GOV-03: Conduct Quarterly Privileged Access Reviews
Overview
Privileged roles in Microsoft Entra ID carry significant risk if left unreviewed. This control requires that access reviews for all privileged roles are scheduled on a quarterly cadence, that self-attestation is disabled for the highest-risk roles, and that unreviewed access is automatically removed after 30 days.
The expected state for this control is:
- Access reviews for all privileged roles are scheduled quarterly.
- Self-attestation (users reviewing their own access) is disabled for Global Administrator, Privileged Role Administrator, and Security Administrator.
- Unreviewed access is automatically removed after 30 days.
Access Reviews require Microsoft Entra ID P2 licensing and are part of the Identity Governance suite. This control is manual-only; configuration must be performed in the Entra admin center.
Prerequisites
Required Roles
- Global Administrator - Required for initial setup
- Identity Governance Administrator - Recommended for ongoing management
- User Administrator - For group-based reviews
- Privileged Role Administrator - For role-based reviews
Required Licenses
- Microsoft Entra ID P2 - Required for Access Reviews
- Microsoft Entra ID Governance - Enhanced features (optional)
Required Permissions
- Access to Microsoft Entra admin center
- Permissions to modify the resources being reviewed
Prerequisites Checklist
- Microsoft Entra ID P2 licenses assigned to reviewers
- Groups/applications to be reviewed identified
- Reviewers identified and available
- Review cadence determined
Time Estimate
| Task | Duration |
|---|---|
| Planning and design | 1-2 hours |
| Access review creation | 30-45 minutes per review |
| Reviewer communication | 30 minutes |
| Monitoring and follow-up | Ongoing |
| Initial Setup Total | 3-5 hours |
Step-by-Step Instructions
Step 1: Plan Your Access Review Strategy
Before creating reviews, document your strategy:
| Review Type | Target | Frequency | Reviewers | Action |
|---|---|---|---|---|
| Privileged Roles | All privileged roles (GA, PRA, SA, and others) | Quarterly | Designated governance committee (NOT self) | Remove if no justification; auto-remove after 30 days |
| Sensitive Groups | Finance, HR groups | Quarterly | Group owners | Remove inactive |
| Guest Access | All guests | Quarterly | Sponsors | Remove if inactive 90+ days |
| Application Access | Critical apps | Quarterly | App owners | Remove unused access |
Step 2: Create an Access Review for Groups
- Navigate to Microsoft Entra admin center: https://entra.microsoft.com
- Go to Identity Governance > Access reviews
- Click + New access review
Review Scope Settings
- Select what to review: Choose Teams + Groups
- Review scope: Choose "Select Teams + groups"
- Click + Select groups and choose the groups to review
- Scope: Choose one of:
  - All users - Review all group members
  - Guest users only - Review only external guests
  - Inactive users (on tenant level) only - Users inactive for a specified number of days
Reviewer Settings
- Select reviewers: Choose the reviewer type:
  - Group owner(s) - Recommended for most scenarios
  - Selected user(s) or group(s) - Specific reviewers
  - Users review their own access - Self-attestation
  - Managers of users - Manager-based review
- Specify reviewers: Add backup reviewers
- Specify recurrence of review:
  - Duration (in days): 7-14 days recommended
  - Review recurrence: Weekly, Monthly, Quarterly, Semi-annually, Annually
  - Start date: Select when to begin
  - End: Never, a specific date, or after a number of occurrences
Upon Completion Settings
- Auto apply results to resource: Enable to automatically remove denied access
- If reviewers don't respond: Choose the action:
  - No change - Access unchanged
  - Remove access - Denied by default
  - Approve access - Approved by default
  - Take recommendations - System recommendations applied
- At end of review, send notification to: Add the administrators who should be notified
Advanced Settings
- Enable additional options:
  - Show recommendations - AI-based recommendations for reviewers
  - Require reason on approval - Mandate justification
  - Email notifications - Send reminders
  - Reminders - Enable reminder emails
Step 3: Create an Access Review for Privileged Roles
- Navigate to Identity Governance > Access reviews
- Click + New access review
Role-Specific Configuration
- Select what to review: Choose Privileged Identity Management
- Review type: Select Azure AD roles or Azure resource roles
- Role(s): Select all privileged roles, including at minimum:
  - Global Administrator
  - Privileged Role Administrator
  - Security Administrator
  - Exchange Administrator
  - SharePoint Administrator
  - (Add all other privileged roles in scope)
- Assignment type: Select All assignments to cover both active and PIM-eligible assignments.
- Reviewers: For Global Administrator, Privileged Role Administrator, and Security Administrator, you MUST NOT select "Users review their own access." Self-attestation is prohibited for these roles. Use:
  - Selected user(s) or group(s): designate a governance committee or a peer admin group as reviewers.
- Specify recurrence of review:
  - Review recurrence: Quarterly
  - Duration (in days): Set to 30 days or fewer so that the auto-removal window (see the completion settings below) is enforced within the quarter.
- Under Upon Completion Settings:
  - Auto apply results to resource: Enable
  - If reviewers don't respond: Remove access. This ensures that any unreviewed privileged role assignment is automatically removed when the review period ends (within 30 days).
- Configure the remaining settings as in Step 2.
Step 4: Create an Access Review for Applications
- Navigate to Identity Governance > Access reviews
- Click + New access review
- Select what to review: Choose Applications
- Select application(s): Choose critical applications, for example:
  - Salesforce
  - ServiceNow
  - AWS
  - (Other business-critical apps)
- Configure reviewers and completion actions as above
Step 5: Create a Guest User Access Review
- Navigate to Identity Governance > Access reviews
- Click + New access review
- Select what to review: Choose Teams + Groups
- Review scope: Select All Microsoft 365 groups with guests
- Scope: Select Guest users only
- Configure with these recommended settings:
  - Reviewers: Group owner(s)
  - Duration: 14 days
  - Recurrence: Quarterly
  - If reviewers don't respond: Remove access
  - Show recommendations: Enabled
Step 6: Configure Review Recommendations
Access Reviews can provide AI-powered recommendations:
- Navigate to Identity Governance > Access reviews > Settings
- Enable Show recommendations
- Configure recommendation sources:
  - Last sign-in activity - Recommends removal if there is no recent sign-in
  - Peer analysis - Compares the user to similar users
  - User-to-group affiliation - Recommends based on user attributes
Step 7: Monitor Access Reviews
- Navigate to Identity Governance > Access reviews
- View the Overview dashboard:
  - Reviews in progress
  - Completed reviews
  - Pending reviewer actions
- Click on a specific review to see:
  - Completion percentage
  - Reviewer response breakdown
  - Decisions by outcome
Create Alerts for Overdue Reviews:
- Navigate to Identity Governance > Access reviews > Settings
- Configure notification settings
- Set up email alerts for:
  - Review start
  - Review reminder (at 50% of the duration)
  - Review ending soon (2 days before the end)
Verification Checklist
After setting up Access Reviews, verify the following:
- Access reviews appear in the Identity Governance dashboard
- Reviewers have received notification emails
- Test review with a pilot group before full rollout
- Auto-apply settings are configured correctly
- Backup reviewers are assigned
- Review schedule aligns with compliance requirements
- Reporting and notifications are working
- Decision history is being logged
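To confirm that the expected state from Step 3 actually holds across every review definition (quarterly cadence, no self-attestation, auto-apply with removal of unreviewed access, duration of 30 days or fewer), the following added example, which is not part of this control document or of any Microsoft tooling, evaluates a Graph-shaped list of access review schedule definitions offline. It assumes the Microsoft Graph field names shown (a quarterly review is `absoluteMonthly` with interval 3, and "Remove access" for non-responders is `defaultDecision` = `Deny`) and treats an empty `reviewers` list as "Users review their own access"; the two sample definitions are constructed, not exported from a tenant.

```python
"""Offline GOV-03 checker over Graph-shaped accessReviewScheduleDefinition objects."""
import json

# Constructed sample shaped like GET /identityGovernance/accessReviews/definitions
# (placeholder IDs; not data from a real tenant). Scope is omitted for brevity.
SAMPLE_DEFINITIONS = json.loads("""
[
  {"id": "rev-good", "displayName": "Quarterly GA/PRA/SA review",
   "reviewers": [{"query": "/groups/00000000-0000-0000-0000-000000000001/transitiveMembers",
                  "queryType": "MicrosoftGraph"}],
   "settings": {"instanceDurationInDays": 30, "autoApplyDecisionsEnabled": true,
                "defaultDecisionEnabled": true, "defaultDecision": "Deny",
                "recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 3}}}},
  {"id": "rev-bad", "displayName": "Annual self-review of Exchange admins",
   "reviewers": [],
   "settings": {"instanceDurationInDays": 45, "autoApplyDecisionsEnabled": false,
                "defaultDecisionEnabled": true, "defaultDecision": "None",
                "recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 12}}}}
]
""")

def is_quarterly(settings):
    """Quarterly in Graph terms: an absoluteMonthly pattern with interval 3."""
    pattern = settings.get("recurrence", {}).get("pattern", {})
    return pattern.get("type") == "absoluteMonthly" and pattern.get("interval") == 3

def check_definition(definition):
    """Return the list of GOV-03 findings for one definition (empty list = compliant)."""
    s = definition.get("settings", {})
    findings = []
    if not is_quarterly(s):
        findings.append("recurrence is not quarterly")
    # Assumption: an empty reviewers collection means users review their own access.
    if not definition.get("reviewers"):
        findings.append("self-attestation: no reviewers assigned")
    if s.get("instanceDurationInDays", 0) > 30:
        findings.append("review duration exceeds 30 days")
    if not s.get("autoApplyDecisionsEnabled"):
        findings.append("auto-apply results disabled")
    if not (s.get("defaultDecisionEnabled") and s.get("defaultDecision") == "Deny"):
        findings.append("unreviewed access is not removed (defaultDecision != Deny)")
    return findings

def audit(definitions):
    """Map each definition id to its findings so the result can be reported or asserted on."""
    return {d["id"]: check_definition(d) for d in definitions}

if __name__ == "__main__":
    for review_id, findings in audit(SAMPLE_DEFINITIONS).items():
        print(review_id, "COMPLIANT" if not findings else "; ".join(findings))
```

Replace `SAMPLE_DEFINITIONS` with the `value` array returned by the Graph definitions endpoint to run the same checks against a real tenant export.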
Troubleshooting
Issue: Reviewers Not Receiving Emails
Cause: Email notifications may be blocked or reviewers may not have P2 licenses.
Solution:
- Verify reviewers have Microsoft Entra ID P2 licenses
- Check email spam/junk folders
- Verify reviewer email addresses are correct
- Check Identity Governance > Access reviews > Settings for email configuration
Issue: Recommendations Not Appearing
Cause: Insufficient data or feature not enabled.
Solution:
- Ensure Show recommendations is enabled in the review
- Verify sign-in logs are available (requires 30+ days of data)
- Check that the reviewed users have recent sign-in activity
Issue: Auto-Apply Not Working
Cause: The review may not have completed or settings may be incorrect.
Solution:
- Verify Auto apply results to resource is enabled
- Check that the review has ended (not still in progress)
- Review the audit log for any errors
- Manually apply results if needed from the review dashboard
Issue: Cannot Create Review for Specific Group
Cause: Group type may not support access reviews.
Solution:
- Access reviews support:
  - Microsoft 365 groups
  - Security groups
  - Teams
- Distribution lists are not supported
- Dynamic groups have limited support
Issue: Reviewers See Blank Review
Cause: No users meet the review criteria.
Solution:
- Check the review scope settings
- Verify the group/application has members
- Review the filter criteria (guest only, inactive only, etc.)
Cost Considerations
License Requirements
| Feature | License Required | Cost (approx.) |
|---|---|---|
| Access Reviews | Microsoft Entra ID P2 | $9/user/month |
| Identity Governance | Entra ID Governance add-on | +$7/user/month |
Note: Only reviewers and users being reviewed need P2 licenses.
Licensing Strategy
Option 1: Full P2 for All Users
- Pros: Simple licensing, all features available
- Cons: Higher cost
- Cost: $9/user/month for all users
Option 2: P2 for Privileged Users Only
- Pros: Lower cost
- Cons: Limited to reviewing P2-licensed users
- Cost: $9/month for each privileged user
Option 3: Microsoft Entra ID Governance
- Pros: Advanced lifecycle management, workflows
- Cons: Highest cost
- Cost: P2 ($9) + Governance ($7) = $16/user/month
ROI Calculation
| Metric | Without Access Reviews | With Access Reviews |
|---|---|---|
| Time spent on manual reviews | 40 hours/quarter | 5 hours/quarter |
| Inappropriate access discovered | Low | High |
| Compliance audit preparation | 20 hours | 2 hours |
| License reclamation | Manual | Automated |
Example ROI:
- 500 users, 10 privileged admins needing review
- P2 for 10 admins: $90/month
- Time savings: 35 hours/quarter at $50/hour = $1,750/quarter
- Net savings: $1,660/quarter
Best Practices
- Start small and expand:
  - Begin with privileged role reviews
  - Expand to sensitive groups
  - Add application reviews over time
- Choose appropriate reviewers:
  - Use group/resource owners when possible
  - Designate backup reviewers
  - Avoid reviewer fatigue (limit reviews per person)
- Set reasonable durations:
  - 7-14 days for most reviews
  - 21-30 days for large reviews
  - Send reminders at 50% and 75%
- Use recommendations wisely:
  - Enable recommendations but require justification
  - Train reviewers on how to interpret recommendations
  - Monitor recommendation accuracy
- Automate where safe:
  - Auto-remove guest access after denial
  - Require approval for privileged role renewal
  - Keep manual review for sensitive roles
- Document and communicate:
  - Notify users before their access is reviewed
  - Explain the process to reviewers
  - Archive review results for compliance
Related Controls
- GOV-01: Stale account review
- GOV-02: Account cleanup
- PA-01: Privileged role assignments
- PA-04: Require PIM for All Privileged Roles
Revision History
| Date | Version | Author | Changes |
|---|---|---|---|
| 2025-01-07 | 1.0 | TrueConfig | Initial release |