This chapter covers Azure AD Access Reviews, a critical governance tool for managing identity lifecycles and ensuring least privilege. Access Reviews are a core component of Azure AD Identity Governance and appear on approximately 15-20% of AZ-500 exam questions, often in scenario-based formats. You will learn how to create, configure, and interpret access reviews, understand the underlying mechanisms, and master the exam's focus on reviewer assignment, auto-apply settings, and remediation actions. This knowledge is essential for passing the Identity Access domain (objective 1.4).
Imagine a large office building where every employee has an access badge that lets them through certain doors. Over time, people change roles, leave, or get promoted, but their badges might still grant old permissions. The building manager must periodically audit each badge: she reviews a list of all badges, asks each employee's manager to confirm whether the badge's access is still appropriate, and revokes any that shouldn't work anymore. This audit is like Azure AD Access Reviews. The building manager (the review creator) selects a set of badges (users/groups) and specific doors (roles/groups/apps). She assigns reviewers (managers) who go through a list and approve or deny each badge. After the review period ends, the system automatically removes access for denied badges. Just as the building manager can make the audit recurring monthly or quarterly, Azure AD access reviews can be configured to run automatically on a schedule. The key point: the audit is not about checking if badges are valid at a single moment; it's about ongoing governance to ensure that only the right people have access to the right areas.
What Are Access Reviews and Why Do They Exist?
Azure AD Access Reviews are a feature of Azure AD Identity Governance that enables organizations to periodically review and certify user access to groups, applications, and Azure AD roles. The primary purpose is to enforce the principle of least privilege and comply with regulatory requirements (e.g., SOX, GDPR, HIPAA) by ensuring that only authorized users retain access. Without access reviews, permissions can accumulate over time, leading to security risks such as privilege creep, dormant accounts, and insider threats.
Access Reviews are part of a broader identity governance strategy that includes entitlement management, privileged identity management (PIM), and terms of use. The exam expects you to understand how access reviews fit into this ecosystem, particularly how they can be used to review PIM-eligible roles and dynamic group memberships.
How Access Reviews Work Internally
An access review is essentially a workflow that consists of the following components:
Review scope: Defines what is being reviewed. This can be:
- A single Azure AD group (security or Microsoft 365)
- An application assigned to users via Azure AD Enterprise Applications
- Azure AD roles (including PIM-eligible roles)
- All users with guest access to a tenant (the "Guest users" scope)
Reviewers: The people who perform the review. Options include:
- Group owners (for group reviews)
- User's manager (requires Azure AD Premium P2)
- Selected users or groups (e.g., a security team)
- Self-review (users review their own access)
Review cycle: A single review or recurring (weekly, monthly, quarterly, semi-annually, annually).
Auto-apply settings: Determines whether denied access is automatically removed after the review ends, or whether manual action is required.
Remediation actions: What happens to denied users: remove from group, remove app assignment, or deactivate role.
When a review starts, Azure AD generates a list of users and their access. Reviewers receive an email notification and can access the review via the Azure portal or the My Access portal (https://myaccess.microsoft.com). Each reviewer must decide to "Approve" or "Deny" for each user. Optionally, reviewers can provide a justification. The review runs for a defined duration (default 30 days, configurable from 1 to 90 days). After the review period ends, if auto-apply is enabled, Azure AD automatically executes the remediation actions for denied users. If auto-apply is disabled, an administrator must manually apply the results.
Key Components, Values, Defaults, and Timers
Review duration: Default 30 days. Can be set between 1 and 90 days. If a reviewer does not respond within the duration, the user's access can be automatically denied (if the "Auto apply" setting is enabled and "If reviewers don't respond" is set to "Deny").
Auto apply: Boolean. If enabled, results are applied automatically after the review ends. If disabled, an admin must manually apply.
If reviewers don't respond: Options: "Approve", "Deny", "Recommendation". The default is "Approve" for most review types, but exam questions often test the scenario where you want to automatically remove access for non-responsive reviewers — you must set this to "Deny".
Review recurrence: Can be weekly, monthly, quarterly, semi-annually, or annually. Each recurrence creates a new review instance.
Duration of recurrence: How long each instance lasts (same as review duration).
End date: Optionally set an end date for recurring reviews.
Guest user reviews: A special scope that reviews all guest users in the tenant. This is a common exam scenario.
Access review of Azure AD roles: Can review both active and eligible assignments (requires P2).
Configuration and Verification Commands
Access reviews are configured primarily through the Azure portal under Azure Active Directory > Identity Governance > Access Reviews. However, you can also use Microsoft Graph API and PowerShell.
PowerShell example to create a new access review:
# Connect to Azure AD
Connect-AzureAD
# Create a recurring access review for a group, reviewed by each member's manager.
# Decisions are applied automatically, and members whose reviewer never responds are denied.
New-AzureADMSAccessReview `
    -DisplayName "Quarterly Sales Group Review" `
    -Scope @{"query"="/groups/12345678-1234-1234-1234-123456789012"} `
    -ReviewerType "manager" `
    -StartDateTime (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ") `
    -DurationInDays 30 `
    -AutoApplyDecisionsEnabled $true `
    -DefaultDecisionEnabled $true `
    -DefaultDecision "Deny" `
    -InstanceDurationInDays 30 `
    -RecurrenceSettings @{
        recurrenceType    = "monthly"
        recurrenceEndType = "never"
    } `
    -JustificationRequired $true
Verification: You can list active reviews with:
Get-AzureADMSAccessReview | Format-List Id, DisplayName, Status
Interaction with Related Technologies
Entitlement Management: Access reviews can be used to review access packages. When an access package includes a group, app, or site, you can require periodic reviews as part of the package lifecycle.
Privileged Identity Management (PIM): Access reviews can be configured for Azure AD roles (both active and eligible). This is a key exam topic: you can create an access review for PIM-eligible roles to ensure that only users who still need the role maintain eligibility.
Conditional Access: While not directly integrated, access reviews can be used to remediate users who fail conditional access policies (e.g., by removing them from a group that grants access).
Azure AD Identity Protection: Access reviews can be used to review users flagged for risky behavior.
Exam Focus: Trap Patterns
Common wrong answers on the exam:
Selecting "Approve" as the default for non-responsive reviewers when the goal is to remove stale access. The correct default for security-focused reviews is "Deny".
Assuming access reviews can be applied to individual users directly — they must be scoped to a group, app, or role.
Confusing access reviews with PIM activation approvals: Access reviews are periodic certifications, not just-in-time approvals.
Thinking that access reviews remove access immediately upon a reviewer denying — only after the review period ends and auto-apply is enabled.
Edge Cases
Guest user reviews: When reviewing all guests, the review includes all guest users in the tenant. If you deny a guest, they are removed from all groups and applications.
Multi-stage reviews: Not supported natively in Azure AD Access Reviews; for multiple approvers, you might need to use separate reviews or entitlement management.
Reviewer delegation: A reviewer can delegate their review to someone else via the My Access portal.
Historical data: Access review results are stored for 30 days after the review ends. You can export them to CSV.
Summary of Key Exam Numbers
Default review duration: 30 days
Minimum duration: 1 day
Maximum duration: 90 days
Default decision for non-responsive: Approve (but exam expects you to change to Deny for security)
Auto-apply: Must be enabled for automatic remediation
P2 license required for manager as reviewer and recurring reviews
Guest review scope: all guest users in the tenant
Define Review Scope
First, you must decide what access you want to review. In the Azure portal, navigate to Azure Active Directory > Identity Governance > Access Reviews > New access review. Choose whether to review groups, applications, Azure AD roles, or guest users. For groups, you can select a specific group or all groups. For applications, you select an enterprise application. For Azure AD roles, you choose which roles to review. The scope determines which users are included in the review. For example, if you select a group named 'Sales Team', only members of that group will be reviewed. Note: Dynamic group memberships are evaluated at review time, so if a user is no longer a member due to a dynamic rule, they won't appear in the review.
Select Reviewers
You must choose who will perform the review. Options depend on the scope. For group reviews, you can select group owners (if the group has owners), the user's manager (requires P2 license), selected users/groups (e.g., a security team), or self-review. For application reviews, you can select the application owner or a specific set of reviewers. For Azure AD roles, you can select the role assignable groups or specific users. For guest reviews, you can select the guest's manager or self-review. The exam often tests that 'manager' as reviewer requires Azure AD Premium P2. Also, you can set multiple reviewers, but they all act independently; there is no sequential approval.
Configure Settings
Now configure review settings: name, description, start date, duration (default 30 days), recurrence (if any), and end date for recurrence. Under Settings, you must decide auto-apply (yes/no) and what to do if reviewers don't respond: Approve, Deny, or Recommendation. The 'Recommendation' option uses Azure AD's machine learning to suggest approval or denial based on sign-in activity. You can also require justification from reviewers. For security-critical reviews, set auto-apply to Yes and default decision to Deny. This ensures that any user not explicitly approved loses access after the review ends. The exam loves to test this: if you want to automatically remove access for users whose manager doesn't respond, you must set 'If reviewers don't respond' to Deny and enable auto-apply.
Start the Review
After configuring, click 'Create' to start the review. Reviewers receive an email notification with a link to the My Access portal. The review runs for the specified duration. During this time, reviewers can log in, see the list of users, and approve or deny each one. They can also delegate to another user if needed. Administrators can monitor the review progress in the Azure portal, viewing how many decisions have been made. The review status shows as 'InProgress'. If the review is recurring, a new instance starts after the previous one ends (with a configurable gap).
Apply Results
When the review period ends, if auto-apply is enabled, Azure AD automatically applies the decisions: denied users are removed from the group, application assignment, or role. If auto-apply is disabled, an administrator must manually click 'Apply' to execute the remediation. After application, the review status changes to 'Applied'. You can then export the results to a CSV file for auditing. Note: If a reviewer denies a user but auto-apply is off, the user retains access until an admin applies. This is a common exam trap: always check whether auto-apply is enabled. Also, if the review is recurring, the next instance may start immediately after the previous one ends, depending on the recurrence settings.
In a large enterprise with thousands of employees, access reviews are a critical governance process. For example, consider a multinational corporation that uses Azure AD to manage access to its ERP application. The ERP team creates an Azure AD group named 'ERP-Users' and assigns the application to that group. Over time, employees move between departments, but their membership in the ERP group is not automatically updated. To enforce least privilege, the identity team creates a quarterly access review for the ERP-Users group. They select the user's manager as the reviewer (requiring P2 licenses for all users) and set the default decision to 'Deny' with auto-apply enabled. This ensures that if a manager does not respond within 30 days, the user loses access. In production, this review covers 5,000 users across 200 managers. The identity team uses the 'Recommendation' feature to help managers decide: Azure AD analyzes each user's recent sign-ins to the ERP app and suggests approval only if the user has logged in within the last 90 days. This reduces the manual effort by 40%.
Another scenario involves reviewing guest access. A company collaborates with external partners and has thousands of guest users. They create an access review scoped to 'Guest users' with self-review: each guest must confirm they still need access. The default decision is set to 'Deny' and auto-apply enabled. Guests who do not respond within 30 days are automatically removed from all Azure AD resources. This prevents orphaned guest accounts from becoming a security risk. A common misconfiguration is setting the default to 'Approve', which would allow stale guests to retain access.
A third scenario is reviewing Azure AD roles. A company uses PIM to grant eligible assignments to the Global Administrator role. To ensure that only necessary users maintain eligibility, they create a monthly access review for the Global Administrator role, with the security team as reviewers. They set 'If reviewers don't respond' to 'Deny' and auto-apply enabled. This ensures that any administrator who is not explicitly approved loses eligibility. A common pitfall is not enabling auto-apply, leaving the review results unapplied and the role assignments unchanged. The identity team monitors the review using PowerShell scripts to export results and audit compliance.
Scale considerations: For large reviews (over 10,000 users), the review portal may experience latency. Microsoft recommends breaking reviews into smaller scopes (e.g., by department). Also, reviewer fatigue can lead to inaccurate decisions; using recommendations helps. Performance-wise, the auto-apply process can take up to 24 hours for large reviews. Misconfigurations often occur when setting the recurrence: if you set a monthly recurrence with a 30-day duration, the next instance starts immediately after the previous ends, which may not leave time for analysis. Best practice is to set a gap by using a shorter duration or a longer recurrence interval.
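As an added example (not the chapter's own code), the following Python builds the Microsoft Graph accessReviewScheduleDefinition request body for the group review walked through in the five steps above and lints it for the settings this chapter flags: auto-apply off, a non-responder default other than Deny, manager or recurrence without P2, and the recurrence gap discussed in the previous paragraph. The Graph field names, reviewer query strings and the placeholder group id are assumptions recalled from the Graph reference, not values taken from this page.

```python
# Approximate days per recurrence interval, used for the gap check below. Assumption:
# quarterly / semi-annual / annual are Graph "absoluteMonthly" with interval 3, 6 or 12.
PATTERN_DAYS = {"weekly": 7, "absoluteMonthly": 30}

# Reviewer scopes, assumed to follow the Graph accessReviewReviewerScope documentation.
REVIEWERS = {
    "manager": {"query": "./manager", "queryType": "MicrosoftGraph", "queryRoot": "decisions"},
    "owners": {"query": "/groups/{gid}/owners", "queryType": "MicrosoftGraph"},
}

def build_definition(name, group_id, *, reviewer="manager", duration_days=30,
                     recurrence=("absoluteMonthly", 3), auto_apply=True,
                     default_decision="Deny", start_date="2025-01-01"):
    """Return a Graph request body for a group membership review; recurrence is (type, interval) or None."""
    reviewer_scope = dict(REVIEWERS[reviewer])
    reviewer_scope["query"] = reviewer_scope["query"].format(gid=group_id)
    settings = {
        "mailNotificationsEnabled": True,
        "reminderNotificationsEnabled": True,
        "justificationRequiredOnApproval": True,
        "recommendationsEnabled": True,       # sign-in based Approve/Deny suggestions
        "instanceDurationInDays": duration_days,
        "autoApplyDecisionsEnabled": auto_apply,
        "defaultDecisionEnabled": default_decision != "None",
        "defaultDecision": default_decision,  # used when the reviewer never responds
        "recurrence": None,
    }
    if recurrence:
        settings["recurrence"] = {
            "pattern": {"type": recurrence[0], "interval": recurrence[1], "dayOfMonth": 0},
            "range": {"type": "noEnd", "startDate": start_date},
        }
    return {
        "displayName": name,
        "scope": {"query": f"/groups/{group_id}/transitiveMembers", "queryType": "MicrosoftGraph"},
        "reviewers": [reviewer_scope],
        "settings": settings,
    }

def lint_definition(body, *, has_p2):
    """Return findings for the settings this chapter flags as exam traps or misconfigurations."""
    s, findings = body["settings"], []
    if not 1 <= s["instanceDurationInDays"] <= 90:
        findings.append("duration must be between 1 and 90 days")
    if not s["autoApplyDecisionsEnabled"]:
        findings.append("auto-apply is off: denied users keep access until an admin applies results")
    if not (s["defaultDecisionEnabled"] and s["defaultDecision"] == "Deny"):
        findings.append("non-responders are not denied: stale access survives the review")
    uses_manager = any(r["query"] == "./manager" for r in body["reviewers"])
    recurring = s["recurrence"] is not None
    if (uses_manager or recurring) and not has_p2:
        findings.append("manager as reviewer and recurring reviews require Azure AD Premium P2")
    if recurring:
        pattern = s["recurrence"]["pattern"]
        interval_days = PATTERN_DAYS[pattern["type"]] * pattern["interval"]
        if interval_days - s["instanceDurationInDays"] <= 0:
            findings.append(f"no gap: a {interval_days}-day recurrence with a {s['instanceDurationInDays']}-day "
                            "duration starts the next instance as soon as the previous one ends")
    return findings

if __name__ == "__main__":
    gid = "00000000-0000-0000-0000-000000000000"  # constructed placeholder group id
    good = build_definition("Quarterly ERP-Users Review", gid)
    weak = build_definition("Monthly ERP-Users Review", gid, recurrence=("absoluteMonthly", 1),
                            auto_apply=False, default_decision="Approve")
    print("good:", lint_definition(good, has_p2=True))   # []
    print("weak:", lint_definition(weak, has_p2=True))   # three findings
```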
The AZ-500 exam tests Access Reviews under objective 1.4: Configure and manage Azure AD Identity Governance. Specifically, you need to know how to create and manage access reviews, configure reviewer settings, and understand the impact of auto-apply and default decisions. The exam typically presents a scenario where a company needs to periodically certify access to a group or app, and you must choose the correct configuration.
Common wrong answers:
1. Selecting 'Approve' as the default decision when the goal is to remove stale access. Candidates mistakenly think that non-responsive reviewers imply approval, but for security, you want to deny by default if there is no response.
2. Choosing 'Selected users' as reviewers without specifying who, or confusing group owners with the user's manager. The exam tests that manager as reviewer requires P2.
3. Forgetting to enable auto-apply when the requirement is automatic removal. Candidates pick auto-apply = No, thinking they need manual oversight, but the question often says 'automatically remove'.
4. Confusing access reviews with PIM activation: Access reviews are periodic certifications, not just-in-time elevation. A question might ask about reviewing eligible role assignments, and the answer is an access review, not PIM settings.
Specific numbers to memorize:
Default review duration: 30 days (configurable 1-90)
Auto-apply: must be Yes for automatic remediation
Default decision for non-responsive: Approve (but change to Deny for security)
Recurrence options: weekly, monthly, quarterly, semi-annually, annually
Guest review scope: all guest users
License requirement: Azure AD Premium P2 for manager as reviewer and recurring reviews
Edge cases the exam loves:
Reviewing dynamic groups: membership is evaluated at review time; users who no longer meet the dynamic rule are not included.
Reviewing PIM roles: you can review both active and eligible assignments. The review applies to the role assignments, not the role itself.
Multiple reviewers: When you select multiple reviewers (e.g., group owners), each user in the review is assigned to one of those reviewers by a load-balancing algorithm, so a single reviewer decides for each user and the system never combines decisions. Reviewers act independently and do not need to agree. This is a common misconception: candidates think all reviewers must approve for a user to keep access.
How to eliminate wrong answers: If the scenario says 'automatically remove access for users whose manager does not respond', look for options that include auto-apply = Yes and default decision = Deny. If the scenario says 'manually review before applying', choose auto-apply = No. Always check the license requirement: if the scenario says 'manager as reviewer', the answer must include P2. For guest reviews, the scope is 'Guest users' not a specific group.
Access reviews are used to periodically certify user access to groups, applications, and Azure AD roles.
Default review duration is 30 days (configurable 1-90).
Auto-apply must be enabled for automatic removal of denied users.
For security, set 'If reviewers don't respond' to 'Deny' to remove stale access.
Manager as reviewer requires Azure AD Premium P2 license.
Recurring reviews can be weekly, monthly, quarterly, semi-annually, or annually.
Guest user access review scopes all guest users in the tenant.
Access reviews can be used to review PIM-eligible role assignments.
Each user is assigned to a single reviewer (not multiple).
Review results can be exported to CSV for audit.
These come up on the exam all the time. Here's how to tell them apart.
Access Review for Groups
Reviews membership of Azure AD security or Microsoft 365 groups.
Can use group owners as reviewers without P2 license.
Remediation removes user from group.
Supports dynamic group membership evaluation at review time.
Commonly used for access to multiple resources via group-based assignment.
Access Review for Applications
Reviews users assigned to an enterprise application.
Reviewers can be application owners (requires assignment) or selected users.
Remediation removes the user's application assignment.
Does not evaluate dynamic membership; only direct assignments.
Typically used for single application access certification.
Mistake
Access reviews can be used to review individual user accounts directly.
Correct
Access reviews must be scoped to a group, application, or Azure AD role. You cannot create a review for a single user without putting them in a group first.
Mistake
If a reviewer denies a user, access is removed immediately.
Correct
Access is only removed after the review period ends and if auto-apply is enabled. Until then, the user retains access.
Mistake
All reviewers must approve for a user to keep access.
Correct
Each user is assigned to a single reviewer (unless self-review). Only that reviewer's decision matters for that user.
Mistake
Access reviews require Azure AD Premium P1 license.
Correct
Access reviews require Azure AD Premium P2 for advanced features like manager as reviewer and recurring reviews. Basic reviews (e.g., self-review for guests) may work with P1, but the exam focuses on P2.
Mistake
Once an access review is created, you cannot modify it.
Correct
You can modify an access review before it starts. Once it is in progress, you can still change settings like duration and default decision, but changes only apply to new instances if recurring.
An access review is a periodic certification of existing access (e.g., quarterly review of group membership). PIM activation approval is a just-in-time approval process for role activation. Access reviews are about ongoing governance; PIM approvals are about granting temporary elevated access. Both are part of Identity Governance but serve different purposes.
Yes, you can create an access review for a dynamic group. However, the membership is evaluated at the time of review. Users who no longer meet the dynamic rule are not included in the review. The review will only show current members.
The outcome depends on the 'If reviewers don't respond' setting. If set to 'Approve', the user keeps access. If set to 'Deny', the user is denied. If set to 'Recommendation', Azure AD uses sign-in activity to suggest approval or denial. The default is 'Approve'.
You must enable 'Auto apply' when creating the review. After the review period ends, Azure AD will automatically remove the denied users from the group, application, or role. If auto-apply is disabled, an administrator must manually apply the results.
Azure AD Premium P2 is required for advanced features such as using manager as reviewer, recurring reviews, and reviews of Azure AD roles. Basic access reviews (e.g., self-review for guests) may work with P1, but the exam focuses on P2.
Yes, there is a built-in scope called 'Guest users' that reviews all guest users in the tenant. When you create a new access review, you can select 'Guest users' as the scope. This is a common exam scenario.
When creating the review, you can select 'Selected users/groups' as the reviewer type and then choose multiple users or groups. However, each user in the review is assigned to only one of those reviewers (load-balanced). They do not all review the same users.