Identity Lifecycle & Access Reviews in SC-900 explain how organisations manage access as users join, change roles, and leave.
Access control is not a one-time decision. Users join organisations, change roles, take on temporary responsibilities, and eventually leave. If access is not adjusted at each stage, excessive permissions accumulate silently, creating security and compliance risk, which makes lifecycle-based access management critical.
This is why Identity Lifecycle & Access Reviews are core concepts in SC-900 (Microsoft Security, Compliance, and Identity Fundamentals).
SC-900 introduces these topics to help learners understand how access should be managed over time, not just at sign-in.
What Are Identity Lifecycle & Access Reviews in SC-900?
Many security incidents don’t start with attackers.
They start with outdated access.
Examples include:
- Users retaining admin access after role changes
- Former employees still having application access
- Temporary permissions never being removed
SC-900 includes identity lifecycle and access reviews to explain how organisations:
- Maintain Least Privilege
- Reduce long-term risk
- Support governance and audits
What Is the Identity Lifecycle in SC-900?
The identity lifecycle refers to the stages an identity goes through during its existence.
At SC-900 level, this is explained using a simple model:
Joiner → Mover → Leaver
This model applies to:
- Users
- Contractors
- External identities
Understanding this lifecycle is essential to understanding why access must be reviewed regularly.

Joiner: When an Identity Is Created
A joiner is a new user joining the organisation.
At this stage:
- An identity is created
- Initial access is granted
- Roles are assigned based on job function
SC-900 emphasises that access should be:
- Role-based
- Minimal
- Aligned with job responsibilities
This prevents over-permissioning from day one.
Mover: When Roles or Responsibilities Change
A mover is an existing user whose role changes.
Examples:
- Promotion
- Department change
- Temporary project assignment
This is where many access issues occur.
If access is only added and never removed:
- Privileges grow over time
- Least Privilege is violated
- Risk increases silently
SC-900 highlights the importance of adjusting access when roles change, not just when users join.
Leaver: When an Identity Is Removed
A leaver is a user who leaves the organisation.
At this stage:
- Access must be removed
- Accounts must be disabled or deleted
- Permissions must be revoked
Failure to manage leavers properly can result in:
- Orphaned accounts
- Unauthorised access
- Compliance violations
SC-900 includes this stage to stress that identity removal is as important as identity creation.
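As an added illustration (not part of the original article and not Microsoft tooling), the following Python example compares each identity's current permissions against a baseline for its role, which is the check that the joiner, mover and leaver stages all depend on. The role names, permission names and user records are constructed for the example.

```python
# Constructed sample data: roles, permissions and users are hypothetical.
ROLE_BASELINE = {
    "sales-rep": {"crm:read", "crm:write"},
    "finance-analyst": {"ledger:read", "reports:read"},
}

IDENTITIES = [
    # Joiner: access granted from the role baseline only.
    {"user": "asha", "status": "active", "role": "sales-rep",
     "enabled": True, "grants": {"crm:read", "crm:write"}},
    # Mover: moved from sales to finance; the old access was never removed.
    {"user": "ben", "status": "active", "role": "finance-analyst", "enabled": True,
     "grants": {"crm:read", "crm:write", "ledger:read", "reports:read"}},
    # Leaver: left the organisation, but the account is still enabled.
    {"user": "dana", "status": "left", "role": None,
     "enabled": True, "grants": {"crm:read"}},
]


def review_identity(identity, baseline=ROLE_BASELINE):
    """Return the changes needed to bring one identity back to its role baseline."""
    grants = set(identity["grants"])
    if identity["status"] == "left":
        # Leaver: no permission should remain and the account must be disabled.
        return {"revoke": sorted(grants), "grant": [],
                "disable_account": identity["enabled"]}
    # An unknown role has an empty baseline, so every grant is flagged for removal.
    expected = baseline.get(identity["role"], set())
    return {
        "revoke": sorted(grants - expected),  # privilege creep
        "grant": sorted(expected - grants),   # access missing for the current role
        "disable_account": False,
    }


def run_access_review(identities, baseline=ROLE_BASELINE):
    """Map each user to the required changes; users already at baseline are omitted."""
    findings = {}
    for identity in identities:
        result = review_identity(identity, baseline)
        if result["revoke"] or result["grant"] or result["disable_account"]:
            findings[identity["user"]] = result
    return findings


if __name__ == "__main__":
    for user, result in run_access_review(IDENTITIES).items():
        print(user, result)
```

The joiner produces no finding, the mover is flagged for the two CRM permissions left over from the previous role, and the leaver is flagged for both revocation and account disablement.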
What Are Access Reviews in SC-900?
Access reviews are periodic checks to confirm whether users still need the access they have.
In simple terms:
Access reviews answer the question:
“Should this user still have this access?”
SC-900 introduces access reviews as a governance control, not a technical task.

Access Reviews are part of Identity Governance and typically require Entra ID P2 licensing when actively used.
Why Access Reviews Matter
Over time:
- Job roles change
- Projects end
- Responsibilities shift
Without reviews:
- Access becomes outdated
- Privilege creep occurs
- Risk increases
Access reviews help organisations:
- Enforce Least Privilege
- Maintain Zero Trust
- Support audits and compliance
SC-900 focuses on understanding why reviews are necessary, not how to configure them.
Identity Lifecycle & Access Reviews in Zero Trust
Zero Trust assumes:
- No permanent trust
- Continuous verification
- Ongoing evaluation of access
Identity lifecycle management and access reviews support Zero Trust by:
- Removing unnecessary access
- Limiting long-term permissions
- Reducing attack impact
This connection is exam-relevant in SC-900.
Identity Lifecycle vs Authentication (Important Distinction)
SC-900 clearly separates:
- Authentication → verifying identity at sign-in
- Identity lifecycle & access reviews → managing access over time
Security does not end after login.
It continues throughout the entire lifecycle of an identity.
Common Misconceptions About Identity Lifecycle & Access Reviews
SC-900 helps correct these misunderstandings:
- “Access reviews are only for auditors.”
  They are a core security practice.
- “Access only needs review for admins.”
  All users benefit from reviews.
- “Once access is approved, it’s permanent.”
  Access should change as roles change.
Understanding these points is important for both the exam and real environments.
SC-900 Exam Tip
For SC-900:
- Understand the joiner–mover–leaver concept
- Know why access reviews exist
- Link identity lifecycle to Least Privilege and Zero Trust
- Avoid thinking in terms of implementation steps
If you can explain this concept in simple language, you are exam-ready.
Final Verdict: Why Identity Lifecycle & Access Reviews Matter in SC-900
Identity security is not static.
By managing identities from creation to removal and reviewing access regularly, organisations:
- Reduce security risk
- Prevent privilege creep
- Strengthen governance
- Support compliance requirements
SC-900 introduces identity lifecycle and access reviews to build the mindset that secure access is an ongoing process, not a one-time event.
Also see our detailed guide on what SC-900 is to understand Microsoft Security, Compliance, and Identity fundamentals.
For official and up-to-date exam objectives, learning paths, and reference material, refer to Microsoft Learn’s SC-900 documentation.
What’s Next in the SC-900 Series
Next, we’ll cover:
Privileged Identity Management (PIM) in SC-900: Why Standing Admin Access Is a Risk