Blog | 5-minute Read

What is Microsoft Entra Identity Governance?

Marcus Idle

Head of External Identity

Published: 05 June 2023

Poor administration of identities and permissions poses significant risks to organisations in the digital work environment. Microsoft Entra Identity Governance gives you the tools to mitigate those risks.

The working world is increasingly digitised.

This means more devices and users accessing data and resources across on-premises and multi-cloud/remote environments.

The complexity of these IT-security ecosystems can make it difficult to effectively manage user identities and access.

And the consequences of granting improper access to data and resources are much higher now: a data breach can bring large financial penalties and a loss of trust from your customers.

Granting access to individuals comes with risks to that data – particularly if:

  • There are too many users in privileged roles.
  • Access rules are difficult to automate, or carry so many exceptions that nobody can say who should have what.
  • There is a proliferation of security groups that nobody understands.
  • Guest (external) users are invited but aren’t well managed.

All of these risks make your organisation vulnerable to cyber attacks and data breaches.

Microsoft Entra’s Identity Governance tools can help answer these challenges, giving you control over who has access to what, and for how long, without slowing your users down.

Free Guide

The Complete Guide to Microsoft Entra [New for 2024]

The most comprehensive guide to Microsoft Entra. Over 40 pages. Plus, Microsoft licensing simplified.

Discover how you can:

  • Cut costs by removing 50% management effort
  • Elevate security – reduce breach chances by 45%
  • Automate provisioning to ensure compliance

What does Identity Governance do?

There are some key areas that identity governance is specifically designed to manage. Let’s look at how each of these enable greater control over your identities and their levels of access.

Entitlement management

Entitlement management in identity governance gives you the ability to create ‘access packages’ that bundle together the set of resources you would normally hand out to many users one at a time. Resources can be security or Microsoft 365 groups, applications (including SaaS apps), or SharePoint Online sites.

Catalog and access package managers define policies that control how a package is rolled out. For example:

  • Who can request the package (internal users, members of a connected organisation, or nobody, for admin-only assignment).
  • Whether a request needs approval.
  • Who can approve the assignment (a named approver, a group, or the requestor’s manager).
  • How long the assignment lasts before it expires or is reviewed.

This means that entitlements can be grouped into manageable sets, simplifying employee onboarding, while also reducing the number of ‘loose ends’ left behind by mover and leaver processes: an assignment that expires or is reviewed on a schedule does not depend on someone remembering to revoke it.
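The following is an added example, not code from the original post, showing the three policy decisions above (who can request, whether approval is needed, who approves) expressed through the Microsoft Graph PowerShell SDK. It assumes an account holding the Identity Governance Administrator role, the EntitlementManagement.ReadWrite.All permission, and the v1.0 entitlement management endpoints; the catalog, package and policy names are illustrative.

```powershell
# Added example (not from the original post): create a catalog, an access package
# and an assignment policy that lets internal users request the package with
# manager approval and a 90-day expiry. Requires the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All" -NoWelcome

$em = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

# 1. A catalog scopes which resources a package is allowed to bundle.
$catalog = Invoke-MgGraphRequest -Method POST -Uri "$em/catalogs" -Body @{
    displayName         = "Finance applications"            # illustrative name
    description         = "Resources used by the finance team"
    isExternallyVisible = $false   # not offered to connected organisations (guests)
}

# 2. The access package groups the resources a typical finance analyst needs.
#    (Adding groups/apps/sites to it is a separate step: a resourceRequest on the
#    catalog, then a resourceRoleScope on the package, or the portal.)
$package = Invoke-MgGraphRequest -Method POST -Uri "$em/accessPackages" -Body @{
    displayName = "Finance analyst"
    description = "Standard toolset for finance analysts"
    catalog     = @{ id = $catalog.id }
}

# 3. The policy answers the questions from the post: who can request, whether
#    approval is required, who approves, and how long access lasts.
$policy = Invoke-MgGraphRequest -Method POST -Uri "$em/assignmentPolicies" -Body @{
    displayName        = "Employees - manager approval - 90 days"
    description        = "Internal users may request; their manager approves"
    allowedTargetScope = "allMemberUsers"            # who can apply: internal members only
    expiration         = @{ type = "afterDuration"; duration = "P90D" }  # no standing access
    requestorSettings  = @{
        enableTargetsToSelfAddAccess    = $true      # self-service request via My Access
        enableTargetsToSelfRemoveAccess = $true
        allowCustomAssignmentSchedule   = $false     # requestors cannot pick their own expiry
    }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd = $true             # whether it needs approval
        stages = @(
            @{
                durationBeforeAutomaticDenial   = "P7D"   # unanswered requests are denied
                isApproverJustificationRequired = $true
                primaryApprovers = @(
                    # who approves: the requestor's direct manager
                    @{ "@odata.type" = "#microsoft.graph.requestorManager"; managerLevel = 1 }
                )
            }
        )
    }
    accessPackage = @{ id = $package.id }
}

"Catalog {0}, package {1}, policy {2}" -f $catalog.id, $package.id, $policy.id
```

The expiry and the automatic denial window are the parts worth checking in an existing tenant: a policy with no expiration turns every request into permanent access, which is exactly the loose end the post warns about.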

Access reviews

Over time, a group’s membership can grow well beyond what is needed. A project-based group is a typical example.

Initially, the group is formed upon a service desk request and includes relevant users.

However, this type of group doesn’t have a fixed membership. As new users join the project, they are added to the group.

Often, users who leave the project remain in the group, keeping unnecessary access in place.

An access review periodically assesses group memberships or access to applications.

When you create an access review you can:

  • Review all group members or just guest users.
  • Choose who reviews: the users themselves (self-review), group owners, their managers, or named reviewers, with fallback reviewers if none can be resolved.
  • Have reviewers receive an email linking to the My Access portal, where they record their decisions.

If the review is configured to apply results automatically and to treat a missing decision as a denial, users that reviewers fail to act on lose their access when the review closes. That setting is what prevents unchecked expansion of security groups or access to other resources; a review that only reports, without applying results, changes nothing.

Group owners, such as project or application managers, are responsible for reviewing group membership and identifying individuals who should no longer be members. These individuals can be automatically removed from the group.

Access reviews are applicable to both groups and applications and can be scheduled regularly for ongoing governance.
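As an added example (not from the original post), here is a quarterly review of a project group’s membership created through Microsoft Graph. The group and fallback reviewer IDs are placeholders, and it assumes the AccessReview.ReadWrite.All permission and the v1.0 access reviews endpoint. It shows the three settings that turn “reviewer did not respond” into “access removed”.

```powershell
# Added example (not from the original post): schedule a recurring access review
# of a project group, reviewed by the group's owners, with unanswered users denied
# and decisions applied automatically. Requires the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All" -NoWelcome

$groupId         = "00000000-0000-0000-0000-000000000000"   # placeholder: the project group
$iamTeamGroupId  = "11111111-1111-1111-1111-111111111111"   # placeholder: fallback reviewers

$definition = @{
    displayName             = "Quarterly review - Project Atlas members"
    descriptionForAdmins    = "Owners confirm who still needs membership"
    descriptionForReviewers = "Approve only people still working on Project Atlas"

    # Scope: every member of the group. To review guests only, swap the query for
    # the commented line (the backticks keep $count/$filter literal in PowerShell).
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"
        # query = "/groups/$groupId/transitiveMembers/microsoft.graph.user/?`$count=true&`$filter=(userType eq 'Guest')"
        queryType     = "MicrosoftGraph"
    }

    # Reviewers: the group's owners, falling back to the IAM team if the group has none.
    reviewers         = @( @{ query = "/groups/$groupId/owners";                 queryType = "MicrosoftGraph" } )
    fallbackReviewers = @( @{ query = "/groups/$iamTeamGroupId/transitiveMembers"; queryType = "MicrosoftGraph" } )

    settings = @{
        mailNotificationsEnabled        = $true    # reviewers get the email with the My Access link
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true    # flags users with no sign-in in the last 30 days
        instanceDurationInDays          = 14

        # The three settings that make "no response" mean "access removed":
        defaultDecisionEnabled    = $true
        defaultDecision           = "Deny"
        autoApplyDecisionsEnabled = $true

        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 0 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$review = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions" `
    -Body $definition

# Each quarter produces an instance; decisions (and who made them) live under it.
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/$($review.id)/instances"
```

When auditing an existing tenant, look for definitions where autoApplyDecisionsEnabled is false or defaultDecision is None: those reviews generate reports but never remove anyone.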

Privileged Identity Management (PIM)

When we look at the administration of cloud services, many organisations create additional, separate accounts for their administrative users.

These accounts are given the relevant Azure AD directory roles or Azure resource roles to accomplish their job.

While this seems straightforward, the administration user still needs access to email (for alerts and information) and so requires a full licence.

It also means that the user has another ID and password to remember, and gives an attacker another account to target.

Rather than giving a user a privileged role all the time (standing access), the relevant users should be made eligible for that role through Privileged Identity Management (PIM).

An eligible user requests time-limited activation of a specific role from the list available to them. Depending on the role’s PIM settings, the request can require MFA, a justification, a ticket reference, or approval by a designated approver. Once granted, the permissions apply only for the requested duration, and every activation is recorded in the audit log.

80% of data breaches stem from misuse of privileged account access

Forrester

Identity lifecycle management

Identity lifecycle management involves managing user identities and their changing access privileges throughout their association with an organisation.

This process spans from the day they join the organisation to the day they leave. Identity lifecycle management aims to automate and streamline the entire process of managing digital identities.

The lifecycle management process consists of three stages:

  • Join: When someone joins the organisation, they need an identity to access the necessary applications to do their job. If one doesn’t exist, a new digital identity may be created.
  • Move: When someone changes role, department, or location, access authorisations are added to or removed from their digital identity.
  • Leave: When someone no longer requires access, it can be removed. The identity may continue for audit or forensics purposes.

Azure Active Directory (Azure AD, now Microsoft Entra ID) provides features for this, such as automated creation and updating of user accounts based on HR-driven provisioning, automatic assignment of users to groups, dynamic groups, and the propagation of user updates to other applications through app provisioning.

Provisioning

Provisioning involves creating and updating digital identities across multiple systems for consistency.

When a new employee joins, their HR information is used to create an Azure AD user account, granting access to necessary applications. HR system changes are synchronized with Azure AD and other apps.

Azure AD offers automated provisioning in three areas:

  • HR-driven provisioning.
  • App provisioning.
  • Inter-directory provisioning.

Which deployment option applies depends on the HR system in use and whether on-premises Active Directory is still in the picture.

App provisioning in Azure AD creates and manages user identities in the application’s own data store.

Cloud (SaaS) applications that expose a SCIM endpoint are provisioned directly by the Azure AD provisioning service.

On-premises and virtual machine-hosted applications, whether they speak SCIM, SQL, or LDAP, are reached through the Azure AD Connect provisioning agent installed inside your network.

Inter-directory provisioning connects on-premises Active Directory and Azure AD:

  • Existing Active Directory users can be synchronised into Azure AD (via Azure AD Connect or cloud sync).
  • On-premises systems can be provisioned from Azure AD.

Provisioning ensures consistency of digital identities across systems, streamlining access and management.

Lifecycle workflows (In preview)

Lifecycle workflows are automated processes that manage Azure Active Directory (Azure AD) users throughout their lifecycle.

Workflows consist of tasks and execution conditions. Tasks are specific actions triggered automatically, while execution conditions define the scope and trigger of the workflow.

For example, a workflow can send an email to a manager (the task) seven days before a new employee starts (the execution conditions).

Lifecycle workflows can call custom task extensions built on Azure Logic Apps to handle more complex scenarios.

They offer benefits such as:

  • Streamlining the onboarding process.
  • Timely access revocation for departing users.
  • Simplified troubleshooting, because each run leaves a task-by-task history.
  • Scalability for user lifecycle management.

For onboarding and HR-driven provisioning in particular, they:

  • Automate group membership.
  • Keep a workflow history for auditing.
  • Automate user account management (for example, disabling or deleting leavers’ accounts).
  • Integrate with Logic Apps for complex scenarios.

To use the lifecycle workflows feature, an Azure AD Premium P2 license is required.

During the preview, users can create, manage, and delete up to 50 workflows, trigger on-demand and scheduled executions, configure tasks, and create custom task extensions.
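As an added example (not from the original post), here is the manager-reminder workflow described above built through the Microsoft Graph PowerShell SDK: the task is the built-in “Send onboarding reminder email”, and the execution conditions are a department scope plus a trigger seven days before employeeHireDate. It assumes the LifecycleWorkflows.ReadWrite.All permission, the lifecycleWorkflows endpoints, and that the target users have employeeHireDate and a manager populated; the department and user ID are placeholders.

```powershell
# Added example (not from the original post): create a joiner workflow that emails
# the manager 7 days before a new starter's hire date, then run it on demand for
# one user. Requires the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "LifecycleWorkflows.ReadWrite.All" -NoWelcome
$lw = "https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows"

# Resolve the built-in task by name instead of hard-coding its taskDefinitionId.
$taskDefs = (Invoke-MgGraphRequest -Method GET -Uri "$lw/taskDefinitions").value
$reminder = $taskDefs | Where-Object { $_.displayName -eq "Send onboarding reminder email" }
if (-not $reminder) { throw "Built-in task 'Send onboarding reminder email' not found" }

$workflow = Invoke-MgGraphRequest -Method POST -Uri "$lw/workflows" -Body @{
    category            = "joiner"
    displayName         = "Pre-hire: remind manager 7 days before start"
    description         = "Emails the manager a week before employeeHireDate"
    isEnabled           = $true
    isSchedulingEnabled = $true     # let the tenant schedule pick it up
    executionConditions = @{
        "@odata.type" = "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions"
        scope = @{                  # which users the workflow applies to
            "@odata.type" = "#microsoft.graph.identityGovernance.ruleBasedSubjectSet"
            rule          = "(department eq 'Marketing')"          # placeholder scope
        }
        trigger = @{                # when it fires: 7 days before the hire date
            "@odata.type"      = "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger"
            timeBasedAttribute = "employeeHireDate"
            offsetInDays       = -7
        }
    }
    tasks = @(
        @{                          # the task: the built-in manager reminder email
            taskDefinitionId = $reminder.id
            displayName      = "Send onboarding reminder email"
            description      = "Reminder to the new hire's manager"
            isEnabled        = $true
            continueOnError  = $false
            arguments        = @()
        }
    )
}

# On-demand run for a single user, useful to test before the schedule fires.
$userId = "00000000-0000-0000-0000-000000000000"   # placeholder: a user with a manager set
Invoke-MgGraphRequest -Method POST -Uri "$lw/workflows/$($workflow.id)/activate" -Body @{
    subjects = @( @{ id = $userId } )
}

# Each run's per-task results are kept as history under the workflow for auditing.
Invoke-MgGraphRequest -Method GET -Uri "$lw/workflows/$($workflow.id)/userProcessingResults"
```

Two things trip people up in practice: the scheduled trigger only matches users whose employeeHireDate is populated (normally by HR-driven provisioning), and the reminder task silently has nobody to email if the user’s manager attribute is empty, which is why the on-demand activation above is a useful first test.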

Conclusion

Effective management of user identities and access is crucial for organisations to mitigate risks and enhance security in their work environments.

Microsoft Entra’s Identity Governance tools provide solutions such as entitlement management, access reviews, privileged identity management, provisioning, and lifecycle workflows.

These tools enable greater control over identities and access privileges: they simplify onboarding, reduce the complexity of security groups, and automate user account management.

By implementing these identity governance measures, organisations can protect against cyber attacks and data breaches while keeping their digital work environment secure and efficient.

Key takeaways

  • Poor administration of identities and permissions increases vulnerability to cyber attacks and data breaches.

  • Risks associated with improper access to data and resources are higher in the current digital landscape.

  • Effective identity governance measures help organisations protect their sensitive data, mitigate cyber risks, and maintain a secure and efficient digital work environment.

  • Microsoft Entra’s Identity Governance tools offer solutions for entitlement management, access reviews, privileged identity management, provisioning, and lifecycle workflows.

  • Implementing these tools provides greater control over identities and access privileges, simplifies onboarding, reduces security group complexities, and automates user account management.


Author

Marcus Idle

Head of External Identity

Marcus has built a busy External Identity practice working with Azure AD B2C, B2B, and Identity Governance features. He’s passionate about bringing cloud and external identity to life to solve our clients’ business problems.
