MS-900 | Chapter 64 of 104 | Objective 3.3

Entra ID Access Reviews

This chapter covers Entra ID Access Reviews, a critical security governance feature that helps organizations regularly audit and certify user access to groups, applications, and roles. For the MS-900 exam, this topic falls under Domain 3.3: 'Describe the identity and access management capabilities of Microsoft Entra ID.' Approximately 5-10% of exam questions touch on access reviews, focusing on use cases, reviewer types, review scope, and the automatic removal of access. You must understand when to use Access Reviews versus Privileged Identity Management (PIM) and how they enforce least-privilege principles.

25 min read
Intermediate
Updated May 31, 2026

Entra ID Access Reviews: The Security Audit Badge System

Imagine a large corporate building where every employee wears a badge that grants access to specific floors and rooms. The security team knows that employees change roles, leave the company, or simply forget to return badges. To prevent unauthorized access, they conduct a quarterly 'badge audit.' Each manager receives a list of their team members' current badges and must confirm which employees still need each badge. If a manager does not respond by the deadline, the badge is automatically deactivated. This is exactly how Entra ID Access Reviews work: a reviewer (manager) receives a list of users and their assigned access (roles, groups, apps) and must approve or deny each one. If they do not respond within the review's duration (e.g., 30 days), the access is automatically removed. The system also handles multi-stage reviews (e.g., first manager, then security officer) and can require guests to review their own access. Just like the badge system prevents old employees from entering the building, Access Reviews prevent stale permissions from remaining in the tenant.

How It Actually Works

What Are Entra ID Access Reviews?

Entra ID Access Reviews allow administrators to create recurring or one-time reviews of user access to groups, applications, and Azure AD roles. The goal is to ensure that only the right people have access to sensitive resources. Access Reviews are part of Microsoft's Identity Governance capabilities within Microsoft Entra ID (formerly Azure Active Directory). They help organizations meet compliance requirements (e.g., SOX, GDPR) by providing evidence of periodic access certification.

Why Access Reviews Exist

Over time, users accumulate access rights—they change roles, leave teams, or leave the organization. Without regular audits, former employees or contractors may retain access to critical systems. Access Reviews automate the certification process: a reviewer (typically a manager or resource owner) approves or denies each user's continued access. If denied or not responded to, access is automatically removed. This enforces the principle of least privilege and reduces the attack surface.

Key Components

Review scope: What is being reviewed? Options include:

- Azure AD roles (e.g., Global Administrator)
- Azure AD groups (security groups, Microsoft 365 groups)
- Application access (enterprise applications)

Reviewers: Who performs the review? Options:

- Group owner(s)
- Selected users or groups (e.g., security team)
- Users themselves (self-review)
- Manager of each user (dynamic: the system identifies each user's manager)

Duration: How long does the reviewer have to respond? Default is 30 days, configurable from 1 to 180 days.

Recurrence: One-time or recurring (e.g., weekly, monthly, quarterly, annually).

Auto-apply: If set, decisions are applied automatically after the review ends. If not, an administrator must manually apply results.

Fallback reviewers: If a reviewer has not responded, a fallback reviewer can be assigned to handle outstanding decisions.

Decisions: Approve, Deny, or Not Reviewed. 'Not Reviewed' is treated as a denial if auto-apply is enabled.

How Access Reviews Work Internally

1. Creation: An administrator creates an access review in the Entra ID portal, specifying scope, reviewers, duration, recurrence, and auto-apply settings.

2. Notification: At the start of the review, reviewers receive an email with a link to the review dashboard. They can also access it via the My Access portal (https://myaccess.microsoft.com).

3. Review Process: Reviewers see a list of users and their access. For each user, they can:

- Approve (keep access)
- Deny (remove access)
- Skip (no decision, treated as Not Reviewed)
- Add a reason (optional)

Reviewers can also bulk approve/deny.

4. Reminders: The system sends periodic reminders (configurable) to reviewers who haven't completed their review.

5. End of Review: Once the duration expires, the review ends. If auto-apply is enabled, all 'Deny' and 'Not Reviewed' decisions result in access removal. If auto-apply is off, an administrator must manually apply the results.

6. Access Removal: When a decision is applied, the user is removed from the group, role, or application assignment. For Azure AD roles, this means the user loses the role's permissions. For groups, the user is removed from the group membership. For applications, the user's assignment to the enterprise application is removed.
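The end-of-review logic described in steps 5 and 6 is easy to state and easy to get wrong, so here is an added Python model of it (example code written for this chapter, not Microsoft's implementation). It encodes the page's rules: a 30-day window, reminders every 7 days, auto-apply off by default, and, when auto-apply is on, both 'Deny' and 'Not Reviewed' removing access. The review items and reviewer names are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    APPROVE = "Approve"
    DENY = "Deny"
    NOT_REVIEWED = "NotReviewed"   # reviewer skipped the item or never responded


@dataclass
class ReviewItem:
    principal: str                 # user whose access is under review
    assignment: str                # group, role or application assignment being certified
    decision: Decision = Decision.NOT_REVIEWED
    reviewed_by: Optional[str] = None


@dataclass
class ReviewSettings:
    duration_days: int = 30        # chapter defaults: 30-day window, auto-apply off, reminders every 7 days
    auto_apply: bool = False
    reminder_interval_days: int = 7


def configuration_warnings(settings: ReviewSettings) -> List[str]:
    """Things an administrator should look at before the review starts."""
    warnings = []
    if not 1 <= settings.duration_days <= 180:
        warnings.append(f"duration {settings.duration_days} is outside the allowed 1-180 days")
    if settings.reminder_interval_days < 1:
        warnings.append("reminder interval must be at least 1 day")
    if not settings.auto_apply:
        warnings.append("auto-apply disabled: decisions sit unapplied until an admin applies them")
    return warnings


def reminder_schedule(settings: ReviewSettings) -> List[int]:
    """Days (counted from the review start) on which reviewers with open items are reminded."""
    return list(range(settings.reminder_interval_days, settings.duration_days,
                      settings.reminder_interval_days))


def record_decision(item: ReviewItem, decision: Decision, reviewer: str) -> None:
    item.decision = decision
    item.reviewed_by = reviewer


def outstanding_items(items: List[ReviewItem]) -> List[ReviewItem]:
    """Undecided items; this is the list a fallback reviewer is asked to work through."""
    return [i for i in items if i.decision is Decision.NOT_REVIEWED]


def apply_results(items: List[ReviewItem], settings: ReviewSettings) -> Tuple[List[str], List[str], List[str]]:
    """Simulate the end of the review window.

    Returns (removed, kept, pending).  With auto-apply on, Deny and NotReviewed both
    remove the assignment.  With auto-apply off nothing changes: the decision is only
    recorded, the user keeps access, and the item waits for an administrator to apply it.
    """
    removed, kept, pending = [], [], []
    for item in items:
        label = f"{item.principal}:{item.assignment}"
        if item.decision is Decision.APPROVE:
            kept.append(label)
        elif settings.auto_apply:
            removed.append(label)
        else:
            pending.append(label)
    return removed, kept, pending


def sample_review() -> List[ReviewItem]:
    """Constructed sample: three members of one group review, not data from any tenant."""
    items = [ReviewItem("alice", "Sales-Group"), ReviewItem("bob", "Sales-Group"),
             ReviewItem("carol", "Sales-Group")]
    record_decision(items[0], Decision.APPROVE, "manager")
    record_decision(items[1], Decision.DENY, "manager")
    # carol's manager never responded, so her item stays NotReviewed
    return items


if __name__ == "__main__":
    items = sample_review()
    for settings in (ReviewSettings(auto_apply=True), ReviewSettings()):
        print(settings, apply_results(items, settings))
        print("warnings:", configuration_warnings(settings))
```

Running it shows the exam trap directly: the same three decisions remove two assignments with auto-apply on and remove nothing with the default setting.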

Default Values and Timers

Default review duration: 30 days

Default recurrence: None (one-time)

Default auto-apply: Disabled

Default reminder frequency: Every 7 days

Maximum duration: 180 days

Minimum duration: 1 day

Maximum number of reviewers per review: 1000

Maximum number of users per review: 50,000 (for groups)

Configuration and Verification

Access Reviews are created via the Entra ID admin center under Identity Governance > Access Reviews. Alternatively, you can use Microsoft Graph API or PowerShell.

Example PowerShell snippet to create an access review for a group (the recurrence setting below makes it quarterly; omit that setting for a one-time review):

# Requires the Microsoft.Graph PowerShell SDK and the AccessReview.ReadWrite.All permission.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

# Replace the placeholders with the object IDs of the group to review and of the reviewer.
$groupId = "<group-id>"
$reviewerId = "<user-id>"

New-MgIdentityGovernanceAccessReviewDefinition `
  -DisplayName "Quarterly Sales Group Review" `
  -DescriptionForAdmins "Review access to Sales group" `
  -Scope @{
    "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
    query         = "/groups/$groupId/members"
    queryType     = "MicrosoftGraph"
  } `
  -Reviewers @(@{ query = "/users/$reviewerId"; queryType = "MicrosoftGraph" }) `
  -Settings @{
    mailNotificationsEnabled        = $true
    reminderNotificationsEnabled    = $true    # reminders every 7 days by default
    justificationRequiredOnApproval = $true
    defaultDecisionEnabled          = $false
    autoApplyDecisionsEnabled       = $false   # default: an admin must apply results manually
    recommendationsEnabled          = $true    # recommend Deny for users with no sign-in in 30+ days
    instanceDurationInDays          = 30       # Graph property name; reviewers get 30 days to respond
    recurrence = @{
      pattern = @{ type = "absoluteMonthly"; interval = 3 }   # every 3 months; omit for a one-time review
      range   = @{ type = "noEnd"; startDate = (Get-Date -Format "yyyy-MM-dd") }
    }
  }

Verification: After the review ends, check the results under Identity Governance > Access Reviews > Select the review > Review instances. You can see decisions, export a CSV report, and apply results.
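The same definition can be created through the Microsoft Graph REST API. The Python below, added for this chapter and not part of the chapter or of Microsoft's tooling, builds the JSON body for POST /identityGovernance/accessReviews/definitions with the settings the PowerShell example uses, and then audits a definition for the pitfalls the chapter warns about (auto-apply off, no fallback reviewers, reminders or recommendations disabled, duration outside 1-180 days). The guests-only filter string is an assumption, as are the placeholder IDs; submit() is shown for completeness and is not called offline.

```python
import json
import urllib.request
from datetime import date
from typing import Any, Dict, List, Optional, Sequence

# Microsoft Graph collection for access review schedule definitions.
GRAPH_URL = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"


def reviewer_scope(user_id: str) -> Dict[str, str]:
    """One selected-user reviewer in the accessReviewReviewerScope shape."""
    return {"query": f"/users/{user_id}", "queryType": "MicrosoftGraph"}


def build_group_review(display_name: str, group_id: str, reviewer_ids: Sequence[str], *,
                       duration_days: int = 30, auto_apply: bool = False,
                       every_n_months: int = 3, guests_only: bool = False,
                       fallback_ids: Sequence[str] = (), start: Optional[date] = None) -> Dict[str, Any]:
    """Build the request body for a recurring review of a group's members."""
    if not 1 <= duration_days <= 180:
        raise ValueError("instanceDurationInDays must be between 1 and 180")
    if not reviewer_ids:
        raise ValueError("at least one reviewer is required")
    query = f"/groups/{group_id}/members"
    if guests_only:
        # Assumed filter shape for a 'Guest users only' scope (not taken from the chapter).
        query += "/microsoft.graph.user/?$filter=(userType eq 'Guest')"
    return {
        "displayName": display_name,
        "descriptionForAdmins": f"Periodic certification of {display_name}",
        "scope": {"@odata.type": "#microsoft.graph.accessReviewQueryScope",
                  "query": query, "queryType": "MicrosoftGraph"},
        "reviewers": [reviewer_scope(r) for r in reviewer_ids],
        "fallbackReviewers": [reviewer_scope(r) for r in fallback_ids],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "defaultDecisionEnabled": False,
            "autoApplyDecisionsEnabled": auto_apply,
            "recommendationsEnabled": True,
            "instanceDurationInDays": duration_days,
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": every_n_months},
                "range": {"type": "noEnd", "startDate": (start or date.today()).isoformat()},
            },
        },
    }


def audit_definition(body: Dict[str, Any]) -> List[str]:
    """Flag settings that leave a review toothless or hard to complete."""
    findings = []
    s = body.get("settings", {})
    if not s.get("autoApplyDecisionsEnabled"):
        findings.append("auto-apply off: Deny/Not reviewed decisions are recorded but not enforced "
                        "until an administrator applies them")
    if not body.get("reviewers"):
        findings.append("no reviewers assigned")
    if not body.get("fallbackReviewers"):
        findings.append("no fallback reviewers: items stay 'Not reviewed' if a reviewer leaves or ignores the mail")
    if not s.get("reminderNotificationsEnabled"):
        findings.append("reminders disabled: reviewers are not nudged before the window closes")
    if not s.get("recommendationsEnabled"):
        findings.append("recommendations disabled: reviewers get no sign-in based Deny hints")
    duration = s.get("instanceDurationInDays", 0)
    if not 1 <= duration <= 180:
        findings.append(f"instanceDurationInDays={duration} is outside 1-180")
    return findings


def submit(body: Dict[str, Any], access_token: str) -> Dict[str, Any]:
    """POST the definition using a bearer token obtained elsewhere (network call, not run offline)."""
    req = urllib.request.Request(GRAPH_URL, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_group_review("Quarterly Sales Group Review", "<group-id>", ["<reviewer-id>"])
    print(json.dumps(body, indent=2))
    print(audit_definition(body))   # with the chapter's defaults this reports two findings
```

Running the audit against the chapter's default settings reports exactly the two gaps that Scenario 1 below calls out as common pitfalls: auto-apply left off and no fallback reviewer.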

Interaction with Related Technologies

Privileged Identity Management (PIM): PIM manages just-in-time activation of privileged roles, while Access Reviews certify ongoing access. They are complementary: PIM reduces standing access, Access Reviews ensure that eligible users still need the role.

Entitlement Management: Access Reviews can be part of an access package's lifecycle, requiring periodic certification for package assignments.

Conditional Access: Access Reviews do not enforce Conditional Access policies; they only manage assignments. However, removing access via a review can prevent users from meeting Conditional Access requirements (e.g., being in a required group).

Microsoft 365 Groups: Access Reviews can review membership of Microsoft 365 groups, which affect access to Teams, SharePoint, and other services.

Common Exam Traps

Reviewer types: The exam may ask who can be a reviewer. Remember: group owners, selected users, managers, or the users themselves (self-review). Not 'all users' or 'administrators only' unless specified.

Auto-apply vs. manual apply: If auto-apply is disabled, decisions are not applied automatically. An administrator must manually apply them. Many candidates assume automatic removal always happens.

Duration: The default is 30 days, not 7 or 90. The maximum is 180 days.

Scope: Access Reviews can review Azure AD roles, groups (including Microsoft 365 groups), and application assignments. They cannot review SharePoint site permissions directly (those are managed via groups).

Guest reviews: Access Reviews can include guest users, and reviewers can be guests themselves (if assigned).

Walk-Through

Step 1: Create Access Review Definition

Navigate to the Entra ID admin center > Identity Governance > Access Reviews. Click 'New access review.' Specify the review name, description, and scope: either 'Teams + Groups' (for Azure AD groups and Microsoft 365 groups) or 'Applications' (for enterprise applications) or 'Azure AD roles' (for privileged roles). For groups, you can choose to review all members, guest users only, or specific users. For roles, you select the role(s) to review. Then choose recurrence: one-time or recurring (weekly, monthly, quarterly, annually). Set the duration in days (default 30). Configure auto-apply (default disabled) and whether to require justification on approval. Finally, assign reviewers: group owner(s), selected users, manager of each user, or self-review. Optionally, assign fallback reviewers.

Step 2: Notify Reviewers and Begin Review

Once saved, the review starts immediately (if one-time) or at the scheduled recurrence start date. Reviewers receive an email notification with a link to the My Access portal (https://myaccess.microsoft.com). The email includes the review name, duration, and a button to 'Review access.' If email notifications are disabled, reviewers must navigate to the portal manually. The system also sends reminder emails at the configured interval (default 7 days) to reviewers who have not completed their review. Reviewers can access the review on any device with a browser.

Step 3: Reviewer Makes Decisions

In the My Access portal, the reviewer sees a list of users whose access is under review. For each user, the reviewer can select 'Approve' (keep access), 'Deny' (remove access), or 'Not reviewed' (skip). If recommendations are enabled (default), the system provides a recommendation based on sign-in activity: users who have not signed in for 30+ days get a 'Deny' recommendation. The reviewer can also add a justification (if required). For bulk actions, the reviewer can select multiple users and apply the same decision. The reviewer can also filter by decision status, user type, or recommendation.

Step 4: Review Ends and Results Are Applied

After the duration expires, the review instance ends. If auto-apply was enabled, the system automatically applies decisions: 'Deny' and 'Not reviewed' result in removal of access; 'Approve' results in no change. If auto-apply was disabled, the administrator must go to the review instance and click 'Apply' to execute the decisions. During application, the system removes users from the group, role, or application assignment. For Azure AD roles, removal is immediate. For groups, removal from the group may take a few minutes to propagate. The administrator can also export a CSV report of decisions before applying.

Step 5: Monitor and Report on Review History

After the review is completed and applied, administrators can view the history under Identity Governance > Access Reviews > Select the review > Review instances. Each instance shows the status, start and end dates, number of users, decisions breakdown, and applied status. Administrators can download a detailed CSV report that includes user names, decisions, reasons, and who reviewed. For recurring reviews, each instance is listed separately. The audit logs in Entra ID capture all review creation, modification, and decision actions. These logs can be used for compliance evidence.
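Steps 3 and 4 mention two things a reviewer and an administrator actually look at: the sign-in based recommendation (no sign-in for 30+ days gives a 'Deny' recommendation) and the CSV export of decisions. The Python below is an added example for this chapter, not Microsoft's code: it computes that recommendation from last sign-in dates, renders the decision list as CSV in the spirit of the export, and summarises it, counting how often a reviewer went against the recommendation, which is the number an auditor will ask about. The users, dates and justifications are constructed sample data.

```python
import csv
import io
from datetime import date, timedelta
from typing import Dict, List, Optional

INACTIVITY_DAYS = 30   # chapter: no sign-in for 30+ days -> the system recommends Deny


def recommendation(last_sign_in: Optional[date], review_start: date,
                   lookback_days: int = INACTIVITY_DAYS) -> str:
    """Recommend Deny for users who never signed in or whose last sign-in is outside the lookback."""
    if last_sign_in is None or (review_start - last_sign_in).days >= lookback_days:
        return "Deny"
    return "Approve"


def build_decision_report(subjects: List[Dict], review_start: date) -> str:
    """Render per-user decisions as CSV text, modelled on the report an admin exports before applying."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["user", "lastSignIn", "recommendation",
                                             "decision", "reviewedBy", "justification"])
    writer.writeheader()
    for s in subjects:
        writer.writerow({
            "user": s["user"],
            "lastSignIn": s["last_sign_in"].isoformat() if s["last_sign_in"] else "",
            "recommendation": recommendation(s["last_sign_in"], review_start),
            "decision": s.get("decision") or "Not reviewed",   # skipped or unanswered items
            "reviewedBy": s.get("reviewed_by", ""),
            "justification": s.get("justification", ""),
        })
    return out.getvalue()


def summarize_report(csv_text: str) -> Dict[str, int]:
    """Decision counts plus the number of items where the reviewer overrode the recommendation."""
    counts = {"Approve": 0, "Deny": 0, "Not reviewed": 0, "overrides": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[row["decision"]] += 1
        if row["decision"] != "Not reviewed" and row["decision"] != row["recommendation"]:
            counts["overrides"] += 1
    return counts


def sample_subjects(review_start: date) -> List[Dict]:
    """Constructed sample data for one group review; not taken from any real tenant."""
    return [
        {"user": "alice", "last_sign_in": review_start - timedelta(days=3),
         "decision": "Approve", "reviewed_by": "mgr", "justification": "active on the account"},
        {"user": "bob", "last_sign_in": review_start - timedelta(days=45),
         "decision": "Deny", "reviewed_by": "mgr", "justification": "moved teams"},
        # the reviewer keeps carol despite a Deny recommendation: this is an override
        {"user": "carol", "last_sign_in": None,
         "decision": "Approve", "reviewed_by": "mgr", "justification": "on leave, returns next month"},
        # nobody decided on dave; with auto-apply on this would become a removal
        {"user": "dave", "last_sign_in": review_start - timedelta(days=30), "decision": None},
    ]


if __name__ == "__main__":
    start = date(2026, 1, 1)
    report = build_decision_report(sample_subjects(start), start)
    print(report)
    print(summarize_report(report))
```

The override count is worth keeping in the evidence file: a high ratio of 'Approve' decisions against 'Deny' recommendations usually means reviewers are rubber-stamping rather than certifying.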

What This Looks Like on the Job

Scenario 1: Quarterly Certification of Privileged Roles

A financial services company must comply with SOX by certifying all users with Global Administrator access every quarter. The security team creates a recurring quarterly access review for the 'Global Administrator' Azure AD role. The reviewer is the IT Director. The review duration is set to 14 days, with auto-apply enabled and recommendations on. Each quarter, the IT Director receives an email with a list of current Global Administrators. The system recommends denying access for any admin who hasn't signed in for 30 days. The director approves necessary users and denies others. After 14 days, denied users lose Global Admin rights automatically. This process reduces standing privileged access and provides auditable evidence. Common pitfalls: forgetting to set auto-apply (results not applied automatically) or setting too short a duration (reviewers may miss the window). Production scale: reviewing up to 50 Global Admins per review is typical.

Scenario 2: Guest Access Review for Microsoft Teams

A multinational corporation uses Microsoft Teams extensively with external partners. They need to ensure guest access is reviewed every month. They create a recurring monthly access review for all Microsoft 365 groups that contain guests. The reviewers are the group owners (each team's owner). Duration is set to 7 days, auto-apply enabled, and recommendations on. Each month, team owners review guest members and deny those who no longer need access. If a guest is denied, they are removed from the team. This prevents former partners from accessing sensitive channels. Common misconfiguration: not enabling 'Guest users only' scope, leading to review of all members (including employees) which increases reviewer workload. Also, if auto-apply is off, an admin must manually apply, which may be forgotten. Performance: reviewing thousands of guests across hundreds of groups is feasible; the system handles up to 50,000 users per review.

Scenario 3: Self-Review for Application Access

A SaaS company wants employees to confirm they still need access to a critical HR application. They create a one-time access review for the enterprise application 'HR Portal' with self-review as the reviewer type. Duration is 30 days. Auto-apply is enabled. Employees receive an email to approve or deny their own access. If an employee does not respond, their access is automatically removed. This empowers users to clean up their own access. However, a common issue is that employees may not understand the process and ignore the email, leading to unintended loss of access. To mitigate, the company sets a fallback reviewer (the HR director) who can re-approve if needed. Also, notifications are sent weekly. Production scale: up to 10,000 employees can be reviewed in a single review.

How MS-900 Actually Tests This

What MS-900 Tests on Access Reviews (Domain 3.3)

The MS-900 exam focuses on the purpose, use cases, and basic configuration of Access Reviews. You are not expected to create reviews via PowerShell or Graph API, but you must understand:

The difference between Access Reviews and Privileged Identity Management (PIM)

Who can be a reviewer (group owners, selected users, managers, self)

What can be reviewed (Azure AD roles, groups, applications)

The concept of auto-apply and default duration (30 days)

The purpose: periodic certification, least privilege, compliance

Common Wrong Answers and Why Candidates Choose Them

1. 'Access Reviews can automatically revoke access to SharePoint sites.' Wrong. Access Reviews work on Azure AD groups and application assignments, not directly on SharePoint site permissions. SharePoint site permissions are managed via group membership if the site is connected to a group; otherwise, you need SharePoint permissions review (which is separate). Candidates confuse Access Reviews with SharePoint site collection admin reviews.

2. 'Access Reviews require administrators to manually apply results by default.' This statement is actually true, because auto-apply is disabled by default, but many candidates reject it because they assume auto-apply is always on. The exam may instead state 'By default, decisions are automatically applied,' which is false.

3. 'Access Reviews can only be performed by global administrators.' Wrong. Reviewers can be group owners, managers, or even users themselves. The exam may include a distractor that says 'Only Global Administrators can conduct access reviews' — this is incorrect; any assigned reviewer can perform the review.

4. 'Access Reviews are the same as PIM.' Wrong. PIM is about just-in-time activation and approval for privileged roles. Access Reviews are about periodic certification of existing access. They complement each other but are different features.

Specific Numbers and Terms That Appear on the Exam

Default review duration: 30 days

Maximum duration: 180 days

Default reminder interval: 7 days

Reviewer types: group owner, selected user, manager, self

Scope: Azure AD roles, Azure AD groups (including Microsoft 365 groups), enterprise applications

Auto-apply: disabled by default

Access Reviews are part of Identity Governance

Edge Cases and Exceptions

If a user is also a reviewer, they can review their own access only if self-review is enabled.

Guest users can be reviewers if they are assigned as selected reviewers.

If a reviewer is deleted from the directory before the review ends, the review becomes orphaned; an administrator must reassign reviewers.

For recurring reviews, each instance is independent; decisions from one instance do not carry over.

Access Reviews do not affect device or location-based policies; they only affect assignments.

How to Eliminate Wrong Answers

If the question mentions 'periodic certification' or 'recertification,' it's likely Access Reviews.

If the question mentions 'just-in-time' or 'activation,' it's PIM.

If the question mentions 'automatically remove access after review,' look for auto-apply being enabled.

If the question mentions 'review by manager,' it's Access Reviews.

If the question mentions 'approve requests for privileged roles,' it's PIM.

Key Takeaways

Access Reviews are used for periodic certification of access to Azure AD roles, groups, and applications.

Default review duration is 30 days; maximum is 180 days.

Auto-apply is disabled by default; administrators must manually apply decisions unless auto-apply is enabled.

Reviewers can be group owners, selected users, managers, or the users themselves (self-review).

Access Reviews are part of Microsoft Entra Identity Governance.

Reminders are sent every 7 days by default.

Access Reviews do not replace PIM; they complement it.

Non-response during auto-apply results in access removal (treated as denial).

Access Reviews support guest users as both subjects and reviewers.

The My Access portal (https://myaccess.microsoft.com) is used by reviewers to make decisions.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Access Reviews

Periodic certification of existing access (groups, roles, apps).

Reviewer approves or denies continued access.

Can be one-time or recurring.

Auto-apply can remove access automatically.

Use case: compliance recertification, least privilege enforcement.

Privileged Identity Management (PIM)

Just-in-time activation of privileged roles.

User requests activation; approver approves or denies request.

Provides time-bound elevation of privileges.

Can require approval, MFA, and justification for activation.

Use case: reduce standing privileged access, provide audit trail for role activation.

Watch Out for These

Mistake

Access Reviews automatically remove access when a reviewer denies a user.

Correct

Access removal only happens automatically if auto-apply is enabled. By default, auto-apply is disabled, so an administrator must manually apply the decisions. The exam often tests this default setting.

Mistake

Access Reviews can review any resource in the tenant, including SharePoint Online site permissions.

Correct

Access Reviews can only review Azure AD roles, Azure AD group memberships (including Microsoft 365 groups), and enterprise application assignments. SharePoint site permissions are not directly reviewable unless they are tied to a group. For SharePoint, you must use SharePoint site collection access reviews (a separate feature).

Mistake

Only global administrators can create or perform access reviews.

Correct

Any user with the appropriate permissions (e.g., Global Administrator, Identity Governance Administrator, or User Administrator) can create access reviews. Reviewers can be any user, including non-admins, if assigned. The exam may try to trick you into thinking only admins can review.

Mistake

Access Reviews and Privileged Identity Management (PIM) are the same thing.

Correct

Access Reviews are for periodic certification of existing access. PIM is for just-in-time activation and approval of privileged roles. They are complementary but serve different purposes. The exam may ask you to differentiate them.

Mistake

If a reviewer does not respond, the user's access is automatically kept.

Correct

If auto-apply is enabled, a 'Not Reviewed' decision is treated as a denial, and access is removed. If auto-apply is disabled, no action is taken until an admin applies. The default is that non-response leads to removal if auto-apply is on, but many think it's the opposite.


Frequently Asked Questions

What is the difference between Access Reviews and Privileged Identity Management (PIM)?

Access Reviews are for periodic recertification of existing access (e.g., quarterly review of group membership). PIM is for just-in-time activation of privileged roles (e.g., requesting Global Admin for 1 hour). Access Reviews ensure ongoing need; PIM reduces standing access. Both are part of Identity Governance but serve different purposes. On the exam, if the question mentions 'periodic certification' or 'recertification,' it's Access Reviews. If it mentions 'activation' or 'approval to elevate,' it's PIM.

Can Access Reviews automatically remove access if a reviewer doesn't respond?

Yes, but only if auto-apply is enabled. By default, auto-apply is disabled. If auto-apply is enabled, any user whose access is 'Denied' or 'Not reviewed' will have their access removed automatically when the review ends. If auto-apply is disabled, an administrator must manually apply the decisions. The exam often tests that auto-apply is off by default, so non-response does not automatically remove access.

What types of resources can be reviewed with Access Reviews?

Access Reviews can review three types of resources: Azure AD roles (e.g., Global Administrator), Azure AD groups (including security groups and Microsoft 365 groups), and enterprise applications (application assignments). They cannot directly review SharePoint site permissions, Exchange mailboxes, or other non-Azure AD resources. For SharePoint, you would review the group that grants access to the site.

Who can be a reviewer in an Access Review?

Reviewers can be: group owners (for group reviews), selected users or groups (e.g., a security team), the manager of each user (dynamically determined), or the users themselves (self-review). You can also assign fallback reviewers. Reviewers do not need to be administrators. Guest users can be reviewers if assigned.

How long does an Access Review last by default?

The default review duration is 30 days. You can configure it from 1 to 180 days. The default reminder interval is 7 days. The exam may ask for the default duration, so remember 30 days.

What happens to a user's access if a reviewer selects 'Deny'?

If auto-apply is enabled, the user's access is removed automatically when the review ends. If auto-apply is disabled, the decision is recorded but not applied until an administrator manually applies the results. Until then, the user retains access.

Can Access Reviews be used for guest users?

Yes. You can scope a review to include only guest users (e.g., 'Guest users only' for a group). Guest users can also be assigned as reviewers if they are selected as reviewers. Self-review is often used for guests to confirm they still need access.
