learn.microsoft.com
2a02:26f0:280:19f::3544  Public Scan

Submitted URL: https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Effective URL: https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-overview
Submission: On March 12 via api from US — Scanned from DE

Text Content



WHAT ARE ACCESS REVIEWS?

 * Article
 * 10/23/2023
 * 25 contributors




IN THIS ARTICLE

    
 1. Why are access reviews important?
    
 2. When should you use access reviews?
    
 3. Where do you create reviews?
    
 4. License requirements
    
 5. Next steps
    

Access reviews in Microsoft Entra ID, part of Microsoft Entra, enable
organizations to efficiently manage group memberships, access to enterprise
applications, and role assignments. Users' access can be reviewed regularly to
make sure only the right people have continued access.


WHY ARE ACCESS REVIEWS IMPORTANT?

Microsoft Entra ID enables you to collaborate with users from inside your
organization and with external users. Users can join groups, invite guests,
connect to cloud apps, and work remotely from their work or personal devices.
The convenience of using self-service has led to a need for better access
management capabilities.

 * As new employees join, how do you ensure they have the access they need to be
   productive?
 * As people move teams or leave the company, how do you make sure that their
   old access is removed?
 * Excessive access rights can lead to compromises.
 * Excessive access rights may also lead to audit findings, as they indicate a
   lack of control over access.
 * You have to proactively engage with resource owners to ensure they regularly
   review who has access to their resources.


WHEN SHOULD YOU USE ACCESS REVIEWS?

 * Too many users in privileged roles: It's a good idea to check how many users
   have administrative access, how many of them are Global Administrators, and
   if there are any invited guests or partners that haven't been removed after
   being assigned to do an administrative task. You can recertify the role
   assignments of users in Microsoft Entra roles such as Global Administrators, or
   Azure resources roles such as User Access Administrator in the Microsoft
   Entra Privileged Identity Management (PIM) experience.
 * When automation is not possible: You can create rules for dynamic membership
   on security groups or Microsoft 365 Groups, but what if the HR data isn't in
   Microsoft Entra ID or if users still need access after leaving the group to
   train their replacement? You can then create a review on that group to ensure
   that those who still need access have continued access.
 * When a group is used for a new purpose: If you have a group that is going to
   be synced to Microsoft Entra ID, or if you plan to enable the application
   Salesforce for everyone in the Sales team group, it would be useful to ask
   the group owner to review the group membership prior to the group being used
   in a different risk context.
 * Business critical data access: For certain resources, such as business
   critical applications, it might be required as part of compliance processes
   to ask people to regularly reconfirm and give a justification on why they
   need continued access.
 * To maintain a policy's exception list: In an ideal world, all users would
   follow the access policies to secure access to your organization's resources.
   However, sometimes there are business cases that require you to make
   exceptions. As the IT admin, you can manage this task, avoid oversight of
   policy exceptions, and provide auditors with proof that these exceptions are
   reviewed regularly.
 * Ask group owners to confirm they still need guests in their groups: Employee
   access might be automated with other identity and access management features
   such as lifecycle workflows based on data from an HR source, but not invited
   guests. If a group gives guests access to business sensitive content, then
   it's the group owner's responsibility to confirm the guests still have a
   legitimate business need for access.
 * Have reviews recur periodically: You can set up recurring access reviews of
   users at set frequencies such as weekly, monthly, quarterly or annually, and
   the reviewers are notified at the start of each review. Reviewers can approve
   or deny access with a friendly interface and with the help of smart
   recommendations.

Note

If you are ready to try access reviews, take a look at Create an access review
of groups or applications.


WHERE DO YOU CREATE REVIEWS?

Depending on what you want to review, you'll either create your access review in
access reviews, Microsoft Entra enterprise apps, PIM, or entitlement management.

| Access rights of users | Reviewers can be | Review created in | Reviewer experience |
|------------------------|------------------|-------------------|---------------------|
| Security group members; Office group members | Specified reviewers; Group owners; Self-review | access reviews; Microsoft Entra groups | Access panel |
| Assigned to a connected app | Specified reviewers; Self-review | access reviews; Microsoft Entra enterprise apps | Access panel |
| Microsoft Entra role | Specified reviewers; Self-review | PIM | Microsoft Entra Admin Center |
| Azure resource role | Specified reviewers; Self-review | PIM | Microsoft Entra Admin Center |
| Access package assignments | Specified reviewers; Group members; Self-review | entitlement management | Access panel |


LICENSE REQUIREMENTS

Using this feature requires Microsoft Entra ID Governance subscriptions for your
organization's users. Some capabilities within this feature may operate with a
Microsoft Entra ID P2 subscription; see the articles for each capability for more
details. To find the right license for your requirements, see Microsoft Entra ID
Governance licensing fundamentals.

Note

Creating a review on inactive users and with user-to-group affiliation
recommendations requires a Microsoft Entra ID Governance license.


NEXT STEPS

 * Prepare for an access review of users' access to an application
 * Create an access review of groups or applications
 * Create an access review of users in a Microsoft Entra administrative role
 * Review access to groups or applications
 * Complete an access review of groups or applications
