Missing data in access review

Question

Missing data in access review

ISNY MSP 0

Hello, client informs me they did Q4 access reviews last year. However the most recent data appears to be from October of last year. Client claims there were some done in November-January. Are you able to see if any data is missing, orphaned, or has been deleted? Thank you,

User's image

ISNY MSP 0 Reputation points

2026-04-03T19:47:48.0066667+00:00

I can't look for historical data in terms of access reviews being deleted, as the history only goes back like 30 days.
Rukmini 34,845 Reputation points Microsoft External Staff Moderator

2026-04-03T19:49:57.2966667+00:00
Hey there! It sounds like you’re expecting to see access‐review instances for November through January but the portal only shows the October run. By design, the audit pane in the Azure portal only holds about 30 days of raw audit data, so older events will fall off that view unless you’ve taken extra steps to preserve them.

Here’s how you can confirm whether those mid‐quarter review instances actually exist (or if they were never created/deleted):

Check the review definition’s History blade

In the Entra portal, go to Identity Governance > Access reviews > select your Q4 review definition.

Click History on the left. That view surfaces every instance (start/end date) that ran against that definition—regardless of audit-log retention.

If your Nov/Dec/Jan runs aren’t there, they either weren’t created under that definition or someone deleted the definition and re-created it under a different name.

Query via the Microsoft Graph API

Use the Graph endpoint GET /identityGovernance/accessReviews/definitions/{definitionId}/instances to list all instances for a given definition. Even older/completed instances show up here.

If they don’t appear in Graph, they never existed or were deleted at definition-level (instances themselves can’t be individually deleted via UI).

Export audit logs for long-term retention

If you need historical tracking beyond 30 days, route your Entra audit logs to a Log Analytics workspace, storage account, or Event Hub.

Then you can run Kusto queries against the AuditLogs table to filter on the AccessReviewInstance activities by date.

Let me know if you need sample Graph queries or guidance on exporting your logs for longer retention. If you’d also share:

The exact name (and definition ID, if possible) of the Q4 review you’re inspecting

Whether you’re using the “preview” multi-resource view vs. the classic Groups/Apps view

I can then point you to step-by-step docs or sample scripts.

Reference docs:

• What are Microsoft Entra access reviews?

https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview

• Access reviews reporting & logs (export audit data)

https://docs.microsoft.com/azure/active-directory/governance/deploy-access-reviews#monitor-access-reviews

• Quickstart: route Entra audit logs to Log Analytics

https://docs.microsoft.com/azure/active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account

• Graph API: accessReviewDefinitions and instances

https://docs.microsoft.com/graph/api/resources/accessreviews-root?view=graph-rest-beta

Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.
ISNY MSP 0 Reputation points

2026-04-06T16:55:21.8733333+00:00

Access-Reviews.pdfHello!

Yes I was able to get the full output of all access reviews created. However, it appears the data reported missing, is still missing. Is there anything else I can check?
ISNY MSP 0 Reputation points

2026-04-07T14:23:16.34+00:00

@Rukmini Mortha anything else I can try here?

1 answer

Your answer

ISNY MSP 0 Reputation points

2026-04-03T19:47:48.0066667+00:00

I can't look for historical data in terms of access reviews being deleted, as the history only goes back like 30 days.
ISNY MSP 0 Reputation points

2026-04-06T16:55:21.8733333+00:00

Access-Reviews.pdfHello!

Yes I was able to get the full output of all access reviews created. However, it appears the data reported missing, is still missing. Is there anything else I can check?
ISNY MSP 0 Reputation points

2026-04-07T14:23:16.34+00:00

@Rukmini Mortha anything else I can try here?

Answer 1

Use Microsoft Entra audit logs and, if configured, exported logs to determine whether any access reviews are missing or deleted.

In the Microsoft Entra admin center, go to Audit logs.
Filter on:
- Category: Policy (or equivalent category used for access reviews)
- Activity type: at least Create access review, Update access review, Access review ended, Delete access review, Apply decision
- Date range: cover the full period in question (for example, November–January).
Review the results:
- If there are Create access review events for Q4 but no corresponding entries in the access reviews blade, those reviews may have been deleted; look for Delete access review events to confirm.
- If there are no audit events at all for that period, then no access reviews were created in the tenant during those dates.
If audit logs are being exported to Azure Monitor Log Analytics or Azure Event Hubs, query those workspaces for the same activity types and date range to see historical events beyond the retention period of the Entra audit logs and to track completion over time.

This approach shows definitively whether reviews were created, updated, ended, or deleted, and whether any expected Q4 reviews are missing from the current access review list.

References:

Plan a Microsoft Entra access reviews deployment

Share via

Missing data in access review

1 answer

Your answer