CMMC Level 2 Entra ID Access Reviews Setup Checklist

Access piles up quietly. A user changes roles, a vendor leaves, a temp account stays, and suddenly your CUI environment has “ghost access” nobody meant to approve.

For CMMC Level 2, I treat Entra ID access reviews as my repeatable proof that access stays authorized, current, and least-privileged. The best part is that access reviews can produce assessor-friendly exports, decision records, and audit trails without heroic effort.

This post is my auditor-ready setup playbook, plus an evidence checklist I use with Small Business IT teams that need results fast.

Scope CUI access first, so your reviews match what assessors test

Before I click “New access review,” I write down what “CUI access” means in this tenant. In most SMB environments, CUI shows up in SharePoint sites, Teams, OneDrive folders, line-of-business apps, and sometimes Azure resources. After an Office 365 Migration, it’s common to inherit messy groups and stale app assignments, so scoping matters.

Here’s how I define the review targets:

• Groups that grant access to CUI locations (Microsoft 365 groups, security groups, and role-assignable groups).
• Enterprise applications that touch CUI data, or provide admin access to systems in scope.
• Directory roles (privileged roles) and any “break glass” patterns.

If you want Microsoft’s identity-focused CMMC guidance for Access Control, I keep this bookmarked: Microsoft Entra guidance for CMMC Level 2 access control.

I also set expectations with stakeholders. Access reviews are not a one-time project. They’re part of my Cloud Management routine, alongside Endpoint Security, Device Hardening, and Conditional Access. That combination supports Secure Cloud Architecture and makes audits less painful.

Gotcha: if you can’t explain why each reviewed group, app, or role impacts CUI, your evidence will look “checkboxy” and assessors will push deeper.

Microsoft Entra ID access reviews setup procedures (groups, apps, roles)

I run access reviews from the Microsoft Entra admin center. The menu labels can shift, but the path is usually: Identity Governance (or Governance) → Access reviews.

Scenario 1: Review CUI groups (membership)

1. In Identity Governance → Access reviews, select New access review.
2. Choose Review type for Groups (membership).
3. Pick the CUI-related group (for example, a “CUI-SharePoint-Contributors” group).
4. Set Reviewers to the right owner pattern:
   • I prefer Users’ managers for staff access.
   • I use Group owners for shared operational groups.
5. Set Recurrence and Duration:
   • I default to quarterly for CUI groups.
   • Keep the review window short (7 to 14 days).
6. Configure Decisions and enforcement:
   • Require justification for approvals when it fits your culture.
   • Set “If reviewers don’t respond” to Remove access for high-risk groups.
   • Turn on Auto-apply results (or equivalent) so removals actually happen.
7. Enable notifications so reviewers can’t claim they never saw it.
8. Save the review, then run a test cycle with a small group before expanding.

Evidence to Collect

• Configuration screenshots: review scope, reviewers, recurrence, “auto-apply,” “non-response” behavior.
• Reviewer list: screenshot or export showing who can approve.
• Completion report/export: CSV download of decisions and outcomes.
• Audit logs showing changes: Entra Audit logs filtered to group membership removals tied to the review.
• Ticket/approval trail: change ticket for enabling auto-apply, exceptions, or disputes.
• Sample decision records: at least 2 to 3 entries showing approve, deny, and justification.

Scenario 2: Review Enterprise app assignments (users and groups)

1. Go to Identity Governance → Access reviews → New access review.
2. Select Applications (Enterprise applications) as the resource type.
3. Choose the app that touches CUI (SSO app, admin portal, or a service with sensitive integrations).
4. Define the scope as assigned users and groups.
5. Set Reviewers:
   • Use Application owners for business apps.
   • Use Security group owners if access flows through one main group.
6. Set frequency:
   • I typically set semiannual for stable apps.
   • I set quarterly for apps with staff turnover, such as Restaurant POS Support tools.
7. Turn on Auto-apply results, then set removals for denied and non-responded users.
8. Save, run, and verify the first cycle completes.

For day-to-day operations, I keep Microsoft’s how-to close at hand: how to complete access reviews and apply results.

Evidence to Collect

• App review settings screenshots: app selected, assignment scope, recurrence, and enforcement.
• Exported results (CSV): decisions, reviewers, timestamps, and applied outcomes.
• Enterprise application audit events: audit logs showing assignment removal, user de-provision, or group unassignment.
• Exception approvals: ticket plus business owner sign-off for any “keep access” overrides.
• Attestation sample: one decision record that includes a clear business reason.

Scenario 3: Review privileged roles (directory roles)

1. Open Identity Governance → Access reviews → New access review.
2. Choose Directory roles (privileged roles).
3. Select the roles that can impact CUI systems, like Global Administrator equivalents, security admin roles, or roles controlling collaboration and sharing.
4. Set Reviewers:
   • I use a two-person pattern when possible: role owner plus security lead.
   • Self-review alone is weak for privileged access.
5. Set frequency:
   • I default to monthly for high-privilege roles.
   • Short review windows reduce “I’ll do it later” behavior.
6. Require justification for keeping access, especially for standing admin assignments.
7. Enable Auto-apply so removals happen on schedule.
8. After the first cycle, validate removals, then document how emergency access gets approved.

Evidence to Collect

• Role list and review config screenshots: selected roles, reviewers, recurrence, justification required, auto-apply.
• Decision export: CSV of approvals and removals.
• Audit logs: role assignment removals tied to the review timeframe.
• Break-glass controls evidence: ticketed approval trail for any emergency role enablement.
• Sample outcomes: at least one denied admin and one approved with justification.

Consolidated evidence checklist for CMMC Level 2 (what I hand to assessors)

This table is the “single pane” I keep updated for Business Continuity & Security. It also fits nicely into Technology Consulting deliverables, whether I’m doing Infrastructure Optimization for Cloud Infrastructure or validating legacy Data Center Technology controls.

Artifact	Where to get it in Entra	Export format	Minimum frequency	Retention notes	Control mapping
Access review definition (scope, resources)	Identity Governance → Access reviews → select review → Overview	Screenshot (PNG)	Per change, then each cycle	Keep per SSP/contract, I often keep 3 years	AC.L2-3.1.1, AC.L2-3.1.2
Review schedule and recurrence settings	Same review → Settings (frequency, duration)	Screenshot (PNG)	Per change	Store with change ticket	AC.L2-3.1.1
Reviewer assignment evidence	Review → Reviewers (or Settings)	Screenshot (PNG)	Per change	Keep with org chart or role list	AC.L2-3.1.4
Decision and outcome export	Review → Results (or Completed) → Download	CSV	Every cycle	Store in immutable location	AC.L2-3.1.1, AC.L2-3.1.5
Auto-apply and non-response settings	Review → Settings → Apply results	Screenshot (PNG)	Per change	Keep with policy decisions	AC.L2-3.1.6
Entra audit logs showing removals	Entra ID → Monitoring → Audit logs (filter by Group/Role/App changes)	CSV export	Every cycle	Central log archive, protect from edits	AC.L2-3.1.7, IA.L2-3.5.1
Ticket or approval trail for exceptions	Your ITSM tool linked to review cycle	PDF export or ticket link	Every exception	Keep with review export	AC.L2-3.1.1
Evidence of related identity controls (supporting)	Entra standards guidance and your configured policies	Screenshots + policy exports	Annual and per change	Align with SSP	AC/IA supporting controls

For identity hardening beyond reviews, I also reference Microsoft’s broader guide: additional Microsoft Entra controls for CMMC Level 2.

If an assessor asks “prove it happened,” screenshots show intent, but exports plus audit logs show reality.

Conclusion

When I set up Entra ID access reviews with auto-apply, clear reviewers, and disciplined evidence capture, CMMC Level 2 stops feeling like a mystery. The same pattern supports Digital Transformation goals too, since access stays clean as teams grow.

If you want this operationalized as Managed IT for Small Business, I treat it as part of Tailored Technology Services: identity governance, security logging, and repeatable review cycles that a real assessor can follow. Your next audit shouldn’t depend on somebody’s memory, it should depend on your records.