Access Reviews

Periodically review and certify user access to groups, applications, and roles. Ensure least-privilege access and remove unnecessary permissions.

Review Types

Type	Scope	Frequency
Group membership	Review members of security/M365 groups	Quarterly
Application access	Review users assigned to apps	Semi-annual
Role assignments	Review Azure AD role members	Monthly
Guest access	Review external user access	Quarterly

Review Workflow

Create review — Define scope, reviewers, and schedule
Notify reviewers — Email sent to designated reviewers
Review period — Reviewers approve or deny access
Auto-apply — Denied access automatically removed
Report — Audit trail of decisions

Settings

Auto-apply results — Automatically remove denied access
If reviewer doesn’t respond — Remove access, approve, or no change
Recurrence — One-time, weekly, monthly, quarterly, annual

API Reference

GET /api/security/access-reviews — List access reviews
POST /api/security/access-reviews — Create review

Last updated on February 13, 2026

Information Barriers PIM Roles