Plan for access reviews
What is an access review?
An Access Review as the name implies, is a planned review of the access needs, rights, and history of user access. Access Reviews help users ensure that the right people have the right access to the right resources. They mitigate access risk by protecting, monitoring, and auditing access to critical assets—while ensuring employee and business partner productivity. Finally, the access review is performed in Microsoft Entra ID Governance. A Microsoft Entra ID premium P2 license is required.
Consider your organizational needs to determine the strategy for deploying access reviews in your environment.
Engage the right stakeholders
When technology projects fail, they typically do so due to mismatched expectations, outcomes, and responsibilities. To avoid these pitfalls, ensure that you're engaging the right stakeholders and that project roles are clear. For access reviews, you will likely include representatives from the following teams within your organization:
IT administration manages your IT infrastructure and administers your cloud investments and Software as a Service (SaaS) apps.
Development teams build and maintain applications for your organization
Business units manage projects and own applications.
Corporate governance ensures that the organization is following internal policy and complying with regulations.
Note
For reviews requiring manual evaluations, be sure to plan for adequate reviewers and review cycles that meet your policy and compliance needs. If review cycles are too frequent, or there are too few reviewers, quality is lost and too many or too few people have access.
What is Microsoft Entra ID Governance?
Microsoft Entra Identity Governance enables you to balance your organization's need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right people have the right access to the right resources. These and related Microsoft Entra ID and Enterprise Mobility + Security features allows you to mitigate access risk by protecting, monitoring, and auditing access to critical assets—while ensuring employee and business partner productivity.
Identity Governance gives organizations the ability to complete tasks across employees, business partners and vendors, and across services and applications both on-premises and in clouds. Specifically, it is intended to help organizations address these four key questions:
- Which users should have access to which resources?
- What are those users doing with that access?
- Are there effective organizational controls for managing access?
- Can auditors verify that the controls are working?
Plan a pilot
We encourage customers to initially pilot access reviews with a small group and target non-critical resources. Piloting can help you adjust processes and communications as needed and increase users’ and reviewers’ ability to meet security and compliance requirements.
In your pilot, we recommend that you:
- Start with reviews where the results are not automatically applied, and you can control the implications.
- Ensure that all users have valid email addresses listed in Microsoft Entra ID and that they receive email communication to take the appropriate action.
- Document any access removed as a part of the pilot in case you need to quickly restore it.
- Monitor audit logs to ensure all events are properly audited.
What resource types can be reviewed?
Once you integrate your organization’s resources with Microsoft Entra ID (such as users, applications, and groups), they can be managed and reviewed.
Typical targets for review include:
- User access to applications integrated with Microsoft Entra ID for single-sign-on (such as SaaS, line-of-business).
- Group membership (synchronized to Microsoft Entra ID, or created in Microsoft Entra ID or Microsoft 365, including Microsoft Teams).
- Access Package that groups resources (groups, apps, and sites) into a single package to manage access.
- Microsoft Entra roles and Azure Resource roles as defined in Privileged Identity Management (PIM).
Who will create and manage access reviews?
The administrative role required to create, manage, or read an Access Review depends on the type of resource being reviewed.
| Resource type | Create and manage access reviews (Creators) | Read Access Review results |
|---|---|---|
| Group or application | Global Administrator | Global administrator |
| User Administrator | Global reader | |
| Identity Governance administrator | User administrator | |
| Privileged Role administrator (only does review for Microsoft Entra assignable groups) | Identity Governance Administrator | |
| Group owner | Privileged Role Administrator | |
| Security reader | ||
| Group owner | ||
| Microsoft Entra role | Global Administrator | |
| Privileged Role Administrator | Global administrator | |
| Global reader | ||
| User administrator | ||
| Privileged Role Administrator | ||
| Security reader | ||
| Azure resource roles | Global Administrator | Global Administrator |
| User Access Administrator | User Access Administrator | |
| Resource Owner | Resource owner | |
| Reader (for the resource) | ||
| Access package | Global Administrator | Global Administrator |
| User Administrator | ||
| Identity Governance Administrator | Global reader | |
| User administrator | ||
| Identity Governance administrator | ||
| Security reader |
Who will review the access to the resource?
The creator of the access review decides at the time of creation who will perform the review. This setting can't be changed once the review is started. Reviewers are represented by three personas:
- Resource Owners, who are the business owners of the resource.
- A set of individually selected delegates, as selected by the access reviews administrator.
- End users who will each self-attest to their need for continued access.
When the administrator creates an Access Review, administrators can choose one or more reviewers. All reviewers can start and carry out a review, choosing to grant users continued access to a resource or removing them.
Components of an access review
Before implementing your access reviews, you should plan the types of reviews relevant to your organization. To do so, you will need to make business decisions about what you want to review and the actions to take based on those reviews.
To create an access review policy, you must have the following information.
- What resource(s) must be reviewed?
- Whose access is being reviewed?
- How often should the review occur?
- Who will perform the review?
- How will they be notified to review?
- What are the timelines to be enforced for review?
- What automatic actions should be enforced based on the review?
- What happens if the reviewer doesn't respond in time?
- What manual actions will be taken as a result based on the review?
- What communications should be sent based on actions taken?
Example Access Review plan
| Component | Value |
|---|---|
| Resources to review | Access to Microsoft Dynamics |
| Review frequency | Monthly |
| Who performs review | Dynamics business group program managers |
| Notification | Email 24 hours prior to review to alias Dynamics-Pms |
| Include encouraging custom message to reviewers to secure their buy-in | |
| Timeline | 48 hours from notification |
| Automatic actions | Remove access from any account that has no interactive sign-in within 90 days by removing the user from the security group dynamics-access |
| Perform actions if not reviewed within timeline | |
| Manual actions | Reviewers perform removals approval prior to automated action if desired |
| Communications | Send internal (member) users who are removed an email explaining they are removed and how to regain access |
Plan access reviews for access packages
Access packages can vastly simplify your governance and Access Review strategy. An Access Package is a bundle of all the resources with the access a user needs to work on a project or perform their task. For example, you might want to create an Access Package that includes all the applications that developers in your organization need, or all applications to which external users should have access. An administrator or delegated Access Package manager then groups the resources (groups or apps) and the roles the users need for those resources.
When creating an Access Package, you can create one or more access policies that set conditions for which users can request an Access Package, what the approval process looks like, and how often a person would have to re-request access. Access reviews are configured while creating or editing an Access Package policy.
Plan access reviews for groups
Besides Access Packages, reviewing group membership is the most effective way of governing access. We recommend that access to resources is assigned via security groups or Microsoft 365 groups, and that users are added to those groups to gain access.
A single group can be granted access to all appropriate resources. You can assign the group access to individual resources, or to an Access Package that groups applications and other resources. With this method, you can review access to the group rather than an individual’s access to each application.
Group membership can be reviewed by:
- Administrators
- Group owners
- Selected users, delegated review capability when the review is created
- Members of the group, attesting for themselves
Group ownership
We recommend that group owners review membership, as they're best situated to know who needs access. Ownership of groups differs with the type of group.
Groups that are created in Microsoft 365 and Microsoft Entra ID have one or more well-defined owners. In most cases, these owners make perfect reviewers for their own groups as they know who should have access. For example, Microsoft Teams uses Microsoft 365 Groups as the underlying authorization model to grant users access to resources that are in SharePoint, Exchange, OneNote, or other Microsoft 365 services. The creator of the team automatically becomes an owner and should be responsible for attesting to the membership of that group.
Groups created manually in the Microsoft Entra admin center portal or via scripting through Microsoft Graph might not necessarily have owners defined. We recommend that you define them either through the admin portal in the group’s “Owners” section or via Graph.
Groups that are synchronized from on-premises Active Directory cannot have an owner in Microsoft Entra ID. When creating an Access Review for them, you should select individuals who are best suited to decide on membership in them.
Note
We recommend defining business policies that define how groups are created to ensure clear group ownership and accountability for regular review of membership.
Review membership of exclusion groups in CA policies
There are times when Conditional Access policies designed to keep your network secure shouldn't apply to all users. For example, a CA policy that only allows users to sign in while on the corporate network might not apply to the sales team, which travels extensively. In that case, the sales team members would be put into a group and that group would be excluded from the CA policy.
Review external users' group memberships
To minimize manual work and associated potential errors, consider using Dynamic Groups to assign group membership based on a user’s attributes. You want to create one or more Dynamic Groups for external users. The internal sponsor can act as a reviewer for membership in the group.
Review access to on-premises groups
Access reviews can't change the group membership of groups that you synchronize from on-premises with Microsoft Entra Connect. This is because the source of authority is on-premises. You can still use access reviews to schedule and maintain regular reviews of on-premises groups. Reviewers will then take action in the on-premises group. This strategy keeps access reviews as the tool for all reviews. You can use the results from an Access Review on on-premises groups and process them further. The data is available in a CSV file or from Microsoft Graph.
Plan access reviews for applications
When you review access to an application, you're reviewing the access for employees and external identities to the information and data within the application. Choose to review an application when you need to know who has access to a specific application, instead of an Access Package or a group.
We recommend you plan reviews for applications in the following scenarios:
- Users are granted direct access to the application (outside of a group or Access Package).
- The application exposes critical or sensitive information.
- The application has specific compliance requirements to which you must attest.
- You suspect inappropriate access.
Reviewers for an application
Access reviews can be for the members of a group or for users who were assigned to an application. Applications in Microsoft Entra ID don't necessarily have an owner, which is why the option for selecting the application owner as a reviewer isn't possible. You can further scope a review to review only guest users assigned to the application, rather than reviewing all access.
Plan review of Microsoft Entra ID and Azure resource roles
Privileged Identity Management (PIM) simplifies how enterprises manage privileged access to resources in Microsoft Entra ID. This keeps the list of privileged roles, both in Microsoft Entra ID and Azure resources, much smaller and increases the overall security of the directory.
Access reviews allow reviewers to attest whether users still need to be in a role. Just like access reviews for Access Packages, reviews for Microsoft Entra roles and Azure resource are integrated into the PIM admin user experience. We recommend you review the following role assignments regularly:
- Global Administrator
- User Administrator
- Privileged Authentication Administrator
- Conditional Access Administrator
- Security Administrator
- All Microsoft 365 and Dynamics Service Administration roles
Deploy access reviews
After you've prepared a strategy and a plan to review access for resources integrated with Microsoft Entra ID, deploy and manage reviews by using the resources below.
Review access packages
To reduce the risk of stale access, administrators can enable periodic reviews of users who have active assignments to an access package. You can create access reviews, perform access reviews for others that are assigned to an Access Package, or perform a self-review of assigned Access Package(s).
Review groups and apps
Employees' and guests' access needs to groups and applications likely change over time. To reduce the risk associated with stale access assignments, administrators can create access reviews for group members or application access.
You can create access reviews for group members or application access, perform access reviews for members of a group or users with access to an application, allow members to review their own access to a group or an application, view access reviews, and take action for on-premises groups with PowerShell.
Review Microsoft Entra roles
To reduce the risk associated with stale role assignments, you should regularly review access of privileged Microsoft Entra roles.
Review Azure resource roles
To reduce the risk associated with stale role assignments, you should regularly review access of privileged Azure resource roles.
Use the access reviews API
The access reviews methods in the Microsoft Graph API are available for both application and user contexts. The scripts running in the application context, the account used to run the API (the service principle) must be granted the “AccessReview.Read.All” permission to query access reviews information.
Popular access reviews tasks to automate using the Graph API for access reviews are:
Create and start an Access Review.
Manually end an Access Review before its scheduled end.
List all running Access Reviews and their status.
See the history of a review series and the decisions and actions taken in each review.
Collect decisions from an Access Review.
Collect decisions from completed reviews where the reviewer took a different decision than what the system recommended.
Note
When creating new Graph API queries for automation, we recommend using the Graph Explorer. You can build and explore your Graph queries before putting them into scripts and code. This can help you quickly iterate your query so that you get exactly the results you're looking for, without changing the code of your script.
Monitor access reviews
Access reviews activities are recorded and available from the Microsoft Entra audit logs. You can filter the audit data on the category, activity type, and date range. Here is a sample query:
| Category | Policy |
|---|---|
| Activity type | Create access review |
| Update access review | |
| Access Review ended | |
| Delete access review | |
| Approve decision | |
| Deny decision | |
| Reset decision | |
| Apply decision | |
| Date range | Seven days |
For more advanced queries and analysis of access reviews, and to track changes and completion of reviews, we recommend you export your Microsoft Entra Audit Logs to Azure Log Analytics or Azure Event Hubs. When logs are stored in Azure Log Analytics, you can use the powerful analytics language and build your own dashboards.
Plan communications
Communication is critical to the success of any new business process. Proactively communicate to users how and when their experience will change and how to gain support if they experience issues.
Communicate changes in accountability: Access Reviews support shifting responsibility of reviewing and acting on continued access to business owners. Decoupling access decisions from IT drives more accurate access decisions. This is a cultural change in resource owners' accountability and responsibility. Proactively communicate this change and ensure resource owners are trained and able to use the insights to make good decisions.
Clearly, IT will want to stay in control for all infrastructure-related access decisions and privileged role assignments.
Customize email communication: When you schedule a review, you nominate users who will perform this review. These reviewers then receive an email notification of new reviews assigned to them, as well as reminders before a review assigned to them expires.
Administrators can choose to send this notification either halfway before the review expires or a day before it expires.
The email sent to reviewers can be customized to include a custom short message that encourages them to act on the review. We recommend you use the additional text to:
- Include a personal message to reviewers, so they understand it is sent by your Compliance or IT department.
- Include a hyperlink or reference to internal information on what the expectations of the review are and additional reference or training material.
- Include a link to instructions on how to perform a self-review of access.
Upon selecting Start review, reviewers will be directed to the MyAccess portal for group and application Access Reviews. The portal gives them an overview of all users who have access to the resource they're reviewing and system recommendations based on last sign-in and access information.
How many licenses must you have?
Your directory needs at least as many Microsoft Entra ID Premium P2 licenses as the number of employees who will be performing the following tasks:
- Member users who are assigned as reviewers
- Member users who perform a self-review
- Member users as group owners who perform an access review
- Member users as application owners who perform an access review
For guest users, licensing needs will depend on the licensing model you’re using. However, the below guest users’ activities are considered Microsoft Entra ID Premium P2 usage:
- Guest users who are assigned as reviewers
- Guest users who perform a self-review
- Guest users as group owners who perform an access review
- Guest users as application owners who perform an access review
Microsoft Entra ID Premium P2 licenses are not required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews.