
Catalog Access Reviews (preview)

Catalog access reviews in Microsoft Entra ID Governance enable organizations to simplify how managers review users' access to multiple resource types, such as groups, applications, and custom disconnected resources, at once. This helps ensure only the right people retain access, while enabling managers and resource owners to review access efficiently through a multi-stage process.

License requirements

This feature requires Microsoft Entra ID Governance or Microsoft Entra Suite subscriptions for your organization's users. For more information, see the article for each capability. To find the right license for your requirements, see Microsoft Entra ID Governance licensing fundamentals.

Add resources to catalog

To enable access reviews across multiple resources in a single reviewer experience, you must first add those resources to a catalog. Groups, applications, and custom data provided resources are currently the three resource types that can be reviewed through a catalog. To add resources to a catalog:

  1. Sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator or catalog creator, and as the owner or administrator of the resources.

  2. Browse to Entitlement management > Catalogs.

  3. On the catalogs screen, select an existing catalog or select New Catalog to create a new one.

  4. On the catalog overview page, select Resources > Add resources.

  5. To review memberships of groups or teams, select Groups and Teams and choose the groups you want to include in the catalog. To review app role assignments, select Applications and choose the applications you want to include in the catalog.

    Note

    In catalog access reviews, only groups, applications, and custom data provided resources are supported.

  6. With the resources selected, select Add to save them in the catalog.

  7. To enable the review to also include data from custom data providers, select Custom Data Provided Resource (Preview), and provide the name and description of the resource. For more information, see custom data provided resource.

For more information on creating a catalog and adding resources, see Create and manage a catalog of resources.

Create a catalog access review

Once you add resources to a catalog, you can create a catalog access review so that managers can review access across all of these resources at once for the users they manage. To create a catalog access review, do the following steps:

  1. Sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator.

  2. Browse to ID Governance > Access Reviews > New access review.

  3. On the Access reviews template screen, select Review users access across multiple resource types within a catalog to select the catalog review template.

  4. Enter basic information about the workflow and select Next.

  5. On the Resources tab, select the catalog to which you added the resources and select Next.

  6. On the Reviewers and schedule tab, choose reviewers. Currently, managers of the users are the primary reviewers.

  7. Optionally, you can configure multi-stage reviews, where the resource owners (group or application owners) serve as secondary reviewers.

  8. Configure reviewer experience options (email notifications, reminders, justification requirements) and completion settings.

  9. Select Create to finalize the access review.

You can also create an access review programmatically using Microsoft Graph. For more information, see Create a single stage access review on a catalog.

Upload data from custom data resources

If you have added custom data provided resources to the catalog, then you must upload the data while the review instance is initializing. For more information, see get access review object and instance ID.

Completing a catalog access review

When the catalog access review is created, managers receive an email notification that directs them to the My Access portal. They can also navigate directly to the My Access portal, where they can view their direct reports' access to all resources in the catalog.

To complete a catalog access review, do the following steps:

  1. Sign in to the My Access portal at https://myaccess.microsoft.com as the manager of the users you want to complete the catalog access review for.

  2. In the left menu, select Access reviews to see a list of access reviews pending approval.

  3. Select the Multi-resource tab to see a list of pending catalog access reviews.

  4. For each access item, choose Approve or Deny, and provide a justification if required.

  5. Select Submit to record your decisions.

On the review end date, all decisions, excluding custom disconnected resources, are automatically applied.