---
name: Access Reviews Health Audit
description: Audit Microsoft Entra access reviews for coverage, currency and completion, flagging stale reviews and unactioned recommendations for least-privilege governance.
---
# Access Reviews Health Audit
> **TL;DR:** This skill inspects your Microsoft Entra access reviews to confirm they exist, are running on schedule and have been completed, then produces a prioritised list of stale reviews and unactioned recommendations so excess access does not quietly accumulate.
## What are Microsoft Entra access reviews?
Microsoft Entra access reviews are an identity governance capability that periodically asks reviewers to confirm whether users still need their group memberships, application assignments or privileged roles. They are a core part of Microsoft Entra ID Governance and underpin least-privilege practice across Microsoft 365. When reviews are missing, overdue or left unactioned, stale access lingers and weakens the protection offered by Conditional Access and Microsoft Purview controls. This skill reads the current state of those reviews and reports on their health.
## When should you run this skill?
- "Are our Microsoft Entra access reviews actually configured for privileged roles and sensitive groups?"
- "Which access reviews are overdue or have a stale schedule?"
- "Have reviewers ignored the recommendations the last cycle generated?"
- "We are preparing for an audit and need evidence that access is reviewed regularly."
- "Did anyone action the deny recommendations from the last review, or did access just continue?"
- "Show me which guest access reviews have never completed."
- "Is access review coverage strong enough to support least-privilege governance?"
## How this skill works, step by step
1. Connect read-only to Microsoft Entra ID Governance using delegated permissions sufficient to enumerate access review definitions and instances.
2. Enumerate all access review definitions across groups, applications, privileged roles and guest access scopes.
3. For each definition, record its scope, recurrence, reviewers and whether auto-apply of results is enabled.
4. Retrieve the most recent instances for each definition and read their status, due dates and completion dates.
5. Flag stale reviews where the schedule has lapsed, an instance is overdue, or no review has run within the expected cadence.
6. Read the decisions and recommendations on completed instances and identify deny or recommendation outcomes that were never applied.
7. Identify sensitive scopes, such as privileged roles and guest access, that have no access review configured at all.
8. Derive a risk score that weights uncovered sensitive scopes, overdue instances and unactioned deny recommendations most heavily.
9. Compile the findings into a prioritised report with clear remediation guidance.
## Output format
The skill returns a findings table followed by a short summary.
| Review scope | Status | Issue detected | Risk | Recommended action |
| --- | --- | --- | --- | --- |
| Privileged role: Global Administrator | No review configured | Sensitive scope has no access review | High | Create a recurring access review with auto-apply enabled |
| Group: Finance-Sensitive-Data | Overdue | Instance due 2026-04-15 not completed | High | Notify reviewers and complete the open instance |
| Guest access: All guests | Completed | 12 deny recommendations never applied | Medium | Apply deny decisions or document an exception |
Summary bullets accompany the table:
- Total access review definitions found and how many cover sensitive or privileged scopes.
- Count of overdue or stale instances requiring attention.
- Count of unactioned deny recommendations across completed reviews.
- Overall risk score with the top three remediation priorities.
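The step-by-step procedure above and the findings table it feeds are easy to read as prose but hard to reason about without data in hand, so here is an added example (not code from the skill, from Microsoft, or from any host it targets) that runs steps 5 to 9 over constructed records and renders the table in the Output format. The records mirror the shape of the Microsoft Graph `accessReviewScheduleDefinition`, `accessReviewInstance` and `accessReviewInstanceDecisionItem` resources; the field names (`settings.recurrence.pattern`, `endDateTime`, `decision`, `applyResult`) and status strings are assumptions drawn from that model, the values are made up, the `SENSITIVE_SCOPES` set and the `WEIGHTS` used for the risk score are assumptions you would tune per tenant, and a real run would page the same objects out of Graph under `AccessReview.Read.All` rather than use the inline list.

```python
"""Access review health audit over Graph-shaped data (added example, not the skill's own code)."""
from datetime import datetime, timezone

NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible offline

# Scopes the organisation expects to see reviewed (assumption; tailor per tenant).
SENSITIVE_SCOPES = {
    "Privileged role: Global Administrator",
    "Group: Finance-Sensitive-Data",
    "Guest access: All guests",
}

# Weight per finding kind (assumption): uncovered sensitive scopes, overdue instances and
# unapplied deny decisions count most, as step 8 of the skill requires.
WEIGHTS = {"uncovered": 10, "overdue": 8, "unapplied_deny": 6, "stale": 4}
RISK_LABEL = {"uncovered": "High", "overdue": "High", "unapplied_deny": "Medium", "stale": "Medium"}


def quarterly():
    # Graph-style recurrence pattern for a review every three months (assumed field names)
    return {"pattern": {"type": "absoluteMonthly", "interval": 3}}


DEFINITIONS = [  # constructed sample data in the shape of accessReviewScheduleDefinition
    {"displayName": "Group: Finance-Sensitive-Data",
     "settings": {"autoApplyDecisionsEnabled": False, "recurrence": quarterly()},
     "instances": [{"status": "InProgress", "endDateTime": "2026-04-15T00:00:00Z",
                    "decisions": []}]},
    {"displayName": "Guest access: All guests",
     "settings": {"autoApplyDecisionsEnabled": False, "recurrence": quarterly()},
     "instances": [{"status": "Completed", "endDateTime": "2026-02-28T00:00:00Z",
                    "decisions": [{"decision": "Deny", "applyResult": "New"} for _ in range(12)]
                    + [{"decision": "Approve", "applyResult": "AppliedSuccessfully"}]}]},
    {"displayName": "Application: Payroll SaaS",
     "settings": {"autoApplyDecisionsEnabled": True, "recurrence": quarterly()},
     "instances": [{"status": "Applied", "endDateTime": "2025-10-31T00:00:00Z",
                    "decisions": [{"decision": "Deny", "applyResult": "AppliedSuccessfully"}]}]},
]


def parse_dt(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def cadence_days(definition):
    """Expected gap between instances, derived from the recurrence pattern (step 3)."""
    pattern = definition["settings"]["recurrence"]["pattern"]
    per_unit = {"daily": 1, "weekly": 7, "absoluteMonthly": 30, "absoluteYearly": 365}
    return per_unit[pattern["type"]] * pattern.get("interval", 1)


def finding(kind, scope, status, issue, action):
    return {"kind": kind, "scope": scope, "status": status, "issue": issue,
            "risk": RISK_LABEL[kind], "action": action}


def audit(definitions, sensitive_scopes, now):
    """Steps 5 to 7: uncovered sensitive scopes, overdue or stale instances, unapplied denies."""
    findings = []
    covered = {d["displayName"] for d in definitions}
    for scope in sorted(sensitive_scopes - covered):  # step 7: sensitive scope with no review
        findings.append(finding("uncovered", scope, "No review configured",
                                "Sensitive scope has no access review",
                                "Create a recurring access review with auto-apply enabled"))
    for d in definitions:
        scope = d["displayName"]
        if not d["instances"]:  # defined but never run
            findings.append(finding("stale", scope, "Never run", "No instance has ever started",
                                    "Check the schedule and start a review"))
            continue
        latest = max(d["instances"], key=lambda i: i["endDateTime"])  # step 4
        end = parse_dt(latest["endDateTime"])
        if latest["status"] in ("NotStarted", "InProgress") and end < now:  # step 5: overdue
            findings.append(finding("overdue", scope, "Overdue",
                                    f"Instance due {end:%Y-%m-%d} not completed",
                                    "Notify reviewers and complete the open instance"))
        elif (now - end).days > cadence_days(d):  # step 5: nothing within the expected cadence
            findings.append(finding("stale", scope, "Stale",
                                    f"Last instance ended {end:%Y-%m-%d}, beyond the "
                                    f"{cadence_days(d)}-day cadence",
                                    "Confirm the schedule is active and trigger the next cycle"))
        unapplied = [x for x in latest["decisions"]  # step 6: deny decisions never applied
                     if x["decision"] == "Deny" and x.get("applyResult") != "AppliedSuccessfully"]
        if unapplied:
            findings.append(finding("unapplied_deny", scope, "Completed",
                                    f"{len(unapplied)} deny recommendations never applied",
                                    "Apply deny decisions or document an exception"))
    return findings


def risk_score(findings):
    """Step 8: weighted sum over finding kinds."""
    return sum(WEIGHTS[f["kind"]] for f in findings)


def render_table(findings):
    """Step 9: the findings table in the skill's Output format."""
    rows = ["| Review scope | Status | Issue detected | Risk | Recommended action |",
            "| --- | --- | --- | --- | --- |"]
    rows += [f"| {f['scope']} | {f['status']} | {f['issue']} | {f['risk']} | {f['action']} |"
             for f in findings]
    return "\n".join(rows)


if __name__ == "__main__":
    result = audit(DEFINITIONS, SENSITIVE_SCOPES, NOW)
    print(render_table(result))
    print(f"\nOverall risk score: {risk_score(result)}")
```

On the constructed data the audit yields four rows: the Global Administrator role has no review at all, the finance group's instance lapsed on 2026-04-15, the guest review completed but left twelve deny decisions unapplied, and the payroll application's last instance ended well beyond its quarterly cadence. The overdue check deliberately looks only at the latest instance, and the "never applied" check treats any `applyResult` other than `AppliedSuccessfully` as unactioned, so a review with auto-apply switched off surfaces every deny until someone applies it or records an exception.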
## Scope and safety
This skill is read-only by default and makes no changes to your tenant. It only reads access review configuration, instances, decisions and recommendations to assess their health.
This skill does NOT:
- Create, modify, schedule or delete any access review.
- Apply, override or reverse any review decision or recommendation.
- Add, remove or change any user access, group membership or role assignment.
- Alter reviewer assignments, notification settings or auto-apply configuration.
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| Microsoft Entra access reviews (creating and reading review definitions, instances and decisions) | Microsoft Entra ID Governance, or Microsoft Entra ID P2 |
| Reviewing guest and external user access | Microsoft Entra ID Governance, or Microsoft Entra ID P2 (guests covered under the External Identities monthly active user model) |
### Least-privilege roles
- Security Reader or Global Reader for read-only visibility across access review definitions, instances and decisions.
- Identity Governance Administrator only where the organisation later needs to create or remediate reviews; not required for this read-only audit.
### Microsoft Graph permissions (read-only)
- `AccessReview.Read.All` — reads access review definitions, instances, decisions and recommendations.
- `RoleManagement.Read.Directory` — reads privileged role assignments to confirm which roles should be in scope for review.
- `Directory.Read.All` — reads the groups, applications and users referenced by each review scope.
## Sources and compliance
- [Access reviews overview](https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-overview)
- [Manage user access with access reviews](https://learn.microsoft.com/en-us/entra/id-governance/manage-user-access-with-access-reviews)
- Supports the Essential Eight control "Restrict administrative privileges" by verifying that privileged access is reviewed and unneeded access is removed.
- Aligns with ISM controls for regular review and revalidation of user access and privileged accounts.
- [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English.
## How to use this skill
1. Get the file. Download or copy the SKILL.md from the panel above.
2. Load it into your host:
   - Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
   - Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
   - Any chat host — paste the file contents as your prompt.
3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed under Licensing and permissions.
4. Provide your tenant scope and run it (a site, a collection, or the whole tenant).
5. Review the report and action the risk-ranked recommendations.

This skill is read-only by default — it inspects and reports, and never changes your tenant.