How to Run Periodic Access Reviews in Google Workspace
Quarterly access reviews catch privilege creep, stale accounts, and unauthorized access before auditors do. Here's how to run them in Google Workspace without losing your mind.
Your SOC 2 auditor asks: "Can you show me your most recent access review?" You open a Google Sheet from six months ago. Half the data is stale. Two of the admins listed have since left the company. The auditor writes something down and you know it's not good.
Periodic access reviews are the compliance task that everyone knows they should do and almost nobody does consistently. The concept is simple — regularly verify that every user's access is still appropriate. The execution, in Google Workspace, is painful enough that it gets postponed until an audit forces it.
Here's how to build a process that actually gets done.
What a Periodic Access Review Covers
Access reviews aren't just about admin roles. They touch five areas, and skipping any one of them leaves a gap that auditors will find.
Admin Role Assignments
Who has Super Admin? User Management Admin? Groups Admin? Custom roles? For each assignment, the question is: does this person still need this level of access, and is there a documented business reason?
This is where most organizations find the worst surprises. The IT contractor who was given Super Admin for a migration project three months ago. The department head who got Groups Admin to fix one mailing list and still has it. The former employee whose delegated admin role was never revoked because nobody thought to check.
Go to Admin Console > Account > Admin roles and click through each role to see who holds it. Count the members. Keep Super Admin to a handful: more than one, so a lost or compromised account cannot lock you out of the tenant, but rarely more than two or three. If it has more than that, you have a problem. For a deeper dive, the admin role audit guide walks through the full process.
Google Groups Memberships
Groups control access to shared drives, calendar resources, and applications. A quarterly review should check:
- External members — Is every external email address in a group still a current business relationship?
- Departed employees — Did offboarding catch all their group memberships, or are there ghosts?
- Group owners — Is every group owned by an active employee? Orphaned groups are a governance gap.
- Permission levels — Are any internal groups set to "anyone on the internet can post"?
If your groups haven't been audited in a while, start with the group cleanup guide before layering on a recurring review.
License Assignments
License reviews are mostly a cost issue rather than a security one, but auditors still ask about them for a reason: a paid license on a suspended or forgotten account means the account still exists, still holds its data, and can be reactivated with one click. Over-provisioned licenses usually point at over-provisioned access.
Check for:
- Suspended accounts still consuming paid licenses
- Users on Business Plus or Enterprise who only use email and Drive
- Shared mailboxes and service accounts on unnecessarily expensive editions
The license cost reduction guide has the full breakdown.
OAuth App Grants
Third-party apps are the blind spot in most access reviews, and they come in two forms: OAuth grants that individual users consented to (that Slack integration, the CRM connector, the random Chrome extension someone authorized two years ago) and domain-wide delegation granted to a service account, which lets the service account act as any user without anyone consenting. Each one has scoped access to your Workspace data.
Admin Console > Security > Access and data control > API controls lists both: the app access control view shows which apps users have authorized and how many users granted them, and the domain-wide delegation section shows service account client IDs and their scopes. Per-user grants are also visible on each user's page under Security > Connected applications. The question for each app: is it still in use, is the access scope appropriate, and is the vendor still trusted?
User Account Status
The final check: is every active account a real, current employee or contractor? Look for:
- Accounts that haven't logged in for 90+ days
- Accounts created for temporary projects that ended
- Test accounts that were never cleaned up
- Former employees whose accounts were suspended but never deleted
How Often to Review
Compliance frameworks have opinions about this.
SOC 2 requires evidence of periodic access reviews under the logical access criteria (CC6). The Trust Services Criteria don't fix a cadence, but quarterly is the de facto standard, and anything less frequent is hard to defend to an auditor.
ISO 27001 requires periodic review of user access rights (control A.9.2.5 in the 2013 edition, folded into A.5.18, Access rights, in the 2022 edition). The standard doesn't specify a cadence, but quarterly satisfies most certification bodies.
HIPAA's Security Rule (45 CFR 164.308) requires covered entities to manage and review information system access. It sets no cadence; quarterly is typical for covered entities.
PCI DSS v4.0 (Requirement 7.2.4) requires review of all user accounts and related access privileges at least once every six months. Quarterly is better.
If you're not subject to any framework, quarterly is still the right cadence. Monthly is overkill for most organizations. Semi-annual lets too many issues accumulate between reviews.
The Google Workspace Problem
Here's why access reviews in Workspace are painful: there's no built-in review workflow.
Google Admin Console lets you view admin roles (one at a time), view groups (one at a time), view users (in a list you can't sort by last login), and view license assignments (in a separate billing screen). Pulling all of this together into a coherent review requires:
- Exporting admin role assignments to a spreadsheet
- Exporting group memberships to another spreadsheet
- Exporting user data to yet another spreadsheet
- Cross-referencing all three manually
- Documenting findings in a fourth document
- Getting sign-off from the appropriate managers
This process takes 2-4 hours for a 50-user domain. For 200+ users, it's a full-day project. And because it's manual, it's error-prone — which somewhat defeats the purpose of an access review.
Building a Sustainable Review Process
The trick is to make the review small enough that people actually do it.
Week 1: Admin Roles (30 minutes)
Pull up every admin role. For each role with assigned users, verify that each user still needs that level of access. Document any changes needed. Revoke access that's no longer justified.
The key question for each assignment: "If this person asked for this role today, would we grant it?" If the answer is no, revoke it.
Week 2: Groups (45 minutes)
Scan all groups for external members, deleted-user entries, and orphaned ownership. For groups with external members, confirm the business justification. Remove departed employees from all groups they're still listed in.
Don't try to audit every group's content and activity — focus on membership and permissions. That's what auditors check.
Week 3: Licenses and OAuth (30 minutes)
Count suspended accounts with active licenses and reclaim them. Review any new OAuth app grants and domain-wide delegation entries since the last review. Flag apps with broad scopes (full Gmail, Drive, or Directory access) for closer examination.
Week 4: User Accounts (30 minutes)
Export the user list (Admin Console > Directory > Users > Download users, or the Directory API's users.list, which returns lastLoginTime) and sort by last sign-in. Investigate anyone inactive for 90+ days, and treat "never signed in" as its own category (the API reports it as an epoch-zero timestamp). Confirm that all accounts belong to current employees or contractors. Flag accounts that should be suspended or deleted.
After Each Cycle: Document
Create a brief review record:
- Date of review and who performed it
- Number of admin role changes made
- Number of group membership changes
- Licenses reclaimed
- OAuth apps revoked
- User accounts flagged or suspended
This is the artifact your auditor needs. It doesn't have to be elaborate — a dated document in a shared drive with bullet points is sufficient. The point is proof that the review happened and what was found.
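As an added example (not code from the article or from any product it mentions), here is the cross-referencing for weeks 1 through 4 plus the review record as one Python script. It works over records shaped like the Admin SDK Directory API responses (users.list with lastLoginTime and suspended, roles.list, roleAssignments.list, members.list, tokens.list) and the Enterprise License Manager API (licenseAssignments). The sample records inside it are constructed for illustration, and the domain name, the 90-day and three-super-admin thresholds, and the list of scopes treated as broad are assumptions to adjust for your tenant. Feed the functions real API output, or the CSV exports, and the same checks run against your data.

```python
"""Quarterly access-review checks over Admin SDK-shaped records.

Added example; not the article's or any vendor's code.  Record shapes mirror
the Directory API (users.list, roles.list, roleAssignments.list, members.list,
tokens.list) and the Enterprise License Manager API (licenseAssignments).
The SAMPLE records at the bottom are constructed, not from a real tenant.
"""
from datetime import datetime, timedelta, timezone

DOMAIN = "example.com"            # assumed primary domain; set to your own
INACTIVE_DAYS = 90                # assumed threshold from the review checklist
MAX_SUPER_ADMINS = 3              # assumed head-count limit for Super Admin
NEVER = "1970-01-01T00:00:00.000Z"  # Directory API value for "never signed in"
# Assumed watch-list of scopes broad enough to deserve a second look.
BROAD_SCOPES = {"https://mail.google.com/",
                "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/admin.directory.user"}


def parse_ts(ts):
    """Directory API timestamps are RFC 3339 with millisecond precision."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def review(users, roles, assignments, groups, members, licenses, tokens, now):
    """Cross-reference the five areas; return findings keyed by review area."""
    by_id = {u["id"]: u for u in users}
    by_email = {u["primaryEmail"].lower(): u for u in users}
    f = {"admin_roles": [], "groups": [], "licenses": [], "oauth": [], "accounts": []}

    # Week 1: admin roles. Resolve each assignment to a user; flag dangling or
    # suspended holders, then apply the super-admin head-count limit.
    super_ids = {r["roleId"] for r in roles if r.get("isSuperAdminRole")}
    supers = []
    for a in assignments:
        u = by_id.get(a["assignedTo"])
        if u is None:
            f["admin_roles"].append(f"{a['roleId']}: assigned to unknown user id {a['assignedTo']}")
        elif u["suspended"]:
            f["admin_roles"].append(f"{a['roleId']}: still assigned to suspended {u['primaryEmail']}")
        elif a["roleId"] in super_ids:
            supers.append(u["primaryEmail"])
    if len(supers) > MAX_SUPER_ADMINS:
        f["admin_roles"].append(f"{len(supers)} super admins (limit {MAX_SUPER_ADMINS}): "
                                + ", ".join(sorted(supers)))

    # Week 2: groups. External members, departed members, orphaned ownership.
    # "Departed" is decided from the Directory record, not the member entry,
    # because a membership can outlive the user it pointed at.
    for g in groups:
        has_active_owner = False
        for m in members.get(g, []):
            email = m["email"].lower()
            u = by_email.get(email)
            if not email.endswith("@" + DOMAIN):
                f["groups"].append(f"{g}: external member {email}")
            elif u is None or u["suspended"]:
                f["groups"].append(f"{g}: departed user {email} still a member")
            elif m["role"] == "OWNER":
                has_active_owner = True
        if not has_active_owner:
            f["groups"].append(f"{g}: no active owner")

    # Week 3: licenses held by suspended or missing accounts; OAuth grants with
    # broad scopes.
    for lic in licenses:
        u = by_email.get(lic["userId"].lower())
        if u is None or u["suspended"]:
            f["licenses"].append(f"{lic['skuId']}: held by {lic['userId']} "
                                 f"({'missing' if u is None else 'suspended'})")
    for email, toks in tokens.items():
        for t in toks:
            broad = BROAD_SCOPES & set(t["scopes"])
            if broad:
                f["oauth"].append(f"{email}: {t['displayText']} has {', '.join(sorted(broad))}")

    # Week 4: account status. Active accounts idle for 90+ days or never used.
    cutoff = now - timedelta(days=INACTIVE_DAYS)
    for u in users:
        if u["suspended"]:
            continue
        if u["lastLoginTime"] == NEVER:
            f["accounts"].append(f"{u['primaryEmail']}: never signed in")
        elif parse_ts(u["lastLoginTime"]) < cutoff:
            idle = (now - parse_ts(u["lastLoginTime"])).days
            f["accounts"].append(f"{u['primaryEmail']}: no sign-in for {idle} days")
    return f


def review_record(findings, reviewer, now):
    """The dated artifact the auditor asks for: who, when, and counts per area."""
    return {"date": now.date().isoformat(), "reviewer": reviewer,
            "counts": {area: len(items) for area, items in findings.items()}}


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = {  # constructed sample data in API shape
    "users": [
        {"id": "u1", "primaryEmail": "alice@example.com", "suspended": False, "lastLoginTime": "2024-05-28T08:00:00.000Z"},
        {"id": "u2", "primaryEmail": "bob@example.com", "suspended": False, "lastLoginTime": "2024-05-27T08:00:00.000Z"},
        {"id": "u3", "primaryEmail": "carol@example.com", "suspended": False, "lastLoginTime": "2024-01-10T08:00:00.000Z"},
        {"id": "u4", "primaryEmail": "dave@example.com", "suspended": False, "lastLoginTime": NEVER},
        {"id": "u5", "primaryEmail": "erin@example.com", "suspended": True, "lastLoginTime": "2024-02-01T08:00:00.000Z"},
    ],
    "roles": [{"roleId": "r1", "roleName": "_SEED_ADMIN_ROLE", "isSuperAdminRole": True},
              {"roleId": "r2", "roleName": "_USER_MANAGEMENT_ADMIN_ROLE"}],
    "assignments": [{"roleId": "r1", "assignedTo": "u1"}, {"roleId": "r1", "assignedTo": "u2"},
                    {"roleId": "r1", "assignedTo": "u3"}, {"roleId": "r1", "assignedTo": "u4"},
                    {"roleId": "r2", "assignedTo": "u5"}, {"roleId": "r2", "assignedTo": "u99"}],
    "groups": ["eng@example.com", "legacy@example.com"],
    "members": {"eng@example.com": [{"email": "alice@example.com", "role": "OWNER"},
                                    {"email": "vendor@partner.io", "role": "MEMBER"},
                                    {"email": "erin@example.com", "role": "MEMBER"}],
                "legacy@example.com": [{"email": "erin@example.com", "role": "OWNER"},
                                       {"email": "bob@example.com", "role": "MEMBER"}]},
    "licenses": [{"userId": "alice@example.com", "skuId": "1010020020"},
                 {"userId": "erin@example.com", "skuId": "1010020020"}],
    "tokens": {"bob@example.com": [{"displayText": "Old CRM Connector",
                                    "scopes": ["https://mail.google.com/", "openid"]}]},
    "now": NOW,
}

if __name__ == "__main__":
    findings = review(**SAMPLE)
    for area, items in findings.items():
        for item in items:
            print(f"[{area}] {item}")
    print(review_record(findings, "alice@example.com", NOW))
```

Running it prints one line per finding, prefixed by area, followed by the summary record; the record's per-area counts are the bullet points the documentation step asks for, so the same script produces both the work list and the audit artifact. The group check flags an in-domain member with no Directory record as departed rather than skipping it, which is how the "ghost" memberships left behind by incomplete offboarding surface.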
Making It Stick
The reviews above total about 2.5 hours per quarter. That's manageable — unless it keeps getting bumped for more urgent work.
Two things help:
Put it on the calendar as a recurring meeting. Not a reminder. A blocked hour on four consecutive Mondays each quarter, with a meeting invite that includes the steps. Treat it like any other recurring obligation.
Rotate the reviewer. If the same person does every review, they develop blind spots. Rotating between team members (if you have them) brings fresh eyes to the data each quarter.
The 2.5-Hour Problem
That 2.5 hours exists because the Admin Console makes you go to five different screens, export three CSVs, and cross-reference everything by hand.
The fix is boring: put all the data on one screen. Admin role map, group health with external member flags, user list sorted by last login, license assignments. MonitorWorkspace does this. The quarterly review drops from half a day to about 30 minutes — not because the tool is magic, but because you stop exporting CSVs and building VLOOKUP formulas.
The first thing you see after connecting your domain is the stuff that usually takes an hour to export. That tends to be persuasive enough.