Review access to groups or applications in Azure AD access reviews

Azure Active Directory (Azure AD) simplifies how enterprises manage access to groups and applications in Azure AD and other Microsoft Online Services with a feature called Azure AD access reviews.

This article describes how a designated reviewer performs an access review for members of a group or users with access to an application.

Open the access review

The first step to perform an access review is to find and open the access review.

  1. Look for an email from Microsoft that asks you to review access. Here is an example email to review the access for a group.

    Review access email

  2. Click the Start review link to open the access review.

If you don't have the email, you can find your pending access reviews by following these steps.

  1. Sign in to the MyApps portal at https://myapps.microsoft.com.

    MyApps portal

  2. In the upper-right corner of the page, click the user symbol, which displays your name and default organization. If more than one organization is listed, select the organization that requested an access review.

  3. Click the Access reviews tile to see a list of the pending access reviews.

    If the tile isn't visible, there are no access reviews to perform for that organization and no action is needed at this time.

    Access reviews list

  4. Click the Begin review link for the access review you want to perform.

Perform the access review

Once you have opened the access review, you see the names of users who need to be reviewed.

If the request is to review your own access, the page will look different. For more information, see Review access for yourself to groups or applications.

Perform access review

There are two ways that you can approve or deny access:

  • You can approve or deny each request individually, or
  • You can accept the system recommendations, which is the easiest and quickest way.

Approve or deny access for each request

  1. Review the list of users to decide whether to approve or deny their continued access.

  2. To approve or deny each request, click the row to open a window to specify the action to take.

  3. Click Approve or Deny. If you are unsure, you can click Don't know. Doing so will result in the user maintaining his/her access, but the selection will be reflected in the audit logs.

    Perform access review

  4. If necessary, enter a reason in the Reason box.

    The administrator of the access review might require that you supply a reason for approving continued access or group membership.

  5. Once you have specified the action to take, click Save.

    If you want to change your response, select the row and update the response. For example, you can approve a previously denied user or deny a previously approved user. You can change your response at any time until the access review has ended.

    If there are multiple reviewers, the last submitted response is recorded. Consider an example where an administrator designates two reviewers – Alice and Bob. Alice opens the access review first and approves access. Before the review ends, Bob opens the access review and denies access. The last deny response is what is recorded.

    Note

    If a user is denied access, they aren't removed immediately. They are removed when the review has ended or when an administrator stops the review.

Approve or deny access based on recommendations

To make access reviews easier and faster for you, we also provide recommendations that you can accept with a single click. The recommendations are generated based on the user's sign-in activity.

  1. In the blue bar at the bottom of the page, click Accept recommendations.

    Accept recommendations

    You see a summary of the recommended actions.

    Accept recommendations summary

  2. Click Ok to accept the recommendations.

Next steps