IGA glossary

Access Review

An access review is the process of examining and validating users' current access to systems, applications, and data to ensure it is still appropriate. Access reviews help organizations maintain security, enforce least-privilege access, and satisfy compliance requirements.

What is an access review?

An access review is exactly what it sounds like: you review who has access to what, and you check whether that access is still correct. It is one of the most fundamental identity governance activities, and it is required by virtually every compliance framework.

The basic question an access review answers is: "Does this person still need this access?" If yes, the access stays. If no, the access gets removed.

Access reviews can range from informal (an IT admin scanning a group membership list) to highly structured (a formal certification campaign with designated reviewers, deadlines, and documented outcomes). For compliance purposes, the structured version is what auditors expect.

Why do access reviews matter?

Access is not static. People's roles and responsibilities change. Projects end. Employees leave. Applications get decommissioned. But access permissions tend to stick around long after the reason for granting them has passed.

Without regular access reviews, organizations end up with long-tenured employees who have far more access than they need, former contractors with active guest accounts months after their engagement ended, people with access to sensitive systems they have never actually used, and no one who can confidently answer the question "who has access to our financial data?" without spending hours investigating.

Access reviews are the mechanism for catching and correcting this drift. They force someone to look at the current state of access and make a conscious decision about whether it is appropriate.

What do compliance frameworks say about access reviews?

Most compliance frameworks include specific requirements around access reviews.

SOC 2 (Trust Services Criteria CC6.1-CC6.3) requires organizations to manage access to information assets based on authorization. This includes periodic review of access to ensure it remains appropriate. Auditors expect to see evidence of regular access reviews as part of your SOC 2 controls.

ISO 27001 (Annex A.9.2.5) explicitly states that asset owners must review users' access rights at regular intervals. The standard does not specify exactly how often, but "regular intervals" typically means at least annually, with more frequent reviews for sensitive systems.

NIS2 requires organizations to implement access control policies and review them. For companies in the Nordic region working toward NIS2 compliance, documented access reviews are a practical necessity.

The common thread: you need a process, you need to follow it consistently, and you need to keep records.

How to run an access review

Here is a practical approach for a mid-sized company using Microsoft Entra ID.

Decide what to review. You do not have to review everything at once. Start with your highest-risk areas: privileged roles (Global Admin, User Admin, Exchange Admin in Entra ID), access to financial systems and data, access to customer data and PII, guest and external user access, and access to production environments.

Identify the right reviewers. The reviewer should be someone who understands the business context. For group memberships and application access, the user's direct manager is usually the best choice — they know what their team members need. For application-level access, the application owner can review who has access to their system. Avoid making IT the reviewer for everything. IT can confirm what access exists, but they often lack the business context to know whether that access is still needed.

Gather the data. Pull the current access information from Entra ID — group memberships, application assignments, and role assignments. For connected SaaS applications, gather access lists from those systems as well. Present this data to reviewers in a format they can actually work with. A CSV dump of 500 group memberships is not useful. Organize it by reviewer, show relevant context (department, last login date, when access was granted), and make it easy to mark items for removal.

Review and decide. Reviewers go through each access entitlement and decide: keep or remove. Give them a reasonable deadline (one to two weeks is typical) and send reminders. Provide context to help them decide. If a user has not logged into an application in six months, that is a strong signal that the access may no longer be needed.

Act on the results. This is where many access reviews fall apart. The review happens, decisions are made, but the revocations are not carried out. Revocation should be prompt — ideally the access review tool automatically executes revocation decisions in Entra ID. If you are doing it manually, assign a specific person to carry out revocations within a defined timeframe.

Document everything. Save the review results, including who reviewed what, what decisions were made, when revocations were carried out, and any exceptions or escalations. This is your audit evidence.
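As an added example (not Adcyma's code or a Microsoft tool), the Python below turns a constructed access export, shaped like the group, application and role assignments you would pull from Entra ID joined with sign-in activity, into per-reviewer packs with the context the steps above call for, flags the six-month inactivity signal, privileged roles and guest accounts, and records each keep/remove decision as audit evidence with an open revocation to close the loop. The column names, sample users and review date are assumptions.

```python
"""Build per-reviewer access review packs and record decisions as audit evidence.

Added example, not Adcyma's or Microsoft's code. The rows in EXPORT are constructed
to look like group, application and role assignments pulled from Entra ID and joined
with sign-in activity; column names, users and the review date are assumptions.
"""
from collections import defaultdict
from datetime import date

STALE_AFTER_DAYS = 180  # the page's "not logged in for six months" signal
PRIVILEGED_ROLES = {"Global Administrator", "User Administrator", "Exchange Administrator"}
REVIEW_DATE = date(2024, 6, 10)  # constructed "as of" date for the review

# Constructed export: (user, department, entitlement, kind, reviewer, granted, last_sign_in)
EXPORT = [
    ("alice@example.com", "Finance", "Finance-Reporting-App", "app", "bob@example.com", "2023-01-10", "2024-05-28"),
    ("carol@example.com", "Sales", "Finance-Reporting-App", "app", "dan@example.com", "2022-11-02", "2023-10-01"),
    ("eve_vendor.com#EXT#@example.com", "External", "Vendors-Group", "group", "bob@example.com", "2023-07-14", None),
    ("frank@example.com", "IT", "Global Administrator", "role", "grace@example.com", "2021-03-01", "2024-06-01"),
]

def build_review_packs(rows, today):
    """Group entitlements by reviewer and attach the context a reviewer needs to decide."""
    packs = defaultdict(list)
    for user, dept, entitlement, kind, reviewer, granted, last_sign_in in rows:
        idle_days = (today - date.fromisoformat(last_sign_in)).days if last_sign_in else None
        flags = []
        if idle_days is None or idle_days > STALE_AFTER_DAYS:
            flags.append("stale")       # never signed in, or idle for more than six months
        if entitlement in PRIVILEGED_ROLES:
            flags.append("privileged")
        if "#EXT#" in user:
            flags.append("guest")       # external user: higher risk profile
        packs[reviewer].append({"user": user, "department": dept, "entitlement": entitlement,
                                "kind": kind, "granted": granted, "idle_days": idle_days, "flags": flags})
    return dict(packs)

def record_decision(evidence, reviewer, item, decision, decided_on):
    """Append an audit-evidence record; revoked_on stays None until the revocation is executed."""
    if decision not in ("keep", "remove"):
        raise ValueError("decision must be 'keep' or 'remove'")
    evidence.append({"reviewer": reviewer, "user": item["user"], "entitlement": item["entitlement"],
                     "decision": decision, "decided_on": decided_on.isoformat(), "revoked_on": None})
    return evidence[-1]

def pending_revocations(evidence):
    """Close the loop: 'remove' decisions that nobody has carried out yet."""
    return [e for e in evidence if e["decision"] == "remove" and e["revoked_on"] is None]
```

The pending list is the item to hand to whoever owns revocations, and an empty list is the evidence that the loop was closed.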

Access reviews in Entra ID

Microsoft Entra ID includes built-in access review functionality as part of Entra ID Governance (requires P2 licensing). You can create reviews for security group and Microsoft 365 group memberships, application assignments, Entra ID directory roles, Azure resource roles, and access packages.

The built-in tool works, but it has limitations. The reviewer experience is designed for administrators, not business users. Configuring reviews across many groups and applications is time-consuming. And reporting is basic.

Adcyma provides access reviews designed for mid-sized organizations using Entra ID. Reviewers see a clear interface showing who has what access and can approve or revoke with context. Revocation decisions execute automatically. Reports are generated in auditor-ready format.

How often should you do access reviews?

A risk-based approach works best. Quarterly for privileged and admin roles. Quarterly or semi-annually for access to sensitive data and systems. Semi-annually or annually for standard application access. Quarterly for guest and external users, given the higher risk profile. Semi-annually for service accounts.

Beyond scheduled reviews, trigger ad-hoc reviews when significant events occur: a reorganization, a security incident, a major change to your application portfolio, or when preparing for an audit.

Tips for making access reviews actually work

Keep reviews focused. A reviewer facing 200 access decisions will rubber-stamp most of them. Break reviews into manageable chunks — one application or one team at a time.

Show usage data. Telling a reviewer that someone has access to a system is less useful than telling them the person has not logged into that system in four months. Usage data turns vague decisions into obvious ones.

Set real deadlines. Reviews without deadlines do not get completed.

Close the loop. If a reviewer revokes access, make sure the revocation actually happens. Nothing undermines the process faster than reviewers learning that their decisions are not being acted on.

Put these concepts into practice

Adcyma makes identity governance simple for companies using Microsoft Entra ID.