This chapter covers Microsoft Entra Access Reviews, a critical identity governance feature for periodic certification of user access rights. On the SC-900 exam, questions about Access Reviews typically appear in Domain 2 (Identity Access) under objective 2.3, which focuses on capabilities of Microsoft Entra. Expect 2–4 questions on this topic, often testing your understanding of who can be a reviewer, auto-apply settings, and the purpose of reviews. Mastering Access Reviews is essential for demonstrating knowledge of identity governance and compliance.
Imagine a large office building with 5,000 employees. Each employee has a badge that grants access to specific floors and rooms. Over time, people change roles, leave, or join new teams, but their badges often retain old permissions. The building security team periodically conducts a 'badge audit': they send a list to each department manager asking, 'Does Jane still need access to Floor 7 server room? Does Bob still work here?' The manager must review and either confirm or revoke each access. If the manager does not respond within 30 days, the system automatically revokes the access. This mirrors Microsoft Entra Access Reviews: administrators create reviews of group memberships, application roles, or privileged roles. Reviewers (e.g., managers) receive an email with a list of users and must approve or deny each. If they don't respond by the deadline, the system can auto-apply the decision (e.g., remove access). The review is recorded in an audit log for compliance. Just as the badge audit prevents ex-employees from entering the building, Access Reviews prevent stale access and ensure least-privilege security.
What Are Microsoft Entra Access Reviews?
Microsoft Entra Access Reviews (formerly Azure AD Access Reviews) are a feature of Microsoft Entra ID Governance that enables organizations to periodically review and certify user access to groups, applications, and privileged roles. The primary purpose is to ensure that only the right people have the right access, reducing the risk of stale permissions, insider threats, and compliance violations. Access Reviews are a key tool for achieving least-privilege security and meeting regulatory requirements such as SOX, HIPAA, and GDPR.
Why Access Reviews Exist
In any organization, users accumulate access over time—through role changes, project assignments, or temporary grants. Without periodic reviews, former employees, contractors, or users who changed roles may retain access to sensitive resources. This creates security vulnerabilities and compliance gaps. Access Reviews automate the certification process by prompting designated reviewers (e.g., managers, resource owners) to confirm or deny each user's access. The results can be automatically enforced, removing access for users who are not approved or whose reviewers did not respond.
How Access Reviews Work Internally
An Access Review is defined by a review policy that specifies:
- What is being reviewed: A group, application, or privileged role (e.g., Azure AD roles, Azure resource roles).
- Who is reviewed: All members or direct assignments within the scope.
- Who reviews: One or more reviewers. Options include group owner(s), selected users or groups (e.g., managers), or users reviewing their own access (self-review).
- Frequency: One-time or recurring (e.g., weekly, monthly, quarterly, annually).
- Duration: How long reviewers have to respond (default 30 days, configurable from 1 to 180 days).
- Auto-apply: If enabled, when the review ends the system automatically removes access for denied users and for users whose reviewers did not respond. If disabled, an administrator must manually apply the results.
- Fallback reviewers: If the primary reviewer cannot be determined (e.g., the user has no manager) or is unavailable, a fallback reviewer is assigned.
When a review starts, the system sends an email to each reviewer with a link to the review dashboard. Reviewers see a list of users and can approve or deny each one. They can also provide a justification. The reviewer can also delegate the review to someone else. The review status is tracked in real-time. Once the review period ends, the system applies the decisions based on the auto-apply setting. All actions are logged in the Microsoft Entra audit log.
Key Components, Values, Defaults, and Timers
Review scope: Groups (security, Microsoft 365, distribution, mail-enabled security), applications (enterprise apps, application proxy apps), Azure AD roles (e.g., Global Administrator, User Administrator), and Azure resource roles (e.g., Contributor, Owner at subscription/resource group/resource level).
Reviewers: Group owners, selected users/groups, manager of each user, or self-review.
Duration: Default 30 days; configurable from 1 to 180 days. The duration must be set when creating the review and cannot be changed after the review starts.
Auto-apply: Disabled by default. You must explicitly enable it when creating the review.
Recurrence: One-time or recurring with interval (weekly, monthly, quarterly, semi-annually, annually).
Fallback reviewers: Optional. If the primary reviewer cannot be determined (e.g., user has no manager), the fallback reviewer is assigned.
Justification required: Optionally require reviewers to provide a reason for their decision.
Notifications: Reviewers receive an email at the start of the review. They also receive reminders (by default, halfway through the review period and 3 days before the end).
Audit log: All review events (creation, decisions, auto-apply) are recorded in the Microsoft Entra audit log.
Configuration and Verification Commands
Access Reviews are configured through the Microsoft Entra admin center or Microsoft Graph API. There are no PowerShell cmdlets for creating reviews in the current release (as of 2025), but you can use Microsoft Graph API. However, for SC-900, you only need to know the admin center steps:
Go to Microsoft Entra admin center > Identity Governance > Access Reviews.
Click "New access review".
Select what to review (Group, Application, Azure AD role, or Azure resource role).
Configure scope, reviewers, recurrence, duration, auto-apply, etc.
Click "Start".
To verify review results:
Navigate to the review and view the "Results" tab.
Check the audit log for events like "AccessReviewCompleted" or "AccessReviewApplyAction".
Example Graph API call to list reviews:
GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
Interaction with Related Technologies
Microsoft Entra ID Governance: Access Reviews are a core component of the Identity Governance suite, which also includes Entitlement Management, Privileged Identity Management (PIM), and Lifecycle Workflows.
Privileged Identity Management (PIM): PIM provides just-in-time privileged access, but Access Reviews can be used to periodically review and remove permanent privileged role assignments.
Entitlement Management: Access packages can include Access Reviews as part of their lifecycle. When an access package assignment expires, a review can be triggered.
Conditional Access: Access Reviews do not directly enforce Conditional Access policies, but they can be used to remove users who no longer meet policy requirements (e.g., after a review, a user's group membership is removed, which may affect Conditional Access policies).
Microsoft 365 Groups: Reviews can be applied to Microsoft 365 groups, ensuring that only active members retain access to group resources (e.g., Teams, SharePoint sites).
Example Scenario
A company wants to review all members of the "Finance - Sensitive Documents" group every quarter. They configure:
Review scope: The group.
Reviewers: Group owners.
Frequency: Quarterly.
Duration: 14 days.
Auto-apply: Enabled.
Fallback reviewer: The Finance Director.
When the review starts, the group owners receive an email. They review each member and approve or deny. After 14 days, the system automatically removes access for any denied members or members whose owners did not respond. The audit log records every decision.
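The Graph route from the configuration section and the quarterly "Finance - Sensitive Documents" scenario, assembled into one request body as an added Python example (not Microsoft's code or the page's own): it maps the page's recurrence and duration options onto Graph's accessReviewScheduleDefinition settings, rejects durations outside 1 to 180 days, and computes the reminder dates described under Notifications. Group and user IDs are placeholders; the reviewer query strings follow the Graph documentation as I recall it and are an assumption to verify against the reference.

```python
from datetime import date, timedelta

# Recurrence names used on this page mapped to Graph recurrence patterns.
# Assumption: monthly-style cadences are absoluteMonthly with an interval in
# months (quarterly = 3, semi-annually = 6, annually = 12).
RECURRENCE = {
    "weekly": {"type": "weekly", "interval": 1},
    "monthly": {"type": "absoluteMonthly", "interval": 1},
    "quarterly": {"type": "absoluteMonthly", "interval": 3},
    "semi-annually": {"type": "absoluteMonthly", "interval": 6},
    "annually": {"type": "absoluteMonthly", "interval": 12},
}

def build_group_review(name, group_id, fallback_user_id, duration_days=30,
                       recurrence="quarterly", auto_apply=False,
                       justification_required=False, start=None):
    """Body for POST /identityGovernance/accessReviews/definitions: review a
    group's members with the group owners as reviewers."""
    if not 1 <= duration_days <= 180:
        raise ValueError("duration must be between 1 and 180 days")
    if recurrence not in RECURRENCE:
        raise ValueError(f"unknown recurrence {recurrence!r}")
    start = start or date.today().isoformat()
    return {
        "displayName": name,
        # Scope query as used in the Graph documentation for group reviews.
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        # Owners review; the fallback user steps in when no owner can be
        # determined. Reviewer query syntax is an assumption to verify.
        "reviewers": [{"query": "./owners", "queryType": "MicrosoftGraph"}],
        "fallbackReviewers": [{"query": f"/users/{fallback_user_id}",
                               "queryType": "MicrosoftGraph"}],
        "settings": {
            "instanceDurationInDays": duration_days,
            # Auto-apply is off unless requested; when on, no response means Deny.
            "autoApplyDecisionsEnabled": auto_apply,
            "defaultDecisionEnabled": auto_apply,
            "defaultDecision": "Deny" if auto_apply else "None",
            "justificationRequiredOnApproval": justification_required,
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "recurrence": {
                "pattern": RECURRENCE[recurrence],
                "range": {"type": "noEnd", "startDate": start},
            },
        },
    }

def reminder_dates(start, duration_days):
    """Reminders as described above: halfway through and 3 days before the end."""
    first = date.fromisoformat(start)
    end = first + timedelta(days=duration_days)
    return ((first + timedelta(days=duration_days // 2)).isoformat(),
            (end - timedelta(days=3)).isoformat(), end.isoformat())
```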
Define Review Scope
The administrator selects what to review: a group, an application, an Azure AD role, or an Azure resource role. For groups, all direct members are included. For applications, all users assigned to the app are included. For Azure AD roles, both eligible and active (permanent) assignments are included. The scope cannot be changed once the review starts.
Assign Reviewers and Settings
The administrator chooses who will review: group owners, selected users/groups, the manager of each user, or self-review. They set the duration (default 30 days), recurrence (one-time or recurring), auto-apply (default off), and fallback reviewers. They can also require justification. These settings define the review policy.
Review Start and Notification
When the review starts (either immediately or on a scheduled date), the system sends an email to each reviewer with a link to the review dashboard. The email includes the review name, end date, and instructions. Reviewers can also access the review via the Microsoft Entra admin center under Identity Governance > Access Reviews.
Reviewers Make Decisions
Reviewers see a list of users and decide to approve or deny each. They can optionally provide a justification. If the reviewer is a manager, they see only their direct reports. If self-review, users see only their own access. Reviewers can delegate the review to someone else. Decisions can be changed until the review ends.
Auto-Apply or Manual Apply
When the review period ends, if auto-apply is enabled, the system automatically applies the results: denied users are removed from the group/app/role. If auto-apply is off, an administrator must manually click 'Apply' to enforce decisions. The auto-apply process can take up to 24 hours to complete. The results are logged.
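To make the apply step concrete, here is an added Python example (not Microsoft's code or the page's own) that takes constructed decisions in the shape Graph returns for a review instance and plans the effect on a group: denied users and users whose reviewer never responded lose access, approved users keep it, and with auto-apply off the same removals wait for an administrator's Apply, which is the window in which stale access persists. The group id and principal ids are placeholders; the Graph member-removal path is the standard one.

```python
from datetime import date

# Constructed sample decisions for a group review, in the shape Graph returns
# from .../accessReviews/definitions/{id}/instances/{id}/decisions: the owner
# approved two users, denied one, and never responded for a fourth.
SAMPLE_DECISIONS = [
    {"principalId": "u-001", "decision": "Approve", "justification": "Still in Finance"},
    {"principalId": "u-002", "decision": "Deny", "justification": "Moved to Marketing"},
    {"principalId": "u-003", "decision": "NotReviewed", "justification": ""},
    {"principalId": "u-004", "decision": "Approve", "justification": ""},
]

REMOVE_ON = {"Deny", "NotReviewed"}  # outcomes that cost the user their access

def missing_justifications(decisions):
    """Principals decided on without the justification a review can require."""
    return [d["principalId"] for d in decisions
            if d["decision"] in ("Approve", "Deny") and not d["justification"].strip()]

def plan_apply(decisions, auto_apply, group_id):
    """Work out what applying the results does to a group's membership.

    Denied users and users whose reviewer did not respond lose access; approved
    users keep it. With auto-apply on, Entra applies this at the end of the
    review; with it off, the same removals wait until an admin clicks Apply,
    which is the window in which stale access persists."""
    remove = [d["principalId"] for d in decisions if d["decision"] in REMOVE_ON]
    keep = [d["principalId"] for d in decisions if d["decision"] == "Approve"]
    # Graph request that removes one member from a group (placeholder ids).
    requests = [("DELETE", f"/groups/{group_id}/members/{pid}/$ref") for pid in remove]
    return {"remove": requests, "keep": keep, "needs_manual_apply": not auto_apply}

def stale_days(review_end, applied_on=None):
    """Days denied users kept access after the review ended (manual-apply pitfall)."""
    end = date.fromisoformat(review_end)
    applied = date.fromisoformat(applied_on) if applied_on else date.today()
    return max(0, (applied - end).days)
```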
Enterprise Scenario 1: Quarterly Access Certification for SOX Compliance
A large financial institution must comply with Sarbanes-Oxley (SOX) requirements, which mandate periodic certification of access to financial systems. They use Access Reviews to review membership in the 'SAP Finance' security group every quarter. The group has 500 members. The review is configured with:
Reviewers: The SAP application owner (a single user) and the finance manager as fallback.
Duration: 21 days.
Auto-apply: Enabled.
Justification required: Yes.
In production, the reviewer receives an email with a list of 500 users. To avoid overwhelming the reviewer, the organization also uses a 'self-review' phase before the manager review: users must first confirm they still need access. Only users who do not respond or deny themselves are forwarded to the manager. This is achieved by creating a two-stage review, though the standard Access Review only supports a single reviewer per user. In practice, the organization uses a custom workflow with Entitlement Management to achieve multi-stage reviews. Common issues: reviewers ignoring emails, leading to mass auto-removals and helpdesk calls. Mitigation: send reminder emails at day 7 and day 14, and train managers to delegate if on leave.
Enterprise Scenario 2: Privileged Role Review for Azure AD Roles
A tech company uses Privileged Identity Management (PIM) for Azure AD roles, but also has permanent assignments for some roles (e.g., User Administrator). To comply with internal security policy, they run a monthly Access Review of all Azure AD role assignments. The review scope includes both eligible and active assignments. Reviewers are the global administrators. Duration: 7 days. Auto-apply is disabled because the security team wants to manually verify before removing access. After the review, the security team exports the results to a CSV and runs a script to remove denied assignments via Graph API. They also use the audit log to track who approved or denied. Pitfall: if auto-apply is off and the administrator forgets to apply, stale access persists. Best practice: enable auto-apply with a sufficient duration to allow time for manual intervention if needed.
Enterprise Scenario 3: Self-Review for Guest Users
A multinational corporation uses Access Reviews to manage guest user access to Microsoft Teams. Every month, guest users are asked to self-review their access to a 'Vendor Collaboration' group. The review is configured with:
Review scope: The group.
Reviewers: Self-review.
Duration: 14 days.
Auto-apply: Enabled.
Fallback reviewer: The group owner.
In production, guests receive an email in their own mailbox. Many guests do not respond because they ignore the email or it goes to spam. The auto-apply removes their access after 14 days, causing disruption. To reduce false positives, the organization sets the duration to 30 days and sends a reminder after 15 days. They also require justification for self-approval to prevent guests from blindly approving. The audit log helps track compliance for GDPR data processing agreements.
What SC-900 Tests on Access Reviews
The SC-900 exam objective 2.3 states: 'Describe the capabilities of Microsoft Entra ID Governance.' Access Reviews are a core capability. Expect questions that ask:
What is the purpose of Access Reviews? (Answer: To periodically review and certify user access to groups, apps, and roles.)
Who can be a reviewer? (Options: group owners, selected users, manager, self-review.)
What happens if a reviewer does not respond? (Answer: If auto-apply is enabled, access is removed after the review duration ends.)
What is the default duration? (Answer: 30 days.)
What can be reviewed? (Groups, applications, Azure AD roles, Azure resource roles.)
Common Wrong Answers and Why Candidates Choose Them
1. Wrong answer: 'Access Reviews can automatically revoke access immediately when a user leaves the company.' Why wrong: Access Reviews are periodic, not real-time. Real-time revocation is done by disabling the account or removing group membership manually. Candidates confuse Access Reviews with Lifecycle Workflows or automatic user deprovisioning.
2. Wrong answer: 'Access Reviews only apply to on-premises Active Directory groups.' Why wrong: Access Reviews are a cloud feature for Microsoft Entra ID. They do not directly sync to on-prem AD. Candidates may think of AD group management.
3. Wrong answer: 'The reviewer must be a global administrator.' Why wrong: Reviewers can be any user or group, including the user themselves (self-review). Candidates assume only admins can review.
4. Wrong answer: 'Access Reviews require a P2 license.' Why wrong: Access Reviews require Microsoft Entra ID Governance licenses (formerly Azure AD Premium P2); the exam may use either name, 'Azure AD Premium P2' or 'Microsoft Entra ID Governance'. Candidates might think Access Reviews are included in P1.
Specific Numbers and Terms on the Exam
Default review duration: 30 days.
Auto-apply is OFF by default.
Recurrence options: weekly, monthly, quarterly, semi-annually, annually.
Reviewable resources: groups, applications, Azure AD roles, Azure resource roles.
Reviewer types: group owners, selected users/groups, manager, self-review, fallback.
Access Reviews are part of Identity Governance.
Edge Cases and Exceptions
If a user is a member of multiple groups under review, each group is reviewed separately.
For Azure AD role reviews, both eligible and active assignments are included.
If a reviewer is also a user being reviewed, they cannot review themselves (except in self-review).
The fallback reviewer is used only if the primary reviewer cannot be determined (e.g., user has no manager).
Access Reviews do not support nested groups; only direct members are reviewed.
How to Eliminate Wrong Answers
If the question mentions 'real-time' or 'immediate', it's not Access Reviews.
If the question mentions 'on-premises', it's likely wrong.
If the question asks for the default duration, it's 30 days.
If the question asks who can review, remember that managers and self-review are common options.
Access Reviews are used to periodically certify user access to groups, applications, and Azure AD/Azure resource roles.
Default review duration is 30 days (configurable 1–180 days).
Auto-apply is disabled by default; if enabled, denied or unresponded users are removed automatically.
Reviewers can be group owners, selected users, managers, or self-review.
Access Reviews require Microsoft Entra ID Governance (Premium P2) licenses.
Reviews can be one-time or recurring (weekly, monthly, quarterly, etc.).
All review actions are logged in the Microsoft Entra audit log.
These come up on the exam all the time. Here's how to tell them apart.
Access Reviews
Periodic certification of access to groups, apps, and roles.
Reviews are scheduled (one-time or recurring).
Reviewers approve or deny each user's access.
Auto-apply can remove access after review ends.
Focuses on 'who should have access?' over time.
Privileged Identity Management (PIM)
Just-in-time activation of privileged roles.
Activations are on-demand or via schedule.
Users activate roles for a limited time (e.g., 1 hour).
Approval workflow for activation requests.
Focuses on 'who can activate access when needed?'
Mistake
Access Reviews can automatically revoke access in real time when a user leaves the company.
Correct
Access Reviews are periodic certifications, not real-time. Real-time revocation is handled by disabling accounts or removing group memberships immediately via automated workflows like Lifecycle Workflows.
Mistake
Access Reviews require a Microsoft Entra ID P1 license.
Correct
Access Reviews require Microsoft Entra ID Governance (Premium P2) licenses. P1 does not include Access Reviews.
Mistake
The default auto-apply setting is enabled.
Correct
Auto-apply is disabled by default. Administrators must explicitly enable it when creating the review.
Mistake
Access Reviews can review on-premises Active Directory groups.
Correct
Access Reviews only review cloud-based groups, applications, and roles in Microsoft Entra ID. They do not directly review on-premises groups unless synced to Microsoft Entra ID.
Mistake
Only global administrators can be reviewers.
Correct
Reviewers can be any user or group, including the user themselves (self-review). Common options are group owners, managers, or selected users.
Access Reviews allow organizations to periodically review and certify user access to groups, applications, and roles. This ensures that only authorized users retain access, reducing the risk of stale permissions and helping meet compliance requirements. For example, a quarterly review of a finance group ensures that only current finance employees have access.
If the reviewer does not respond by the end of the review duration, the system treats the user as 'Not reviewed'. If auto-apply is enabled, the user's access is removed. If auto-apply is disabled, an administrator must manually apply the results. The default duration is 30 days.
Yes, Access Reviews can review Azure resource roles (e.g., Contributor, Owner) at the subscription, resource group, or resource level. This helps certify who has privileged access to Azure resources.
Yes, Access Reviews require Microsoft Entra ID Governance licenses (formerly Azure AD Premium P2). Each user who is reviewed or who performs a review needs a license.
Yes, Access Reviews can review membership in Microsoft 365 groups (including Teams-connected groups). This helps ensure that only active members have access to Teams, SharePoint, etc.
Access Reviews are for periodic certification of existing access. Entitlement Management manages access packages and automated assignment lifecycles. They are complementary: an access package can include an Access Review as part of its assignment policy.
When creating the Access Review, under 'Settings', toggle 'Auto apply results to resource' to Yes. This is disabled by default. Once enabled, after the review ends, the system automatically removes access for denied or unresponded users.