Access Management

How to Run an Access Review (Without Drowning in Spreadsheets)

Your auditor mentions access reviews. Your CISO mentions access reviews. Your last security questionnaire from a customer mentions access reviews. Two months later you're sitting in front of a 4,000-row spreadsheet of "User, Application, Permission, Last Used."

May 18, 2026Updated: May 16, 20264 min readDaniel Persson

How to Run an Access Review (Without Drowning in Spreadsheets)

The annual ritual

Your auditor mentions access reviews. Your CISO mentions access reviews. Your last security questionnaire from a customer mentions access reviews. Two months later you're sitting in front of a 4,000-row spreadsheet of "User, Application, Permission, Last Used."

You email it to managers. Half respond. Half of the responses are "I think it's fine." You compile the answers. You write a summary. You file it. You hope the auditor doesn't dig too deep into the methodology.

Sound familiar?

Access reviews don't have to be like that. They're a useful exercise when run properly. The trick is scope, cadence, and a way to make managers actually do them.

If you specifically need the SOC 2 angle on this, there's a separate post for that. This one is the generic version.

What an access review actually is

An access review is a periodic check. Designated people (usually managers or application owners) confirm that the access their team has is still appropriate.

It's not an audit. It's not a security investigation. It's a "look at this list of permissions and tell me if anything looks wrong" exercise.

Three reasons companies do them. First, compliance. NIS2, ISO 27001, SOC 2 all expect it. Second, security hygiene. Access accumulates over time. Reviews force a cleanup. Third, license cost. Reviews surface people who don't actually use what they're paying for.

The mistake is treating access review as a once-a-year event for everything at once. That's the spreadsheet death march. The better approach is small, frequent, scoped.

Scope first

Don't review everything. Pick high-risk slices.

Privileged accounts. Anyone with Global Admin, User Admin, billing roles, or Privileged Role Administrator. There should be very few of these. Review quarterly.

Sensitive data access. Finance shares, HR data, customer data exports, anything with payment information. Whoever has access should justify it. Review quarterly.

Stale users. Anyone who hasn't signed in for 90+ days but is still licensed and grouped. They're either on long leave, gone, or dormant. Review monthly if you can. Quarterly at minimum.

Externals. Guests, contractors, vendor accounts. These should expire by default. They rarely do. Review quarterly.

Everything else (regular employee access to standard apps) can go once a year. The 80/20 lives in the high-risk slices.

Cadence

Set the cadence at the start of the year. Block calendar time. Don't make it ad-hoc.

A workable rhythm for a 200-person company:

Monthly: stale user check. 15 minutes. Anyone who hasn't logged in for 90 days gets flagged for their manager.

Quarterly: privileged accounts review. Two hours total. Every admin role gets reviewed by the security lead. Every Conditional Access exclusion is checked. Every guest account over 90 days old gets a "still needed?" prompt.

Annually: full review. A half-day commitment per manager. Each manager confirms their team's group memberships and SaaS app assignments.

That schedule passes most audits and doesn't take a week of someone's life.

Make it doable for the reviewer

The reviewer (usually a manager) is not an IT person. They don't know what "M365 E5" means. They don't care that "Salesforce-Standard" is different from "Salesforce-Lightning-Power-User."

Translate before you ask. Compare the two framings.

Bad: "User: Anna Karlsson. Application: AAD-RBAC-Sales-VP. Granted: 2024-03-15."

Good: "Anna has the same Sales VP access as everyone else in your team."

Give them a clear question. Not "is this appropriate." Try "is Anna still on your team and still doing the same job? Yes / No / Changed roles."

Make it three clicks max. If the review takes more than 10 minutes per direct report, the manager will skim and approve. That's worse than not running the review at all. Now you have documented approval for everything wrong.

Document the result

Whatever you found, write it down. Who reviewed what. What changed. What stayed. The dates. This is the audit trail. Without it, the review didn't happen as far as the auditor is concerned.

Two practical formats that work:

A simple spreadsheet (yes, sometimes a spreadsheet is the right tool). One row per review event. Columns for reviewer, scope, findings, remediation.

A ticket in your service desk system with the same fields. Has the benefit of timestamps and an audit log built in.

Whichever you pick, be consistent. Same format every quarter. Auditors love consistency.

Where Adcyma fits

Full transparency: this is our product. Adcyma runs access reviews as a built-in workflow. Manager-readable language, three-click approvals, full audit log, exports for whichever framework you're being audited against. Free for up to 25 users.

Back to blogAccess Management

Related articles

A

Identity and Access Management (IAM): A Practical Guide for Mid-Market IT Teams

Somebody asks you in a meeting what your identity and access management strategy is. You have Entra ID. You have MFA on most accounts. There's a wiki page from 2023 that says new hires get added to three security groups. Is that a strategy? Sort of. Is that IAM? Also sort of.

May 16, 2026
A

Access creep: what it is and how to stop it in Entra ID

Pull up the access list for someone who's been at your company five years. Take a real look. Half those permissions are from projects that ended in 2023. Sites they joined for one meeting. Shared mailboxes they were added to "just in case." This is access creep. The slow accumulation of permissions a person picked up over time and never lost. Nobody designed it. Nobody approved most of it on purpose. It just grew. How it actually happens Somebody joins a new project. Gets added to a SharePoint site, a Teams group, two shared mailboxes, maybe a license bundle. Project ends. Access stays. Then they change roles. They get the new permissions for the new role. The old ones stay too, because nobody owns that cleanup. Then they cover for a colleague on parental leave. Temporary access to a finance group. Colleague comes back. Temporary access is now permanent. Now multiply that by every employee, every project, every leave cover. Add every "can you give me access real quick" Teams message over four years. That's your access list today. Why nobody catches it Manual provisioning is built for adding access, not removing it. When a project ends, there's no Jira ticket that says "remove eight people from this SharePoint site." When someone changes role, the old manager assumes the new manager is cleaning up. The new manager assumes the old one already did. And honestly, for a while it works fine. Nothing breaks. The user has more access than they need, but they're not malicious, so nothing happens. Then somebody quits, or clicks a phishing link, or you get audited. Suddenly the access list everyone ignored is the only thing anyone is looking at. What it actually costs you Three specific things. First, audit findings. Any auditor doing a serious sample of user access in Entra ID will find people with permissions they don't need. ISO 27001 calls that a control failure. You get to write a corrective action plan. Second, breach blast radius. If an account is compromised, the attacker gets everything that user can reach. Picture a finance person. They have access to four old project sites. Two shared mailboxes from a previous role. A Teams group from a vendor onboarding two years ago. That's a much bigger problem than a finance person with finance access. Third, licenses. People collect Entra ID P1, Intune, and app licenses as they move between roles. A 200-person company can easily be paying for 30 to 50 licenses nobody actually uses. Cleaning it up without losing a month Don't try to clean up everything. You'll burn out and quit halfway through. Pick the riskiest 10 percent and start there. That's usually people who changed roles in the last 24 months. People in privileged groups. Shared mailboxes with more than five members. Pull the current access list per user. Show it to their manager. Ask one question. "Is any of this still needed?" Most managers look at the list and say "no, kill half of that." Do this once a quarter for the high-risk group. Once a year for everyone else. Write down what you removed and why. That's your audit trail. The bit nobody mentions: you also need triggers. Role change. Project end. Leave start. Leave end. Contractor end date. If access doesn't get reviewed at those moments, creep just rebuilds itself. A quieter way to do this Full transparency, this is our product, so take it with the appropriate context. Adcyma handles the Entra ID lifecycle triggers and access reviews. No six-month rollout like the enterprise IGA tools want. If you're tired of doing this in spreadsheets, have a look.

May 6, 2026

Try Adcyma free — no credit card needed

Set up identity governance for your Entra ID or Active Directory environment in under a day.

Start Free Trial