Microsoft Entra ID · Access Reviews

Access Review Administration

Responsibility profile, not a standalone Microsoft Entra role. User Administrator or Identity Governance Administrator manages group and app reviews; Privileged Role Administrator is required for role-assignable groups and role reviews.

Scope: Access review administration split by resource type across User, Identity Governance, and Privileged Role Administrator

Permissions

  • Access Reviews - Full access review management
  • Review Creation - Create and configure access reviews
  • Review Settings - Manage access review settings and schedules
  • Review Results - View access review results and history
  • Scope Configuration - Configure review scope and reviewers
  • Auto-Apply - Set auto-apply and notification settings
  • Multi-Stage - Configure multi-stage reviews
  • Recurring Reviews - Set up recurring review schedules
  • Export - Export review results for compliance

Common use cases

  • Periodic group membership certification
  • Application access recertification
  • Privileged role access reviews
  • Guest user access attestation
  • Regulatory compliance attestation
  • Joiner-mover-leaver process support
  • Quarterly access certification programs
  • Sensitive resource access governance

Best practices

  • Schedule quarterly reviews for sensitive access
  • Use auto-apply for reviewer non-response
  • Configure manager reviews for direct reports
  • Review guest access more frequently (monthly)
  • Document review policies and procedures
  • Set appropriate review durations
  • Configure reminder notifications
  • Archive review results for compliance
  • Use multi-stage reviews for high-risk access

Security considerations

  • Review scope affects what access is certified
  • Auto-apply settings can remove access automatically
  • Reviewer selection affects review quality
  • Non-response handling can affect access
  • Monitor for review completion rates
  • Audit review decisions for patterns
  • Alert on reviews with high denial rates

Common questions

When should I assign the Access Review Administration role?

Assign Access Review Administration when you need to: Periodic group membership certification; Application access recertification; Privileged role access reviews; Guest user access attestation; and Regulatory compliance attestation. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Access Review Administration role do?

The Access Review Administration role grants permissions including: Access Reviews - Full access review management; Review Creation - Create and configure access reviews; Review Settings - Manage access review settings and schedules; Review Results - View access review results and history; Scope Configuration - Configure review scope and reviewers; and Auto-Apply - Set auto-apply and notification settings. See the Permissions section above for the full list.

What are the security risks of the Access Review Administration role?

Key considerations when assigning Access Review Administration: Review scope affects what access is certified; Auto-apply settings can remove access automatically; Reviewer selection affects review quality; and Non-response handling can affect access. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →