GOV-03HighEnhanced Security
Conduct Quarterly Privileged Access Reviews
Governance & Hygiene control for Microsoft 365 and Entra ID
Why This Control Matters
Over time, users accumulate privileges they no longer need. Access reviews force managers to justify each privileged assignment, preventing privilege creep and reducing risk from over-entitled accounts.
Expected State
When this control is compliant, your tenant should meet these criteria:
- 1Access reviews for all privileged roles are scheduled quarterly
- 2Self-attestation is disabled for Global Admin and other high-privilege roles
- 3Unreviewed access is automatically removed after 30 days
Enforcement
Default Mode
Advisory
Alerts on deviations but does not make changes
Auto-Remediation
Manual Only
Requires Entra ID Governance access review configuration
Ready to implement this control?
TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.