews can be used to review Azure resource role assignments (e.g., Contributor on a VM).
Correct
Access Reviews only cover Azure AD roles (via PIM), group memberships, and enterprise application assignments. Azure RBAC roles on subscriptions/resource groups are not supported directly; use PIM for Azure resources.
Microsoft Entra ID P2 (included in Microsoft 365 E5) or Microsoft Entra ID Governance is required. Licenses are counted for the users who act as reviewers, including users performing a self-review and group or application owners who review, and the tenant must hold at least one such license to create a review. Many organizations license all users anyway to avoid the bookkeeping.
If auto-apply is enabled, denied users lose access automatically when the instance closes, and unreviewed users get whatever 'If reviewers don't respond' specifies: No change (the default) leaves their access in place, Remove access revokes it, Take recommendations follows the decision helper. If auto-apply is disabled, nothing changes until an admin applies the results; unreviewed items simply stay in the Not reviewed state.
No. Once an instance is active you cannot change its scope or reviewer list; to change those, delete the review and create a new one. You can still stop the instance early and apply its results, and changes to the definition take effect in the next instance of a recurring review.
When creating the review, under 'Scope', select 'Guest users only'. This applies to both group and application reviews. Only guest members (user type = Guest) will appear as review items. This is useful for B2B collaboration compliance.
Access Reviews are periodic attestations of current access (who has access). PIM provides just-in-time activation and time-bound access. They can be used together: you can create an access review for PIM role assignments to periodically re-certify eligibility.
Access Reviews do not directly review Azure RBAC role assignments (e.g., Contributor on a VM). For that, you need to use PIM for Azure Resources (also requires P2). Access Reviews only cover Azure AD roles (via PIM), groups, and enterprise applications.