What is access certification?
Access certification is the process of systematically reviewing who has access to what and confirming that the access is still needed and appropriate. Think of it as an inventory check, but for permissions instead of physical goods.
In practice, it works like this: on a regular schedule (quarterly, semi-annually, or annually), a reviewer receives a list of users and their current access to a particular system or set of resources. For each user, the reviewer either certifies ("yes, this person still needs this access") or revokes ("no, this person should not have this access anymore"). The results are documented, revocation actions are carried out, and the entire process is logged for audit purposes.
The concept is simple. But doing it well — consistently, completely, and without it becoming a rubber-stamp exercise — is where most organizations struggle.
How is access certification different from an access review?
The terms "access certification" and "access review" are often used interchangeably, and in many contexts they mean the same thing. But there is a subtle difference worth understanding.
An access review is the broader activity of examining who has access to what. It can be informal (an IT admin checking a group membership list) or formal (a structured governance process).
Access certification specifically refers to the formal, documented process where a designated reviewer explicitly approves or rejects each access entitlement. It carries an element of accountability — the reviewer is certifying that the access is correct and taking responsibility for that decision.
In compliance contexts, auditors usually look for access certification specifically. They want to see that someone with authority reviewed the access and signed off on it, not just that someone glanced at a list.
Why does access certification matter?
Access does not stay clean on its own. Over time, without active review, several things happen.
Privilege creep. Employees accumulate access as they take on new projects, temporarily need access to different systems, or move between roles. Without certification, this extra access is rarely removed.
Orphaned access. Accounts for departed employees, expired contractors, or decommissioned service accounts can persist if deprovisioning processes are not perfect. Certification campaigns catch what automated processes miss.
Inappropriate access. Sometimes access was granted correctly at the time but is no longer appropriate. A temporary project ended. A vendor relationship was terminated. Business needs changed. Certification is the mechanism for catching these situations.
Compliance requirements. SOC 2 (CC6.1, CC6.2, CC6.3), ISO 27001 (Annex A.9), and NIS2 all require organizations to periodically review and validate access. Certification campaigns provide the evidence auditors need.
What does an access certification campaign look like?
A certification campaign typically follows these steps.
Scoping. Decide what is being reviewed — all access to a specific application, all access held by a specific department, or all privileged access across the organization. The scope depends on your risk priorities and compliance requirements.
Reviewer assignment. Determine who is responsible for reviewing each set of access. The most common approach is manager-based review, where each manager reviews their direct reports' access. For sensitive applications, the application owner might also review who has access.
Campaign creation. Generate the review tasks. Each reviewer receives a list of users and their entitlements, along with a deadline for completing the review.
Review and decision. Reviewers go through each access entitlement and make a decision: certify (keep) or revoke (remove). Good certification tools provide context to help reviewers make informed decisions, such as when the access was last used or when it was granted.
Remediation. Revocation decisions are executed. If a reviewer marks access for removal, the access is actually removed from the system. This step is critical — a certification campaign that identifies issues but does not fix them is just an exercise on paper.
Reporting and documentation. The results are compiled into a report showing what was reviewed, what decisions were made, and what actions were taken. This report is what you hand to auditors.
Common problems with access certification
Rubber-stamping. The most widespread problem. Reviewers approve everything without actually evaluating whether the access is appropriate. This happens when campaigns are too large, context is insufficient, or there are no consequences for approving everything. To reduce rubber-stamping: keep campaigns focused, provide usage data so reviewers can see if access has actually been used, and track approval rates — if a reviewer certifies 100% of access every time, that is a red flag.
Campaign fatigue. If certification campaigns are too frequent or too broad, reviewers start to see them as a nuisance rather than a meaningful activity. Find a cadence that balances compliance needs with reviewer capacity. A common approach is quarterly reviews for high-risk systems and annual reviews for lower-risk systems.
No remediation. Running a certification campaign and then not acting on the results defeats the purpose. Revocation decisions need to be executed promptly. Automated remediation — where the certification tool directly removes access in Entra ID when a reviewer revokes it — is far more reliable than asking IT to process revocations manually.
Incomplete scope. Certifying access to your core business applications but ignoring SaaS tools, shared drives, or guest accounts leaves gaps. A mature certification program covers all significant access, not just the most visible systems.
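The campaign steps above and the rubber-stamping check, as an added example that is not Adcyma's code or part of the original page: a small Python model of one campaign run over constructed entitlements with usage dates, producing the reviewer context, per-reviewer approval rates, the reviewers whose 100% approval rate is a red flag, and the remediation queue. The entitlement fields, reviewer names and the 90-day staleness threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Entitlement:
    user: str
    resource: str
    reviewer: str              # manager-based review: the user's manager
    granted: date
    last_used: "date | None"   # None = never used since it was granted

def review_context(e: Entitlement, today: date, stale_days: int = 90) -> str:
    """Usage context shown next to each item so the reviewer can decide on evidence."""
    if e.last_used is None:
        return f"never used since granted {e.granted.isoformat()}"
    idle = (today - e.last_used).days
    return f"unused for {idle} days" if idle > stale_days else "in active use"

def approval_rates(decisions: dict) -> dict:
    """Share of reviewed entitlements each reviewer certified (True = keep, False = revoke)."""
    totals, kept = defaultdict(int), defaultdict(int)
    for e, certify in decisions.items():
        totals[e.reviewer] += 1
        kept[e.reviewer] += int(certify)
    return {r: kept[r] / totals[r] for r in totals}

def rubber_stamp_suspects(decisions: dict, today: date, stale_days: int = 90) -> list:
    """Reviewers who certified 100% of their items although some were stale or never used."""
    kept_stale = defaultdict(bool)
    for e, certify in decisions.items():
        if certify and review_context(e, today, stale_days) != "in active use":
            kept_stale[e.reviewer] = True
    return sorted(r for r, rate in approval_rates(decisions).items()
                  if rate == 1.0 and kept_stale[r])

def remediation_queue(decisions: dict) -> list:
    """Revocations that still have to be executed in the target system, not just recorded."""
    return [(e.user, e.resource) for e, certify in decisions.items() if not certify]

# Constructed sample campaign (not real data): four entitlements, two managers as reviewers.
TODAY = date(2024, 6, 30)
ENTS = [
    Entitlement("alice", "Finance-App", "mgr-finance", date(2023, 1, 10), date(2024, 6, 20)),
    Entitlement("bob", "Finance-App", "mgr-finance", date(2022, 3, 1), None),
    Entitlement("carol", "HR-Share", "mgr-hr", date(2023, 9, 5), date(2024, 1, 15)),
    Entitlement("dave", "HR-Share", "mgr-hr", date(2024, 2, 1), date(2024, 6, 28)),
]
# mgr-finance certifies everything (including never-used access); mgr-hr revokes the stale item.
DECISIONS = {ENTS[0]: True, ENTS[1]: True, ENTS[2]: False, ENTS[3]: True}
```

A real campaign would replace the constructed lists with entitlements and sign-in data pulled from the target system, but the approval-rate and remediation logic stays the same.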
Access certification in Microsoft Entra ID
Entra ID has a built-in access review feature (part of Entra ID Governance, which requires P2 licensing). It supports reviews of group memberships, application assignments, and Entra ID role assignments.
However, built-in Entra ID access reviews have limitations for mid-sized companies. The interface is admin-oriented rather than business-user friendly. Setting up reviews across many groups and applications requires significant configuration. And the reporting capabilities are basic.
Adcyma provides access certification for organizations using Entra ID, with a focus on making the process manageable for companies without a dedicated IAM team. Reviewers get clear, contextual information about each access entitlement. Revocation decisions are automatically executed in Entra ID. And the resulting reports are ready for auditors without additional formatting.
How often should you run access certification?
There is no single right answer, but common practice is: quarterly for privileged access (admin roles, sensitive systems); semi-annually or annually for standard application access; quarterly for guest and external user access, given its higher risk profile; and on demand after significant organizational changes such as mergers, restructuring, or layoffs.
The key is consistency. Pick a schedule that works for your organization and stick to it. Auditors care less about the specific frequency and more about whether you have a defined, documented, and consistently followed process.