
What breaks when Office 365 identity reviews rely only on periodic certification?

By NHI Mgmt Group Editorial Team · Updated June 23, 2026 · Domain: Governance, Ownership & Risk

Periodic certification breaks when access changes faster than the review cycle. Dormant accounts, inherited permissions, and orphaned tokens can remain active long after the review closes. Continuous discovery and remediation are needed so the control operates in the same time window as the risk.

Why This Matters for Security Teams

Periodic certification is a point-in-time control, but Office 365 access is not static. Mailboxes, SharePoint, Teams, app registrations, delegated permissions, and guest access can change between review windows, so a clean certification can still leave active exposure behind. NHI Management Group notes that only 5.7% of organisations have full visibility into their service accounts, which helps explain why reviews often miss the identities and tokens that matter most. The core failure is timing: the control checks yesterday’s state while attackers operate in today’s state.

This gap becomes more dangerous when identity sprawl includes service principals, API tokens, and inherited admin rights that are easy to overlook in a human-centric review. Current guidance from the NIST Cybersecurity Framework 2.0 emphasises ongoing governance and monitoring, not just scheduled attestation. That aligns with NHI Management Group’s broader analysis in the Ultimate Guide to NHIs. In practice, many security teams discover the problem only after dormant access or orphaned tokens have already been abused.

How It Works in Practice

To make Office 365 reviews effective, the certification process has to be paired with continuous discovery, policy evaluation, and remediation. Periodic attestation still has value for accountability, but it should verify current findings from live telemetry rather than act as the primary detection mechanism. That means inventorying users, guests, privileged roles, application permissions, mailbox delegation, OAuth grants, and service principals on an ongoing basis.

For identity-led environments, best practice is to treat certification as one layer in a broader control stack:

  • Continuously discover identities and permissions across Microsoft 365, Entra ID, and connected SaaS tenants.
  • Flag stale accounts, unused app registrations, excessive admin roles, and high-risk delegated permissions.
  • Use time-bound access, just-in-time elevation, and automatic revocation when business need expires.
  • Require evidence for approvals so reviewers validate real usage, not just job titles or ownership labels.
  • Feed findings into ticketing and remediation workflows so certification exceptions are closed quickly.

This is especially important because NHI exposure is common across enterprise environments. NHI Management Group reports in the 52 NHI Breaches Analysis that identity abuse frequently involves credentials and privileges that survive far beyond their intended lifespan. The issue is not that certification is useless, but that it is too slow to be the only control. Teams should map the review process to operational risk, then automate the parts that can change faster than a quarterly or semi-annual cycle. These controls tend to break down when tenant sprawl, delegated admin chains, and unmanaged app consent create access paths that reviewers cannot reliably see in one pass.

Common Variations and Edge Cases

Tighter certification often increases administrative overhead, so organisations have to balance assurance against reviewer fatigue and false confidence. That tradeoff is most visible in hybrid estates, multi-tenant Microsoft 365 deployments, and environments with many external collaborators. In those settings, a reviewer may approve access because the entitlement looks familiar, even though the actual risk has shifted through inheritance, app consent, or role chaining.

There is no universal standard for how often every Office 365 identity should be certified, but current guidance suggests the cadence should vary by risk. High-impact admin roles, externally shared resources, and non-human identities should be monitored more frequently than low-risk end-user access. The strongest programs use certification to confirm ownership and business justification, while continuous controls detect drift between reviews. NHI Management Group’s Top 10 NHI Issues resource is a useful reminder that excessive privilege and weak offboarding are recurring failure points, not edge cases. The practical answer is to shorten the remediation window, not just the review window.
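As an added example (not code from the page or from NHI Management Group), the following Python script shows what the "continuous controls detect drift between reviews" layer from the control stack above looks like when written down, including the risk-varied cadence this paragraph describes: it compares a constructed live inventory of users, service principals and delegated OAuth grants (field names simplified from what Microsoft Graph returns) against the set of identities approved at the last certification, flags stale accounts, unused app registrations, orphaned grants, consent granted after the review closed and identities that never went through review, and gives each finding a remediation deadline by risk tier. The inactivity threshold, the privileged-role and high-risk-scope lists, and the tier windows are assumed policy values, not anything the page specifies.

```python
"""Drift check between the last periodic certification and the live Office 365 / Entra ID state.

Added example, not code from the page or from NHI Management Group. Every record below is
constructed, and field names are simplified from what Microsoft Graph returns (for example
signInActivity.lastSignInDateTime is flattened to "lastSignIn"). Thresholds, role and scope
lists and remediation windows are assumed policy values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2026, 6, 23, tzinfo=timezone.utc)           # fixed clock so the run is reproducible
CERTIFIED_AT = datetime(2026, 3, 31, tzinfo=timezone.utc)  # when the last quarterly review closed
STALE_AFTER = timedelta(days=90)                            # assumed inactivity threshold

# Assumed policy: what counts as high impact, and how fast each tier must be remediated.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Exchange Administrator"}
HIGH_RISK_SCOPES = {"Directory.ReadWrite.All", "Mail.ReadWrite", "Application.ReadWrite.All"}
REMEDIATION_WINDOW = {1: timedelta(days=1), 2: timedelta(days=7)}

# Identities the reviewers approved at the last certification (constructed).
CERTIFIED_IDS = {"u-alice", "u-bob", "g-carol", "sp-mailsync", "sp-reporting"}

# Constructed live inventory, as a continuous discovery job would pull it today.
USERS = [
    {"id": "u-alice", "userType": "Member", "accountEnabled": True,
     "lastSignIn": "2026-06-20T08:00:00Z", "roles": ["Global Administrator"]},
    {"id": "u-bob", "userType": "Member", "accountEnabled": True,
     "lastSignIn": "2026-01-15T10:00:00Z", "roles": []},                          # dormant since January
    {"id": "g-carol", "userType": "Guest", "accountEnabled": True,
     "lastSignIn": None, "roles": []},                                            # guest who never signed in
    {"id": "u-dave", "userType": "Member", "accountEnabled": True,
     "lastSignIn": "2026-06-22T09:30:00Z", "roles": ["Exchange Administrator"]},  # added after the review
]
SERVICE_PRINCIPALS = [
    {"id": "sp-mailsync", "lastSignIn": "2026-06-21T07:00:00Z", "appRoles": ["Mail.Read"]},
    {"id": "sp-reporting", "lastSignIn": "2025-11-02T00:00:00Z", "appRoles": ["Reports.Read.All"]},    # unused
    {"id": "sp-backup", "lastSignIn": "2026-06-10T01:00:00Z", "appRoles": ["Directory.ReadWrite.All"]},  # never reviewed
]
OAUTH_GRANTS = [  # delegated consent: app "clientId" acts on behalf of user "principalId"
    {"id": "grant-1", "clientId": "sp-mailsync", "principalId": "u-alice",
     "scope": "Mail.Read offline_access", "consentedAt": "2026-02-01T00:00:00Z"},
    {"id": "grant-2", "clientId": "sp-reporting", "principalId": "u-erin",
     "scope": "Mail.Read", "consentedAt": "2026-02-01T00:00:00Z"},                      # u-erin has left: orphaned
    {"id": "grant-3", "clientId": "sp-reporting", "principalId": "u-bob",
     "scope": "Mail.ReadWrite offline_access", "consentedAt": "2026-05-05T12:00:00Z"},  # consent after the review
]


@dataclass
class Finding:
    identity: str
    kind: str
    tier: int          # 1 = high impact, 2 = standard
    detail: str
    due: datetime      # remediation deadline derived from the tier


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """ISO-8601 'Z' timestamp -> aware datetime; None means 'never'."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_stale(last_sign_in: Optional[str], now: datetime) -> bool:
    ts = parse_ts(last_sign_in)
    return ts is None or now - ts > STALE_AFTER


def evaluate(users, service_principals, grants, certified_ids, certified_at, now):
    """Return findings that appeared or persisted since the certification closed, most urgent first."""
    findings = []

    def add(identity, kind, tier, detail):
        findings.append(Finding(identity, kind, tier, detail, now + REMEDIATION_WINDOW[tier]))

    live_users = {u["id"]: u for u in users}
    for u in users:
        privileged = bool(PRIVILEGED_ROLES & set(u["roles"]))
        if u["id"] not in certified_ids:
            add(u["id"], "uncertified_identity", 1 if privileged else 2, f"roles={u['roles']}")
        if u["accountEnabled"] and is_stale(u["lastSignIn"], now):
            add(u["id"], "stale_account", 1 if privileged else 2,
                f"{u['userType']} with no sign-in since {u['lastSignIn'] or 'never'}")
    for sp in service_principals:
        high_risk = bool(HIGH_RISK_SCOPES & set(sp["appRoles"]))
        if sp["id"] not in certified_ids:
            add(sp["id"], "uncertified_identity", 1 if high_risk else 2, f"appRoles={sp['appRoles']}")
        if is_stale(sp["lastSignIn"], now):
            add(sp["id"], "unused_app", 2, f"no sign-in since {sp['lastSignIn']}")
    for g in grants:
        owner = live_users.get(g["principalId"])
        high_risk = bool(HIGH_RISK_SCOPES & set(g["scope"].split()))
        if owner is None or not owner["accountEnabled"]:
            add(g["id"], "orphaned_grant", 1, f"{g['clientId']} still holds consent from {g['principalId']}")
        elif parse_ts(g["consentedAt"]) > certified_at:
            add(g["id"], "post_certification_consent", 1 if high_risk else 2,
                f"{g['principalId']} consented {g['scope']} to {g['clientId']}")
    findings.sort(key=lambda f: (f.tier, f.identity))
    return findings


if __name__ == "__main__":
    for f in evaluate(USERS, SERVICE_PRINCIPALS, OAUTH_GRANTS, CERTIFIED_IDS, CERTIFIED_AT, NOW):
        print(f"tier {f.tier}  due {f.due:%Y-%m-%d}  {f.kind:<28} {f.identity:<13} {f.detail}")
```

Run as-is it reports seven exceptions, four of them tier 1 (an orphaned grant, consent granted after the review, an unreviewed service principal with a directory-write permission, and an unreviewed Exchange administrator), none of which a quarterly attestation that closed in March would have seen. The tier drives the deadline, which is the "shorten the remediation window, not just the review window" point: a privileged finding is due tomorrow, a dormant standard user within a week, and the review cycle itself is not on the critical path.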

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.RM-05 | Periodic certification must fit risk management and continuous oversight.
OWASP Non-Human Identity Top 10 | NHI-02 | Stale and orphaned identities are classic non-human identity governance failures.
NIST AI RMF | | The control gap is operational governance and ongoing monitoring of changing access.

Tie Office 365 access reviews to ongoing risk monitoring, not just scheduled attestation.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.