Access Reviews: overview

  • Last update on August 27th, 2025

CoreView Access Reviews enable tenant admins to assess and adjust user permissions across Microsoft 365 resources on a scheduled basis. Tenant admins can identify and remove obsolete user permissions, and configure Access Reviews to align with internal policies or regulatory requirements, such as NIST, ISO, or SOC2. Reviewer assignments, notifications, and reporting occur through automated CoreView workflows. All decisions made during an Access Review are logged and can be exported for audit purposes.

Access Review execution process

1. Review creation by Tenant Admins

Tenant admins initiate each Access Review. During creation, tenant admins specify which resources (such as Teams, Groups, mailboxes, or other Microsoft 365 resources) are included in the review. Reviewer assignments are made by selecting individuals or groups who manage or own the selected resources.

2. Execution by assigned reviewers

Reviewers—commonly group owners or resource managers—inspect the current permissions for all users on targeted resources. Reviewers select whether to approve, modify, or revoke each user's access. Modifications remain in a pending state until the review is finalized.

3. Templates and customization

CoreView provides templates and configuration options for recurring reviews of:

  • Microsoft Teams or group memberships
  • Security groups
  • Guest user access
  • Mailbox permissions
  • OneDrive ownership
  • SharePoint site membership

Who can be a reviewer?

Tenant admin

A tenant admin is a user with administrative privileges who can assign reviewers and initiate Access Reviews for Microsoft 365 resources in the tenant.

CoreView operator

A CoreView operator can be any user with an assigned role in CoreView, such as a group owner, delegated admin, or someone with a custom role designed for review responsibilities. 

Non-CoreView user

Users without a CoreView account, but who have accounts in the organization’s Microsoft 365 tenant, can be selected as reviewers. In such cases, CoreView provisions a temporary account with restricted access limited to the assigned Access Review tasks, using Microsoft 365 authentication. When assigned tasks are completed, access is revoked until they are assigned to another review.

Access Review lifecycle

The Access Review lifecycle includes the following stages:

  • Initiation: tenant admins specifies resources to be reviewed, duration of review, schedule and notification configurations.
  • Assignment: assigned reviewers receive notification via email.
  • Execution: reviewers approve, modify, or revoke user access permissions for each resource. All permission changes remain in a pending state until the review is concluded.
  • Monitoring: tenant admins monitor review progress using dashboards that indicate completion percentages and outstanding items.
  • Logging: upon review conclusion, CoreView generates audit logs for the review cycle. These logs can be exported in CSV format for retention or integration with external compliance tracking systems.

For step-by-step configuration and operational instructions, refer to the following articles: