What is Microsoft Entra Identity Governance?

The working world is increasingly digitised.

This means more devices and users accessing data and resources across on-premises and multi-cloud/remote environments.

The complexity of these IT-security ecosystems can make it difficult to effectively manage user identities and access.

And the risks of granting improper access to data and resources are much higher now. Which can result in large financial penalties for data breaches, and loss of trust from your customers.

Granting access to individuals comes with risks to that data – particularly if:

• There are too many users in privileged roles.
• Automation of access rules is difficult or there are many exceptions to the access rules.
• There is a proliferation of security groups that nobody understands.
• Guest (external) users are invited but aren’t well managed.

All of these risks make your organisation vulnerable to cyber attacks and data breaches.

Microsoft Entra’s Identity Governance tools can help answer these challenges. Giving you the control you need to liberate your users.

What does Identity Governance do?

There are some key areas that identity governance is specifically designed to manage. Let’s look at how each of these enable greater control over your identities and their levels of access.

Entitlement management

Entitlement management in identity governance gives you the ability to create ‘access packages’ to group together sets of resources that you’d normally provide to many users. Resources can be security or Office365 groups, applications, or SharePoint sites.

Managers can define how the access packages are rolled out. For example:

• Who can apply for the package.
• Whether it needs approval.
• Who can approve the assignment.

This means that entitlements can be grouped into manageable sets, simplifying employee onboarding. But also reducing the number of ‘loose ends’ produced by mover and leaver processes.

Access reviews

Over time, a group’s membership can become excessive, such as a project-based group.

Initially, the group is formed upon a service desk request and includes relevant users.

However, this type of group doesn’t have a fixed membership. As new users join the project, they are added to the group.

Often, users who leave the project remain in the group, keeping unnecessary access in place.

An access review periodically assesses group memberships or access to applications.

Access reviews allow reviewers to:

• Review all group members or just guest users.
• Determine if the reviewers are users, group owners, or specific individuals. 
• Receive emails with a web page to conduct the review.

This process automates access removal if users fail to respond to the access review emails. Preventing unchecked expansion of security groups or access to other resources.

Group owners, such as project or application managers, are responsible for reviewing group membership and identifying individuals who should no longer be members. These individuals can be automatically removed from the group.

Access reviews are applicable to both groups and applications and can be scheduled regularly for ongoing governance.

Privileged Identity Management (PIM)

When we look at the administration of cloud services, many organisations create additional accounts for their administrative users.

These accounts are given the relevant roles in Azure to accomplish their job.

While this seems straightforward, the administration user should have access to email (for alerts and information) and so will require a full licence.

It also means that the user has another ID and password to remember and gives an attacker another account to target.

Rather than give a user access all the time, the relevant users should be allowed to use Privileged Identity Management (PIM).

This allows users to request time-limited elevation to a specific role from a list that is available to them. This is then approved, and the user granted the relevant permissions.

Identity lifecycle management

Identity lifecycle management involves managing user identities and their changing access privileges throughout their association with an organisation.

This process spans from the day they join the organisation to the day they leave. Identity lifecycle management aims to automate and streamline the entire process of managing digital identities.

The lifecycle management process consists of three stages:

• Join: When someone joins the organisation, they need an identity to access the necessary applications to do their job. If one doesn’t exist, a new digital identity may be created.
• Move: When someone changes locations, additional access authorisations are added or removed from their digital identity.
• Leave: When someone no longer requires access, it can be removed. The identity may continue for audit or forensics purposes.

Azure Active Directory (AD) provides features such as automated creation and updating of user accounts. Based on HR-driven provisioning, automatic user assignment to groups, dynamic groups, and the propagation of user updates to various applications through app provisioning.

Provisioning

Provisioning involves creating and updating digital identities across multiple systems for consistency.

When a new employee joins, their HR information is used to create an Azure AD user account, granting access to necessary applications. HR system changes are synchronized with Azure AD and other apps.

Azure AD offers automated provisioning in three areas:

• HR-driven provisioning.
• App provisioning.
• Inter-directory provisioning.

Deployment options depend on HR systems and Active Directory usage.

App provisioning in Azure AD creates and manages user identities in separate data stores.

Azure AD supports provisioning for on-premises and virtual machine-hosted apps.

SCIM-enabled apps can be automated using the Azure AD Provisioning agent.

Inter-directory provisioning connects;

• Active Directory and Azure AD.
• Existing Active Directory users can be provisioned into Azure AD.
• On-premises systems can be provisioned from Azure AD.

Provisioning ensures consistency of digital identities across systems, streamlining access and management.

Lifecycle workflows (In preview)

Lifecycle workflows are automated processes that manage Azure Active Directory (Azure AD) users throughout their lifecycle.

Workflows consist of tasks and execution conditions. Tasks are specific actions triggered automatically, while execution conditions define the scope and trigger of the workflow.

For example, a workflow can send an email to a manager (the task) seven days before a new employee starts (the execution conditions).

Lifecycle workflows can integrate with logic apps to handle more complex scenarios.

They offer benefits such as:

• Streamlining the onboarding process.
• Timely access revocation for departing users.
• Simplified troubleshooting.
• Scalability for user lifecycle management.

These workflows are useful for user orientation and HR provisioning, as they:

• Automate group membership.
• Manage workflow history and auditing.
• Automate user account management.
• Integrate with logic apps for complex scenarios.

To use the lifecycle workflows feature, an Azure AD Premium P2 license is required.

During the preview, users can create, manage, and delete up to 50 workflows, trigger on-demand and scheduled executions, configure tasks, and create custom task extensions.

Conclusion

Effective management of user identities and access is crucial for organisations to mitigate risks and enhance security in their work environments.

Microsoft Entra’s Identity Governance tools provide solutions such as entitlement management, access reviews, privileged identity management, provisioning, and lifecycle workflows.

These tools enable greater control over identities and access privileges. Simplifying onboarding processes, reducing complexities in security groups, and automating user account management.

By implementing these identity governance measures, organisations can protect against cyber attacks and data breaches. Ensuring a secure and efficient digital work environment.

Key takeaways

Next steps

Like this? Don’t forget to share!