Most SMB tenants I look at have a “Guest Users” list that’s basically a graveyard. People invited for a project that finished in 2022. A contractor whose engagement ended last March. Somebody’s external accountant who hasn’t signed in since the BAS that prompted the invite.
Nobody removes them. Nobody can remember why they were added. Nobody’s even sure who should remember.
That’s not a guest problem. That’s a governance problem.
Now do the same exercise with Global Administrator. Or Privileged Role Administrator. Or that mystery security group somebody pinned to a SharePoint site three years ago and called “Finance – All”. Same pattern. Stale access. No owner. No expiry.
This is exactly what Access Reviews in Entra ID Governance is built to fix — and most MSPs I talk to either don’t know they’re licensed for it or have never actually run one.
Time to fix that.
What is Access Reviews, really?
Access Reviews is a recurring “are you sure?” loop. You point it at a group, an application, a privileged role, or every guest in your tenant. On a schedule you pick, it emails a reviewer — you, the group owner, or the user themselves — and asks them to confirm whether each person still needs the access they’ve got.
If the reviewer says no, or doesn’t reply and you’ve configured “no response = deny”, the access gets removed automatically when the review ends. No tickets. No spreadsheet. No “I’ll get to it next quarter”.
It’s the same job your auditor wants you to do by hand, at a desk, in a spreadsheet. Just done in the portal, on a timer, with an audit trail attached.
What you need to run one
Licensing trips most people up here. Access Reviews is an Entra ID P2 or Entra ID Governance feature, and licensing is per user, not per tenant. Every user whose access you’re reviewing needs to be covered. Guest accounts don’t need a license to be reviewed, which is the one bit of good news.
Business Premium customers don’t have P2 in the box. If they want this, they need Microsoft 365 E5 or the Entra ID Governance add-on. Tell the client up front — don’t promise the feature and discover the gap at invoice time.
You’ll want Identity Governance Administrator or Global Administrator to set the first review up. Group owners can run reviews on their own groups once an admin enables the toggle in the Access Reviews settings.
Step-by-Step: a recurring guest review
Start here on every tenant. It’s the easiest win.
Open the portal
Sign in to entra.microsoft.com as Identity Governance Administrator. Go to ID Governance > Access Reviews > New access review.
Pick what to review
In Select what to review, choose Teams + Groups, then All Microsoft 365 groups with guest users. This is the magic option. It creates one recurring review that sweeps every M365 group containing guests, across the whole tenant, automatically, forever.
Set Scope to Guest users only.
Pick your reviewers
Pick Group owners with a fallback. Group owners actually know whether Alice from the partner agency still needs Teams access. You don’t. You also don’t want to be reviewer-of-last-resort for fifty groups.
Set the schedule
Recurrence: Quarterly. Duration: 5 days. Long enough that nobody can claim they were on leave. Short enough that the next quarter doesn’t lap it.
Set the settings that actually matter
This is where most people skim and lose the whole value of the feature. Slow down.
- Auto-apply results to resource: On. Without this, denied users stay in the group until somebody manually clicks apply. They never do.
- If reviewers don’t respond: Remove access. Yes, really. If the owner can’t spend two minutes confirming a guest, the guest goes.
- Justification required: On. Forces reviewers to type a reason for “keep”. Stops the rubber-stamp click-through.
- Mail notifications + reminders: On.
Name it Quarterly Guest Review - All M365 Groups, hit Create, done.
Step-by-Step: privileged groups and admin roles
Same engine, different doorway. PIM for Entra roles and PIM for Groups each have their own access review entry point — not the one above.
For Entra admin roles
Open PIM > Microsoft Entra roles > Access reviews > New. Review every role with active or eligible assignments. Reviewer = the user themselves, because self-attestation forces them to type a justification. Add a second-stage approver if you want belt-and-braces. Recurrence: every 90 days for admin roles. No exceptions.
For privileged groups
If you’re using PIM for Groups to gate access to sensitive things, you can review the eligible members on the same cadence. Same wizard, hosted under PIM. Same settings. Same auto-apply.
Notice what’s missing? PowerShell. None of this needs it. Portal only.
One artefact you can paste into every client runbook
Guest access: quarterly, 5-day window, owner-reviewed,
no response = remove, auto-apply on.
Admin roles: every 90 days, self-attest + 2nd stage,
no response = remove, auto-apply on.
PIM for Groups: every 90 days, owner-reviewed,
no response = remove, auto-apply on.
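If you manage a lot of tenants, the runbook above is only useful if you can check that every review definition actually matches it. The following is an added example, not code from the post: it checks a review definition, in the shape Microsoft Graph returns for an accessReviewScheduleDefinition (field names are assumed from that resource), against the guest-review settings and the runbook cadence. The sample definition is constructed.

```python
# Added example, not the post's code: the sample below is constructed; field names
# follow the Microsoft Graph accessReviewScheduleDefinition resource (assumed).
MAX_INTERVAL_MONTHS = 3   # runbook: quarterly or better
MAX_DURATION_DAYS = 5     # runbook: 5-day window

# Constructed sample of a compliant guest review, as Graph would return it.
SAMPLE_GUEST_REVIEW = {
    "displayName": "Quarterly Guest Review - All M365 Groups",
    "settings": {
        "mailNotificationsEnabled": True,
        "reminderNotificationsEnabled": True,
        "justificationRequiredOnApproval": True,
        "defaultDecisionEnabled": True,     # portal: "If reviewers don't respond"
        "defaultDecision": "Deny",          # portal: "Remove access"
        "instanceDurationInDays": 5,
        "autoApplyDecisionsEnabled": True,  # portal: "Auto-apply results to resource"
        "recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 3}},
    },
}


def months_between_instances(settings: dict) -> int:
    """Months between review instances; 999 for a one-off or unknown pattern."""
    pattern = (settings.get("recurrence") or {}).get("pattern") or {}
    interval = int(pattern.get("interval", 1))
    ptype = pattern.get("type", "")
    if ptype in ("daily", "weekly"):
        return 0  # more frequent than monthly, always within cadence
    if ptype in ("absoluteMonthly", "relativeMonthly"):
        return interval
    if ptype in ("absoluteYearly", "relativeYearly"):
        return 12 * interval
    return 999  # no recurrence means no control


def runbook_findings(definition: dict) -> list:
    """List every way a definition deviates from the runbook; empty means compliant."""
    s = definition.get("settings") or {}
    findings = []
    if months_between_instances(s) > MAX_INTERVAL_MONTHS:
        findings.append("cadence slower than quarterly")
    if s.get("instanceDurationInDays", 0) > MAX_DURATION_DAYS:
        findings.append("review window longer than 5 days")
    if not s.get("autoApplyDecisionsEnabled"):
        findings.append("auto-apply off: denied users stay until someone clicks apply")
    if not (s.get("defaultDecisionEnabled") and s.get("defaultDecision") == "Deny"):
        findings.append("no response does not remove access")
    if not s.get("justificationRequiredOnApproval"):
        findings.append("justification not required on keep")
    if not (s.get("mailNotificationsEnabled") and s.get("reminderNotificationsEnabled")):
        findings.append("notifications or reminders off")
    return findings
```

Run `runbook_findings` over each definition pulled from a tenant and anything that comes back non-empty is a review that will not do what the runbook promises.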
Notice what’s not in there? Anything called “annual”. Annual reviews don’t do anything except let stale access fester for eleven and a half months. If the cadence isn’t quarterly or better, you don’t have a control — you have a calendar reminder.
Why this actually changes behaviour
Before: “I’ll clean up guests when I get a chance.” After: “The system already did it last Tuesday.”
That’s the shift. Access Reviews moves access cleanup from a thing humans intend to do into a thing that happens whether they intend to or not.
For an MSP the win is bigger. Every client tenant you manage produces a quarterly evidence trail — who reviewed what, what got removed, who signed off. Exactly the evidence the cyber insurer asks for at renewal. Exactly the evidence an SMB1001 or Essential Eight auditor wants on the table. According to the Access Reviews FAQ, reviewers and decisions are captured against each instance, so the audit trail is already there — you just have to turn the reviews on.
You’re not selling “we’ll clean up your guests” anymore. You’re selling governance with a paper trail.
Access Reviews isn’t there to help you remember to remove stale access. It’s there to remove it whether you remember or not.
If you’re not turning this on for your clients, you’re leaving the easiest governance win in Microsoft 365 on the table.