
Azure Entra ID Groups Access Review using Azure Identity Governance

by Lakindu Jayasena

In today’s cloud-driven world, managing who has access to what within your organization is more critical than ever. Azure Entra ID (formerly Azure Active Directory) offers a robust solution through Access Reviews, a core feature of Azure Identity Governance. In this article, you’ll learn how to perform an Entra ID Group Access Review, why it’s essential for security and compliance, and how to automate the process to maintain proper access control using Azure Identity Governance.

What is an Azure Entra ID Group Access Review?

An Entra ID Group Access Review is a process that enables organizations to regularly audit and validate the members of security groups and Microsoft 365 groups within Azure Entra ID. The goal of access reviews is to ensure that only the right people have access to resources and that access is granted based on business needs.

Access Reviews allow administrators to automate the review process and ensure that all users are reviewed consistently. With Access Reviews, administrators can specify a set of rules and conditions that determine which users should be reviewed and how often.

How Do Entra ID Group Access Reviews Work?

The Access Reviews process starts when an administrator creates a review definition. This definition includes the criteria for selecting users for review, the duration of the review, and the types of access that will be reviewed. For example, an administrator might choose to review all users with access to a specific application or resource, or all users with a certain role or group membership.

Azure Identity Governance

Azure Identity Governance makes it easy to conduct access reviews by providing a user-friendly interface and a set of built-in templates. Administrators can easily create and manage access review campaigns, and they can also customize the templates to fit the specific needs of their organization.

Benefits of Access Reviews with Azure Identity Governance

Performing group access reviews helps to:

  • Reduce security risks by identifying and removing unnecessary access
  • Meet compliance requirements (e.g., ISO 27001, SOC 2, HIPAA)
  • Ensure least privilege access in dynamic environments
  • Automate user lifecycle management for contractors, interns, or temporary staff

License requirements

Your directory needs at least as many Microsoft Entra ID P2 licenses (formerly Azure AD Premium P2) as the number of people who fall into the following categories:

  • Member/Guest users who are assigned as reviewers
  • Member/Guest users who perform a self-review
  • Group/Application owners who perform an access review

How to Set Up an Entra ID Group Access Review

Navigate to Access Reviews

Sign in to the Microsoft Azure portal with an account that has either the Global Administrator or User Administrator role assigned. Then search for “Identity Governance” and open Access Reviews.

Create a New Access Review

Click on “+ New access review” and configure the following:

  • Review Scope: Teams+Groups
  • Group: Select the Entra ID Group you need to review.
  • Scope: Select All Users (This will consider all members inside the group)

Proceed to the next section of the review details, where you’ll need to specify the reviewer and set the review recurrence schedule.

  • Select Reviewers: Choose how you want to assign reviewers from the dropdown menu—you can select the option that best suits your needs.
  • Review duration: Specify how long the review should remain active.
  • Review recurrence: One-time or recurring (weekly, monthly, quarterly)
  • Start date: Select the desired start date for the review.

Note: Since we are simulating an administrator doing a single review, we will select our administrative user and specify a one-time review. The duration can be set to a single day, but it is a good idea to increase this if someone else will be doing the review.

There are additional settings you can configure for this review, such as actions to take upon successful completion (e.g., sending notifications, applying results to resources), and handling scenarios where reviewers do not respond to the review requests.

Finally, provide a Name for the review and create the review.

After you create the access review, it will be scheduled to begin on the selected start date. In this case, since I set the start date to match the review creation date, it became active shortly after creation.
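The same configuration can be expressed as a Microsoft Graph access review definition, which is useful when the review has to be created repeatably for many groups. The script below is an added example, not part of the original walkthrough: it builds the request body for a recurring review with the group's owners as reviewers (rather than the one-time administrator review shown above). The group ID, start date, the default values and the duration guard are assumptions of this example, and the access token is assumed to be obtained separately with the AccessReview.ReadWrite.All permission.

```python
import json
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"

# Portal recurrence choice -> (Graph recurrence pattern, shortest period in days).
RECURRENCE = {
    "weekly": ({"type": "weekly", "interval": 1}, 7),
    "monthly": ({"type": "absoluteMonthly", "interval": 1}, 28),
    "quarterly": ({"type": "absoluteMonthly", "interval": 3}, 84),
}

def build_group_review(name, group_id, start_date, recurrence="quarterly",
                       duration_days=14, auto_apply=True):
    """Build the definition body for a recurring review of all members of one group."""
    pattern, period_days = RECURRENCE[recurrence]
    if not 1 <= duration_days < period_days:
        # Guard added by this example: one instance should close before the next opens.
        raise ValueError(f"duration must be 1..{period_days - 1} days for {recurrence}")
    return {
        "displayName": name,
        "scope": {  # "All users": every direct and nested member of the group
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        # Reviewers: the owners of the group under review.
        "reviewers": [{"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}],
        "settings": {
            "instanceDurationInDays": duration_days,
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            # If reviewers do not respond, access is denied; with auto-apply on this
            # removes members, so pick the default decision deliberately.
            "defaultDecisionEnabled": True,
            "defaultDecision": "Deny",
            "autoApplyDecisionsEnabled": auto_apply,
            "recurrence": {"pattern": pattern,
                           "range": {"type": "noEnd", "startDate": start_date}},
        },
    }

def create_review(body, access_token):
    """POST the definition to Microsoft Graph (needs network access and a valid token)."""
    req = urllib.request.Request(GRAPH_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Calling `build_group_review("Quarterly group review", "<group-object-id>", "2025-01-15")` returns the body to inspect or store in version control before anything is sent with `create_review`.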

Performing an Access Review

Once an Access Review has been created, the Reviewer will be notified through e-mail with a link to the My Access portal.

Once the reviewer begins the review process, they can approve or deny access for members of the targeted group.

After the Access Review is completed (or manually stopped), the results will be automatically applied if the Auto apply results to resource option was enabled. Additionally, an email notification will be sent to the users configured in the previous step.

Best Practices for Entra ID Group Access Reviews

  • Review high-privilege groups first (Global Admins, SharePoint Owners)
  • Use group owners as reviewers for better accuracy
  • Enable email notifications and reminders to ensure timely completion
  • Export review results for compliance and audit trails
  • Combine with Conditional Access policies for tighter control

Conclusion

With Azure Entra ID Identity Governance, organizations can automate the user access review process to ensure consistent and efficient evaluation of user permissions. The Entra ID Group Access Review feature helps maintain a secure, compliant, and well-managed access environment. Start your access reviews today to stay ahead of potential threats and audit requirements.
