How to Manage Access Reviews within Microsoft 365

Cloud security

 

In this article, I’m going to show you how to audit security in Microsoft 365 with Access Reviews in Azure Active Directory (AAD). I’ll show you how to set up and run Access Reviews from the Azure management portal and using the Microsoft Graph and PowerShell.

Azure Active Directory enables core collaboration with users both inside and outside the organization. Users can join groups, teams, invite guests, connect to specific cloud applications, use work or personal devices, and work anywhere. It is straightforward to allow anyone to be part of the organization and work within the Microsoft 365 tenant. However, the downside to this is the assignment of correct permissions and managing them when they need revoking or modifying.

Luckily Microsoft 365, and specifically Azure Active Directory, provides the ability to review assigned permissions. The best part of this is that it is not down to the IT Administrators to confirm the access is correct; it can be done directly by the specified user or a manager of the resource’s owner. The feature is called “Access Reviews” and it is part of the overall “Identity Governance” features of Microsoft 365.

Access reviews require the Azure Active Directory Premium Plan 2 license, though not for everyone. The directory needs at least as many Azure Active Directory Premium Plan 2 licenses as the number of employees set as reviewers, performing self-reviews, are a group owner performing an access review, or are application owners conducting an access review.

When assigning guests as reviewers, having them complete a self-review for themselves, or conducting an access review for groups or applications owned, they require Azure Active Directory Premium Plan 2 licenses. For users assigned to the Global Administrator or User Administrator roles, licenses do not need assigning.

Create and perform an access review for users

To begin an Access review, you must be assigned one of the following roles:

  • Global administrator
  • User administrator
  • Identity Governance Administrator
  • Privileged Role Administrator
  • Microsoft 365 or Azure Active Directory Security Group owner of the group to be reviewed

To get started, navigate to the Access review management portal, which you find within any Microsoft 365 administrative center, but within the Azure administrative portal.

Within “Access reviews,” click the “Access reviews” link. You may need to wait a few seconds or longer while it tries to load any existing reviews.

Navigate to the management portal

 

Once any existing access reviews load, you can then click “New access review.” The first task is to define the type of access review from the dropdown options.

Define the type of report from the dropdown options

 

The “Teams and Groups” option focuses on security groups and Microsoft 365 groups and teams membership. The “Application” option targets the assigned users for the specified applications, including guest users. 

Within the “Teams and Groups” option, you can select either “All Microsoft 365 groups with guest users” or “Select Teams and groups.”

The “All Microsoft 365 groups with guest users” option allows the creation of periodic reviews on all guest users across all your Microsoft Teams and Microsoft 365 groups in your organization. The “Select teams and groups” option allows a finite set of teams or groups to perform reviews. Using the “Select teams and groups” option, you choose the groups to review directly from Azure Active Directory. Lastly, you specify to check guest users or all users.

Periodic reviews on all guest users across all your Microsoft Teams and Microsoft 365 groups in your organization

 

With the groups or applications selected, now you determine who will perform the access review.

Determine who will perform the AR

 

Within the access review, we selected “Leadership,” which has three core owners within the tenant. If required, you can choose the “Group Owners“; however, the selected other group is a distribution group that does not have an owner. In that case, you can specify who will perform the access review.

Specify who will perform the AR
Specify who will perform the AR

 

After selecting the chosen reviews, you then set the duration for completion and reoccurrence of the evaluation. The recommendation for this comes down to the existing processes you have in place. However, I suggest that quarterly access reviews.

Set the duration for completion and reoccurrence of the evaluation

 

The goal of the access review is to adjust as required the existing permissions. The final part of the access review setup is to choose whether to automatically apply the adjustments, modify if no one responds, or notify a different user that the access review period has ended.

Choose whether to automatically apply the adjustments, modify if no one responds, or notify a different user that the AR period has ended

 

Once created, the new access review ware listed within the “Access reviews” page.

Choose whether to automatically apply the adjustments, modify if no one responds, or notify a different user that the AR period has ended

 

The reviews assigned to the access review receive an email notifying them of the access review once the status of the review is set to “Active.”

ARs assigned to the access review receive an email notifying them of the AR once the status of the AR is set to "Active."

 

Clicking the “Start review” link within the email takes the reviewer to the “https://myaccess.microsoft.com” site, where they can then approve or deny access for users as needed.

Approve or deny access for users as needed

 

The review selects the chosen account and determines if the account still requires access and either approves or denies the access. The reviewer may also click the “Accept recommendations” button, setting the accounts to the recommended action displayed next to each account.

Each account must be reviewed and assigned a status. Multiple reviewers can assist, allowing others to make decisions for specific accounts as needed. When choosing to approve or deny, justification details are required, allowing the review to explain their decision. As with all Microsoft 365 and Azure features, any actions and decisions get logged for historical review and auditing.

The Access review can be modified as required to add more reviewers, adjust the dates, the reoccurrence schedule, and remove items such as the need for justification. 

Reasons for using Access Reviews

Access reviews are not just for checking memberships of groups or permissions for applications. Though fundamentally that is why they exist, you can use them for group and permission management. For example, if you use conditional access policies with inclusion or exclusion groups, access reviews are ideal for managing the users within those groups. You may also be controlling specifics around legacy authentication or license assignment, all of which are ideal candidates for periodic access reviews.

The most common need is to control external users or guests within the Microsoft 365 Tenant and Azure Active Directory. 

If you want to review the same security groups chosen previously for external guests, you can modify the existing access review or create a new one. The only change required is to select the “Guest users only” option instead of all users or specific users.

Modify the existing AR or create a new one

 

The subsequent adjustment determines the guest users that get set to “deny” by the reviewer.

Subsequent adjustment determines the guest users that get set to "deny" by the reviewer.

 

Once the access review is active, the reviewer, as before, receives an email to start the review process. When entering the access review, this time around, only the external guests are visible for review.

Once the access review is active, the reviewer, as before, receives an email to start the review process

 

The completion process is the same for all access reviews, no matter if reviewing internal or external users.

Lastly, to ensure access review meets the organizational security requirement, you can create reports. The report creation page is available within the “Access reviews” navigation.

Create view history report

 

The report can take some time to generate but once available, it can be downloaded and stored as part of your organizational audit reports.

Report can be downloaded and stored as part of your organizational audit reports.

 

As you can see, access review plays a big part in security management within Microsoft 365 and Azure Active Directory. Issuing regular access reviews to specific teams, users, or group owners will ensure security is controlled and managed better and by those that know the reasons for using it that way. To learn more about Access reviews, you can read more details within the Microsoft documentation.

Managing Access Reviews using Microsoft Graph PowerShell

When managing Access reviews, the most common way is to utilize the administration interface provided within Azure. The wizard interface is fantastic and does a great job of stepping you through what is required and when. However, sometimes these interfaces update, move settings around, or even remove them. To mitigate this, Microsoft also provides PowerShell commands for nearly all features within Microsoft 365, including Access reviews.

The Microsoft Graph PowerShell SDK is a core set of commands made available for many of the administration functions for Microsoft 365. These commands directly call the Microsoft Graph API, which connects all services within Microsoft 365 together.

There is a core set of commands available specifically for access reviews within the Graph PowerShell SDK.

New-MgAccessReview

Get-MgAccessReview

Stop-MgAccessReview

Remove-MgAccessReview

Update-MgAccessReview

More commands cover Access review decisions, instances, reviewers, and Reminders. Each command requires specific properties and expects certain formats for the required properties.

To get started, you must first install and import the required PowerShell module. You use the standard PowerShell “Install-Module” and “Import-Module” commands.

Install-Module Microsoft.Graph

Select-MgProfile -Name "beta"

Import-Module Microsoft.Graph

Next, you need to connect to the Graph using the required scopes (permissions) to manage access reviews. The required permissions are:

AccessReview.Read.All

Allows the app to read the information on access reviews, reviewers, decisions, and settings that you have access to.

AccessReview.ReadWrite.All

Allows the app to read, update and perform the action on access reviews, reviewers, decisions, and settings that you have access to.

AccessReview.ReadWrite.Membership

Allows the app to read, update and perform the action on access reviews, reviewers, decisions, and settings that you have access to.

When connecting using the permissions, use the command “Connect-MgGraph” with the required scopes.

$scopes = @(
"Group.Read.All"
"User.Read.All"
"AccessReview.Read.All"
"AccessReview.ReadWrite.All"
"AccessReview.ReadWrite.Membership"
)
 
Connect-MgGraph -Scopes $scopes

Complete the credential validation as required, then consent to the permissions.

How to run Access Reviews using PowerShell

 

To test the connection works, execute the “Get-MgBusinessFlowTemplate” command. It should complete successfully and return the access review templates available within Microsoft 365. 

How to run Access Reviews using PowerShell

 

Now we have a connection, we can construct the commands we need to review existing access reviews and create new ones.

Retrieve existing access reviews

Access reviews are directly associated with business flow templates. To retrieve an existing access review, you must either know the direct identifier for the access review or find it by using the business flow template-id and then using the access review id to retrieve it.

After executing the command “Get-MgBusinessFlowTemplate,” you can copy the required template-id and use that within a filter property of the “Get-MgAccessReview” command.

# Filtering Access Reviews by Template ID

$accessreview = Get-MgAccessReview -Filter "businessFlowTemplateId eq '6e4f3d20-c5c3-407f-9695-8460952bcc68'"

# Retrieving by Access Review ID

$accessreview = Get-MgAccessReview -AccessReviewId ce685ead-402c-4ca9-b135-8324b012acff

Using the retrieved “$accessreview” variable, you can now view all the properties that make up the access review.

$accessreview | Select-Object *
How to run Access Reviews using PowerShell
$accessreview | Select-Object -ExpandProperty Settings | Format-List
How to run Access Reviews using PowerShell

 

You can easily traverse the properties, expanding as needed to view the specific property values and formats.

Update existing access reviews

To update an existing access review, you must first retrieve it using the standard approaches. The Graph PowerShell provides the “Update-MgAccessReview” command for the very purpose.

To help understand the format of the required properties, we can use the “Invoke-MgGraphRequest” command with a direct Microsoft Graph call to the specific access review.

Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/accessReviews/644de7e2-0156-49f4-a1dc-a0a67e6c6f78"

You can also execute the same query within the Graph Explorer tool, which returns an easy-to-read JSON for each property returned.

How to run Access Reviews using PowerShell

 

Luckily the command doesn’t require everything to be JSON as the properties are part of the command. If you want to pass it all as a JSON object, you can use either the “AdditionalProperties” or “BodyParameter.”

Updating the existing access review settings modifying the properties: “AccessRecommendationsEnabled“, “ActivityDurationInDays“, “AutoReviewEnabled“, “JustificationRequiredOnApproval“, and “RecurrenceSettings” is done by populating the “Settings” parameter with an object containing the key value pairs.

$body = @{
"@odata.context" = "https://graph.microsoft.com/beta/$metadata#accessReviews/$entity"
"settings" = @{
"mailNotificationsEnabled" = "true"
"remindersEnabled" = "true"
"justificationRequiredOnApproval" = "true"
"autoReviewEnabled" = "true"
"activityDurationInDays" = 30
"autoApplyReviewResultsEnabled" = "true"
"accessRecommendationsEnabled" = "true"
"recurrenceSettings" = @{
"recurrenceType" = "monthly"
"recurrenceEndType" = "occurrences"
"durationInDays" = 7
"recurrenceCount" = 21
}
"autoReviewSettings" = @{
"notReviewedResult" = "Deny"
}
}
 "reviewedEntity" = @{
"id" = "f4b638c4-750f-49a1-bed7-a884448b3fb3"
"displayName" = "Leadership"
}
}

$accessreviewid = "ce685ead-402c-4ca9-b135-8324b012acff"

Update-MgAccessReview -AccessReviewId $accessreviewid -Settings $body.settings

Create a new access review

Creating a new access review requires specific properties such as string values and using object types. The “New-MgAccessReview” command supports the use of hashtables, string values, date-times, and strongly typed objects such as IMicrosoftGraphUserIdentity, IMicrosoftGraphAccessReviewDecision, IMicrosoftGraphAccessReview, IMicrosoftGraphIdentity, IMicrosoftGraphAccessReviewReviewer, and IMicrosoftGraphAccessReviewSettings.

The format of the JSON structure to use for creating access reviews is usable for both the “New-MgAccessReview” and the “Invoke-MgGraphRequest” commands.

$body = @{
"displayName" = "PowerShell Leadership Access Review"
"startDateTime" = "2021-11-10T10:30:00.000Z"
"endDateTime" = "2025-11-10T10:30:00.000Z"
"reviewerType" = "delegated"
"description" = "PowerShell Leadership Access Review"
"businessFlowTemplateId" = "6e4f3d20-c5c3-407f-9695-8460952bcc68"
"createdBy" = @{
"id" = "8d32fa65-361a-4aef-9716-60b44082eaab"
"displayName" = "Microsoft CDX"
"userPrincipalName" = "[email protected]"
"mail" = "[email protected]"
}
"settings" = @{
"mailNotificationsEnabled" = "true"
"remindersEnabled" = "true"
"justificationRequiredOnApproval" = "true"
"autoReviewEnabled" = "true"
"activityDurationInDays" = 30
"autoApplyReviewResultsEnabled" = "true"
"accessRecommendationsEnabled" = "true"
"recurrenceSettings" = @{
"recurrenceType" = "quarterly"
"recurrenceEndType" = "occurrences"
"durationInDays" = 5
"recurrenceCount" = 14
}
"autoReviewSettings" = @{
"notReviewedResult" = "Deny"
}
}
"reviewedEntity" = @{
"id" = "419b8be8-c615-4191-81e2-bed087f284b9"
"displayName" = "Executives"
}
}

Using the “New-MgAccessReview” values, you can construct the creation command.

$params = @{
BusinessFlowTemplateId = $body.businessFlowTemplateId
Description = $body.description
DisplayName = $body.displayName
StartDateTime = $body.startDateTime
EndDateTime = $body.endDateTime
ReviewedEntity = $body.reviewedEntity
ReviewerType = $body.reviewerType
Settings = $body.settings
}
New-MgAccessReview @params

You can also create the access review using the “Invoke-MgGraphRequest” and pass in the entire “body” object.

Invoke-MgGraphRequest `

-Method POST `

-Uri "https://graph.microsoft.com/beta/accessReviews" `

-Body $body

Creating access reviews comes down to structuring the properties correctly and then using either option. The advantage to using PowerShell to manage them is being able to script once and then repeat as needed, either in the same or multiple Microsoft 365 tenants.