Create an access review of an access package in Azure AD entitlement management

To reduce the risk of stale access, you should enable periodic reviews of users who have active assignments to an access package in Azure AD entitlement management. You can enable reviews when you create a new access package or edit an existing access package. This article describes how to enable access reviews of access packages.

Prerequisites

To enable reviews of access packages, you must meet the prerequisites for creating an access package:

  • Azure AD Premium P2
  • Global administrator, Identity Governance administrator, User administrator, Catalog owner, or Access package manager

For more information, see License requirements.

Create an access review of an access package

You can enable access reviews when creating a new access package or editing an existing access package policy. Follow these steps to enable access reviews of an access package:

  1. Open the Lifecycle tab for an access package and scroll down to Access Reviews.

  2. Move the Require access reviews toggle to Yes.

    [Screenshot: Add the access review]

  3. Specify the date the reviews will start next to Starting on.

  4. Next, set the Review frequency to Annually, Bi-annually, Quarterly or Monthly. This setting determines how often access reviews will occur.

  5. Set the Duration to define how many days each review of the recurring series will be open for input from reviewers. For example, you might schedule an annual review that starts on January 1st and is open for review for 30 days so that reviewers have until the end of the month to respond.

  6. Next to Reviewers, select Self-review if you want users to perform their own access review or select Specific reviewer(s) if you want to designate a reviewer. You can also select Manager if you want to designate the reviewee’s manager to be the reviewer. If you select this option, you need to add a fallback to forward the review to in case the manager cannot be found in the system.

  7. If you selected Specific reviewer(s), specify which users will do the access review:

    1. Select Add reviewers.
    2. In the Select reviewers pane, search for and select the user(s) you want to be a reviewer.
    3. When you've selected your reviewer(s), click the Select button.

    [Screenshot: Specify the reviewers]

  8. If you selected Manager, specify the fallback reviewer:

    1. Select Add fallback reviewers.
    2. In the Select fallback reviewers pane, search for and select the user(s) you want to be fallback reviewer(s) for the reviewee’s manager.
    3. When you've selected your fallback reviewer(s), click the Select button.

    [Screenshot: Add the fallback reviewers]

  9. At the bottom of the page, click Review + Create if you are creating a new access package, or Update if you are editing an existing one.
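
The same policy settings can be prepared outside the portal. The following is an added example, not code from this article or from Microsoft: it maps the choices made in steps 3 through 8 onto a review-settings body shaped like the Microsoft Graph v1.0 accessPackageAssignmentReviewSettings resource (the field names are an assumption to verify against the Graph reference), enforces the rule from step 6 that a Manager review needs fallback reviewers, and flags policies whose reviews are missing or disabled. The policy list and user IDs are constructed sample data.

```python
from datetime import date

# Portal "Review frequency" choices (step 4) -> months between review occurrences
FREQUENCY_MONTHS = {"Annually": 12, "Bi-annually": 6, "Quarterly": 3, "Monthly": 1}


def build_review_settings(start: date, frequency: str, duration_days: int,
                          reviewer: str, reviewer_ids=(), fallback_ids=()):
    """Translate the portal choices from steps 3-8 into a review-settings body.
    Field names follow the Graph v1.0 accessPackageAssignmentReviewSettings shape
    (assumed; check the Graph reference before sending this to the API)."""
    if frequency not in FREQUENCY_MONTHS:
        raise ValueError(f"unknown review frequency: {frequency!r}")
    if duration_days < 1:
        raise ValueError("duration must be at least one day")
    primary, fallback = [], []
    if reviewer == "Specific reviewer(s)":
        if not reviewer_ids:
            raise ValueError("Specific reviewer(s) requires at least one reviewer")
        primary = [{"@odata.type": "#microsoft.graph.singleUser", "userId": u} for u in reviewer_ids]
    elif reviewer == "Manager":
        # Step 6: a manager review must name fallback reviewers for users whose manager is not on record
        if not fallback_ids:
            raise ValueError("Manager review requires at least one fallback reviewer")
        primary = [{"@odata.type": "#microsoft.graph.requestorManager", "managerLevel": 1}]
        fallback = [{"@odata.type": "#microsoft.graph.singleUser", "userId": u} for u in fallback_ids]
    elif reviewer != "Self-review":
        raise ValueError(f"unknown reviewer type: {reviewer!r}")
    return {
        "isEnabled": True,
        "isSelfReview": reviewer == "Self-review",
        "schedule": {
            "startDateTime": start.isoformat() + "T00:00:00Z",           # step 3: Starting on
            "expiration": {"type": "afterDuration", "duration": f"P{duration_days}D"},  # step 5
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": FREQUENCY_MONTHS[frequency],
                            "dayOfMonth": start.day},
                "range": {"type": "noEnd", "startDate": start.isoformat()},
            },
        },
        "primaryReviewers": primary,
        "fallbackReviewers": fallback,
    }


# Constructed sample of assignment policies as returned by a tenant inventory (not real data)
SAMPLE_POLICIES = [
    {"displayName": "Finance readers", "reviewSettings": {"isEnabled": True}},
    {"displayName": "Legacy contractors"},                                   # no review settings at all
    {"displayName": "Build agents", "reviewSettings": {"isEnabled": False}},
]


def policies_without_reviews(policies):
    """Names of policies with no enabled access review, i.e. where stale access can accumulate."""
    return [p["displayName"] for p in policies
            if not (p.get("reviewSettings") or {}).get("isEnabled", False)]
```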

View the status of the access review

After the start date, an access review will be listed in the Access reviews section. Follow these steps to view the status of an access review:

  1. In Identity Governance, click Access packages then select the access package with the access review status you'd like to check.

  2. Once you are on the access package overview, click Access reviews on the left menu.

    [Screenshot: Select access reviews]

  3. A list will appear that contains all of the policies that have access reviews associated with them. Click the review to see its report.

    [Screenshot: List of access reviews]

  4. When you view the report, it shows the number of users reviewed and the actions taken by the reviewer on them.

    [Screenshot: View review status]

Access reviews email notifications

You can designate reviewers, or users can review their access themselves. By default, Azure AD will send an email to reviewers or self-reviewers shortly after the review starts.

The email will include instructions on how to review access to access packages. If the review is for users to review their access, show them the instructions on how to perform a self-review of their access packages.

If you've assigned guest users as reviewers, and they haven't accepted their Azure AD guest invitation, they won't receive emails from Azure AD access reviews. They must first accept the invite and create an account with Azure AD before they can receive the emails.

Next steps