Introducing Machine Learning based recommendations in Azure AD Access reviews
Published Dec 01 2022 10:28 AM 10.1K Views

Many of you are already using Azure AD access reviews to govern access of your employees, guests, and workload identities to sensitive resources. Over the years, one of the top requests from our customers is to make the review process easier so that reviewers can make quicker and more accurate decisions. Today, I’m excited to share that we’ve vastly enhanced our recommendations in access reviews using sophisticated machine learning models that determine users’ affiliation to the group being reviewed, based on the organization’s reporting structure. This additional recommendation makes the entire process much easier for reviewers, thereby increasing reviewer efficiency, reducing attestation fatigue, and ensuring that your sensitive resources are secure. 


Microsoft Entra Identity Governance is helping customers move beyond the traditional Identity governance approach of managing access, thereby reducing cost and increasing productivity.  





What is User-to-Group Affiliation? 

The User-to-Group Affiliation recommendation compares users’ relative affiliation with other users in the group, based on the organization’s reporting structure. Our machine learning based scoring mechanism identifies the distance between the users in an organizational hierarchy to detect those users who are very distant from other users in the group i.e., have "low affiliation" and our system then provides a ‘Deny’ recommendation. 


Enabling this recommendation in access reviews is a one-click process 

Switching on this recommendation while creating access reviews is easy – select the decision helper “User-to-Group Affiliation” in settings during the access review creation experience and the rest is the same as any other access review. 





Recommendations for Reviewers of access reviews: 

The reviewers of access reviews see the recommendations if a user has “Low Affiliation” with other users within the group along with our existing Inactive user recommendation. The reviewer can accept the recommendations by clicking on “Accept Recommendations” or can manually “Accept” or “Deny” access based on the recommendations, thereby helping the reviewer make a quick decision. 





Additional details to enhance access review decision making: 

A reviewer who needs additional information to make an access decision can click on “Details” and will get an option to “Accept” or “Deny” access. If the reviewer selects the recommended option, the decision can be submitted directly, whereas, if the reviewer goes against the recommended option, a reason is required before the decision is submitted.  





Try it now by navigating to the Entra Identity Governance and enabling access reviews on a group. 


Resources and Feedback: 

For more information, please visit User-to-Group Affiliation recommendation for Azure AD Access reviews 

As we work on simplifying identity governance processes through analytics, we want to hear from you! Please leave your comments down below or reach out to us on  


Joseph Dadzie, Partner Director of Product Management 

Twitter: @joe_dadzie 



Learn more about Microsoft identity: 

Version history
Last update:
‎Dec 01 2022 12:30 PM
Updated by: