# Access review

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/access-review

## Quick definition

An access review is like a regular check-up for your digital permissions. It helps organizations ensure that only the right people have access to important files, systems, or data. During an access review, managers or owners review each user's access rights and decide whether to keep, change, or remove them. This process is critical for security and compliance in any IT environment.

## Simple meaning

Imagine you work in a large office building with many rooms, each requiring a special badge to enter. When you first join the company, you get a badge that opens the front door, your team’s office, the break room, and maybe the supply closet. Over time, you might change roles or leave certain teams, but your badge still works everywhere it originally did. That means you could walk into the supply closet even if you no longer work in that department. An access review is the process where a manager or security team periodically checks every employee’s badge to see if they still need access to each room. They review a list of who can go where and decide: should this person still have access? Should we add or remove a room? This prevents people from having unnecessary permissions that could be misused or cause data leaks. In the digital world, access reviews work the same way. Companies use them to regularly audit user accounts, roles, and permissions across systems like cloud platforms, databases, and applications. The goal is to enforce the principle of least privilege, meaning each user gets only the access they absolutely need to do their job. Access reviews also help organizations meet legal or industry compliance requirements like GDPR, HIPAA, or SOC 2, which demand proof that access rights are controlled and monitored. Without access reviews, permissions can accumulate over time, leading to security risks like insider threats or accidental data exposure. Think of it like spring cleaning for your digital keys, you sort through what you have, keep what’s necessary, and discard what’s no longer useful or safe.

## Technical definition

An access review is a systematic process within identity governance and administration (IGA) frameworks used to verify, certify, and manage user entitlements across an organization’s IT infrastructure. It involves the periodic or event-driven evaluation of user access rights against defined policies, roles, and business requirements. Access reviews are integral to the identity lifecycle, helping maintain least privilege, separation of duties, and compliance with regulatory standards such as SOX, HIPAA, GDPR, and NIST 800-53. Technically, access reviews operate through identity governance platforms like Microsoft Entra ID (formerly Azure AD) Identity Governance, Okta, or SailPoint. These platforms aggregate identity and access management (IAM) data from multiple sources, including Active Directory, cloud services like AWS IAM or Azure RBAC, SaaS applications, and on-premises systems. The process typically begins with the creation of a review campaign, where administrators define the scope, resources, users, and reviewers. Reviewers can be resource owners, managers, or automated systems. Each reviewer is presented with a list of access assignments, often with attributes such as last sign-in date, role, and access justification. The reviewer must certify each assignment, either approving or denying continued access. Certifications are documented for audit trails. Automated reviews can use policies, such as removing access for users who have not signed in for 90 days. Access reviews often leverage role-based access control (RBAC) and attribute-based access control (ABAC) models to group permissions logically. For example, in AWS, an access review might involve examining IAM policies attached to users, groups, or roles to ensure they align with current job functions. In Azure, reviewers might check Azure AD role assignments, enterprise app roles, or group memberships. The review outputs can trigger automated revocation, temporary suspension, or escalation for approval. Access reviews also support separation of duties (SoD) checks, preventing conflicts like the same user having both purchase order approval and payment processing rights. From an implementation standpoint, access reviews can be scheduled quarterly, annually, or triggered upon role changes. Integration with HR systems (HRIS) automates the creation and removal of accounts, feeding into review cycles. For example, when an employee is terminated, an access review can confirm that all their permissions are revoked. Access reviews are a cornerstone of zero trust architectures, continuously verifying that access is appropriate. In exam contexts, particularly for AZ-104, SC-900, and MS-102, access reviews are tied to Microsoft Entra ID Identity Governance features like entitlement management, access packages, and review campaigns. For CISSP and CySA+, access reviews are part of domain on identity and access management, emphasizing audit, compliance, and security control verification.

## Real-life example

Think about a public library membership system. When you first get a library card, you can check out up to ten books, use the computers, and access the digital archives. Over time, you might move to another city, but your card still works here. You might also start borrowing DVDs, so the librarian adds that privilege. After a few years, your card might have permissions you no longer use. Now picture a library committee that annually reviews every active cardholder. They pull up a list of each person’s borrowing history and current permissions. For each member, they ask: does this person still live in our area? Do they still need digital archive access? Should we limit them to five books instead of ten? They might notice that some cards belong to people who moved away years ago, but the card still allows book checkout. The committee then revokes access for those who no longer qualify, or adjusts limits for others. This annual review protects the library’s resources and ensures that only valid members have borrowing rights. In the tech world, your library card is like a user account, and each borrowing privilege is like a permission in an IT system. The library committee is the team of managers or application owners who perform access reviews. They examine a report of who has access to what, just like the committee reviews a list of members and their privileges. When they find that someone changed departments or left the company, they remove unnecessary permissions, just as the library cancels expired cards. The review also helps the library meet privacy laws by ensuring only local residents can check out materials. For a company, this process satisfies compliance audits, prevents data breaches from overprivileged accounts, and keeps the IT environment secure. The analogy works because both systems need regular, documented checks to confirm that access is still appropriate. Without these reviews, permissions linger, creating security holes and compliance risks.

## Why it matters

Access reviews matter because they are a primary control for reducing security risk and ensuring compliance in any IT environment. Without regular reviews, user permissions tend to accumulate over time, a phenomenon known as permission creep or entitlement creep. When employees change roles, move to new teams, or leave the company, their old access rights often remain active. This creates unnecessary exposure; if an account is compromised, the attacker gains access to a wide range of resources. For example, a former marketing intern might still have write access to a production database if no one revoked it. In a breach scenario, that could lead to data exfiltration or ransomware damage. Access reviews directly address this by forcing periodic validation of each permission. Another critical reason is compliance. Regulations like GDPR, HIPAA, SOX, and PCI-DSS require organizations to demonstrate that they have controls over who can access sensitive data. Access reviews provide documented evidence that the organization is actively managing access rights, that decisions are made by accountable parties, and that privilege escalation is controlled. Auditors often request access review reports to verify that access is appropriate. In cloud environments, where resources are dynamic and roles are easily assigned, access reviews are even more vital. For example, in AWS or Azure, a developer might have read-only access to a storage account for a project, but after the project ends, the permission persists. An access review would catch that and revoke it. Access reviews also support operational efficiency by ensuring that only the right people have access, reducing clutter and simplifying troubleshooting. From a governance perspective, they enforce separation of duties, preventing a single user from having conflicting permissions that could enable fraud. In practice, many organizations use automated access reviews integrated with identity providers (like Microsoft Entra ID, Okta, or AWS IAM Identity Center) to run reviews on a schedule, with email notifications to reviewers who can approve or deny with a click. The result is a cleaner, safer, and audit-ready identity environment. For IT professionals, understanding access reviews is essential for roles like system administrator, security analyst, identity engineer, and compliance officer. It is a foundational concept in identity governance and zero trust security.

## Why it matters in exams

Access reviews appear in several major certification exams because they are a core identity governance control. For the Microsoft SC-900 (Security, Compliance, and Identity Fundamentals), access reviews are covered under the Identity and Access Management domain. Questions often ask what access reviews are used for, how they differ from entitlement management, and which tools in Microsoft Entra ID support them. You might see a scenario where an organization must verify that only current employees can access sensitive HR files, and the correct answer is to set up an access review campaign in Azure AD Identity Governance. For the AZ-104 (Microsoft Azure Administrator), access reviews are part of managing Azure AD roles and resources. Exam questions can involve configuring access reviews for Azure RBAC roles, ensuring that administrators periodically certify their own access. For example, a question might describe a company that wants to review all Global Administrator assignments every 90 days, and you need to select the appropriate Azure AD blade or PowerShell command. The MS-102 (Microsoft 365 Administrator) exam includes access reviews for Microsoft 365 groups, Teams, and SharePoint sites, scenarios where you must remove external users from a team if they haven’t accessed it recently. The CySA+ (CompTIA Cybersecurity Analyst) exam covers access reviews in the context of vulnerability management and security operations. Questions may present a log showing excessive permissions and ask which control would prevent the situation, with access review being the correct answer. The CISSP (ISC² Certified Information Systems Professional) exam includes access reviews in Domain 5 (Identity and Access Management). Here, the focus is on the access review process as part of the identity lifecycle, including certification, revocation, and audit. You might face questions about the separation of duties principle and how access reviews enforce it. For the Security+ exam, access reviews appear as a security control under identity management, often in multiple-choice questions where you pick the best way to maintain least privilege. The AWS SAA (Solutions Architect Associate) exam touches on access reviews indirectly through IAM policies and the principle of least privilege but usually not as a dedicated process. However, understanding access reviews helps answer scenario questions about cross-account access and permission boundaries. Across these exams, expect scenario-based questions where you analyze a situation with overprivileged users and identify access reviews as the solution. Remember that for Microsoft exams, specific terminology like “Entra ID Identity Governance” and “access packages” is important. For security exams, know that access reviews are a detective and corrective control, not a preventive one.

## How it appears in exam questions

Exam questions about access reviews typically fall into several categories. Scenario-based questions might describe a company that has just completed a merger and needs to ensure that only current employees have access to shared resources. The question would ask which Microsoft Entra ID feature should be used, with the correct answer being access reviews. Another common pattern is configuration questions: for example, you are an Azure administrator and need to set up a quarterly review of all members in a specific Azure AD role. You would need to know where to configure this, such as in the Azure portal under Identity Governance, Access Reviews. Other questions require you to identify the purpose of access reviews: a question might list several security controls and ask which one specifically helps identify unnecessary permissions. The answer is access review. Multiple-choice questions sometimes present a list of actions-such as enabling MFA, requiring password changes, running an access review, and blocking legacy authentication-and ask which one directly addresses the scenario of a user who changed roles but still has old permissions. In troubleshooting questions, you might see a scenario where a security audit finds that a terminated employee still has access to sensitive data. The question then asks for the best solution to prevent this in the future, and setting up automated access reviews with a trigger on HR termination is the correct answer. For Microsoft-specific exams, questions may ask about the difference between entitlement management and access reviews, where the former focuses on automating access requests and the latter on periodic certification. For CySA+ or CISSP, you might face a question that presents a list of users who have not accessed a system in six months yet still have permissions; the correct action is to initiate an access review and then revoke those accounts. Architecture questions might ask which control should be included in an identity governance framework to ensure least privilege, and access review is an appropriate choice. Some questions test your understanding of the review workflow: who should be the reviewer (typically the resource owner or manager), what actions can be taken (approve, deny, don’t know), and how the results are audited. Be prepared for questions that combine access reviews with privileged identity management (PIM). For example, a scenario where a user has just-in-time access via PIM but also has standing access that should be reviewed. The correct approach is to run an access review on the standing assignments. Another pattern involves compliance: an auditor asks for proof that access rights are reviewed yearly, and your answer involves configuring recurring access reviews. For cloud exams like AWS SAA, a question might ask how to ensure that IAM roles are not over permissive; the answer would involve regularly reviewing IAM policies, but the specific term “access review” might not be used directly.

## Example scenario

Scenario: A mid-sized company named TechForward has 500 employees. They use Microsoft 365 and Azure for their cloud infrastructure. Recently, the IT team discovered that a former employee, Jane, who left the company three months ago, still has access to the company’s main SharePoint site containing confidential project plans. The security manager is alarmed and wants to prevent this from happening again. The IT director decides to implement a recurring access review for all Microsoft 365 groups, SharePoint sites, and Azure AD roles. They configure a monthly review campaign where each resource owner gets an email with a list of current access holders. For the SharePoint site, the site owner reviews the list of users. They see Jane still listed as a member and remove her. They also notice several other users who have not accessed the site in six months, and they revoke those permissions too. The access review records all changes for an audit log. Six months later, an external auditor asks for proof that access is controlled. The IT team provides the access review report showing each review cycle, decisions made, and revocations. This satisfies the compliance requirement. The access review also helps the company apply the principle of least privilege across all resources. Without this process, former employees and dormant accounts would continue to hold access, creating a serious security vulnerability. This scenario shows how a scheduled access review can transform a reactive, risky posture into a proactive, compliant one.

## Common mistakes

- **Mistake:** Thinking that access reviews are only for terminated employees or former users.
  - Why it is wrong: Access reviews are equally important for active employees who change roles, take on new responsibilities, or simply have outdated permissions. Permissions can linger for years without review, even for current staff.
  - Fix: Remember that access reviews should cover all users, not just departed ones. Review permissions for everyone on a regular schedule to catch permission creep early.
- **Mistake:** Confusing access reviews with privileged identity management (PIM) or just-in-time access.
  - Why it is wrong: PIM provides temporary, time-bound access, while an access review is a periodic audit of existing standing access. They serve different purposes and are often used together, but they are not the same control.
  - Fix: Understand that PIM is about granting access on demand, and access reviews are about verifying and certifying existing access after it has been granted.
- **Mistake:** Believing that access reviews are only manual, requiring reviewers to go through long lists each time.
  - Why it is wrong: Modern identity governance platforms support automated policies, such as auto-revoking access for users who haven't signed in for 90 days or who no longer meet certain attributes. Automation reduces manual burden.
  - Fix: Learn how to configure auto-approval rules and automated revocation based on inactivity or policy violations. Reviews can be both manual and automated.
- **Mistake:** Assuming access reviews are only relevant for on-premises Active Directory.
  - Why it is wrong: Access reviews are critical in cloud environments like Azure AD, AWS IAM, and SaaS applications. In fact, cloud environments change faster, making reviews even more important.
  - Fix: Recognize that access reviews apply across all identity sources, including cloud directories, federated identity providers, and application-specific roles.

## Exam trap

An exam question might ask: 'A security analyst discovers that a user has access to a resource they don't need. Which control should be implemented to prevent similar issues in the future?' The options might include 'Implement MFA', 'Run an access review', 'Enable logging', or 'Create a firewall rule'. Many learners incorrectly choose MFA because it is a common security control. However, MFA only verifies the user's identity at login, it does not address whether the user should have the permission in the first place. Read the question carefully to determine if the issue is about permissions or authentication. If it is about granting and maintaining appropriate permissions, the correct answer involves access control reviews, not authentication controls. Access reviews directly address the question of who should have access, whereas MFA addresses only how a user proves their identity.

## Commonly confused with

- **Access review vs Privileged identity management (PIM):** PIM is a feature that provides just-in-time privileged access, activating elevated roles for a limited time. An access review is a periodic audit of all existing access, including both standing and activated roles. PIM controls how access is granted; access reviews certify that it remains appropriate. (Example: With PIM, an admin requests temporary Global Admin rights for a task. An access review later checks if that admin still needs Global Admin standing access at all.)
- **Access review vs Entitlement management:** Entitlement management automates the process of requesting, approving, and provisioning access to resources, often using access packages. Access reviews are separate and focus on certifying existing access, not on the initial request flow. They are complementary but distinct processes. (Example: Entitlement management lets a user request access to a SharePoint site through a catalog. An access review later verifies that the user still needs that access.)
- **Access review vs Role-based access control (RBAC):** RBAC is a method of assigning permissions based on roles, while an access review is a process that evaluates those assignments. RBAC defines the framework, and access reviews are a governance mechanism to keep that framework up to date. RBAC doesn't automatically remove outdated assignments; access reviews do. (Example: An organization uses RBAC to define an 'IT Support' role with permissions to reset passwords. An access review every quarter checks all members of that role to see if they still belong.)

## Step-by-step breakdown

1. **Define the scope of the access review** — The administrator selects which resources, roles, groups, or applications will be reviewed. This could be all Azure AD roles, specific Microsoft 365 groups, or even custom applications. Defining the scope ensures that the review focuses on the most critical or risk-prone areas first.
2. **Select reviewers and configure settings** — The administrator designates who will perform the review, typically resource owners, managers, or group owners. They also set the frequency (monthly, quarterly, annually) and decide whether to use automatic actions like revoking access for inactive users. This step is key to aligning the review with business processes.
3. **Run the access review campaign** — The identity governance platform starts the review, sending notifications to each reviewer with a list of users and their current access. The reviewer views details such as last sign-in date and role justification. They then decide to approve or deny each access assignment. This is the core verification step.
4. **Process the review decisions** — After reviewers submit their decisions, the system applies the results. Approved assignments remain unchanged. Denied assignments can be automatically revoked or sent for secondary approval, depending on policy. The actions are logged for audit purposes. This step turns decisions into actual changes in the identity environment.
5. **Document and report the results** — The platform generates a detailed report showing which access items were reviewed, the decisions made, and any changes applied. This report serves as evidence for compliance auditors and helps security teams track improvements. It also helps identify trends, such as departments with frequent permission creep.
6. **Review and refine the process** — After the campaign, administrators analyze the outcomes to improve future reviews. They might adjust the scope, change the reviewer assignments, or add automation rules. This continuous improvement ensures that access reviews remain effective and efficient over time.

## Practical mini-lesson

Access reviews are a practical tool that every IT professional should understand and know how to implement. In a typical enterprise environment, the identity governance team works with the security and compliance teams to schedule access reviews. The first step is inventorying all identity sources: on-premises Active Directory, Azure AD, AWS IAM, SaaS applications like Salesforce or Workday, and any custom applications. Modern identity governance platforms, such as Microsoft Entra ID Governance, Okta Identity Governance, or SailPoint, can aggregate these sources into a single view. Once the inventory is complete, the team categorizes resources based on sensitivity. For example, access to systems containing financial data or personally identifiable information (PII) should be reviewed more frequently, perhaps monthly. Lower-risk resources like internal wikis might be reviewed annually. Administrators configure the review campaigns in the governance platform, setting the frequency, selecting reviewers, and defining fallback reviewers in case the primary reviewer is unavailable. An important best practice is to use data-driven insights to make reviews smarter. Many platforms allow you to surface inactive accounts or users who never signed in, flagging them as candidates for removal. For example, if a user has not used a specific application in six months, the review system can automatically recommend removal. Reviewers then simply confirm or override. This reduces the burden on reviewers and increases accuracy. Another common practice is to tie access reviews to the HR system. When an employee changes roles or leaves the company, a trigger can automatically start a mini-review to adjust their access. This is known as a just-in-time review. In cloud environments, access reviews can also detect external users (guests) who were added for collaboration and then forgotten. For instance, in Microsoft 365, external users who haven’t accessed a shared site in 90 days can be flagged in an access review and removed. Professionals should also understand that access reviews are not a one-size-fits-all solution. They must be tailored to the organization’s risk posture and regulatory requirements. An overly aggressive review schedule can overwhelm reviewers and lead to rubber-stamping, where they approve everything without scrutiny. On the other hand, infrequent reviews increase risk. Striking the right balance is key. Implementing automation, such as revoking access for accounts that have not been active for a defined period, can reduce manual effort. Finally, always ensure that review outcomes are recorded and stored securely. Auditors will request these reports to verify compliance. Access reviews are a vital mechanism for maintaining least privilege, reducing risk, and satisfying compliance. As an IT professional, you should be able to describe how to scope, configure, and execute access reviews in your organization’s identity platform.

## Memory tip

Think of access review as spring cleaning for digital keys: regularly emptying what you no longer need keeps your house safe and your keychain light.

## FAQ

**How often should access reviews be performed?**

The frequency depends on the sensitivity of the resource and regulatory requirements. Highly sensitive systems like financial databases or HR portals are often reviewed monthly or quarterly. Lower-risk resources might be reviewed annually. In practice, many organizations follow a quarterly schedule for most resources.

**Who should be the reviewer in an access review?**

The best practice is to assign the resource owner or the user’s direct manager as the reviewer. Resource owners understand what access is needed for their systems, and managers know whether their employees still require specific permissions. Some organizations also use automated rules to reduce the reviewer burden.

**Can access reviews be automated?**

Yes, modern identity governance platforms support automation. For example, you can configure a rule that automatically revokes access for users who have not signed in within the last 90 days. You can also set auto-approval for certain low-risk assignments. Automation helps scale reviews but should be combined with human oversight for critical resources.

**What is the difference between an access review and an audit?**

An access review is a proactive process where permissions are deliberately checked and certified by designated reviewers. An audit is a retrospective examination of controls and records, often by an external party or internal audit team. Access reviews produce evidence that can be used in an audit.

**Do access reviews apply to guest or external users?**

Absolutely. Guest users and external partners are often included in access reviews because they pose a higher risk. For example, a Microsoft 365 access review can flag external users who have access to internal SharePoint sites and require a manager to certify they still need it.

**What happens if a reviewer does not respond to an access review request?**

Most platforms allow administrators to configure escalation rules. If a reviewer does not act by a deadline, the system can send reminders, escalate to their manager, or apply a default action such as automatically revoking access. This prevents reviews from stalling due to unresponsive reviewers.

## Summary

Access reviews are a fundamental identity governance control that ensures only authorized individuals retain access to critical resources. By periodically auditing user permissions, organizations can enforce the principle of least privilege, reduce security risks from permission creep, and maintain compliance with regulations like GDPR and HIPAA. For IT certification exams, understanding access reviews is essential across many domains, including identity management, security operations, and cloud administration. Key points to remember: access reviews are distinct from PIM and entitlement management; they are both detective and corrective controls; and they can be automated and scaled with modern identity platforms. The process involves defining scope, selecting reviewers, running the campaign, processing decisions, and documenting results. Common mistakes include confusing access reviews with MFA or PIM, and assuming they are only for terminated employees. In exams, expect scenario questions that require you to choose access reviews as the solution for overly permissive accounts or compliance audits. With the right knowledge, you can confidently answer access review questions and apply this concept in real-world IT environments.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/access-review
