Description:

Access Reviews in Microsoft Entra ID Privileged Identity Management (PIM) ensure that external users (guests, partners, B2B users) who have privileged access are reviewed regularly. External identities often have elevated risk because they are outside the organization’s direct control. Enforcing recurring access reviews ensures that only users who still require privileged access retain it, reducing unnecessary exposure and preventing stale or unused accounts from maintaining administrative permissions.

Rationale:

External users with privileged access pose a significant security risk if their access is not monitored and validated regularly. Without access reviews, inactive or unauthorized external users may retain administrative roles indefinitely, creating opportunities for misuse, insider threats, or compromised accounts. Implementing periodic access reviews helps maintain least-privilege principles, supports compliance requirements, and strengthens identity governance.


Impact:

  • Ensures external users’ privileged access is continuously validated

  • Reduces excess permissions and privilege creep

  • Strengthens identity governance and compliance posture

  • Minimizes risks from compromised or inactive external accounts


Default Value:

By default, no Access Review is configured for external users in PIM.


Pre-Requisites:

  • Microsoft Entra ID P2 license (required for PIM access reviews)

  • Access to the Microsoft Entra admin center

  • Privileged Identity Management enabled

  • Required permissions: Identity Governance Administrator, Privileged Role Administrator, or Global Administrator.


Test Plan:

  1. Sign in to the Azure Portal.

  2. In the portal, search for Microsoft Entra ID (formerly Azure Active Directory)

  3. Under the Manage section, click Identity Governance

  4. Under the Access Review section, click Access Reviews

  5. Review existing access reviews

  6. Verify that an access review is configured for external users with privileged roles

  7. If access reviews for external privileged users are not configured, follow the implementation steps


Implementation Steps:

  1. Sign in to the Azure Portal

  2. Search for Microsoft Entra ID

  3. Under the Manage section, click Identity Governance

  4. Under the Access Review section, click Access Reviews

  5. Select Create access review and configure the review to target external (guest) users who hold privileged roles

  6. Set the review schedule and recurrence

  7. Configure reviewers and access decision settings

  8. Enable and save the access review configuration
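The same check and remediation can be scripted with the Microsoft Graph PowerShell SDK, which is useful when the Test Plan has to be run across many tenants. The script below is an added example for this recommendation and is not part of the original page: it lists the existing access review definitions and flags the ones that are recurring, limited to guest principals and aimed at directory role assignments (the Test Plan), and, if none is found, shows how to create one (the Implementation Steps). The set of role template IDs treated as "privileged", the quarterly cadence, the review name and the reviewer object ID are assumptions for the example; the request body follows the Graph accessReviewScheduleDefinition resource, with the guest filter and role definition queries supplied as scope queries.

```powershell
# Added example (not part of the original page): audit for, and optionally create,
# a recurring PIM access review scoped to guest users holding privileged roles.
# Requires the Microsoft.Graph.Identity.Governance module and an account holding
# one of the roles listed under Pre-Requisites. Assumptions are marked inline.

Import-Module Microsoft.Graph.Identity.Governance

# AccessReview.Read.All is enough for the audit; ReadWrite is needed only to create.
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All' -NoWelcome

# Well-known Entra role template IDs. Assumption: this is the set the organisation
# considers privileged; extend it to match your own definition.
$PrivilegedRoleIds = @{
    'Global Administrator'          = '62e90394-69f5-4237-9190-012177145e10'
    'Privileged Role Administrator' = 'e8611ab8-c189-46e8-94e1-60213ab1f814'
    'Security Administrator'        = '194ae4cb-b126-40b2-bd5b-6091b380977d'
    'User Administrator'            = 'fe930be7-5e62-47db-91af-98c3a49a38b1'
}

function Get-ExternalPrivilegedAccessReview {
    # Lists every review definition and flags whether it (a) restricts principals
    # to guests, (b) targets directory role assignments and (c) recurs. All three
    # must be true for the control to be satisfied.
    Get-MgIdentityGovernanceAccessReviewDefinition -All | ForEach-Object {
        $scopeJson = $_.Scope | ConvertTo-Json -Depth 10 -Compress
        [pscustomobject]@{
            Id            = $_.Id
            DisplayName   = $_.DisplayName
            Status        = $_.Status
            TargetsGuests = [bool]($scopeJson -match "userType eq 'Guest'")
            TargetsRoles  = [bool]($scopeJson -match 'roleManagement/directory')
            Recurring     = -not [string]::IsNullOrEmpty($_.Settings.Recurrence.Pattern.Type)
            Cadence       = '{0} x{1}' -f $_.Settings.Recurrence.Pattern.Type,
                                          $_.Settings.Recurrence.Pattern.Interval
        }
    }
}

function New-ExternalPrivilegedAccessReview {
    param(
        # Object ID of the user who will decide on each assignment (assumed supplied by caller).
        [Parameter(Mandatory)] [string] $ReviewerUserId,
        [string] $DisplayName = 'PIM - guest users holding privileged roles (quarterly)'
    )
    # One resource scope per privileged role definition.
    $resourceScopes = foreach ($roleId in $PrivilegedRoleIds.Values) {
        @{
            '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
            query         = "/roleManagement/directory/roleDefinitions/$roleId"
            queryType     = 'MicrosoftGraph'
        }
    }
    $body = @{
        displayName          = $DisplayName
        descriptionForAdmins = 'Quarterly attestation of external (guest) accounts holding privileged directory roles.'
        scope = @{
            '@odata.type'   = '#microsoft.graph.principalResourceMembershipsScope'
            # Only guest principals are in scope; members are handled by a separate review.
            principalScopes = @(@{
                '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
                query         = "/users?`$filter=(userType eq 'Guest')"
                queryType     = 'MicrosoftGraph'
            })
            resourceScopes  = @($resourceScopes)
        }
        reviewers = @(@{ query = "/users/$ReviewerUserId"; queryType = 'MicrosoftGraph' })
        settings = @{
            mailNotificationsEnabled        = $true
            reminderNotificationsEnabled    = $true
            justificationRequiredOnApproval = $true
            recommendationsEnabled          = $true
            instanceDurationInDays          = 14
            # Fail closed: if nobody responds within the window, the assignment is removed.
            defaultDecisionEnabled          = $true
            defaultDecision                 = 'Deny'
            autoApplyDecisionsEnabled       = $true
            recurrence = @{
                pattern = @{ type = 'absoluteMonthly'; interval = 3; dayOfMonth = 1 }
                range   = @{ type = 'noEnd'; startDate = (Get-Date).ToString('yyyy-MM-dd') }
            }
        }
    }
    New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $body
}

# Audit first; remediate only when no compliant review exists.
$compliant = Get-ExternalPrivilegedAccessReview |
    Where-Object { $_.TargetsGuests -and $_.TargetsRoles -and $_.Recurring }
if ($compliant) {
    $compliant | Format-Table DisplayName, Status, Cadence
} else {
    Write-Warning 'No recurring access review for external users with privileged roles was found.'
    # Uncomment to remediate; replace the placeholder with the reviewer's object ID.
    # New-ExternalPrivilegedAccessReview -ReviewerUserId '00000000-0000-0000-0000-000000000000'
}
```

Two settings in the create call carry the security weight: `defaultDecision = 'Deny'` together with `autoApplyDecisionsEnabled = $true` means a guest whose role nobody attests loses it at the end of the review window instead of keeping it by default, which is the stale-account failure mode the Rationale describes. The audit function only pattern-matches the scope, so a review created in the portal with a different scope shape (for example a group-based review) will be reported with `TargetsRoles = False` and should be inspected by hand before being counted as compliant.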

Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Microsoft Entra ID

  3. Under the Manage section, select Privileged Identity Management

  4. Select Access reviews

  5. Select the access review configured for external privileged users

  6. Disable or delete the access review

  7. Save the changes


Reference: