What are access reviews?
Also known as
Definition
In Microsoft 365, access doesn't clean itself up. Someone leaves a project but keeps their group membership. A guest gets invited for one initiative and stays for three years. A role gets assigned during a busy quarter and nobody revisits it. Access reviews are the mechanism that catches all of that.
Reviews are scheduled checks where reviewers approve or deny whether access should continue.
tip
A good starting point: quarterly reviews for guest access, annual for low-risk internal workspaces.
Why it matters
Access drifts. Reviews are how you catch it. When people change roles or projects end and guests get invited but are never removed, guess what? None of that gets cleaned up without reviews.
- Migration: Before a migration, reviews help identify which access should move, change, or be removed. After cutover, they catch guests and groups that shouldn't have made the trip.
- Governance & security: Stale access is a risk. Excessive access rights can lead to data exposure, especially when Copilot can surface content based on what people have access to.
- Day-to-day operations: Reviews reduce over-permissioning, cut manual audit work, and put accountability where it belongs, with the owners who know whether access is still needed.
What we see out there
Too broad, no context.
Owners can't answer "is this access still appropriate?" when they don't know what the resource contains or why access was granted. A review that covers too much at once makes that worse. Scope it tight enough that reviewers can actually make a call.
Exceptions that outlive their purpose.
Unique permissions get created for a reason. The project ends, the reason disappears, and the permission stays. Over time those exceptions add up and they're usually the last thing anyone thinks to review.
Frequently asked questions
Who should perform access reviews?
IT can set them up and facilitate them. But the people who should approve or deny access are usually resource owners and business stakeholders; the ones who know whether someone still needs access, not just whether the account exists. The more you can delegate reviews to owners, the more scalable it gets.
What should actually be reviewed?
Start with what's highest risk: external guests, broadly accessible workspaces, sensitive content, and privileged roles. Microsoft Entra access reviews cover group memberships, enterprise app access, and role assignments. SharePoint permissions and sharing links sit outside Entra and need separate visibility. Don't try to review everything at once.
How often should reviews happen?
It depends on risk. Guest access and sensitive workspaces need more frequent reviews—quarterly at minimum. Lower-risk internal workspaces can go longer. Microsoft Entra lets you set weekly, monthly, quarterly, or annual recurrence. Pick the cadence your team can actually sustain.
What evidence should be kept after a review?
Track decisions, removals, exceptions, and follow-up actions. If an exception was made, record why and when it should be revisited. Audit readiness depends on being able to show that access decisions were made intentionally, not just that access exists.


