Spring Has Sprung… So Has Group Clutter

With spring in full bloom, it’s not just your garage or junk drawer that could use a little tidying; your Microsoft Entra tenant might need some love, too. If you’re swimming in outdated group memberships and forgotten access rights, Access Reviews are your go-to tool for a digital deep clean.

Let’s dive into how this often-overlooked Microsoft Entra ID P2 feature can help you stay secure, reduce unnecessary permissions, and keep your environment fresh and organized.

Why Access Reviews Matter

Back in one of my first IT jobs, I was always being added to groups for app testing. But no one ever took me out of them afterward. Fast-forward a few years, and I was in so many groups I couldn’t tell what half of them did. Sound familiar?

Access Reviews in Entra ID solve exactly that problem. They help enforce least privilege access by regularly reviewing who should stay in a group and who should get the boot. It’s security, compliance, and organization all in one neat feature.

How to Set Up an Access Review in Microsoft Entra

In the Entra portal, head over to Identity Governance > Access Reviews and click New Access Review.

Step 1: Choose the Right Group

For this demo, I selected Teams + Groups and picked my very secure (and creatively named) “This is a Top Secret Group”. I set the scope to All Users; we’ll talk about guest access in another post.

Pro Tip: There’s an option called Inactive Users Only that lets you target folks who haven’t logged in for a while. Perfect for trimming the fat.

Step 2: Configure the Review Settings

I chose a multi-stage review, since our group is top secret and needs extra eyes.

Reviewer Options Include:

  • User’s Manager – Great for delegating access decisions to someone who knows the user.
  • Group Owner(s) – Ideal for centrally managed groups.
  • Selected Users/Groups – Perfect for IT or security teams.
  • Users Review Themselves – Good for low-risk or periodic self-assessments.

In this case, I had the manager review first, followed by the group owner.

If a user doesn’t have a manager listed, fallback reviewers step in to ensure no one slips through the cracks.

You can also control how long each stage lasts with Stage Duration, and let later reviewers see earlier decisions with Show Previous Stage Decisions.

Step 3: Decide Who Moves Forward

You can fine-tune which users move on to the next review stage:

  • Approved? Move on.
  • Denied? Get a second opinion.
  • Not Reviewed or Marked “Don’t Know”? Still up for review if you allow it.

I went with Select All so every user progresses, giving both reviewers a chance to weigh in.

Step 4: Automate Where It Makes Sense

You can have Entra auto-apply decisions and set what happens if reviewers don’t respond. I chose Remove Access by default.

Bonus: Turn on Take Recommendations to let Microsoft suggest decisions based on user activity, such as automatically removing access for anyone who hasn’t logged in for 90 days.

You can also notify specific users or groups about the outcome. Keep everyone in the loop!

Step 5: Enable Review Aids (a.k.a. Decision Helpers)

There’s a feature called Reviewer Decision Helpers that gives reviewers extra intel:

  • No sign-in in 30 days? Maybe it’s time to go.
  • User-to-Group Affiliation? This setting does require an ID Governance license. Lucky for me, I do have the Entra Suite in this tenant. If someone looks like they don’t belong, it’ll flag that too.

This last one is my personal favorite. Remember younger me, stuck in groups long after testing was done? This would’ve saved me a lot of head-scratching.

Step 6: Advanced Settings

Want even more control?

  • Justification Required – Forces reviewers to explain their decision.
  • Email Notifications & Reminders – Keeps everyone on task.

Give your review a name that fits your process, then click Create.
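The same two-stage review (manager first, then group owners, non-responders removed, 30-day sign-in recommendation, justification required) can be created through the Microsoft Graph API instead of clicking through the portal. This is an added example, not code from the original post; the group and fallback-reviewer object IDs are placeholders, and the app or user token must carry the AccessReview.ReadWrite.All permission.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def build_definition(group_id: str, fallback_reviewer_id: str, display_name: str) -> dict:
    """Build an accessReviewScheduleDefinition matching the portal settings above:
    stage 1 = user's manager (fallback reviewer if none), stage 2 = group owners,
    every decision moves to stage 2, non-responders lose access, quarterly recurrence."""
    manager = {"query": "./manager", "queryType": "MicrosoftGraph", "queryRoot": "decisions"}
    fallback = {"query": f"/users/{fallback_reviewer_id}", "queryType": "MicrosoftGraph"}
    owners = {"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}
    return {
        "displayName": display_name,
        "descriptionForAdmins": "Spring cleanup of group membership",
        "scope": {  # review transitive members of the group
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        "stageSettings": [
            {"stageId": "1", "durationInDays": 7, "recommendationsEnabled": True,
             "reviewers": [manager], "fallbackReviewers": [fallback],
             # "Select All": approved, denied, unreviewed and "don't know" all reach stage 2
             "decisionsThatWillMoveToNextStage": ["Approve", "Deny", "NotReviewed", "DontKnow"]},
            {"stageId": "2", "dependsOn": ["1"], "durationInDays": 7,
             "recommendationsEnabled": True, "reviewers": [owners]},
        ],
        "settings": {
            "mailNotificationsEnabled": True, "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "defaultDecisionEnabled": True, "defaultDecision": "Deny",  # no response = removed
            "autoApplyDecisionsEnabled": True, "recommendationsEnabled": True,
            "instanceDurationInDays": 14,  # must cover both stages
            "recommendationInsightSettings": [{  # "no sign-in in 30 days" decision helper
                "@odata.type": "#microsoft.graph.userLastSignInRecommendationInsightSetting",
                "recommendationLookBackDuration": "P30D", "signInScope": "tenant"}],
            "recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 3, "dayOfMonth": 1},
                           "range": {"type": "noEnd", "startDate": "2025-05-01"}},
        },
    }


def create_review(token: str, definition: dict) -> dict:
    """POST the definition to Graph; returns the created definition (includes its id)."""
    req = urllib.request.Request(
        f"{GRAPH}/identityGovernance/accessReviews/definitions",
        data=json.dumps(definition).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Call `create_review(token, build_definition(GROUP_ID, FALLBACK_ID, "Top Secret Group cleanup"))` with a real token; the reviewers then see the review at myaccess.microsoft.com exactly as with a portal-created one.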

The Reviewer Experience

If email notifications are enabled, reviewers get a direct link. Otherwise, they can visit myaccess.microsoft.com to complete their tasks.

In my test run, the manager said “Sure, keep the access”…

… but then the group owner said, “Nope!” Boom… access removed. Simple as that.

After the access review has been completed, we can easily check the results and see that A User has been removed from the Top Secret group.

Bonus Tip!

You can delegate review creation to group owners, letting them manage their own cleanup without needing IT. That’s one less thing on your plate.

Wrapping It Up

Access Reviews in Microsoft Entra are your best friend when it comes to cleaning up group memberships and maintaining a secure, well-organized environment. It’s a smart, scalable way to enforce least privilege access without needing to dig through every group manually.

So, as you’re spring cleaning your real-world messes, take a few minutes to do the same in your Entra tenant. You’ll have fewer security risks, cleaner groups, and a whole lot less permission chaos.