
Submitted URL: https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Effective URL: https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

WHAT ARE ACCESS REVIEWS?

 * Article
 * 05/10/2023
 * 17 contributors


Access reviews in Azure Active Directory (Azure AD), part of Microsoft Entra,
enable organizations to efficiently manage group memberships, access to
enterprise applications, and role assignments. Users' access can be reviewed
regularly to make sure only the right people have continued access.


WHY ARE ACCESS REVIEWS IMPORTANT?

Azure AD enables you to collaborate with users from inside your organization and
with external users. Users can join groups, invite guests, connect to cloud
apps, and work remotely from their work or personal devices. The convenience of
using self-service has led to a need for better access management capabilities.

 * As new employees join, how do you ensure they have the access they need to be
   productive?
 * As people move teams or leave the company, how do you make sure that their
   old access is removed?
 * Excessive access rights can lead to compromises.
 * Excessive access rights may also lead to audit findings, as they indicate a
   lack of control over access.
 * You have to proactively engage with resource owners to ensure they regularly
   review who has access to their resources.


WHEN SHOULD YOU USE ACCESS REVIEWS?

 * Too many users in privileged roles: It's a good idea to check how many users
   have administrative access, how many of them are Global Administrators, and
   if there are any invited guests or partners that haven't been removed after
   being assigned to do an administrative task. You can recertify the role
   assignments of users in Azure AD roles such as Global Administrators, or
   Azure resource roles such as User Access Administrator, in the Microsoft
   Entra Privileged Identity Management (PIM) experience.
 * When automation is not possible: You can create rules for dynamic membership
   on security groups or Microsoft 365 Groups, but what if the HR data is not in
   Azure AD or if users still need access after leaving the group to train their
   replacement? You can then create a review on that group to ensure that those
   who still need access keep it.
 * When a group is used for a new purpose: If you have a group that is going to
   be synced to Azure AD, or if you plan to enable the application Salesforce
   for everyone in the Sales team group, it would be useful to ask the group
   owner to review the group membership prior to the group being used in a
   different risk context.
 * Business critical data access: for certain resources, such as business
   critical applications, it might be required as part of compliance processes
   to ask people to regularly reconfirm and give a justification on why they
   need continued access.
 * To maintain a policy's exception list: In an ideal world, all users would
   follow the access policies to secure access to your organization's resources.
   However, sometimes there are business cases that require you to make
   exceptions. As the IT admin, you can manage this task, avoid oversight of
   policy exceptions, and provide auditors with proof that these exceptions are
   reviewed regularly.
 * Ask group owners to confirm they still need guests in their groups: Employee
   access might be automated with some on-premises Identity and Access
   Management (IAM), but not invited guests. If a group gives guests access to
   business sensitive content, then it's the group owner's responsibility to
   confirm the guests still have a legitimate business need for access.
 * Have reviews recur periodically: You can set up recurring access reviews of
   users at set frequencies such as weekly, monthly, quarterly or annually, and
   the reviewers will be notified at the start of each review. Reviewers can
   approve or deny access with a friendly interface and with the help of smart
   recommendations.

Note

If you are ready to try access reviews, take a look at Create an access review
of groups or applications.


WHERE DO YOU CREATE REVIEWS?

Depending on what you want to review, you'll either create your access review in
access reviews, Azure AD enterprise apps (in preview), PIM, or entitlement
management.

Access rights of users | Reviewers can be | Review created in | Reviewer experience
---------------------- | ---------------- | ----------------- | -------------------
Security group members; Office group members | Specified reviewers; Group owners; Self-review | access reviews; Azure AD groups | Access panel
Assigned to a connected app | Specified reviewers; Self-review | access reviews; Azure AD enterprise apps (in preview) | Access panel
Azure AD role | Specified reviewers; Self-review | PIM | Azure portal
Azure resource role | Specified reviewers; Self-review | PIM | Azure portal
Access package assignments | Specified reviewers; Group members; Self-review | entitlement management | Access panel


LICENSE REQUIREMENTS

Using this feature requires Azure AD Premium P2 licenses. To find the right
license for your requirements, see Compare generally available features of Azure
AD.


NEXT STEPS

 * Prepare for an access review of users' access to an application
 * Create an access review of groups or applications
 * Create an access review of users in an Azure AD administrative role
 * Review access to groups or applications
 * Complete an access review of groups or applications





