Access Reviews for Groups – Is Microsoft Entra ID P2 sufficient for licensing?

Question

Hi all,

We currently have Microsoft Entra ID P2 licenses in our tenant and would like to confirm the licensing requirements for Access Reviews on group memberships.

Specifically, can you please confirm whether Microsoft Entra ID P2 alone is sufficient to:

• Create and run Access Reviews for security groups
• Create and run Access Reviews for Microsoft 365 groups
• Schedule recurring reviews and automatically remove access based on review outcomes

Additionally, can you confirm the licensing scope:

• Do users being reviewed and users acting as reviewers both need to be licensed with Entra ID P2?
• Is an additional Microsoft Entra ID Governance license required for standard group access reviews, or only for advanced features?

We have reviewed Microsoft Learn documentation, which indicates that Access Reviews require Entra ID P2 or Entra ID Governance, but would like confirmation from the community or Microsoft moderators to ensure our understanding is correct.

Thank you in advance for your clarification.

Answer 1

Hello Gregory Soares,

Yes, Microsoft Entra ID P2 is sufficient to create and run Access Reviews for both security groups and Microsoft 365 groups. With Entra ID P2, you can schedule recurring reviews and automatically remove access based on review outcomes.

Regarding licensing scope, only the users being reviewed need Entra ID P2. Reviewers themselves do not require a P2 license. An additional Microsoft Entra ID Governance license is not required for standard group access reviews—it is only needed for advanced scenarios such as Entitlement Management (access packages).

This aligns with Microsoft Learn guidance stating that Access Reviews are supported with Entra ID P2 or Entra ID Governance.

https://docs.azure.cn/en-us/entra/id-governance/manage-user-access-with-access-reviews

Please let me know if this doesn’t fully address your scenario or if any clarification is needed.

Answer 2

Microsoft Entra ID P2 is sufficient for standard access reviews of group memberships, with some important distinctions for advanced capabilities and licensing scope.

1. Capabilities with Microsoft Entra ID P2

With Entra ID P2, the following access review scenarios are supported as part of the “Capabilities previously generally available in Microsoft Entra ID P2”:

• Create and run access reviews for security groups
• Create and run access reviews for Microsoft 365 groups
• Use recurring reviews and apply decisions (for the capabilities that were GA under P2)

These core access review capabilities are listed under:

• “Access reviews (AR)” with Entra ID P2 ✔
• “AR – Capabilities previously generally available in Microsoft Entra ID P2” with Entra ID P2 ✔

No Entra ID Governance license is required for these previously GA P2 capabilities.

2. When Entra ID Governance is required

Some newer/advanced access review capabilities require Entra ID Governance (or Entra Suite), not just P2. Examples from the licensing tables:

• AR – PIM for Groups (Preview) – requires Entra ID Governance or Suite
• AR – Reviews scoped to inactive users without active users in the review – requires Entra ID Governance or Suite
• AR – Machine learning assisted access certifications and reviews (user-to-group affiliation) – requires Entra ID Governance or Suite
• AR – Catalog Access Reviews (Preview) – requires Entra ID Governance or Suite
• AR – Custom data provided resource (Preview) – requires Entra ID Governance or Suite

So, for “standard” group access reviews (the capabilities that were already GA under P2), Entra ID P2 alone is sufficient. Entra ID Governance is only required if using the advanced/preview features listed above.

3. Licensing scope: who needs a license

For Access Reviews, the licensing scope is described as follows:

• Access Reviews require a Microsoft Entra ID license appropriate to the feature (P2 or Governance, depending on which capabilities are used).
• Licenses are required for:
  1. Member and guest users who are assigned as reviewers.
  2. Member and guest users who perform a self-review.
  3. Group owners who perform an access review.
  4. Application owners who perform an access review.

Global Administrator or User Administrator accounts that only set up access reviews, configure settings, or apply decisions do not require P2 licenses.

Applied to Entra ID P2:

• Users being reviewed: need to be licensed when they perform self-review (for self-attestation scenarios). If they are only being evaluated and never interact with the review, the licensing requirement in practice focuses on the users who actually use the feature (reviewers, self-reviewers, owners performing reviews), as outlined above.
• Users acting as reviewers (including group owners and application owners performing reviews): must be licensed with the appropriate Entra ID tier (P2 for P2 features, Governance for Governance-only features).

4. Summary

• Yes, Microsoft Entra ID P2 alone is sufficient to:
  • Create and run access reviews for security groups and Microsoft 365 groups.
  • Schedule recurring reviews and automatically remove access, as part of the capabilities previously GA in P2.
• Entra ID Governance is only required for advanced access review features such as PIM for Groups reviews, inactive-only reviews, ML-assisted recommendations, catalog access reviews, and custom data resources.
• Licensing must cover:
  • Reviewers (including group/app owners acting as reviewers) and users performing self-review.
  • Global/User Admins configuring reviews do not require P2.

For detailed matrices and examples, see the Microsoft Entra ID Governance licensing fundamentals and Microsoft Entra licensing pages.

---

References:

• What are access reviews?
• Microsoft Entra ID Governance licensing fundamentals
• Microsoft Entra licensing
• Create an access review of groups and applications in Microsoft Entra ID
• Design identity governance