GOV-03: Conduct Quarterly Privileged Access Reviews

Overview

Privileged roles in Microsoft Entra ID carry significant risk if left unreviewed. This control requires that access reviews for all privileged roles are scheduled on a quarterly cadence, that self-attestation is disabled for the highest-risk roles, and that unreviewed access is automatically removed after 30 days.

The expected state for this control is:

  • Access reviews for all privileged roles are scheduled quarterly.
  • Self-attestation (users reviewing their own access) is disabled for Global Administrator, Privileged Role Administrator, and Security Administrator.
  • Unreviewed access is automatically removed after 30 days.

Access Reviews require Microsoft Entra ID P2 licensing and are part of the Identity Governance suite. This control is manual-only; configuration must be performed in the Entra admin center.

Prerequisites

Required Roles

  • Global Administrator - Required for initial setup
  • Identity Governance Administrator - Recommended for ongoing management
  • User Administrator - For group-based reviews
  • Privileged Role Administrator - For role-based reviews

Required Licenses

  • Microsoft Entra ID P2 - Required for Access Reviews
  • Microsoft Entra ID Governance - Enhanced features (optional)

Required Permissions

  • Access to Microsoft Entra admin center
  • Permissions to modify the resources being reviewed

Prerequisites Checklist

  • Microsoft Entra ID P2 licenses assigned to reviewers
  • Groups/applications to be reviewed identified
  • Reviewers identified and available
  • Review cadence determined

Time Estimate

| Task | Duration |
|---|---|
| Planning and design | 1-2 hours |
| Access review creation | 30-45 minutes per review |
| Reviewer communication | 30 minutes |
| Monitoring and follow-up | Ongoing |
| Initial Setup Total | 3-5 hours |

Step-by-Step Instructions

Step 1: Plan Your Access Review Strategy

Before creating reviews, document your strategy:

| Review Type | Target | Frequency | Reviewers | Action |
|---|---|---|---|---|
| Privileged Roles | All privileged roles (GA, PRA, SA, and others) | Quarterly | Designated governance committee (NOT self) | Remove if no justification; auto-remove after 30 days |
| Sensitive Groups | Finance, HR groups | Quarterly | Group owners | Remove inactive |
| Guest Access | All guests | Quarterly | Sponsors | Remove if inactive 90+ days |
| Application Access | Critical apps | Quarterly | App owners | Remove unused access |

Step 2: Create an Access Review for Groups

  1. Navigate to Microsoft Entra admin center: https://entra.microsoft.com
  2. Go to Identity Governance > Access reviews
  3. Click + New access review

Review Scope Settings

  1. Select what to review: Choose Teams + Groups
  2. Review scope: Choose the "Select Teams + groups" option
  3. Click + Select groups and choose the groups to review
  4. Scope: Choose one of:
    • All users - Review all group members
    • Guest users only - Review only external guests
    • Inactive users (on tenant level) only - Users inactive for specified days

Reviewer Settings

  1. Select reviewers: Choose reviewer type:
    • Group owner(s) - Recommended for most scenarios
    • Selected user(s) or group(s) - Specific reviewers
    • Users review their own access - Self-attestation
    • Managers of users - Manager-based review
  2. Specify reviewers: Add backup reviewers
  3. Specify recurrence of review:
    • Duration (in days): 7-14 days recommended
    • Review recurrence: Weekly, Monthly, Quarterly, Semi-annually, Annually
    • Start date: Select when to begin
    • End: Never, specific date, or after number of occurrences

Upon Completion Settings

  1. Auto apply results to resource: Enable to automatically remove denied access
  2. If reviewers don't respond: Choose action:
    • No change - Access unchanged
    • Remove access - Denied by default
    • Approve access - Approved by default
    • Take recommendations - System recommendations applied
  3. At end of review, send notification to: Add administrators for notifications

Advanced Settings

  1. Enable additional options:
    • Show recommendations - AI-based recommendations for reviewers
    • Require reason on approval - Mandate justification
    • Email notifications - Send reminders
    • Reminders - Enable reminder emails

Step 3: Create an Access Review for Privileged Roles

  1. Navigate to Identity Governance > Access reviews
  2. Click + New access review

Role-Specific Configuration

  1. Select what to review: Choose Privileged Identity Management

  2. Review type: Select Azure AD roles or Azure resource roles

  3. Role(s): Select all privileged roles, including at minimum:

    • Global Administrator
    • Privileged Role Administrator
    • Security Administrator
    • Exchange Administrator
    • SharePoint Administrator
    • (Add all other privileged roles in scope)
  4. Assignment type: Select All assignments to cover both active and PIM-eligible assignments.
  5. Reviewers: For Global Administrator, Privileged Role Administrator, and Security Administrator, you MUST NOT select "Users review their own access." Self-attestation is prohibited for these roles. Use:
    • Selected user(s) or group(s) -- designate a governance committee or a peer admin group as reviewers.
  6. Specify recurrence of review:
    • Review recurrence: Quarterly
    • Duration (in days): Set to 30 days or fewer so the auto-removal window (step 7) is enforced within the quarter.
  7. Under Upon Completion Settings:
    • Auto apply results to resource: Enable
    • If reviewers don't respond: Remove access -- this ensures that any unreviewed privileged role assignment is automatically removed after the review period ends (within 30 days).
  8. Configure remaining settings as in Step 2.
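The three expected-state conditions from the Overview (quarterly cadence, no self-attestation for Global Administrator, Privileged Role Administrator and Security Administrator, and automatic removal of unreviewed access within 30 days) are set by hand in Steps 2 and 3, so it is worth re-checking them against the review definitions the tenant actually holds. The Python script below is an added example, not part of this control document or of Microsoft's tooling. It evaluates objects shaped like the Microsoft Graph accessReviewScheduleDefinition resource (the value array returned by GET /identityGovernance/accessReviews/definitions) against GOV-03, using a constructed sample instead of a live call. The field names, the mapping of the portal's "Quarterly" to a monthly pattern with interval 3, the reading of an empty reviewers collection as "Users review their own access", and the role template IDs are assumptions to confirm against your own tenant.

```python
"""GOV-03 policy check over Entra access review definitions (added example)."""
from __future__ import annotations

import re
from typing import Any

# Well-known directory role template IDs for the roles that must never be
# self-attested. Assumption: confirm them via GET /directoryRoleTemplates.
NO_SELF_ATTEST_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
    "194ae4cb-b126-40b2-bd5b-6091b380977d": "Security Administrator",
}
GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
MAX_DURATION_DAYS = 30  # "Unreviewed access is automatically removed after 30 days"


def _strings(obj: Any):
    """Yield every string nested anywhere inside a JSON-like object."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)


def roles_in_scope(defn: dict) -> set[str]:
    """Role template IDs referenced anywhere in the definition's scope."""
    return {g.lower() for s in _strings(defn.get("scope", {})) for g in GUID.findall(s)}


def is_quarterly(settings: dict) -> bool:
    """Assumption: the portal's 'Quarterly' is stored as absoluteMonthly, interval 3."""
    pattern = settings.get("recurrence", {}).get("pattern", {})
    return pattern.get("type") == "absoluteMonthly" and pattern.get("interval") == 3


def check_definition(defn: dict) -> list[str]:
    """Return GOV-03 findings for one definition; an empty list means compliant."""
    findings: list[str] = []
    settings = defn.get("settings", {})
    if not is_quarterly(settings):
        findings.append("recurrence is not quarterly")
    guarded = sorted(NO_SELF_ATTEST_ROLES[r] for r in roles_in_scope(defn)
                     if r in NO_SELF_ATTEST_ROLES)
    # Assumption: an empty reviewers collection means "Users review their own access".
    if guarded and not defn.get("reviewers"):
        findings.append("self-attestation enabled for " + ", ".join(guarded))
    if not settings.get("autoApplyDecisionsEnabled"):
        findings.append("auto-apply results disabled")
    if not (settings.get("defaultDecisionEnabled") and settings.get("defaultDecision") == "Deny"):
        findings.append("'If reviewers don't respond' is not set to Remove access")
    if settings.get("instanceDurationInDays", 0) > MAX_DURATION_DAYS:
        findings.append(f"duration exceeds {MAX_DURATION_DAYS} days")
    return findings


def check_all(definitions: list[dict]) -> dict[str, list[str]]:
    """Findings keyed by review display name."""
    return {d["displayName"]: check_definition(d) for d in definitions}


def uncovered_roles(definitions: list[dict]) -> set[str]:
    """Guarded roles that no definition's scope references at all."""
    covered = set().union(*(roles_in_scope(d) for d in definitions))
    return {name for rid, name in NO_SELF_ATTEST_ROLES.items() if rid not in covered}


def _role_scope(role_id: str) -> dict:
    """Constructed accessReviewQueryScope selecting one directory role's assignments."""
    return {
        "@odata.type": "#microsoft.graph.accessReviewQueryScope",
        "query": "/roleManagement/directory/roleAssignmentScheduleInstances"
                 f"?$filter=roleDefinitionId eq '{role_id}'",
        "queryType": "MicrosoftGraph",
    }


# Constructed sample, not from a real tenant: one misconfigured and one compliant review.
SAMPLE_DEFINITIONS = [
    {
        "displayName": "GA review (misconfigured)",
        "scope": _role_scope("62e90394-69f5-4237-9190-012177145e10"),
        "reviewers": [],  # self-review
        "settings": {
            "instanceDurationInDays": 45,
            "recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 1}},
            "autoApplyDecisionsEnabled": True,
            "defaultDecisionEnabled": True,
            "defaultDecision": "None",
        },
    },
    {
        "displayName": "PRA review (compliant)",
        "scope": _role_scope("e8611ab8-c189-46e8-94e1-60213ab1f814"),
        "reviewers": [{"query": "/groups/<governance-committee-group-id>/transitiveMembers",
                       "queryType": "MicrosoftGraph"}],
        "settings": {
            "instanceDurationInDays": 14,
            "recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 3}},
            "autoApplyDecisionsEnabled": True,
            "defaultDecisionEnabled": True,
            "defaultDecision": "Deny",
        },
    },
]

if __name__ == "__main__":
    for name, findings in check_all(SAMPLE_DEFINITIONS).items():
        print(name, "->", findings or "compliant")
    print("guarded roles with no review:", uncovered_roles(SAMPLE_DEFINITIONS))
```

On the sample, the GA review produces four findings (cadence, self-attestation, default decision, duration) while the PRA review passes, and Security Administrator is reported as having no review at all. Definitions that cover other privileged roles are still checked for cadence, duration and auto-removal; only the self-attestation test is limited to the three guarded roles.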

Step 4: Create an Access Review for Applications

  1. Navigate to Identity Governance > Access reviews
  2. Click + New access review
  3. Select what to review: Choose Applications
  4. Select application(s): Choose critical applications:
    • Salesforce
    • ServiceNow
    • AWS
    • (Other business-critical apps)
  5. Configure reviewers and completion actions as above

Step 5: Create a Guest User Access Review

  1. Navigate to Identity Governance > Access reviews
  2. Click + New access review
  3. Select what to review: Choose Teams + Groups
  4. Review scope: Select All Microsoft 365 groups with guests
  5. Scope: Select Guest users only
  6. Configure with these recommended settings:
    • Reviewers: Group owner(s)
    • Duration: 14 days
    • Recurrence: Quarterly
    • If reviewers don't respond: Remove access
    • Show recommendations: Enabled

Step 6: Configure Review Recommendations

Access Reviews can provide AI-powered recommendations:

  1. Navigate to Identity Governance > Access reviews > Settings
  2. Enable Show recommendations
  3. Configure recommendation sources:
    • Last sign-in activity - Recommends removal if no recent sign-in
    • Peer analysis - Compares to similar users
    • User-to-group affiliation - Recommends based on attributes

Step 7: Monitor Access Reviews

  1. Navigate to Identity Governance > Access reviews
  2. View the Overview dashboard:
    • Reviews in progress
    • Completed reviews
    • Pending reviewer actions
  3. Click on a specific review to see:
    • Completion percentage
    • Reviewer response breakdown
    • Decisions by outcome

Create Alerts for Overdue Reviews:

  1. Navigate to Identity Governance > Access reviews > Settings
  2. Configure notification settings
  3. Set up email alerts for:
    • Review start
    • Review reminder (at 50% duration)
    • Review ending soon (2 days before end)
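The dashboard and the built-in emails cover most monitoring needs, but a team that already ships alerts to a ticketing or SIEM pipeline may want the same three trigger points (50% of the duration elapsed, 2 days before the end, and reviews that ended without every decision being made) computed from the review data directly. The following Python script is an added example, not part of this control document or of Microsoft's tooling. It works on objects shaped like the Graph accessReviewInstance resource (GET /identityGovernance/accessReviews/definitions/{id}/instances) with each instance's decision items (the separate .../instances/{id}/decisions call) merged in under a constructed "decisions" key; the status and decision values are assumptions modelled on that API, and the sample data is constructed.

```python
"""Triage Entra access review instances for reminders and overdue reviews (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

REMINDER_FRACTION = 0.5          # "Review reminder (at 50% duration)"
ENDING_SOON = timedelta(days=2)  # "Review ending soon (2 days before end)"


def _parse(ts: str) -> datetime:
    """Graph returns ISO 8601 UTC timestamps with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage_instance(instance: dict, now: datetime) -> dict:
    """Progress, unreviewed principals and alert flags for one review instance."""
    start, end = _parse(instance["startDateTime"]), _parse(instance["endDateTime"])
    progress = max(0.0, min(1.0, (now - start) / (end - start)))
    # Assumption: untouched assignments carry the decision value "NotReviewed".
    unreviewed = [d["principal"]["displayName"]
                  for d in instance.get("decisions", []) if d.get("decision") == "NotReviewed"]
    alerts: list[str] = []
    if instance.get("status") == "InProgress":  # assumption: Graph status value
        if now > end:
            alerts.append("overdue")        # window closed, review never completed
        elif end - now <= ENDING_SOON:
            alerts.append("ending_soon")
        elif progress >= REMINDER_FRACTION:
            alerts.append("reminder_due")
    return {"status": instance.get("status"), "progress": round(progress, 2),
            "unreviewed": unreviewed, "alerts": alerts}


def triage(instances: list[dict], now: datetime) -> dict[str, dict]:
    """Triage results keyed by instance id."""
    return {i["id"]: triage_instance(i, now) for i in instances}


def _decision(name: str, decision: str) -> dict:
    """Constructed decision item with only the fields the triage reads."""
    return {"principal": {"displayName": name}, "decision": decision}


# Constructed sample, evaluated at a fixed point in time so the output is reproducible.
NOW = datetime(2025, 1, 21, 12, 0, tzinfo=timezone.utc)
SAMPLE_INSTANCES = [
    {"id": "inst-a", "status": "InProgress",
     "startDateTime": "2025-01-07T00:00:00Z", "endDateTime": "2025-01-21T00:00:00Z",
     "decisions": [_decision("alice", "NotReviewed"), _decision("bob", "NotReviewed"),
                   _decision("carol", "Approve")]},
    {"id": "inst-b", "status": "InProgress",
     "startDateTime": "2025-01-14T00:00:00Z", "endDateTime": "2025-01-28T00:00:00Z",
     "decisions": [_decision("dave", "NotReviewed")]},
    {"id": "inst-c", "status": "InProgress",
     "startDateTime": "2025-01-20T00:00:00Z", "endDateTime": "2025-01-23T00:00:00Z",
     "decisions": [_decision("erin", "Approve")]},
    {"id": "inst-d", "status": "Completed",
     "startDateTime": "2024-10-01T00:00:00Z", "endDateTime": "2024-10-15T00:00:00Z",
     "decisions": [_decision("frank", "Deny")]},
]

if __name__ == "__main__":
    for instance_id, result in triage(SAMPLE_INSTANCES, NOW).items():
        print(instance_id, result)
```

With the sample, inst-a is flagged overdue with two principals still unreviewed (the ones that "Remove access" will act on when results are applied), inst-b is past the 50% mark, inst-c ends within two days, and the completed inst-d raises nothing. Replace NOW with `datetime.now(timezone.utc)` when running against live data.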

Verification Checklist

After setting up Access Reviews, verify the following:

  • Access reviews appear in the Identity Governance dashboard
  • Reviewers have received notification emails
  • Test review with a pilot group before full rollout
  • Auto-apply settings are configured correctly
  • Backup reviewers are assigned
  • Review schedule aligns with compliance requirements
  • Reporting and notifications are working
  • Decision history is being logged

Troubleshooting

Issue: Reviewers Not Receiving Emails

Cause: Email notifications may be blocked or reviewers may not have P2 licenses.

Solution:

  1. Verify reviewers have Microsoft Entra ID P2 licenses
  2. Check email spam/junk folders
  3. Verify reviewer email addresses are correct
  4. Check Identity Governance > Access reviews > Settings for email configuration

Issue: Recommendations Not Appearing

Cause: Insufficient data or feature not enabled.

Solution:

  1. Ensure Show recommendations is enabled in the review
  2. Verify sign-in logs are available (requires 30+ days of data)
  3. Check that the reviewed users have recent sign-in activity

Issue: Auto-Apply Not Working

Cause: The review may not have completed or settings may be incorrect.

Solution:

  1. Verify Auto apply results to resource is enabled
  2. Check that the review has ended (not still in progress)
  3. Review the audit log for any errors
  4. Manually apply results if needed from the review dashboard

Issue: Cannot Create Review for Specific Group

Cause: Group type may not support access reviews.

Solution:

  1. Access reviews support:
    • Microsoft 365 groups
    • Security groups
    • Teams
  2. Distribution lists are not supported
  3. Dynamic groups have limited support

Issue: Reviewers See Blank Review

Cause: No users meet the review criteria.

Solution:

  1. Check the review scope settings
  2. Verify the group/application has members
  3. Review the filter criteria (guest only, inactive only, etc.)

Cost Considerations

License Requirements

| Feature | License Required | Cost (approx.) |
|---|---|---|
| Access Reviews | Microsoft Entra ID P2 | $9/user/month |
| Identity Governance | Entra ID Governance add-on | +$7/user/month |

Note: Only reviewers and users being reviewed need P2 licenses.

Licensing Strategy

Option 1: Full P2 for All Users

  • Pros: Simple licensing, all features available
  • Cons: Higher cost
  • Cost: $9/user/month for all users

Option 2: P2 for Privileged Users Only

  • Pros: Lower cost
  • Cons: Limited to reviewing P2-licensed users
  • Cost: $9/month for each privileged user

Option 3: Microsoft Entra ID Governance

  • Pros: Advanced lifecycle management, workflows
  • Cons: Highest cost
  • Cost: P2 ($9) + Governance ($7) = $16/user/month

ROI Calculation

| Metric | Without Access Reviews | With Access Reviews |
|---|---|---|
| Time spent on manual reviews | 40 hours/quarter | 5 hours/quarter |
| Inappropriate access discovered | Low | High |
| Compliance audit preparation | 20 hours | 2 hours |
| License reclamation | Manual | Automated |

Example ROI:

  • 500 users, 10 privileged admins needing review
  • P2 for 10 admins: $90/month
  • Time savings: 35 hours/quarter at $50/hour = $1,750/quarter
  • Net savings: $1,660/quarter

Best Practices

  1. Start small and expand:
    • Begin with privileged role reviews
    • Expand to sensitive groups
    • Add application reviews over time
  2. Choose appropriate reviewers:
    • Use group/resource owners when possible
    • Designate backup reviewers
    • Avoid reviewer fatigue (limit reviews per person)
  3. Set reasonable durations:
    • 7-14 days for most reviews
    • 21-30 days for large reviews
    • Send reminders at 50% and 75%
  4. Use recommendations wisely:
    • Enable recommendations but require justification
    • Train reviewers on how to interpret recommendations
    • Monitor recommendation accuracy
  5. Automate where safe:
    • Auto-remove guest access after denial
    • Require approval for privileged role renewal
    • Keep manual review for sensitive roles
  6. Document and communicate:
    • Notify users before their access is reviewed
    • Explain the process to reviewers
    • Archive review results for compliance

Related Controls

  • GOV-01: Stale account review
  • GOV-02: Account cleanup
  • PA-01: Privileged role assignments
  • PA-04: Require PIM for All Privileged Roles

Revision History

| Date | Version | Author | Changes |
|---|---|---|---|
| 2025-01-07 | 1.0 | TrueConfig | Initial release |