Access Reviews: overview

  • Last updated on October 15th, 2025

CoreView Access Reviews enable Tenant Admins and delegated Access Review Admins to assess and adjust user permissions across Microsoft 365 resources on a scheduled basis. Admins can identify and remove obsolete user permissions, and configure Access Reviews to align with internal policies or regulatory requirements, such as NIST, ISO, or SOC2. Reviewer assignments, notifications, and reporting occur through automated CoreView workflows. All decisions made during an Access Review are logged and can be exported for audit purposes.

Access Review execution process

1. Review creation by Tenant Admins or Access Review Admins

Only Tenant Admins or delegated Access Review Admins can initiate an Access Review. During creation, admins specify which resources (such as Teams, Groups, mailboxes, or other Microsoft 365 resources) are included in the review. Reviewer assignments are made by selecting individuals or groups who manage or own the selected resources.

2. Execution by assigned reviewers

Reviewers—commonly group owners or resource managers—inspect the current permissions for all users on targeted resources. Reviewers select whether to approve, modify, or revoke each user's access. Modifications remain in a pending state until the review is finalized.

3. Templates and customization

CoreView provides templates and configuration options for recurring reviews of:

  • Microsoft Teams or group memberships
  • Security groups
  • Guest user access
  • Mailbox permissions
  • OneDrive ownership
  • SharePoint site membership

Who can be a reviewer?

Tenant Admins and Access Review Admins

Tenant Admins and Access Review Admins can assign reviewers—including themselves—to Access Reviews. They can also start Access Reviews that were previously assigned to them, whether by themselves or by other admins.

CoreView operator

A CoreView operator can be any user with an assigned role in CoreView, such as a group owner, delegated admin, or someone with a custom role designed for review responsibilities. 

Non-CoreView user

Users without a CoreView account, but who have accounts in the organization’s Microsoft 365 tenant, can be selected as reviewers. In such cases, CoreView provisions an account with restricted access limited to the assigned Access Review tasks, using Microsoft 365 authentication.

Access Review lifecycle

The Access Review lifecycle includes the following stages:

  • Initiation: the admin specifies the resources to be reviewed, the duration of the review, and the schedule and notification configurations.
  • Assignment: assigned reviewers receive notification via email.
  • Execution: reviewers approve, modify, or revoke user access permissions for each resource. All permission changes remain in a pending state until the review is concluded.
  • Monitoring: the admin monitors review progress using dashboards that indicate completion percentages and outstanding items.
  • Logging: upon review conclusion, CoreView generates audit logs for the review cycle. These logs can be exported in CSV format for retention or integration with external compliance tracking systems.

For step-by-step configuration and operational instructions, refer to the following articles: