Paste an Entra access-review history export, then select Build evidence pack. A sample export is loaded so you can try it right away.
About the Entra access review evidence pack
The Entra access review evidence pack turns a pasted Microsoft Entra access-review history export into an audit-ready read of what each access decision means. Paste the export, add optional app-roster owner notes, and the tool normalizes the Entra review columns, buckets every decision into revoke, approve, exception, or not reviewed, flags dormant access and reviewer justifications, and gives each row a suggested evidence action. It is built for the moment before a quarterly access certification closeout when you need to know which exceptions and undecided rows still need attention.
A sample export is loaded so you can see findings right away: a dormant approval, a justified retention, and a Don't-know decision surface as exceptions, and an undecided row surfaces as not reviewed. Everything runs in your browser. The export you paste is never uploaded, logged, or stored, which matters because an access-review export can carry names, emails, group names, app names, decisions, and reviewer comments. On-screen identities are masked; the full value is written only to the evidence CSV you download. When the buckets look right, download the evidence CSV or copy the auditor summary. The tool organizes evidence and makes no certification determination of its own.
How to use
- In Microsoft Entra, open Identity Governance, then Access reviews, select the review under certification, and export or copy its review history (decisions). Include decision, resource or application, principal, reviewer, and last sign-in columns where available.
- Paste the review history into the export box. A sample export is loaded so you can see the format the tool expects.
- Optionally paste app-roster owner notes, one per line, as the app name then a note (separated by a colon, comma, or pipe). Notes are matched to resources by name.
- Select Build evidence pack to bucket every decision into revoke, approve, exception, or not reviewed, with dormancy and reviewer context and a suggested evidence action.
- Use the decision filter to focus on exceptions or undecided rows, then download the evidence CSV or copy the auditor summary for your certification record.
Worked examples
A dormant approval is flagged as an exception to document
When access is approved but the principal has not signed in within the dormancy window (measured against the latest sign-in in the export), the row is bucketed as an exception with a prompt to document the justification and set a re-review date.
An undecided row surfaces as not reviewed before closeout
A row with no decision, or marked Not reviewed, is surfaced separately with a prompt to obtain a decision or revoke by default before certification closeout, so it does not slip through.
A clean review shows no exceptions
When every decision is a straightforward approve or revoke with recent sign-ins, the pack reports no exceptions or undecided rows, so you can close the review with the evidence CSV retained.
Frequently asked questions
- What should I paste in the export box?
- A Microsoft Entra access-review history export as CSV, TSV, or JSON rows. The tool reads a decision column (Approve, Deny or Remove, Don't know, or Not reviewed) and uses resource or application, principal (user or UPN), reviewer, justification or comment, and last sign-in columns when present. It recognizes common Entra header names (for example resourceDisplayName, userPrincipalName, reviewResult, reviewedBy, lastSignInDateTime). You can omit any columns you do not have.
- How does it decide which rows are exceptions?
- A decision to deny or remove access is a revoke; a clean approval with a recent sign-in is an approve. An approval becomes an exception when it retains access despite dormancy (no sign-in within the window) or carries a reviewer justification, and a Don't-know decision is treated as an exception to document. A row with no decision is surfaced as not reviewed. Exceptions and not-reviewed rows are the items that still need attention before closeout.
- How is dormant access detected?
- Dormancy is measured against the latest sign-in present in your export, which stands in for the review run date, so the result is deterministic and needs no live clock. Access with no sign-in within 90 days of that reference date, or with no recorded sign-in at all, is flagged as dormant. Include a last sign-in column to surface dormant access; without one, dormancy cannot be flagged.
- Is my export sent anywhere, and are identities exposed?
- No. Parsing, bucketing, and export run entirely in your browser. The pasted rows, names, emails, group names, app names, decisions, reviewer comments, and justifications are never uploaded, logged, or stored, and they are not included in any analytics. On-screen and in the copied auditor summary, principal identities are masked; the full principal value is written only to the evidence CSV you download, which stays on your device. Only coarse, anonymous count bands are recorded so we can tell how often the tool is used.
- Does this replace Entra ID Governance or my GRC tool?
- No. It is a fast, paste-based aid for organizing access-review evidence before closeout. It does not connect to your tenant, apply decisions, or make a certification determination. Keep using Microsoft Entra ID Governance access reviews and your audit or GRC platform as the authoritative system of record. This tool is evidence organization, not compliance or legal advice.
- Is the Entra access review evidence pack free?
- Yes. It is free to use and does not require an account.
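The bucketing and dormancy rules from the FAQ answers above, as an added JavaScript example that is not the tool's own code. The field names `reviewResult`, `userPrincipalName` and `lastSignInDateTime` are the Entra headers listed above; the `justification` field, the function names and the sample rows are assumptions made for illustration.

```javascript
// Added illustration of the FAQ's bucketing rules; not the tool's source code.
const DORMANCY_DAYS = 90;
const DAY_MS = 24 * 60 * 60 * 1000;

function parseDate(value) {
  const t = Date.parse(value || "");
  return Number.isNaN(t) ? null : t;
}

// Reference date = latest sign-in present in the export (no live clock).
function referenceDate(rows) {
  const times = rows.map(r => parseDate(r.lastSignInDateTime)).filter(t => t !== null);
  return times.length ? Math.max(...times) : null;
}

function bucketRow(row, ref) {
  // Normalize "Don't know" / "Not reviewed" to "dontknow" / "notreviewed".
  const decision = (row.reviewResult || "").toLowerCase().replace(/[^a-z]/g, "");
  const signIn = parseDate(row.lastSignInDateTime);
  // With no sign-in data anywhere in the export, dormancy cannot be flagged.
  const dormant = ref !== null && (signIn === null || ref - signIn > DORMANCY_DAYS * DAY_MS);
  const justified = Boolean((row.justification || "").trim()); // assumed field name

  if (decision === "deny" || decision === "remove") return { bucket: "revoke", dormant };
  if (decision === "dontknow") return { bucket: "exception", dormant };
  if (decision === "approve") {
    return { bucket: dormant || justified ? "exception" : "approve", dormant };
  }
  // Empty, "Not reviewed", or unrecognized: surface it rather than pass it silently.
  return { bucket: "not reviewed", dormant };
}

function buildPack(rows) {
  const ref = referenceDate(rows);
  return rows.map(r => ({ ...r, ...bucketRow(r, ref) }));
}

// Constructed sample rows, not real tenant data.
const sampleRows = [
  { userPrincipalName: "a@example.com", reviewResult: "Approve", lastSignInDateTime: "2024-06-28T09:00:00Z" },
  { userPrincipalName: "b@example.com", reviewResult: "Approve", lastSignInDateTime: "2024-01-10T09:00:00Z" },
  { userPrincipalName: "c@example.com", reviewResult: "Approve", lastSignInDateTime: "2024-06-20T09:00:00Z", justification: "Break-glass owner" },
  { userPrincipalName: "d@example.com", reviewResult: "Don't know", lastSignInDateTime: "2024-06-01T09:00:00Z" },
  { userPrincipalName: "e@example.com", reviewResult: "Deny", lastSignInDateTime: "" },
  { userPrincipalName: "f@example.com", reviewResult: "", lastSignInDateTime: "2024-06-25T09:00:00Z" },
];
```

Calling `buildPack(sampleRows)` returns each row with a `bucket` and a `dormant` flag; an unrecognized decision value lands in "not reviewed" so it is surfaced before closeout rather than counted as approved.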