Access Reviews and Recertification

Access reviews are periodic examinations of user access rights to verify that entitlements remain appropriate for current job responsibilities. Recertification extends this verification to require explicit approval from designated reviewers before access continues. These processes detect access accumulation from role changes, identify orphaned accounts from incomplete offboarding, and satisfy audit requirements for access governance.

Access review
Examination of user entitlements to determine continued appropriateness. Reviews generate reports but do not inherently modify access.
Recertification
Formal approval process where reviewers explicitly confirm or revoke access. Recertification changes access state based on reviewer decisions.
Entitlement
A specific access right: membership in a group, assignment of a role, permission to a resource, or licence for an application.
Reviewer
Person responsible for evaluating whether access remains appropriate. Usually the user’s manager or the resource owner.
Certification campaign
A bounded review cycle covering a defined scope of users and entitlements with a deadline for completion.

The distinction between review and recertification matters for audit purposes. A review that generates a report without requiring action provides visibility but not control. Recertification creates an approval record demonstrating that a responsible person evaluated and approved continued access. Most compliance frameworks require recertification rather than review alone.

Prerequisites

Before beginning an access review cycle, verify the following conditions are met.

Identity data currency: The identity provider contains accurate information about users, their managers, and their organisational assignments. Stale manager data causes reviews to route to departed staff or incorrect approvers. Run a report of users with no assigned manager or managers who have left the organisation. Resolve these before launching a campaign.

Entitlement inventory: You have a complete list of entitlements to review. For identity provider groups and roles, export current memberships. For applications with local permissions, obtain access reports from application administrators. Gaps in the entitlement inventory mean access that escapes review.

Reviewer identification: Each entitlement has an assigned reviewer. For user access reviews, this is typically the user’s manager. For privileged access and application-level permissions, this may be the resource owner or application owner. Document the reviewer assignment logic before launching campaigns.

Communication preparation: Draft notification messages for reviewers explaining their responsibilities, the deadline, and the consequences of non-response. Prepare escalation messages for overdue reviews. Clear communication reduces reviewer confusion and improves completion rates.

Access requirements: You have authority to export user and entitlement data from identity systems, send notifications to reviewers, and modify access based on review outcomes. For automated campaigns using identity governance platforms, you need administrative access to the review module.

| Prerequisite | Verification method | Resolution if not met |
| --- | --- | --- |
| Manager data current | Report users with null or terminated managers | Update manager assignments in HR system and sync to IdP |
| Entitlements inventoried | Compare entitlement sources against review scope | Add missing applications or groups to campaign scope |
| Reviewers assigned | Test reviewer lookup for sample users | Define reviewer assignment rules for edge cases |
| Notifications drafted | Review templates with stakeholders | Revise for clarity; include deadline and action required |
| System access confirmed | Test export and modification capabilities | Request access from system administrators |

Procedure

Access reviews divide into four phases: preparation, user access review, privileged access review, and closeout. User access reviews cover standard entitlements held by all staff. Privileged access reviews cover administrative rights, sensitive data access, and elevated permissions requiring additional scrutiny.

Preparing the review cycle

  1. Define the campaign scope by specifying which users and entitlements require review. A quarterly campaign might cover all active employees and their group memberships. An annual campaign might additionally include application-level permissions and external user access. Document the scope in the campaign record.

    Campaign: Q1-2025-User-Access-Review
    Scope:
    Users: All active employees (status = active, type = employee)
    Entitlements:
    - Identity provider group memberships
    - Role assignments in SSO-integrated applications
    Exclusions:
    - Service accounts (separate campaign)
    - Privileged accounts (separate campaign)
  2. Generate the entitlement extract from each system in scope. For identity providers, export group memberships with user identifiers, group names, and membership dates. For applications, request access reports showing users and their permission levels.

    For Microsoft Entra ID, export group memberships:

    # Export all group memberships for active users
    # Connect first with read scopes for users and group membership, e.g.
    # Connect-MgGraph -Scopes "User.Read.All","GroupMember.Read.All"
    $users = Get-MgUser -Filter "accountEnabled eq true" -All
    $results = foreach ($user in $users) {
        # Look the manager up once per user rather than once per group
        $managerId = (Get-MgUser -UserId $user.Id -ExpandProperty Manager).Manager.Id
        # memberOf also returns directory roles and administrative units; keep groups only
        $groups = Get-MgUserMemberOf -UserId $user.Id -All |
            Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' }
        foreach ($group in $groups) {
            [PSCustomObject]@{
                UserId            = $user.Id
                UserPrincipalName = $user.UserPrincipalName
                DisplayName       = $user.DisplayName
                Manager           = $managerId
                GroupId           = $group.Id
                GroupName         = $group.AdditionalProperties.displayName
            }
        }
    }
    $results | Export-Csv -Path "entitlements-q1-2025.csv" -NoTypeInformation

    For Keycloak, use the admin API. The user list does not include group memberships, so each user's groups are fetched from the per-user groups endpoint:

    # Get all users with their group memberships (one JSON object per line)
    BASE="https://keycloak.example.org/admin/realms/production"
    curl -s "$BASE/users?max=10000" -H "Authorization: Bearer $ACCESS_TOKEN" |
      jq -c '.[] | {id, username, email}' |
      while read -r user; do
        id=$(printf '%s' "$user" | jq -r '.id')
        groups=$(curl -s "$BASE/users/$id/groups" -H "Authorization: Bearer $ACCESS_TOKEN" |
          jq -c '[.[] | .path]')
        printf '%s' "$user" | jq -c --argjson groups "$groups" '. + {groups: $groups}'
      done > users-groups.json
  3. Assign reviewers to each entitlement line. The standard assignment routes user entitlements to the user’s manager. Where managers are unavailable or inappropriate, assign to a delegate or escalate to the manager’s manager.

    Reviewer Assignment Rules:
    1. If user has active manager → manager reviews
    2. If manager terminated → manager's manager reviews
    3. If manager on extended leave → designated delegate reviews
    4. If no manager chain available → department head reviews
    5. If user is executive → board delegate or peer executive reviews
  4. Configure the campaign in your review platform or spreadsheet. Set the start date, deadline, and reminder schedule. A 14-day review window with reminders at day 7 and day 12 provides adequate time while maintaining urgency.

    Campaign Timeline:
    Start date: 2025-01-06
    Reminder 1: 2025-01-13 (day 7)
    Reminder 2: 2025-01-16 (day 12)
    Deadline: 2025-01-20 (day 14)
    Escalation: 2025-01-21 (overdue items escalate)
  5. Send the launch notification to all reviewers. Include the number of items requiring their review, the deadline, instructions for accessing the review interface, and contact information for questions.

    Subject: Action Required: Access Review - 14 items awaiting your decision
    You have been assigned 14 access entitlements to review by 20 January 2025.
    For each item, confirm the user still requires this access for their current
    role, or revoke if no longer needed.
    Access your review items: https://identity.example.org/reviews/pending
    Questions: identity-team@example.org
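The reviewer assignment rules in step 3 are easy to state and easy to get wrong at the edges (a terminated manager whose own manager has also left, a user with no manager chain at all). The following is an added Python example, not tooling from the original page: it applies the five rules, in order, to a constructed directory extract and reports the users that no rule can place so they are fixed before launch. The directory fields (status, delegate, department_head, is_executive) and the board-delegate address are assumptions for the example.

```python
"""Reviewer assignment for an access review campaign (added example).

Applies the five reviewer assignment rules from the preparation step to a
constructed HR/IdP extract. Field names and addresses are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Person:
    upn: str
    status: str                     # "active", "terminated" or "leave"
    manager: Optional[str]          # UPN of manager, None if none on record
    department_head: Optional[str] = None
    delegate: Optional[str] = None  # named delegate while on extended leave
    is_executive: bool = False


# Constructed directory extract for the example
DIRECTORY = {
    "ceo@example.org": Person("ceo@example.org", "active", None, is_executive=True),
    "dir@example.org": Person("dir@example.org", "active", "ceo@example.org"),
    "mgr.gone@example.org": Person("mgr.gone@example.org", "terminated", "dir@example.org"),
    "mgr.leave@example.org": Person("mgr.leave@example.org", "leave", "dir@example.org",
                                    delegate="mgr.delegate@example.org"),
    "mgr.delegate@example.org": Person("mgr.delegate@example.org", "active", "dir@example.org"),
    "alice@example.org": Person("alice@example.org", "active", "dir@example.org"),
    "bob@example.org": Person("bob@example.org", "active", "mgr.gone@example.org"),
    "carol@example.org": Person("carol@example.org", "active", "mgr.leave@example.org"),
    "dave@example.org": Person("dave@example.org", "active", None, department_head="dir@example.org"),
    "erin@example.org": Person("erin@example.org", "active", None),
}

EXECUTIVE_REVIEWER = "board-delegate@example.org"  # rule 5 target (assumed address)


def assign_reviewer(user_upn, directory=DIRECTORY):
    """Return (reviewer_upn, rule) for one user, or (None, "unassigned")."""
    user = directory[user_upn]
    # Rule 5: executives are reviewed by a board delegate or peer executive
    if user.is_executive:
        return EXECUTIVE_REVIEWER, "rule5-executive"
    manager = directory.get(user.manager) if user.manager else None
    # Rule 1: an active manager reviews
    if manager and manager.status == "active":
        return manager.upn, "rule1-manager"
    # Rule 2: terminated manager -> manager's manager, if that person is active
    if manager and manager.status == "terminated":
        grand = directory.get(manager.manager) if manager.manager else None
        if grand and grand.status == "active":
            return grand.upn, "rule2-managers-manager"
    # Rule 3: manager on extended leave -> designated delegate
    if manager and manager.status == "leave" and manager.delegate:
        return manager.delegate, "rule3-delegate"
    # Rule 4: no usable manager chain -> department head
    if user.department_head:
        return user.department_head, "rule4-department-head"
    # Nothing matched: must be assigned by hand before the campaign launches
    return None, "unassigned"


def assign_campaign(entitlement_rows, directory=DIRECTORY):
    """Annotate (user, entitlement) rows with a reviewer; collect unassignable users."""
    assigned, gaps = [], set()
    for user_upn, entitlement in entitlement_rows:
        reviewer, rule = assign_reviewer(user_upn, directory)
        if reviewer is None:
            gaps.add(user_upn)
        assigned.append({"user": user_upn, "entitlement": entitlement,
                         "reviewer": reviewer, "rule": rule})
    return assigned, sorted(gaps)


if __name__ == "__main__":
    rows = [(upn, "Sales-Team") for upn in DIRECTORY]
    assigned, gaps = assign_campaign(rows)
    for row in assigned:
        print(f"{row['user']:28} -> {str(row['reviewer']):28} ({row['rule']})")
    print("Needs manual assignment before launch:", gaps)
```

Run the lookup over the full extract before launch and treat a non-empty "unassigned" list as a blocker; every entry is a user whose access would otherwise escape the campaign.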

Conducting user access reviews

  1. Monitor campaign progress daily. Track completion percentage, identify reviewers with high volumes of pending items, and note any reviewers who have not started their reviews.

    Daily Progress Report - Day 5
    Total items: 2,847
    Completed: 1,203 (42%)
    Pending: 1,644 (58%)
    Reviewers with >50 pending items:
    - J. Smith (Regional Director): 127 pending
    - M. Johnson (Programme Manager): 89 pending
    Reviewers with 0% completion:
    - T. Williams (on leave - reassign)
    - K. Brown (no login to review system)
  2. Send reminder notifications at scheduled intervals. Personalise reminders with the reviewer’s pending count and specific deadline. For reviewers who have not accessed the review system, include login instructions.

  3. Reassign items from unavailable reviewers. If a reviewer is on extended leave, has departed, or is otherwise unable to complete reviews, reassign their items to an appropriate delegate. Document the reassignment with justification.

    Reassignment Record:
    Original reviewer: T. Williams
    Reason: Extended medical leave through February
    New reviewer: S. Davis (Williams' delegate per HR records)
    Items reassigned: 34
    Authorised by: IT Security Lead
    Date: 2025-01-10
  4. Process reviewer decisions as they arrive. For each entitlement, the reviewer selects one of three outcomes: certify to confirm access should continue, revoke to remove the access, or flag to indicate the reviewer cannot make a determination and requires assistance.

    Certification decisions require no immediate action but must be recorded with the reviewer identity and timestamp. Revocation decisions trigger access removal within 24 hours. Flagged items require investigation to determine the correct reviewer or gather additional information.

  5. Execute revocations promptly. When a reviewer revokes access, remove the entitlement from the identity provider or application within 24 hours. Notify the affected user that their access has been removed as part of the periodic review, with instructions for requesting reinstatement if needed.

    For Entra ID group removal:

    # Remove user from group based on review decision
    Remove-MgGroupMemberByRef -GroupId $groupId -DirectoryObjectId $userId
    # Log the removal with review reference (one JSON object per line, UTC timestamp)
    $logEntry = [ordered]@{
        Action         = "Revoke"
        UserId         = $userId
        GroupId        = $groupId
        ReviewCampaign = "Q1-2025-User-Access-Review"
        Reviewer       = $reviewerUpn
        ReviewDate     = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    }
    $logEntry | ConvertTo-Json -Compress | Out-File -Append "review-actions.log"

Conducting privileged access reviews

Privileged access requires separate handling due to the elevated risk of administrative accounts and sensitive data access. Review frequency is higher (quarterly or monthly) and reviewers must have sufficient technical understanding to evaluate appropriateness.

  1. Extract privileged entitlements from all systems. Include identity provider administrative roles, cloud platform IAM roles, database administrator access, application administrator permissions, and access to sensitive data repositories.

    Privileged Access Scope:
    - Global Administrator, Privileged Role Administrator, Security Administrator (Entra ID)
    - Owner, Contributor on production subscriptions (Azure)
    - Admin, Editor roles on production projects (GCP)
    - root access, sudo group membership (Linux servers)
    - db_owner, sysadmin roles (databases)
    - Administrator role (business applications)
  2. Assign reviewers based on resource ownership rather than management hierarchy. The database owner reviews database administrator access. The cloud platform owner reviews cloud IAM assignments. Where owners are the same as holders, assign review to a peer or the security function.

    Privileged Review Assignments:
    - Cloud IAM roles → Cloud Platform Owner (or Security if owner holds access)
    - Database admin → Database Owner
    - Application admin → Application Owner
    - Global Administrator → CISO or IT Director
    - Security roles → IT Director (peer review)
  3. Require justification for certification. Unlike standard access where certification confirms ongoing need, privileged access certification requires the reviewer to document why the user requires administrative rights. This justification becomes part of the audit record.

    Privileged Access Certification:
    User: j.chen@example.org
    Entitlement: Azure Subscription Contributor (Production)
    Decision: Certify
    Justification: J. Chen is the primary infrastructure engineer responsible
    for production deployment pipelines. Contributor access required for
    resource provisioning and configuration management. Access reviewed
    against current project assignments and confirmed as minimum necessary.
    Reviewer: Cloud Platform Owner
    Date: 2025-01-15
  4. Review service account access alongside human accounts. Service accounts with privileged access pose equal or greater risk than human accounts. Verify that each service account is still required, its access remains appropriate for its function, and its credentials are managed according to policy.

  5. Evaluate whether privileged access should convert to just-in-time access. During review, identify accounts holding standing privileged access that could instead use elevation on demand. Flag these for conversion to reduce persistent privileged access. See Privileged Access Management for just-in-time implementation.

Documenting and closing reviews

  1. Generate the completion report showing all review decisions, completion statistics, and exception details. The report serves as the audit evidence that reviews occurred and documents the outcome for each entitlement.

    Campaign Completion Report: Q1-2025-User-Access-Review
    Summary:
    - Total entitlements reviewed: 2,847
    - Certified: 2,691 (94.5%)
    - Revoked: 134 (4.7%)
    - Exceptions granted: 22 (0.8%)
    Completion by reviewer type:
    - Manager reviews: 98.2% complete
    - Resource owner reviews: 96.7% complete
    - Delegated reviews: 100% complete
    Overdue items resolved:
    - Escalated to manager's manager: 12
    - Reassigned due to reviewer unavailability: 34
    - Auto-revoked after deadline: 8
  2. Process exception requests. Where reviewers flagged items or where organisational circumstances prevent standard review, document the exception with justification, risk acceptance, and an expiration date for the exception.

    Exception Record:
    User: m.patel@example.org
    Entitlement: Finance-Reporting group
    Requested by: Finance Director
    Reason: User on secondment to partner organisation; access retained
    for quarterly close activities requiring occasional system access.
    Risk acceptance: Finance Director accepts risk of retained access
    during secondment.
    Exception expires: 2025-04-01 (end of secondment)
    Approved by: IT Security Lead
  3. Escalate unresolved items. If the deadline passes with items neither certified nor revoked, escalate to the reviewer’s manager. If escalation fails to produce resolution within 48 hours, apply the default action specified in policy (typically revocation with notification).

  4. Archive campaign records. Store the complete campaign data including all decisions, reviewer identities, timestamps, exceptions, and the completion report. Retain for the period specified in your records retention policy, typically 7 years for access control evidence.

  5. Initiate access changes from review outcomes. Verify that all revocation decisions have been executed. Confirm that flagged items converted to just-in-time access have been reconfigured. Update the baseline for the next review cycle.
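The closeout steps above each hinge on a check that is simple to automate: items with no decision after the deadline, exceptions that lack an expiry date, and the summary counts for the completion report. The following Python is an added example, not tooling from the original page. It works over constructed decision and exception records in the shape the steps describe; the field names, the 48-hour escalation window and the "policy-default" reviewer label are assumptions.

```python
"""Campaign closeout checks (added example, not the page's own tooling)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

DEADLINE = datetime(2025, 1, 20, tzinfo=timezone.utc)   # from the campaign timeline
DEFAULT_ACTION_AFTER = timedelta(hours=48)               # escalation window before policy default

# Constructed decision records; decision/reviewer/decided_at are None when absent
DECISIONS = [
    {"user": "a@example.org", "entitlement": "Sales-Team", "reviewer": "dir@example.org",
     "decision": "certify", "decided_at": "2025-01-10T09:00:00Z"},
    {"user": "b@example.org", "entitlement": "Sales-Team", "reviewer": "dir@example.org",
     "decision": "revoke", "decided_at": "2025-01-11T14:30:00Z"},
    {"user": "c@example.org", "entitlement": "Finance-Reporting", "reviewer": "fin@example.org",
     "decision": "certify", "decided_at": None},            # decision with no timestamp
    {"user": "d@example.org", "entitlement": "Finance-Reporting", "reviewer": "fin@example.org",
     "decision": None, "decided_at": None},                 # never reviewed
    {"user": "e@example.org", "entitlement": "Finance-Reporting", "reviewer": "fin@example.org",
     "decision": "exception", "decided_at": "2025-01-18T10:00:00Z"},
]

# Constructed exception records
EXCEPTIONS = [
    {"user": "e@example.org", "entitlement": "Finance-Reporting",
     "justification": "Secondment; quarterly close access", "risk_acceptance": "Finance Director",
     "expires": "2025-04-01"},
    {"user": "f@example.org", "entitlement": "HR-Data",
     "justification": "Project handover", "risk_acceptance": "HR Director", "expires": None},
]


def find_incomplete(decisions):
    """Audit-trail completeness: every item needs a decision, a reviewer and a timestamp."""
    return [d for d in decisions if not (d["decision"] and d["reviewer"] and d["decided_at"])]


def apply_default_action(decisions, now):
    """Undecided items escalate once the deadline passes; after the escalation window
    the policy default (revoke with notification) is recorded in place.
    Returns (escalated, auto_revoked) as lists of (user, entitlement)."""
    escalated, auto_revoked = [], []
    for d in decisions:
        if d["decision"] is not None or now < DEADLINE:
            continue
        key = (d["user"], d["entitlement"])
        if now < DEADLINE + DEFAULT_ACTION_AFTER:
            escalated.append(key)
        else:
            d.update(decision="revoke", reviewer="policy-default",
                     decided_at=now.strftime("%Y-%m-%dT%H:%M:%SZ"),
                     note="auto-revoked after deadline")
            auto_revoked.append(key)
    return escalated, auto_revoked


def validate_exceptions(exceptions, now):
    """Each exception needs justification, risk acceptance and a future expiry date;
    one with no expiry is a permanent grant that escapes the next review."""
    problems = []
    for ex in exceptions:
        key = (ex["user"], ex["entitlement"])
        for field in ("justification", "risk_acceptance"):
            if not ex.get(field):
                problems.append((key, f"missing {field}"))
        if not ex.get("expires"):
            problems.append((key, "missing expiry date"))
        elif datetime.strptime(ex["expires"], "%Y-%m-%d").replace(tzinfo=timezone.utc) <= now:
            problems.append((key, "exception already expired"))
    return problems


def completion_report(decisions):
    """Counts and percentages in the shape of the completion report summary."""
    counts = Counter(d["decision"] for d in decisions)
    total = len(decisions)

    def pct(n):
        return round(100 * n / total, 1) if total else 0.0

    return {"total": total,
            "certified": counts["certify"], "certified_pct": pct(counts["certify"]),
            "revoked": counts["revoke"], "revoked_pct": pct(counts["revoke"]),
            "exceptions": counts["exception"], "exceptions_pct": pct(counts["exception"]),
            "undecided": counts[None]}


if __name__ == "__main__":
    work = [dict(d) for d in DECISIONS]
    print("Incomplete records:", [(d["user"], d["entitlement"]) for d in find_incomplete(work)])
    print("After deadline + 48h:", apply_default_action(work, DEADLINE + DEFAULT_ACTION_AFTER))
    print("Exception problems:", validate_exceptions(EXCEPTIONS, DEADLINE))
    print("Completion report:", completion_report(work))
```

Run `find_incomplete` before closing the campaign, not after: the troubleshooting entry "audit finding for incomplete evidence" is exactly the case where a record with a decision but no timestamp slipped through. Note that an auto-revoked item is recorded with its own reviewer label so the audit trail distinguishes a reviewer's decision from a policy default.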

Verification

After completing a review cycle, verify that outcomes have been correctly applied and documented.

Revocation verification: For each revoked entitlement, confirm the access has been removed. Attempt to authenticate as an affected user (with appropriate authorisation) or query the identity system for current memberships.

# Verify revocations were applied
$revocations = Import-Csv "revocations-q1-2025.csv"
foreach ($revoke in $revocations) {
    # -All pages through the full membership list rather than the first page only
    $memberships = Get-MgUserMemberOf -UserId $revoke.UserId -All
    $stillMember = $memberships | Where-Object { $_.Id -eq $revoke.GroupId }
    if ($stillMember) {
        Write-Warning "Revocation not applied: $($revoke.UserPrincipalName) still in $($revoke.GroupName)"
    }
}

Audit trail completeness: Verify that every entitlement in scope has a recorded decision. Query the campaign data for items with null decisions or missing reviewer information.

-- Check for incomplete review records
SELECT user_id, entitlement_id, reviewer_id, decision, decision_date
FROM access_review_decisions
WHERE campaign_id = 'Q1-2025-User-Access-Review'
AND (decision IS NULL OR reviewer_id IS NULL OR decision_date IS NULL);

Exception documentation: Confirm that all exceptions have documented justification, risk acceptance, and expiration dates. Exceptions without expiration dates become permanent access grants that escape future review.

Report distribution: Verify that completion reports have been distributed to required stakeholders: IT management, internal audit, compliance function, and any external auditors requiring access review evidence.

Troubleshooting

| Symptom | Cause | Resolution |
| --- | --- | --- |
| Reviewer reports no items in their queue | Reviewer assignment lookup returning incorrect manager | Verify manager-employee relationship in identity provider; correct HR data if wrong |
| Same entitlement assigned to multiple reviewers | Overlapping reviewer assignment rules | Review assignment logic; ensure rules are mutually exclusive or define precedence |
| High volume of flagged items | Reviewers unsure whether to certify or revoke | Provide decision guidance; offer lookup for job role to entitlement mapping |
| Reviewer cannot access review interface | Account not provisioned in review system or MFA issue | Verify reviewer account exists; reset MFA if needed; provide login support |
| Revocations not applied after deadline | Integration between review system and identity provider failing | Check connector status; manually apply revocations; investigate integration error |
| Users complaining of lost access they need | Incorrect revocation decision or premature execution | Restore access with expedited request; review with original reviewer to understand decision |
| Completion percentage stuck below 100% | Reviewers departed or on leave with items assigned | Reassign items to delegates; escalate unresolved items to management |
| Exception requests exceed threshold | Review scope too broad or entitlement model poorly designed | Analyse exception patterns; consider splitting entitlements or adjusting scope |
| Audit finding for incomplete evidence | Campaign closed without full documentation | Reopen campaign to capture missing decisions; implement completion checks before closure |
| Duplicate users appearing in review | User accounts duplicated across identity sources | Deduplicate identity data before next campaign; investigate source of duplicates |
| Service accounts missing from review | Service accounts excluded from user queries | Add service account filter to campaign scope; run separate service account campaign |
| Reviewers certifying everything without evaluation | Reviewer fatigue or lack of engagement | Reduce review volume per reviewer; add random sampling verification; require justification for certification |
| Integration timeout during large exports | Export query exceeds system limits | Paginate exports; run during off-peak hours; increase timeout thresholds |
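The "reviewers certifying everything without evaluation" row is the one symptom in the table that the campaign data itself can surface: a reviewer who certifies every item at a pace of a few seconds per decision has not evaluated anything. The following Python is an added example, not tooling from the original page. It computes per-reviewer certification rate and median time between decisions over constructed decision records, flags reviewers who exceed both thresholds, and draws a random sample of their certified items for the secondary verification the table recommends. The thresholds are assumptions to be tuned to local volumes.

```python
"""Rubber-stamp detection and sampling verification (added example)."""
import random
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

MIN_ITEMS = 10             # too few items to judge a pattern below this
CERTIFY_RATE_LIMIT = 0.98  # near-100% certification is the first signal
MEDIAN_GAP_LIMIT_S = 5     # decisions seconds apart suggest no evaluation took place
SAMPLE_SIZE = 3            # certified items re-checked by a second reviewer


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _row(reviewer, i, decision, when):
    return {"reviewer": reviewer, "user": f"user{i}@example.org", "entitlement": "Sales-Team",
            "decision": decision, "decided_at": when.strftime("%Y-%m-%dT%H:%M:%SZ")}


def _constructed_decisions():
    """Constructed decision records for three reviewers with different behaviour."""
    rows = []
    start = datetime(2025, 1, 8, 9, 0, tzinfo=timezone.utc)
    # a.reviewer: 20 items, all certified, two seconds apart
    for i in range(20):
        rows.append(_row("a.reviewer@example.org", i, "certify", start + timedelta(seconds=2 * i)))
    # b.reviewer: 20 items, two revocations, about three minutes per decision
    for i in range(20):
        decision = "revoke" if i in (4, 13) else "certify"
        rows.append(_row("b.reviewer@example.org", i, decision, start + timedelta(minutes=3 * i)))
    # c.reviewer: five fast certifications, below the minimum item count
    for i in range(5):
        rows.append(_row("c.reviewer@example.org", i, "certify", start + timedelta(seconds=i)))
    return rows


DECISIONS = _constructed_decisions()


def reviewer_stats(decisions):
    """Per reviewer: item count, certification rate, median seconds between decisions."""
    by_reviewer = defaultdict(list)
    for d in decisions:
        by_reviewer[d["reviewer"]].append(d)
    stats = {}
    for reviewer, items in by_reviewer.items():
        times = sorted(_ts(d["decided_at"]) for d in items)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats[reviewer] = {
            "items": len(items),
            "certify_rate": sum(d["decision"] == "certify" for d in items) / len(items),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return stats


def flag_rubber_stampers(decisions):
    """Reviewers with enough items who both certify nearly everything and decide too fast."""
    flagged = []
    for reviewer, s in reviewer_stats(decisions).items():
        if s["items"] < MIN_ITEMS or s["median_gap_s"] is None:
            continue
        if s["certify_rate"] >= CERTIFY_RATE_LIMIT and s["median_gap_s"] < MEDIAN_GAP_LIMIT_S:
            flagged.append(reviewer)
    return sorted(flagged)


def verification_sample(decisions, reviewer, seed=42, k=SAMPLE_SIZE):
    """Random sample of one reviewer's certified items for an independent second check."""
    certified = [d for d in decisions if d["reviewer"] == reviewer and d["decision"] == "certify"]
    rng = random.Random(seed)  # fixed seed keeps the sample reproducible for the audit record
    return [(d["user"], d["entitlement"]) for d in rng.sample(certified, min(k, len(certified)))]


if __name__ == "__main__":
    for reviewer, s in reviewer_stats(DECISIONS).items():
        print(f"{reviewer:26} items={s['items']:3} certify={s['certify_rate']:.2f} "
              f"median_gap={s['median_gap_s']}s")
    for reviewer in flag_rubber_stampers(DECISIONS):
        print("Flagged:", reviewer, "sample:", verification_sample(DECISIONS, reviewer))
```

Both signals are needed together: a small team with stable roles can legitimately certify 100% of its items, and a reviewer working from a prepared list can legitimately be fast. A flagged reviewer is a prompt for the sampled second check, not evidence of misconduct on its own.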

Automation approaches

Manual access reviews scale poorly beyond a few hundred users. Identity governance platforms automate campaign management, reviewer notification, decision collection, and access modification.

Platform-native review capabilities exist in most enterprise identity providers. Microsoft Entra ID Access Reviews, Okta Access Certification, and similar features handle the full review lifecycle within the identity platform. These work well for organisations using a single identity provider for most access.

Dedicated identity governance platforms such as SailPoint, Saviynt, and open source options like Midpoint provide cross-system review capabilities. These suit organisations with diverse identity sources requiring unified governance.

Spreadsheet-based reviews remain viable for smaller organisations or specific review scopes. Export entitlements to a spreadsheet, distribute to reviewers with instructions, collect responses, and apply changes manually. This approach requires more administrative effort but avoids platform licensing costs.

Automation Decision Factors:
- Users under 500, single IdP → Platform-native or spreadsheet
- Users 500-5000, single IdP → Platform-native reviews
- Users 500-5000, multiple IdPs → Consider dedicated IGA platform
- Users over 5000 → Dedicated IGA platform strongly recommended
- Compliance requirements (SOX, HIPAA) → Automated evidence preferred

For organisations with limited IT capacity, begin with the identity provider’s built-in review features. Configure a quarterly campaign covering group memberships. As the organisation grows or compliance requirements increase, evaluate dedicated platforms.

Review frequency determination

Review frequency balances risk reduction against operational burden. More frequent reviews catch inappropriate access sooner but consume more reviewer time and create change fatigue.

| Access type | Recommended frequency | Rationale |
| --- | --- | --- |
| Standard user access | Quarterly | Balances detection speed with reviewer burden |
| Privileged access | Monthly | Higher risk warrants more frequent verification |
| External user access | Monthly | External parties change roles without internal visibility |
| Sensitive data access | Quarterly | Risk level similar to privileged access |
| Service accounts | Quarterly | Ownership changes less frequently than human accounts |
| Dormant accounts | Monthly scan | Automated detection of accounts with no recent activity |

Adjust frequency based on organisational context. Organisations with high staff turnover benefit from monthly standard reviews. Stable organisations with low turnover can extend to semi-annual reviews for standard access while maintaining quarterly privileged reviews.

See also