Unit 6: Automate access review management tasks

Purpose of this unit

Manually reviewing access is necessary, but manual follow-up does not scale. This unit explains how Microsoft Entra access reviews can automatically enforce decisions, reduce administrative overhead, and help organizations continuously remove unnecessary access.

Automation ensures that access reviews result in action, even when reviewers don’t respond.

Automatically apply access review results

When creating an access review, administrators can enable Auto apply results to resource.

When this setting is enabled:

• Once the review completes and ends, Microsoft Entra automatically:
• Removes access for users who were denied.
• Retains access for users who were approved.

What “removal” means depends on the resource type:

• Removing group membership.
• Removing application assignments.
• Revoking eligibility or assignment for privileged roles.

This prevents reviews from becoming “advisory only” and enforces governance consistently.

Take recommendations automatically

What recommendations are

Access review recommendations are system-generated suggestions based on:

• Last interactive sign-in to the tenant.
• Last access to the application.
• Review configuration criteria.

Example:

• If the review is configured to remove access for users with no interactive sign-in for 30 days, the system will recommend removal for those users.

What happens when “Take recommendations” is selected

• Reviewers see recommendations during the review.
• If reviewers do not respond:
• The system records decisions based on recommendations.
• At the end of the review:
• Recommended actions are automatically applied.

Microsoft continuously improves recommendation logic, but recommendations are only as strong as the review criteria you define.

Review guest user access

Access reviews are a critical tool for cleaning up external identities.

External users may gain access through:

• Group membership.
• Microsoft Teams invitations.
• Enterprise application assignments.
• Access package assignments.
• Privileged role assignments in Microsoft Entra ID or Azure.

Over time, these users often no longer require access, increasing risk.

Focus reviews on guest users

When creating access reviews for groups or applications, administrators can scope the review to:

• Everyone with access, or
• Guest users only.

Using Guest users only:

• Reduces reviewer workload.
• Focuses reviews on higher-risk external identities.
• Helps meet compliance and partner-access requirements.

Visibility into external user access

External users invited into the tenant can have:

• Group memberships.
• Role assignments.
• Application assignments.

Access reviews allow organizations to:

• See where external users still have access.
• Remove access automatically when no longer justified.

Important limitation:

• Access reviews only cover assignments managed through Microsoft Entra ID.
• Direct access granted outside Entra (for example, direct SharePoint permissions) is not included unless groups are used.

Why automation is critical (exam focus)

Automation in access reviews:

• Prevents stalled or ignored reviews.
• Ensures consistent enforcement.
• Reduces dependency on manual admin follow-up.
• Aligns with Zero Trust and least privilege principles.

Common exam pitfall:

• Creating access reviews without enabling auto-apply, resulting in no real access changes.