L14. Access Reviews: Automated Recertification
Configure access reviews for the SC-300: create recurring reviews for group memberships, application access, and role assignments, configure reviewers and auto-apply settings, understand multi-stage reviews, and manage guest access recertification.
What Are Access Reviews?
Access reviews provide a systematic way to verify that users still need the access they hold. Reviewers examine memberships and assignments on a schedule and approve or deny continued access; with auto-apply enabled, denied access is removed automatically when the review instance ends. This is a core identity governance control for compliance frameworks such as SOX, ISO 27001, and SOC 2, and it is the mechanism that turns "least privilege" from a policy statement into a recurring, evidenced check. Licensing: Microsoft Entra ID P2 or the Microsoft Entra ID Governance license is required to create access reviews.
What Can Be Reviewed?
| Review Target | What Is Checked |
|---|---|
| Group membership | Are members still appropriate? |
| Application access | Do users still need app access? |
| Entra ID roles | Are role assignments still valid? |
| Azure resource roles | Are resource permissions still needed? |
| Access packages | Are entitlement assignments current? |
Creating an Access Review
Key configuration parameters:
Reviewers
- Self-review: Users review their own access (least reliable; suitable only for low-risk resources, never for privileged roles)
- Group owners: Owners review their group's members
- Selected users/groups: Designated reviewers (e.g., application owners, security team)
- Managers of users: Each user's direct manager reviews their access; specify fallback reviewers for users whose manager attribute is empty, or those users are never reviewed
Recurrence
- One-time, weekly, monthly, quarterly, semi-annually, or annually
- Start date and end date (or no end date for an ongoing recertification program)
- Duration per review cycle (how many days reviewers have to respond before the instance closes)
Upon Completion Settings
- Auto-apply results: Automatically remove denied access when the review instance ends. Without this, decisions are only recorded and an administrator must apply them manually.
- If reviewers don't respond: Options are No change (users keep access), Remove access, Approve access, or Take recommendations (apply the system's recommendation, which is Deny for users with no sign-in in the last 30 days). Choosing No change or Approve access means reviewer silence preserves access, which is usually the opposite of what a recertification is meant to achieve.
Multi-Stage Reviews
Multi-stage access reviews (up to three stages) allow different reviewers at each stage, for example:
- Stage 1: Manager reviews their direct reports
- Stage 2: Security team reviews the users forwarded from stage 1
- Stage 3: Final approver or compliance officer
Each stage has its own reviewers, duration, and recommendation setting. Which reviewees move on to the next stage is configurable per stage: approved users only, denied users only, users not reviewed, or all users. This creates a layered verification process in which a later stage can double-check an earlier one rather than simply repeating it.
Guest Access Reviews
Guest (B2B) access reviews are critical for organizations that collaborate with external partners. Recommended configuration:
- Scope: All guest users in a specific group or across the tenant
- Reviewer: Group owners or the employee who sponsored the guest
- Recurrence: Quarterly
- If no response: Remove access (guests should not retain access without active justification)
- Action on denied guests: Beyond removing the guest from the group or application, reviews of guest users can block the guest from signing in for 30 days and then remove the account from the tenant, which clears out orphaned B2B accounts rather than just their memberships
Review Decisions and History
Reviewers make one of these decisions for each user:
- Approve: User retains access
- Deny: User's access is removed when results are applied (automatically if auto-apply is on, otherwise by an administrator)
- Don't know: Records that the reviewer is unsure; the user is not removed on that basis, so the decision is visible in the audit log and can be routed to a later stage in a multi-stage review
All review decisions are logged in the audit trail for compliance reporting.
Programmatic Access
Access reviews can be created and managed programmatically through the Microsoft Graph API. A review definition (an accessReviewScheduleDefinition) is created with:
POST https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
The calling identity needs the AccessReview.ReadWrite.All permission. This enables integration with IT service management tools and automated governance workflows, for example creating a review automatically whenever a new partner collaboration group is provisioned.
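The following is an added example (not code from the course page or from Microsoft): it builds the JSON body for the quarterly guest review recommended above, optionally layers a two-stage manager-then-security-team flow on it, and lints the settings for the "silence keeps access" mistakes discussed under Upon Completion Settings. The group and security-team object IDs are placeholders you must replace; `submit()` performs the real POST to the endpoint shown above and is only called when you supply a token.

```python
"""Build, lint and (optionally) submit an Entra access review definition via Microsoft Graph.

Added example for this lesson, not Microsoft's own code. Object IDs are placeholders.
"""
import json
import urllib.request
from datetime import date

GRAPH_DEFINITIONS = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"


def guest_review_definition(group_id: str, start_date: str) -> dict:
    """Quarterly review of the guest (B2B) members of one group, reviewed by its owners.

    Mirrors the recommended guest configuration: recommendations on, auto-apply on,
    and Deny as the default decision for reviewees whose reviewer never responds.
    """
    return {
        "displayName": f"Quarterly guest access review - group {group_id}",
        "descriptionForAdmins": "Recertify external (B2B) members every quarter.",
        "descriptionForReviewers": "Confirm each guest still has a business reason for membership.",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            # Only guest members are in scope; member-type users are not reviewed here.
            "query": f"/groups/{group_id}/transitiveMembers/microsoft.graph.user/?$filter=(userType eq 'Guest')",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [{"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "defaultDecisionEnabled": True,
            "defaultDecision": "Deny",          # "If reviewers don't respond" -> Remove access
            "instanceDurationInDays": 14,       # how long reviewers have per cycle
            "recommendationsEnabled": True,     # 30-day inactivity hint for reviewers
            "autoApplyDecisionsEnabled": True,  # denials are enforced, not just recorded
            "recurrence": {
                # Quarterly = every 3 months, starting on the given day, with no end date.
                "pattern": {"type": "absoluteMonthly", "interval": 3,
                            "dayOfMonth": date.fromisoformat(start_date).day},
                "range": {"type": "noEnd", "startDate": start_date},
            },
        },
    }


def add_manager_then_security_stages(definition: dict, security_group_id: str) -> dict:
    """Make the review two-stage: each reviewee's manager first, then the security team.

    Stage 2 receives users that stage 1 approved or left unreviewed, so a manager's
    rubber-stamp or silence gets a second look instead of passing straight through.
    """
    security_team = {"query": f"/groups/{security_group_id}/members", "queryType": "MicrosoftGraph"}
    definition["stageSettings"] = [
        {
            "stageId": "1",
            "durationInDays": 7,
            "recommendationsEnabled": True,
            "decisionsThatWillMoveToNextStage": ["Approve", "NotReviewed"],
            # "./manager" with queryRoot "decisions" resolves each reviewee's own manager.
            "reviewers": [{"query": "./manager", "queryType": "MicrosoftGraph", "queryRoot": "decisions"}],
            "fallbackReviewers": [security_team],  # covers users with no manager set
        },
        {
            "stageId": "2",
            "dependsOn": ["1"],
            "durationInDays": 7,
            "recommendationsEnabled": True,
            "reviewers": [security_team],
        },
    ]
    return definition


def lint_definition(definition: dict) -> list:
    """Return findings for settings that let stale access survive a review; [] when clean."""
    s = definition.get("settings", {})
    findings = []
    if not s.get("autoApplyDecisionsEnabled"):
        findings.append("autoApplyDecisionsEnabled is off: denials are recorded but never enforced")
    if not s.get("defaultDecisionEnabled") or s.get("defaultDecision", "None") == "None":
        findings.append("no default decision: unreviewed users keep access when the instance ends")
    elif s.get("defaultDecision") == "Approve":
        findings.append("defaultDecision is Approve: reviewer silence grants access")
    if not s.get("recommendationsEnabled"):
        findings.append("recommendationsEnabled is off: reviewers get no inactivity signal")
    return findings


def submit(definition: dict, access_token: str) -> dict:
    """POST the definition to Graph (needs AccessReview.ReadWrite.All). Network call; not run by tests."""
    req = urllib.request.Request(
        GRAPH_DEFINITIONS,
        data=json.dumps(definition).encode(),
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder IDs; replace before calling submit(definition, token).
    definition = guest_review_definition("00000000-0000-0000-0000-000000000001", "2025-01-01")
    add_manager_then_security_stages(definition, "00000000-0000-0000-0000-000000000002")
    print(json.dumps(definition, indent=2))
    print("findings:", lint_definition(definition))
```

Run the linter against any definition pulled back with a GET on the same endpoint: a review that reports no findings still needs an actual reviewer population, so confirm the owner or manager queries resolve to someone before relying on the Deny default to do the cleanup.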
- ✓Access reviews require Microsoft Entra ID P2 or Microsoft Entra ID Governance licensing
- ✓The "Take recommendations" option applies the system recommendation, which is Deny for users with no sign-in in the last 30 days
- ✓For guest access reviews, the recommended no-response action is to remove access
- ✓Multi-stage reviews allow different reviewers at each stage (up to three), with a per-stage choice of which decisions move users to the next stage
- ✓Access reviews can target group memberships, app access, Entra ID roles, Azure resource roles, and access packages
1. An organization needs quarterly reviews of guest user access. If the reviewer does not respond, what should happen?
2. What does the "Take recommendations" setting do in an access review?
3. How do multi-stage access reviews work?