GOV-03: Conduct Quarterly Privileged Access Reviews

Frequently asked questions about implementing and managing the GOV-03 security control in Microsoft 365 and Entra ID.

Q
What is GOV-03 (Conduct Quarterly Privileged Access Reviews)?
A

GOV-03 is a security control that addresses the tendency of users to accumulate, over time, privileges they no longer need. Access reviews force managers to justify each privileged assignment, preventing privilege creep and reducing risk from over-entitled accounts. The control requires that access reviews for all privileged roles are scheduled quarterly, that self-attestation is disabled for Global Admin and other high-privilege roles, and that unreviewed access is automatically removed after 30 days.

Related controls: GOV-03
Q
Why is Conduct Quarterly Privileged Access Reviews important for Microsoft 365 security?
A

Over time, users accumulate privileges they no longer need. Access reviews force managers to justify each privileged assignment, preventing privilege creep and reducing risk from over-entitled accounts.

Related controls: GOV-03
Q
How do I implement GOV-03 in my tenant?
A

GOV-03 requires manual implementation: the access reviews must be configured in Entra ID Governance.

Related controls: GOV-03
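Once the reviews are configured, the settings can be checked against the GOV-03 requirements. The following is an added example, not part of the original FAQ or any vendor tooling: it audits access review definitions shaped like Microsoft Graph `accessReviewScheduleDefinition` objects. The two sample definitions are constructed, the identifiers in them are placeholders, and mapping the 30-day limit to `instanceDurationInDays` is an assumption.

```python
def gov03_findings(definition):
    """Return the list of GOV-03 gaps for one access review definition (dict)."""
    findings = []
    settings = definition.get("settings") or {}
    pattern = (settings.get("recurrence") or {}).get("pattern") or {}
    # Quarterly is expressed in Graph as a monthly pattern with interval 3.
    if pattern.get("type") != "absoluteMonthly" or pattern.get("interval") != 3:
        findings.append("recurrence is not quarterly")
    # In Graph, an empty or missing reviewers list means users review themselves.
    if not definition.get("reviewers"):
        findings.append("self-attestation: no reviewers defined")
    # Unreviewed access is only removed if the no-response default is Deny
    # and decisions are applied automatically when the review ends.
    if not settings.get("defaultDecisionEnabled") or settings.get("defaultDecision") != "Deny":
        findings.append("no-response default is not Deny")
    if not settings.get("autoApplyDecisionsEnabled"):
        findings.append("decisions are not auto-applied")
    # Assumption: the 30-day limit maps to the review instance duration.
    duration = settings.get("instanceDurationInDays")
    if not isinstance(duration, int) or duration > 30:
        findings.append("review window exceeds 30 days")
    return findings

# Constructed sample definitions; ids are placeholders, not real objects.
COMPLIANT = {
    "displayName": "Global Admin quarterly review",
    "reviewers": [{"query": "/users/<reviewer-object-id>", "queryType": "MicrosoftGraph"}],
    "settings": {
        "defaultDecisionEnabled": True, "defaultDecision": "Deny",
        "autoApplyDecisionsEnabled": True, "instanceDurationInDays": 30,
        "recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 3}},
    },
}
WEAK = {
    "displayName": "Exchange Admin semi-annual self-review",
    "reviewers": [],
    "settings": {
        "defaultDecisionEnabled": False, "defaultDecision": "None",
        "autoApplyDecisionsEnabled": False, "instanceDurationInDays": 45,
        "recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 6}},
    },
}

def audit(definitions):
    """Map each definition's display name to its GOV-03 gaps."""
    return {d["displayName"]: gov03_findings(d) for d in definitions}

if __name__ == "__main__":
    for name, gaps in audit([COMPLIANT, WEAK]).items():
        print(name, "->", gaps or "meets GOV-03")
```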
Q
What license do I need for GOV-03?
A

This control requires Azure AD Premium P2 (included in Microsoft 365 E5) or standalone P2.

Related controls: GOV-03
Q
Which security baseline includes GOV-03?
A

GOV-03 is included in the Enhanced Security baseline (Level 2). This level adds stricter controls for security-conscious organizations.

Related controls: GOV-03
