A global manufacturer operating in sensitive, high-value industries urgently needed to prevent unauthorized access to proprietary R&D documentation and reduce risks from excess permissions.
Faced with unmanaged group memberships and dormant guest accounts, the company used CoreView’s Access Review module to automate, focus, and document access governance. This project not only remediated key security risks; like costly external application licenses and confidential SharePoint data but also slashed audit overhead by 65% and ensured zero critical audit findings in the next compliance cycle.
Customer profile
| Industry sector | Manufacturing |
|---|---|
| Company size | 18.000 |
| Region | North America, Europe & Asia |
Company description
This multinational manufacturing company operates production sites, R&D centers, and administrative offices across North America, Europe, and Asia. Managing over 18.000 Microsoft 365 user accounts for engineers, plant operators, suppliers, and partners, the organization depends on robust data security to protect proprietary designs and supply chain operations. With strict industry compliance requirements and global collaboration, achieving centralized, precise access control was essential.
Business challenge
In 2025, an internal investigation identified a critical business risk; a single Microsoft 365 group, originally provisioned to manage access to a proprietary product design application had ballooned to include dozens of users no longer involved in the project. Each additional user increased the company’s monthly software costs and risked leaking confidential data if the app was mishandled. At the same time, the sheer number of Microsoft 365 groups, many with unclear ownership and dormant guest accounts, created a tangle of potential exposure, compliance liability, and escalating support tickets.
Pain points:
- Uncontrolled group membership raised costs by licensing inactive and unauthorized users for premium third-party applications.
- Dormant vendor and partner accounts risked leaking confidential documentation from SharePoint and Teams.
- Manual access audits failed to reliably catch misconfigurations and missed timely remediation deadlines.
- Inconsistent assignment of group owners meant no clear accountability for access integrity.
- Auditors cited excessive permissions and lack of review documentation as a compliance concern.
Achieved benefits
- Centralized and automated review of sensitive Microsoft 365 groups, starting with those tied to high-value software and confidential data
- 65% reduction in audit effort and time spent chasing access confirmations
- Immediate removal of over 150 misconfigured accounts and dormant guests from critical groups
- Zero compliance findings for access management in the next audit
- Direct cost savings from elimination of unused third-party application licenses
- Consistent, downloadable logs for audit and regulatory purposes
- Enabled business and IT teams to collaborate on access governance
These outcomes directly reduced IT risk, compliance exposure, and operational overhead, while delivering measurable ROI through software savings and audit-readiness
Solution results
By zeroing in on high-cost, high-risk groups first, the organization discovered over 40 inactive project members assigned to an expensive engineering application, cutting both unnecessary licensing costs and potential IP exposure.
“Before CoreView, it took weeks to chase down group owners and manually validate every member. Now reviews are targeted, automated, and fully auditable”
reported the Cybersecurity and Compliance Lead.
Overall, manual audit times fell by an estimated 65%, over a hundred dormant, guest & contractor accounts were purged, and the next external audit returned zero critical findings related to access controls. These improvements empowered IT to focus on strategic, rather than reactive, initiatives.
Lessons learned and best practices
- Prioritize business-critical groups especially those linked to costly licenses or confidential content for initial Access Review cycles
- Delegation to business owners (not just IT) ensures reviews are accurate and relevant
- Scheduling recurring, scope-based dynamic reviews maintain ongoing compliance with minimal manual effort
- Document review findings and remediation for audit defense
- Configure strong backup reviewer assignments to prevent bottlenecks
CoreView products involved
- Access Review: CoreView’s Access Review automates the periodic checking of user and guest access across Microsoft 365 groups – including Teams, distribution and security groups, SharePoint sites, and mailbox permissions. The module leverages customizable templates and workflow automation, ensuring that members, owners, and external users are audited according to policy, with clear reviewer assignments and downloadable audit logs for compliance and reporting.
Step-by-step solution guide
This chapter guides you through creating and scheduling a similar Access Review automation in the CoreView portal.
By following these steps, you will securely establish review parameters, select appropriate resources and reviewers, and configure schedules and notifications to support your organization’s compliance and risk management needs.
Step 1: access the CoreView portal
Log in to the CoreView web portal using your organization’s credentials.
Step 2: navigate to reviews > Access Review
Step 3: general details
Click the “Create your first review” or the “Create review from template” button and choose the “Microsoft 365 group members” review template.
In our scenario, the customer wanted to review all their groups, so we are focusing on “Microsoft 365 group members”.
Once selected, you are asked to provide an appropriate “Title” and, optionally, to fill out the following fields: “Description”, “Why is this important”, “Tags” and “Priority”.
Tip
We suggest filling “Description” and “Why is this important” fields for future reviews and understanding.
You may also assign tags to organize reviews by department, project, or other classification required for reporting or compliance.
Set the review’s “Priority” (“High”, “Medium”, or “Low”) according to your organization’s risk classification or review policy. The assigned priority will be visible on the main dashboard for both reviewers and Tenant Admins.
In our scenario, the customer wanted to tag the reviews “Groups Audit” for reporting purposes. This review was important and urgent, so it was set with a high priority.
Once finished, click “Next” to move in next section.
Step 4: review definition
Under “Groups selection”, choose between “Manual selection” or “Dynamic selection”.
Manual selection
- Use “Manual selection” when you want to explicitly determine which specific resources are included in a one-time Access Review.
- Resources chosen in the original configuration remain fixed for that particular review instance.
Dynamic selection
- Use “Dynamic selection” for periodic (scheduled recurring) Access Reviews where all the available resources are included. With this option, the resource list is determined dynamically for each review cycle.
- Resources added to the environment after the review was initially created will be picked up in the next scheduled review cycle if they meet filter requirements.
In the customers’ scenario we created a dynamic selection as they wanted the reviews to be completed urgently (avoiding manual selection) and reviewed monthly.
Under “Reviewers and backup”, choose between “Group owners”, “Assigned reviewer” or “Tenant admin”:
Tip
In groups with multiple owners or reviewers, only one operator needs to complete the review for it to be deemed complete.
Assigning backup reviewers is recommended to ensure review tasks progress when a primary reviewer is unavailable. By default, the backup reviewer field is populated with the email address of the Tenant Admin who created the review.
To change the backup reviewer, simply update the email address in this field. You can assign any operator with access to your Microsoft environment as a backup reviewer, regardless of whether they are a CoreView operator or not.
In “Scope” (can only be toggled in “Dynamic selection”) you can enable the “Scope” toggle. This applies the review only to the resources included in a specific Virtual Tenant at the time each review occurs.
The “Scope” toggle results disabled when no Virtual Tenant is available.
In our scenario, the customer wanted the group owners to perform the review, with a designated backup reviewer to perform the review in case of no owner available.
Step 5: schedule
This section details when the review should be completed, the periodic review, email reminders and the email template settings.
Select the number of days within which the review should be completed and the start date. Note that the review start date cannot be the same day it is created; the earliest available start date is the following day.
If you want the review to be recurring, toggle on “Perodic review” and select the number of days after which the process will restart, as well as an optional end date.
In the “Reminder” section specify how many days before the review's due date the assigned reviewers receive an email notification. For periodic reviews, a reminder email is sent the defined number of days before the due date of each cycle.
Step 6: review and complete
In this section, you will find a summary of the Access Review information configured in the previous steps. Select “Submit” to confirm the configuration and create the Access Review item.
Step 7: monitoring Access Reviews
At the end of the activity, you will see the created Access Review within the Access Review panel.
Here the Tenant Admin has different options to monitor and supervise the Access Review created.
- “Progress status” will load the access review and give the Tenant Admin details on the current progress:
- “Send reminder” will open another screen to send a reminder to all reviewers that have not completed the review yet:
- “Download log” will download a CSV file of the completed Audit Review.
- “Review history” will display previous review cycles and their status (completed or not completed) with corresponding due dates.
- “Delete review” will permanently delete the Access Review.
Step 8: assigned reviewers
The assigned reviewer(s) will receive an email invitation to access and complete the review task.
Clicking on “Review Tasks”, one of the following will occur:
- If you are a CoreView operator: log in using your standard credentials.
- If you don't have a CoreView account: CoreView automatically creates an account using your Microsoft 365 credentials. This account provides limited access, restricted to assigned reviews.
You will be redirected to the Access Review dashboard, which will vary depending on whether you have one or more review tasks.
The reviewer should click on “Start review”. If there are multiple reviewers some review tasks may be locked to prevent simultaneous edits. Locked reviews can be identified as the “Start review” action will be greyed out.
During an access review, you are required to confirm or revoke access for the user accounts included in the review. For each entry you may:
- Remove access: select the “Delete” checkbox for the user.
- Grant group ownership (if available): select the “SetAsOwner” checkbox for the appropriate user. This updates their role in Microsoft 365.
Tip
- If a user is set as a group owner, the delete option for that entry is disabled during the same session to prevent role conflict. Once the review has been completed, click on “Next” to review and submit, or “Save as draft” to resume before the deadline.
- If you have submitted the review you will not be able to resume the review.
CoreView will then perform any remediation that was selected in the review. In this case, two owners were set, and a user was deleted from the group.
As the review was completed for this Microsoft 365 Group, the “Download Log” button is now available.
This will download a CSV file that details the review.
Additional resources