CoreView Access Reviews enable Tenant Admins and delegated Access Review Admins to assess and adjust user permissions across Microsoft 365 resources on a scheduled basis. Admins can identify and remove obsolete user permissions, and configure Access Reviews to align with internal policies or regulatory requirements, such as NIST, ISO, or SOC2. Reviewer assignments, notifications, and reporting occur through automated CoreView workflows. All decisions made during an Access Review are logged and can be exported for audit purposes.
Access Review execution process
1. Review creation by Tenant Admins or Access Review Admins
Only Tenant Admins or delegated Access Review Admins can initiate an Access Review. During creation, admins specify which resources (such as Teams, Groups, mailboxes, SharePoint resources, OneDrive resources, or privileged access assignments) are included in the review. Reviewer assignments are made by selecting individuals or groups who manage or own the selected resources.
2. Execution by assigned reviewers
Reviewers—commonly group owners, resource managers, or designated approvers—inspect the current permissions for all users on targeted resources. Reviewers select whether to approve, modify, or revoke each user's access. Modifications remain in a pending state until the review is finalized.
3. Templates and customization
CoreView provides templates and configuration options for recurring reviews of:
- Microsoft Teams or group memberships
- Security groups
- Guest user access
- Mailbox permissions
- OneDrive ownership
- SharePoint site membership
Two further Microsoft Entra Privileged Identity Management Access Review templates can be enabled through additional configuration:
- Admin roles with Permanent assignments
- Admin roles with Eligible assignments
Microsoft Entra Privileged Identity Management (PIM) Access Review templates can be used to periodically assess privileged access scenarios. These templates help validate elevated access on a recurring basis as part of governance and compliance processes.
For more information about Microsoft Entra Privileged Identity Management, refer to Microsoft documentation: What is Privileged Identity Management?
Who can be a reviewer?
Tenant Admins and Access Review Admins
Tenant Admins and Access Review Admins can assign reviewers—including themselves—to Access Reviews. They can also start Access Reviews that have been previously assigned to them, whether by themselves or by other admins.
CoreView operator
A CoreView operator can be any user with an assigned role in CoreView, such as a group owner, delegated admin, or someone with a custom role designed for review responsibilities.
Non-CoreView user
Users without a CoreView account, but who have accounts in the organization’s Microsoft 365 tenant, can be selected as reviewers. In such cases, CoreView provisions an account with restricted access limited to the assigned Access Review tasks, using Microsoft 365 authentication.
Access Review lifecycle
The Access Review lifecycle includes the following stages:
- Initiation: Admin specifies resources to be reviewed, duration of review, schedule, and notification configurations.
- Assignment: Assigned reviewers receive notification by email.
- Execution: Reviewers approve, modify, or revoke user access permissions for each resource. All permission changes remain in a pending state until the review is concluded.
- Monitoring: Admin monitors review progress by using dashboards that indicate completion percentages and outstanding items.
- Logging: Upon review conclusion, CoreView generates audit logs for the review cycle. These logs can be exported in CSV format for retention or integration with external compliance tracking systems.
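The following added example (not CoreView code) shows one way to check an exported audit CSV before handing it to a compliance tracking system: it counts approve, modify, and revoke decisions per review, lists rows with no recorded decision, and, because admins can assign themselves as reviewers, lists rows where the reviewer decided on their own access. The column names and sample rows are assumptions constructed for illustration; map them to the headers in your actual export.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names are hypothetical, not CoreView's
# documented schema; adjust them to match the real CSV headers.
SAMPLE_EXPORT = """Review,Resource,User,Reviewer,Decision
Q3 Guest Review,Finance Team,guest1@partner.example,owner@contoso.example,Revoke
Q3 Guest Review,Finance Team,alice@contoso.example,owner@contoso.example,Approve
Q3 Guest Review,Finance Team,owner@contoso.example,Owner@contoso.example,Approve
Q3 PIM Review,Global Administrator,bob@contoso.example,admin@contoso.example,Modify
Q3 PIM Review,Global Administrator,carol@contoso.example,admin@contoso.example,
"""

# The three reviewer actions described in the Execution stage.
DECISIONS = {"approve", "modify", "revoke"}


def summarize(csv_text):
    """Return (per-review decision counts, undecided rows, self-reviewed rows)."""
    counts, undecided, self_reviews = {}, [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        decision = (row["Decision"] or "").strip().lower()
        key = (row["Review"], row["Resource"], row["User"])
        if decision not in DECISIONS:
            # No recorded decision: the review item was left outstanding.
            undecided.append(key)
            continue
        counts.setdefault(row["Review"], Counter())[decision] += 1
        # Compare case-insensitively, since UPNs are not case-sensitive.
        if row["User"].strip().lower() == row["Reviewer"].strip().lower():
            self_reviews.append(key)
    return counts, undecided, self_reviews


if __name__ == "__main__":
    counts, undecided, self_reviews = summarize(SAMPLE_EXPORT)
    for review, tally in counts.items():
        print(review, dict(tally))
    print("No decision recorded:", undecided)
    print("Reviewer decided on own access:", self_reviews)
```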
For step-by-step configuration and operational instructions, refer to the following articles: