Review access to groups and applications in Azure AD access reviews
Azure Active Directory (Azure AD) simplifies how enterprises manage access to groups and applications in Azure AD and other Microsoft Online Services with a feature called Azure AD access reviews.
This article describes how a designated reviewer performs an access review for members of a group or users with access to an application.
Open the access review
The first step to perform an access review is to find and open the access review.
Look for an email from Microsoft that asks you to review access.
Click the Start review link to open the access review.
If you don't have the email, you can find your pending access reviews by following these steps.
Sign in to the MyApps portal at https://myapps.microsoft.com.
In the upper-right corner of the page, click the user symbol, which displays your name and default organization. If more than one organization is listed, select the organization that requested an access review.
Click the Access reviews tile to see a list of the pending access reviews.
If the tile isn't visible, there are no access reviews to perform for that organization and no action is needed at this time.
Click the Begin review link for the access review you want to perform.
Perform the access review
Once you have opened the access review, you see the names of users who need to be reviewed.
If the request is to review your own access, the page will look different. For more information, see Review access for yourself to groups or applications.
There are two ways that you can approve or deny access:
- You can approve or deny access for one or more users, or
- You can accept the system recommendations, which is the easiest and quickest way.
Approve or deny access for one or more users
Review the list of users to decide whether to approve or deny their continued access.
To approve or deny access for a single user, click the row to open a window to specify the action to take. To approve or deny access for multiple users, add check marks next to the users and then click the Review X user(s) button to open a window to specify the action to take.
Click Approve or Deny. If you are unsure, you can click Don't know. Doing so will result in the user maintaining their access, but the selection will be reflected in the audit logs.
If necessary, enter a reason in the Reason box.
The administrator of the access review might require that you supply a reason for approving continued access or group membership.
Once you have specified the action to take, click Save.
If you want to change your response, select the row and update the response. For example, you can approve a previously denied user or deny a previously approved user. You can change your response at any time until the access review has ended.
If there are multiple reviewers, the last submitted response is recorded. Consider an example where an administrator designates two reviewers – Alice and Bob. Alice opens the access review first and approves access. Before the review ends, Bob opens the access review and denies access. The last deny response is what is recorded.
If a user is denied access, they aren't removed immediately. They are removed when the review has ended or when an administrator stops the review.
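The following added example (not part of the original article and not Microsoft code) models the rules above over a constructed list of reviewer responses: the last submitted response is recorded, Don't know leaves access in place, and a deny takes effect only when the review ends or is stopped. The record layout, the flag names, and the functions resolve and needs_followup are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: (submitted_at, reviewer, reviewed_user, response).
# Response values mirror the buttons on the page: Approve, Deny, Don't know.
RESPONSES = [
    ("2024-03-01T09:00", "alice", "user1", "Approve"),
    ("2024-03-02T14:30", "bob",   "user1", "Deny"),
    ("2024-03-01T09:05", "alice", "user2", "Deny"),
    ("2024-03-03T11:00", "bob",   "user2", "Approve"),
    ("2024-03-01T09:10", "alice", "user3", "Don't know"),
    ("2024-03-01T09:15", "alice", "user4", "Approve"),
]

@dataclass
class Outcome:
    recorded: str          # the last submitted response for this user
    recorded_by: str
    keeps_access: bool     # result once the review ends or is stopped
    flags: list = field(default_factory=list)

def resolve(responses):
    """Apply the last-response-wins rule and flag outcomes worth a second look."""
    history = {}
    # ISO-8601 timestamps sort chronologically as plain strings.
    for _submitted_at, reviewer, user, response in sorted(responses):
        history.setdefault(user, []).append((reviewer, response))
    outcomes = {}
    for user, entries in history.items():
        reviewer, recorded = entries[-1]
        outcome = Outcome(recorded, reviewer, keeps_access=(recorded != "Deny"))
        if recorded == "Don't know":
            # Access is kept although no reviewer actually decided.
            outcome.flags.append("retained-without-decision")
        if recorded != "Deny" and any(r == "Deny" for _, r in entries[:-1]):
            # An earlier deny was replaced by a later response.
            outcome.flags.append("deny-overridden")
        outcomes[user] = outcome
    return outcomes

def needs_followup(outcomes):
    """Users whose recorded outcome carries at least one flag."""
    return sorted(user for user, o in outcomes.items() if o.flags)

if __name__ == "__main__":
    for user, o in sorted(resolve(RESPONSES).items()):
        print(user, o.recorded, "by", o.recorded_by, "keeps access:", o.keeps_access, o.flags)
```
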
Approve or deny access based on recommendations
To make access reviews easier and faster for you, we also provide recommendations that you can accept with a single click. The recommendations are generated based on the user's sign-in activity.
In the blue bar at the bottom of the page, click Accept recommendations.
You see a summary of the recommended actions.
Click Ok to accept the recommendations.