What is an access review?
An access review is the process of periodically reviewing user permissions and removing unnecessary access to reduce security risks.
Access reviews in Microsoft 365
Microsoft Entra ID (formerly Azure AD) provides automated Access reviews to help IT admins and resource owners manage user access efficiently. These reviews help:
- Identify inactive users who no longer need access.
- Ensure external guests don’t retain unnecessary permissions.
- Validate that employees only have access to what they need for their roles.
- Meet compliance requirements by regularly reviewing access permissions.
How access reviews work
- Define the scope – Select the users, groups, or resources that need to be reviewed.
- Set reviewers – Assign access reviewers (e.g., managers, group owners, or admins).
- Conduct the review – Reviewers approve or remove user access based on necessity.
- Automate actions – Automatically revoke access if users don’t respond within a set time.
- Monitor and audit – Track reviews in logs for compliance reporting.
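The steps above can be expressed as one recurring review definition. This is an added example, not taken from the original page: it assumes the Microsoft Graph PowerShell SDK is installed, and the group ID, display name, durations and dates are constructed placeholders.

```powershell
# Added example: the group ID, names and dates are constructed placeholders.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder group object ID

$definition = @{
    displayName             = "Quarterly guest access review (example)"
    descriptionForReviewers = "Confirm each guest still needs access to this group."
    # Define the scope: guest users who are members of the group
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers/microsoft.graph.user/?`$count=true&`$filter=(userType eq 'Guest')"
        queryType     = "MicrosoftGraph"
    }
    # Set reviewers: the owners of the group
    reviewers = @(
        @{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        instanceDurationInDays          = 14
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true
        # Automate actions: no response counts as Deny, applied when the review ends
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"
        autoApplyDecisionsEnabled       = $true
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }
            range   = @{ type = "noEnd"; startDate = "2025-01-01" }
        }
    }
}
$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition

# Monitor and audit: export the decisions of every review instance
Get-MgIdentityGovernanceAccessReviewDefinitionInstance -AccessReviewScheduleDefinitionId $review.Id -All |
    ForEach-Object {
        Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
            -AccessReviewScheduleDefinitionId $review.Id -AccessReviewInstanceId $_.Id -All
    } |
    Select-Object Decision, ApplyResult, AppliedDateTime, ReviewedDateTime |
    Export-Csv -Path .\access-review-decisions.csv -NoTypeInformation
```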
Access reviews help prevent privilege creep (when users accumulate unnecessary permissions over time) and enhance overall security by enforcing least privilege access.