Entra ID Access Reviews

Entra ID Access Reviews are a feature of Microsoft Entra ID (formerly Azure AD) that enables organizations to periodically review and certify user access to resources such as groups, applications, and roles. The primary purpose is to ensure that only authorized users have access, reducing the risk of stale accounts, privilege creep, and security breaches. Access Reviews are part of the Identity Governance suite, which also includes entitlement management, Privileged Identity Management (PIM), and terms of use.

In any organization, users accumulate access over time through role changes, project assignments, and lateral moves. Manual audits are time-consuming and error-prone. Access Reviews automate the certification process by sending reviewers periodic requests to confirm or deny each user's access. The results can be automatically applied to remove access for denied users, or exported for further processing.

When an access review is created, the Azure AD provisioning service schedules a job that runs at the configured frequency (e.g., weekly, monthly, quarterly, annually). The job performs the following steps:

- Self-review (user reviews their own access) - Specific users or groups - Manager of the user (requires the user to have a manager attribute populated) - Fallback reviewers if the primary reviewer is unavailable 3. Notification: The system sends an email notification to each reviewer with a link to the Azure portal where they can see the list of users to review. The email is sent at the start of the review period. 4. Review Period: Reviewers have a configurable duration (default 30 days) to complete their reviews. During this period, they can log in, see each user, and choose 'Approve' or 'Deny' for each. They can also provide a justification. 5. Reminders: The system sends reminder emails at configurable intervals (default: halfway through, and 3 days before the end). 6. Auto-Apply: If the 'Auto apply results to resource' option is enabled, when the review period ends, the system automatically processes the decisions. Users who were denied have their access removed (e.g., removed from the group or role). Users who were approved remain. Users who were not reviewed by the deadline can be either treated as 'Approved' or 'Denied' based on the review's 'Action to apply on denied users' setting. 7. Audit Logging: Every decision and action is logged in the Azure AD audit logs. You can also export the results to a CSV file.

- Review Type: Choose between 'Groups & Apps' (review group memberships or application assignments) or 'Azure AD roles' (review role assignments). - Scope: Can be 'Guest users only', 'All users', or a specific set of users. - Reviewers: Options include: - 'Selected user(s) or group(s)' – you pick specific reviewers. - 'Members (self-review)' – users review their own access. - 'Manager of user' – the user's manager reviews. - 'Group owner(s)' – for group reviews, the group owners review. - Duration (in days): Default is 30 days. Minimum 1 day, maximum 180 days. - Reminders: Default reminder is sent at the midpoint and 3 days before end. You can customize via the 'Advanced settings'. - Auto-apply: Default is disabled. When enabled, decisions are applied automatically after the review ends. - Action to apply on denied users: Options are 'Remove membership' or 'Disable sign-in' (only for app assignments). - If reviewers don't respond: Options are 'Approve' (treat as approved) or 'Deny' (treat as denied). - Justification required: You can require reviewers to provide a reason for their decision. - Multi-stage review: You can add multiple stages (e.g., first stage self-review, second stage manager review).

Access Reviews are primarily configured via the Entra admin center at https://entra.microsoft.com under Identity Governance > Access Reviews. However, you can also use Microsoft Graph PowerShell or Microsoft Graph API.

Example PowerShell to create an access review:

Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$params = @{
    displayName = "Quarterly Guest Review"
    descriptionForAdmins = "Review guest access to Marketing group"
    descriptionForReviewers = "Please confirm or deny access for each guest"
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query = "/groups/12345678-1234-1234-1234-123456789012/members"
        queryType = "MicrosoftGraph"
    }
    reviewers = @(
        @{
            query = "/users/87654321-4321-4321-4321-210987654321"
            queryType = "MicrosoftGraph"
        }
    )
    settings = @{
        mailNotificationsEnabled = $true
        reminderNotificationsEnabled = $true
        justificationRequiredOnApproval = $true
        defaultDecisionEnabled = $false
        autoApplyDecisionsEnabled = $false
        instanceDurationInDays = 30
        recurrence = @{
            pattern = @{
                type = "monthly"
                interval = 3
            }
            range = @{
                type = "noEnd"
                startDate = "2025-01-01"
            }
        }
    }
}

New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params

Verification:

Get-MgIdentityGovernanceAccessReviewDefinition -Filter "displayName eq 'Quarterly Guest Review'"

This will create a one-time review (or recurring if configured). The system will send emails to each user's manager. After 14 days, any guest users not approved will be removed from the group.

| Setting | Default Value | |---------|---------------| | Duration | 30 days | | Auto-apply | Disabled | | If no response | Approve | | Justification required | Disabled | | Reminders | Midpoint and 3 days before end | | Max stages | 3 |

Always remember these defaults for the exam, as questions often test whether you know them.

A multinational company with 10,000 guest users (vendors, partners) needs to ensure that only active collaborators have access to internal SharePoint sites and Microsoft Teams. They create a quarterly access review for all guest users in the 'All Guests' group. Reviewers are the guest's manager (populated via HR system). The review is set to auto-apply with a duration of 14 days, and if no response, the guest is denied. This ensures that stale guest accounts are removed within 90 days. In production, the company configures a fallback reviewer (the IT security team) for guests without a manager. Common issues: managers ignore emails, so the IT team must follow up manually. The company also integrates with Azure Monitor to alert when a guest is denied, triggering a ticket to the sponsor.

A financial institution must certify all Azure AD role assignments (e.g., Global Administrator, Exchange Administrator) every six months to comply with internal audit policy. They create an access review for 'Azure AD roles' with scope 'All users'. Reviewers are the role owners (e.g., the CISO reviews Global Admins). The review has two stages: first, the user self-certifies, then the role owner approves. Duration is 30 days per stage. Auto-apply is enabled, and if no response, the role is removed. In production, the institution uses PIM for eligible roles, but Access Reviews are used for permanent active assignments. Mistakes include forgetting to configure fallback reviewers, leading to orphaned reviews. The institution also exports results to an SIEM for audit.

A healthcare organization uses a custom EHR application assigned via an Azure AD security group. They must annually review who has access to ensure HIPAA compliance. They create a review for that group, with reviewers being the application owner. Duration is 60 days (to accommodate vacation schedules). Auto-apply is disabled so the compliance team can manually approve after reviewing the results. Common misconfiguration: setting auto-apply to deny on no response without notifying reviewers, causing accidental removal of legitimate users. The organization also uses the Graph API to programmatically create reviews for hundreds of applications, using PowerShell scripts to automate the process.