Scenario 11: Identity Governance / Access Reviews / SOC 2

Entra ID Access Reviews

A 188-member privileged group had never been formally reviewed since provisioning — SOC 2 finding under CC6.3 and CC6.2. Quarterly Entra access review deployed with manager approval routing, auto-apply enforcement, and a pre-review Graph API audit that uncovered a manager attribute gap across all 188 members. 6 denied, 100% completion rate, full audit trail exported.

Tags: Entra ID Governance, Access Reviews, Graph API, PowerShell, Hybrid Identity, SOC 2 CC6.2/CC6.3

Business Problem

IDSentinel Solutions' quarterly security audit flagged a critical gap in its identity governance program: privileged group membership had never been formally reviewed since initial provisioning. GRP-SEC-PrivilegedUsers — granting elevated access to security tooling, audit logs, and sensitive configuration portals — had accumulated 188 members across Security, IT, Legal, Sales, HR, and other departments with no documented recertification and no process to remove access when a member's role changed.

A pre-review Graph API audit confirmed a secondary finding: the manager attribute was unpopulated for all 188 members in Active Directory — a common gap in hybrid environments where AD user objects are provisioned without the Organization tab fully populated — meaning no reviewer routing was possible until remediated.

Risk

  • 188-member privileged group unreviewed since provisioning — stale access accumulating across role changes and departures
  • No documented approval trail for ongoing group membership
  • Manager attribute unpopulated in AD — all review decisions would fall to a single fallback reviewer without remediation
  • SOC 2 Type II finding — CC6.3 and CC6.2 non-compliant
  • Hybrid limitation: Entra Access Reviews cannot write back removals to AD-synced groups — on-prem remediation required

Scope

Field | Detail
Review target | GRP-SEC-PrivilegedUsers — AD-synced privileged access group
Members reviewed | 188
Platform | Microsoft Entra ID Access Reviews (Identity Governance)
Cadence | Quarterly — recurring, automated scheduling
Reviewer type | Manager of each member (manager approval required)
Fallback reviewer | Group owner (Cleveland Oliver) for members without manager set
Outcome enforcement | Auto-apply results on review completion
Hybrid limitation | Access removal for AD-synced groups requires on-prem AD remediation after review — Entra enforces cloud group state only
Compliance target | SOC 2 Type II — CC6.2, CC6.3

Solution Design — 3 Workstreams

WS 1

Group Baseline and Manager Remediation

Graph API audit to document 188-member pre-review state as SOC 2 evidence. Identify and remediate manager attribute gap in AD via PowerShell, sync to Entra via delta sync. Confirm reviewer routing before launch.
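An illustrative version of this workstream as one script (added here; it is not the page's Get-PrivilegedGroupBaseline.ps1 or Set-SecurityGroupManagers.ps1). It assumes Connect-MgGraph has already been run with GroupMember.Read.All and User.Read.All, that the RSAT ActiveDirectory module is available on a domain-joined host that can reach Entra Connect, and that the department-to-manager mapping is a placeholder to be replaced with the real one.

```powershell
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Users, ActiveDirectory
# Illustrative script, not the page's own. Assumes an existing Connect-MgGraph session
# (GroupMember.Read.All, User.Read.All) and RSAT ActiveDirectory on a domain-joined host.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GroupName   = 'GRP-SEC-PrivilegedUsers',
    [string]$BaselineCsv = ".\baseline-$GroupName-$(Get-Date -Format yyyyMMdd).csv",
    # Department -> manager UPN. Placeholder mapping: only mapped departments are remediated,
    # every other department keeps routing to the group-owner fallback reviewer.
    [hashtable]$DepartmentManager = @{ 'Security' = 'security.manager@example.com' }
)

# --- 1. Pre-review baseline from Entra: one batched members call, not one call per member ---
# Two groups may share the display name (AD-synced Assigned vs cloud-only Dynamic); keep the synced one.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" -Property Id,DisplayName,OnPremisesSyncEnabled |
         Where-Object OnPremisesSyncEnabled | Select-Object -First 1
if (-not $group) { throw "No AD-synced group named $GroupName found in Entra ID" }

$members = Get-MgGroupMemberAsUser -GroupId $group.Id -All `
    -Property Id,DisplayName,UserPrincipalName,Department,JobTitle,AccountEnabled,OnPremisesSamAccountName

$baseline = foreach ($m in $members) {
    # manager is a navigation property and needs its own lookup; Graph returns 404 when it is unset
    $mgr = $null
    try { $mgr = (Get-MgUserManager -UserId $m.Id -ErrorAction Stop).AdditionalProperties['userPrincipalName'] }
    catch { $mgr = $null }
    [pscustomobject]@{
        UserPrincipalName = $m.UserPrincipalName;         DisplayName    = $m.DisplayName
        SamAccountName    = $m.OnPremisesSamAccountName;  Department     = $m.Department
        JobTitle          = $m.JobTitle;                  AccountEnabled = $m.AccountEnabled
        ManagerSet        = [bool]$mgr;                   Manager        = $mgr
    }
}
$baseline | Export-Csv -Path $BaselineCsv -NoTypeInformation   # SOC 2 "before" evidence

$missing = @($baseline | Where-Object { -not $_.ManagerSet })
Write-Host "$($baseline.Count) members exported to $BaselineCsv; $($missing.Count) have no manager set"

# --- 2. Remediate in AD (the source of authority for a synced group), then push a delta sync ---
$changed = 0
foreach ($row in $missing) {
    $mgrUpn = $DepartmentManager[$row.Department]
    if (-not $mgrUpn -or -not $row.SamAccountName) { continue }
    $mgrAd = Get-ADUser -Filter "UserPrincipalName -eq '$mgrUpn'"
    if (-not $mgrAd) { Write-Warning "Manager $mgrUpn not found in AD; skipping $($row.UserPrincipalName)"; continue }
    if ($PSCmdlet.ShouldProcess($row.UserPrincipalName, "Set manager to $mgrUpn")) {
        Set-ADUser -Identity $row.SamAccountName -Manager $mgrAd.DistinguishedName
        $changed++
    }
}
# -WhatIf previews the Set-ADUser calls and leaves $changed at 0, so no sync is triggered
if ($changed -gt 0) { Start-ADSyncSyncCycle -PolicyType Delta }
```

Run once with -WhatIf to preview, then without it; re-run the baseline after the delta sync to confirm ManagerSet is true for the remediated department before launching the review.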

WS 2

Access Review Configuration

Entra ID Access Review configured with quarterly recurrence, manager approval with group owner fallback, auto-apply of review decisions, and justification required for all decisions.
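The same settings expressed as configuration as code, an added example rather than how the page's author created the review (that was done in the portal). It assumes a Connect-MgGraph session with AccessReview.ReadWrite.All and Group.Read.All; the recurrence start date is a placeholder.

```powershell
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Identity.Governance
# Illustrative configuration as code for the WS2 settings; not the page's own script.
# Assumes Connect-MgGraph with AccessReview.ReadWrite.All and Group.Read.All.
$groupName = 'GRP-SEC-PrivilegedUsers'
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Property Id,DisplayName,OnPremisesSyncEnabled |
         Where-Object OnPremisesSyncEnabled | Select-Object -First 1   # the AD-synced Assigned group

$definition = @{
    displayName             = "Quarterly recertification - $groupName"
    descriptionForAdmins    = 'SOC 2 CC6.2/CC6.3 privileged group membership review'
    descriptionForReviewers = 'Confirm each report still needs privileged access; a justification is required.'
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = "/groups/$($group.Id)/transitiveMembers"
        queryType     = 'MicrosoftGraph'
    }
    # Reviewer type: manager of each member (the query is evaluated relative to each decision's principal)
    reviewers         = @(@{ query = './manager'; queryType = 'MicrosoftGraph'; queryRoot = 'decisions' })
    # Fallback reviewer: group owner, used for any principal whose manager attribute is unset
    fallbackReviewers = @(@{ query = "/groups/$($group.Id)/owners"; queryType = 'MicrosoftGraph' })
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true      # Justification required: Yes
        recommendationsEnabled          = $false
        instanceDurationInDays          = 14         # Duration: 14 days
        autoApplyDecisionsEnabled       = $true      # Auto apply results: Enabled
        defaultDecisionEnabled          = $true      # If reviewer doesn't respond: Remove access
        defaultDecision                 = 'Deny'
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 3; dayOfMonth = 1 }   # quarterly
            range   = @{ type = 'noEnd'; startDate = '2026-07-01' }                # perpetual series; placeholder date
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
"Created access review $($review.Id) ($($review.DisplayName)), status: $($review.Status)"
```

Keep the returned definition id: the post-review export and enforcement step needs it together with the instance id of each completed quarter.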

WS 3

Review Execution and Audit Trail

Execute first review cycle — 188 reviewed, 182 approved, 6 denied. Document hybrid enforcement limitation. Remediate denied members via on-prem AD PowerShell + delta sync. Export audit trail as SOC 2 evidence.

// diagrams/access-review-flow.png: Access review workflow diagram

Implementation

  • 01

    Confirm Group in Entra ID

    GRP-SEC-PrivilegedUsers confirmed as an AD-synced Assigned Security group with 188 members. A second cloud-only Dynamic group also exists — the AD-synced Assigned group is the correct target as Dynamic groups cannot be scoped for manager-approval review workflows.

    // 01-group-created: GRP-SEC-PrivilegedUsers confirmed — 188 members, AD-synced
  • 02

    Pre-Review Baseline Audit (Graph API)

    Baseline script using Get-MgGroupMemberAsUser batch-retrieved all 188 member properties in a single Graph API call — avoiding per-member call timeouts on large groups. CSV exported as the SOC 2 "before" evidence.

    PowerShell:
    .\scripts\Get-PrivilegedGroupBaseline.ps1
    // 02-pre-review-baseline: Baseline audit — 188 members retrieved, CSV exported
  • 03

    Manager Attribute Remediation

    Finding: 188/188 members — manager attribute NOT SET. All review items would route to group owner fallback without remediation. Manager attribute set via AD PowerShell and synced to Entra via delta sync. Security department confirmed with manager set; remaining departments route to fallback as expected.

    PowerShell — remediate + sync:
    .\scripts\Set-SecurityGroupManagers.ps1 -WhatIf  # Preview
    .\scripts\Set-SecurityGroupManagers.ps1          # Apply
    Start-ADSyncSyncCycle -PolicyType Delta          # Sync to Entra
    // 03-manager-verification: Manager attribute confirmed set for Security department post-sync
  • 04

    Access Review Configured

    Entra ID Access Review configured with quarterly recurrence, manager approval with group owner fallback, auto-apply of review decisions, and justification required for all decisions.

    Setting | Value
    Reviewer type | Manager of each member
    Fallback reviewer | Group owner (Cleveland Oliver)
    Frequency | Quarterly — perpetual recurring series
    Duration | 14 days
    Auto apply results | Enabled
    If reviewer doesn't respond | Remove access
    Justification required | Yes
    // 04-access-reviews-portal: Access Reviews portal — new review initiated
    // 05-review-scope: Review scope — GRP-SEC-PrivilegedUsers, 188 members
    // 06-reviewer-config: Reviewer configuration — manager with group owner fallback
    // 07-recurrence-settings: Quarterly recurrence — 14-day window, perpetual series
    // 08-auto-enforcement: Auto-apply enabled — remove access on no response
    // 09-review-active: Review active — 188 members in scope, reviewer routing confirmed
  • 05

    Review Executed via MyAccess Portal

    Reviewer notification email received within minutes of activation. All 188 members reviewed at myaccess.microsoft.com with mandatory justification for each decision — 182 approved, 6 denied. 100% reviewer response rate.

    // 10-reviewer-email: Reviewer notification email — review name, deadline, MyAccess link
    // 11a-approval-decision: MyAccess portal — approval decision with justification
    // 11b-denial-decision: MyAccess portal — denial decision with justification
  • 06

    Hybrid Enforcement Finding and Remediation

    • Finding: Review status shows "Results Applied" but member count remains at 188 in Entra
    • Root cause: GRP-SEC-PrivilegedUsers is AD-synced — Entra Access Reviews auto-apply cannot remove members from AD-sourced groups
    • Lab remediation: 6 denied members removed via AD PowerShell + delta sync. Member count confirmed at 182
    • Production path: Automate post-review PowerShell reading denied decisions from Graph API and applying AD group changes, or migrate privileged groups to cloud-only membership
    // 12-post-review-membership: Post-remediation — member count confirmed at 182
  • 07

    Audit Trail Export + Membership Delta Report

    All review decisions, justifications, reviewer identities, and timestamps exported via Graph API. Post-review delta report confirmed: 182 RETAINED, 6 REMOVED, 0 unexpected additions.

    // 13-audit-trail-export: Audit trail export — decisions, justifications, timestamps per member
    // 14-membership-delta: Membership delta — 182 retained, 6 removed, 0 unexpected

Outcome

  • Manager attribute gap discovered and remediated — 188/188 originally unpopulated
  • 188 members reviewed — 182 approved, 6 denied, 100% completion rate
  • Quarterly recurring review configured — next cycle auto-triggered Q3 2026
  • Hybrid AD enforcement limitation identified and documented with production remediation path
  • 6 denied members removed via on-prem AD PowerShell + delta sync
  • SOC 2 CC6.2 and CC6.3 evidence produced — full audit trail with decisions, justifications, and timestamps

Review Results

Metric | Result
Members reviewed | 188
Access approved | 182
Access denied | 6
Non-response | 0 (100% completion rate)
Total access removed | 6
Hybrid enforcement gap identified | ✅ Yes — documented
On-prem remediation completed | ✅ Yes
SOC 2 evidence generated | ✅ CC6.2, CC6.3
Next review scheduled | Q3 2026 (auto-triggered)

Hybrid Environment Notes

  • Manager attribute gap: AD user objects provisioned without the Organization tab populated will have no manager set in Entra ID. In production: enforce manager population as part of the JML joiner process, or use HR system integration to auto-populate the attribute.
  • Access Reviews write-back limitation: Entra Access Reviews auto-apply enforcement only works for cloud-native groups. AD-synced groups require a separate on-prem remediation step. In production: automate via post-review PowerShell reading denied decisions from Graph API.
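The production path named in both notes (and in implementation steps 06 and 07) as one script: export the decisions as the audit trail, then apply the denials in AD since auto-apply cannot. This is an added example, not the page's own code; it assumes a Connect-MgGraph session with AccessReview.Read.All, the RSAT ActiveDirectory module on a domain-joined host that can reach Entra Connect, and that the review definition and instance ids are supplied from the portal or Get-MgIdentityGovernanceAccessReviewDefinition.

```powershell
#Requires -Modules Microsoft.Graph.Identity.Governance, ActiveDirectory
# Illustrative post-review enforcement script; not the page's own code. Assumes an existing
# Connect-MgGraph session (AccessReview.Read.All) and RSAT ActiveDirectory on a domain-joined host.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$DefinitionId,   # access review schedule definition id
    [Parameter(Mandatory)][string]$InstanceId,     # the completed quarterly instance to enforce
    [string]$GroupName = 'GRP-SEC-PrivilegedUsers',
    [string]$AuditCsv  = ".\access-review-audit-$InstanceId.csv"
)

# --- 1. Pull every decision for the instance (-All follows Graph paging) ---
$decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
    -AccessReviewScheduleDefinitionId $DefinitionId -AccessReviewInstanceId $InstanceId -All

# --- 2. Audit trail: decision, justification, reviewer and timestamp per member (CC6.2/CC6.3 evidence) ---
$audit = foreach ($d in $decisions) {
    [pscustomobject]@{
        Member        = $d.Principal.AdditionalProperties['userPrincipalName']
        DisplayName   = $d.Principal.DisplayName
        Decision      = $d.Decision            # Approve | Deny | NotReviewed | DontKnow
        Justification = $d.Justification
        ReviewedBy    = $d.ReviewedBy.UserPrincipalName
        ReviewedAt    = $d.ReviewedDateTime
        ApplyResult   = $d.ApplyResult         # what Entra did; "applied" does not change an AD-synced group
    }
}
$audit | Export-Csv -Path $AuditCsv -NoTypeInformation
$audit | Group-Object Decision | ForEach-Object { "$($_.Name): $($_.Count)" }

# --- 3. Close the hybrid gap: remove denied (and, per the no-response setting, unreviewed) members in AD ---
$toRemove = @($audit | Where-Object { $_.Decision -in 'Deny', 'NotReviewed' })
$removed  = 0
foreach ($row in $toRemove) {
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$($row.Member)'"
    if (-not $adUser) { Write-Warning "No AD object for $($row.Member); remove manually"; continue }
    if ($PSCmdlet.ShouldProcess($row.Member, "Remove from $GroupName")) {
        Remove-ADGroupMember -Identity $GroupName -Members $adUser -Confirm:$false
        $removed++
    }
}
# Only push a delta sync when something changed; -WhatIf previews the removals without syncing
if ($removed -gt 0) { Start-ADSyncSyncCycle -PolicyType Delta }
"$($toRemove.Count) flagged for removal, $removed removed in AD; audit trail written to $AuditCsv"
```

After the delta sync, re-read the group membership in Entra and diff it against the pre-review baseline CSV to produce the retained/removed/unexpected delta report.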

Files