The best Identity Governance feature to meet these requirements is Access reviews. This feature is specifically designed to manage and attest to group memberships and application access. It allows you to assign reviewers, such as project managers, to periodically verify that users still require access. Crucially, it can be configured to automatically remove users from a group if their access is denied or not reviewed within a specified timeframe (e.g., 30 days), which directly fulfills key requirements while minimizing administrative effort.

For the configuration, the existing groups synced from on-premises Active Directory cannot have their membership modified directly by Azure AD, as their source of authority is on-premises. To allow Access reviews to automatically remove users, you must use cloud-mastered groups. The correct approach is to create new security groups in Azure AD and then enable group writeback. This makes the cloud-managed group available in the on-premises AD, allowing it to be used for permissions on both the Windows Server shared folders and the SharePoint Online sites.

Microsoft Entra documentation, "What are access reviews?": This document states, "You can manage the access lifecycle by using Azure Active Directory (Azure AD) access reviews. Access reviews help your organization do things like... Ensure that only the right people have continued access... When reviews are finished, you can then make changes and remove access for users who no longer need it." It also details the automatic removal capability.

Microsoft Entra documentation, "Azure AD Connect: Group writeback": This source explains the functionality and prerequisites for group writeback. It clarifies, "Group writeback allows you to write cloud groups back to your on-premises Active Directory instance by using Azure Active Directory (Azure AD) Connect Sync... This feature allows you to manage groups in the cloud, while controlling access to on-premises applications and resources." This supports the chosen configuration for managing hybrid resource access.

Microsoft Entra documentation, "Review access to groups and applications in access reviews": In the section on reviewing access, it is noted that for groups synchronized from an on-premises AD, automatic removal via Access Reviews is not possible unless the group is a writeback-enabled group. This limitation necessitates the creation of new, cloud-mastered groups with writeback enabled to fulfill the automation requirement.