Sharegate >
Glossary
>
Access reviews

What are access reviews?

Access reviews are recurring checks that confirm whether users, guests, and groups still need the access they have.

Also known as

Entitlement reviews

Definition

In Microsoft 365, access doesn't clean itself up. Someone leaves a project but keeps their group membership. A guest gets invited for one initiative and stays for three years. A role gets assigned during a busy quarter and nobody revisits it. Access reviews are the mechanism that catches all of that.

Reviews are scheduled checks where reviewers approve or deny whether access should continue.

tip

A good starting point: quarterly reviews for guest access, annual for low-risk internal workspaces.

Why it matters

Access drifts. Reviews are how you catch it. When people change roles or projects end and guests get invited but are never removed, guess what? None of that gets cleaned up without reviews.

  • Migration: Before a migration, reviews help identify which access should move, change, or be removed. After cutover, they catch guests and groups that shouldn't have made the trip.
  • Governance & security: Stale access is a risk. Excessive access rights can lead to data exposure, especially when Copilot can surface content based on what people have access to.
  • Day-to-day operations: Reviews reduce over-permissioning, cut manual audit work, and put accountability where it belongs, with the owners who know whether access is still needed.

Access reviews vs. Related terms

Term How it relates to access reviews
Access management Access management is the broader practice—assigning, maintaining, and removing access across Microsoft 365. Access reviews are one recurring control within it.
Entitlement reviews Used interchangeably in identity governance circles. Microsoft uses "access reviews." Both mean the same thing in practice — periodic validation of whether access is still appropriate.
Identity governance Identity governance is the wider discipline—it includes entitlement management, lifecycle workflows, PIM, and access reviews. Reviews are one capability within it
ShareGate field notes:

What we see out there

Too broad, no context.

Owners can't answer "is this access still appropriate?" when they don't know what the resource contains or why access was granted. A review that covers too much at once makes that worse. Scope it tight enough that reviewers can actually make a call.

Exceptions that outlive their purpose.

Unique permissions get created for a reason. The project ends, the reason disappears, and the permission stays. Over time those exceptions add up and they're usually the last thing anyone thinks to review.

Frequently asked questions

Who should perform access reviews?

IT can set them up and facilitate them. But the people who should approve or deny access are usually resource owners and business stakeholders; the ones who know whether someone still needs access, not just whether the account exists. The more you can delegate reviews to owners, the more scalable it gets.

What should actually be reviewed?

Start with what's highest risk: external guests, broadly accessible workspaces, sensitive content, and privileged roles. Microsoft Entra access reviews cover group memberships, enterprise app access, and role assignments. SharePoint permissions and sharing links sit outside Entra and need separate visibility. Don't try to review everything at once.

How often should reviews happen?

It depends on risk. Guest access and sensitive workspaces need more frequent reviews—quarterly at minimum. Lower-risk internal workspaces can go longer. Microsoft Entra lets you set weekly, monthly, quarterly, or annual recurrence. Pick the cadence your team can actually sustain.

What evidence should be kept after a review?

Track decisions, removals, exceptions, and follow-up actions. If an exception was made, record why and when it should be revisited. Audit readiness depends on being able to show that access decisions were made intentionally, not just that access exists.