Adopting Microsoft Entra ID Governance

Lately, there has been a lot happened/ changed/ introduced in the Microsoft Entra ID Governance space and this is one of my favorite topics to write and explain as well. The main reason is that Entra ID Governance features are all interconnected and organizations can easily create an eco-system and start using its features. Not to mention this can be automated heavily to ease your ID governance workloads.

Are you using Microsoft Entra ID Governance? Not long ago, Microsoft announced a change in licensing models and features for this service. Keep an eye out for updates regarding Microsoft Entra ID Governance and Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2. Stay informed to ensure your organization is utilizing the most effective identity governance strategies.

What I will be covering 🚀

  1. Ad-hoc Tasks we are carrying out today – A real-life scenario (sort of)
  2. What’s lacking in the above practice?
  3. The Dashboard
  4. Building The Identity Governance Eco-System
  5. Using Life Cycle Workflows (LCW)
  6. Introducing New Attributes
  7. Using Dynamic groups
  8. Using Entitlement Management
  9. Using Privileged Identity Management
  10. Using Privileged Identity Management Based Groups
  11. Using Access Reviews
  12. Coming Back to LCW – Leaver Template
  13. Audit Logs
  14. Licensing
  15. Licensing Prerequisites
  16. Resources
  17. Licesning Scenarios
  18. Implementing an ID Governance Strategy
  19. Entitle Management with External Users
  20. Wrapping Up

Ad-hoc Tasks we are carrying out today – A real-life scenario (sort of)

  • New Joiner
    For a new joiner request most of the time it’s a ticket to the IT Service Desk from HR to create the user account prior to the start date, new hire’s details along with the department, manager, etc. This is a very standard and no-brainer situation. Some organizations use Power Automate to set up a workflow and make everything automated up to some extent while some organizations use 3rd party HR applications with hooks to the On-premises AD or to Azure AD to create users once they fill out the form. These are all acceptable practices as the basic objects are getting created etc.
  • Adding to Groups
    Once the user account is created, it’s most likely another IT Service Desk manual task to add the user to the relevant mail distribution lists, Teams, SharePoint sites, etc.
  • Admin Access (in some cases)
    During the user’s time at the organization, there are many access requests to sensitive data and in most cases, someone needs to provide access with the relevant RBAC (Role Based Access Control) but forgets to remove that when the task or the period is finished.
  • User moves to another department
    Inter-departmental moves happen very often and once the user is moved they will be getting more access to resources on top of the existing access and added to more groups but most of the time the previous access is not removed and chances are the user ends up with a bunch of access that doesn’t require anymore.
  • New user’s manager/ team leader winging it
    Or the chances are sometimes the user doesn’t know which access to ask for when they joined the organization so they might check with a team member and advise IT to mirror the access. This approach will have a 50/50 chance of that user ending up having access that is not required.
    When was the last time you advised IT Service Desk to remove these users as they no longer need access to that sensitive Team? Usually, group membership reviews are done not very often or not done at all. Users might ask IT to remove them from some mail distribution lists as they see the mails are coming in that they are not needed, but access to systems, RBAC, and other resources – this can result in piling up members that do not need any access anymore to that resource as the access is sitting there silently.
  • User resigns
    When the user resigns, again the HR would send the last working day, etc. IT does the necessary work to disable the account. Sometimes mistakenly the account can remain in the system without any changes being made despite the HR request. This can be a challenge when auditing comes into play and generally to your whole identity management practices and to the overall Security.

Above all are ad-hoc type activities which are not most of the time not interconnected. If everything is interconnected in some way or another – Kudos to you 🎇

What’s lacking in the above practice?

In three words – Modern Identity Capabilities. That starts with Automation. Setting up will take some time as you need to plan your scenarios and run a proof of concept or run a Pilot for a while, but it can be an investment and the right use of the licenses. Most of the time, it’s a question where you utilize the full capability list of the licenses. Most of the time the answer is NO. Mainly because of the incorrect understanding of the usages or not knowing the capabilities of a connected scenario.

The Dashboard

Entra Portal > Identity Governance > Dashboard

This gives you all things ID Governance at a glance for you to understand the current picture of your tenant.

Identity Governance Dashboard

Building The Identity Governance Eco-System

Identity Governance Dashboard

Identity Governance Dashboard

The above figures can be a bit confusing to understand. But let me explain.

I’m taking the example of a Hybrid Environment.

Hybrid Environment

Using Life Cycle Workflows (LCW)

  1. New user will be created in the on-prem AD and will be given a CustomExtention1
  2. The CustomExtentionAttributes can be set up from the Local AD that will be mapped onto these cloud attributes accordingly.

If you are in a hybrid environment, you can set up the Custom Attributes of the user object which will correspond to these attributes, and depending on the workflow, the user object will be added to the scope. Ideally, these can be set up using Sync Rules in AAD Connect Sync.

Introducing New Attributes

employeeHireDate
employeeType
employeeLeaveDateTime

  1. Using Lifecycle Workflows
    • Creating the scope for the new joiner requests.

Add the tasks to the workflow

In the above screenshot, you can see the Generate Temporary Access Pass and Send welcome email tasks. This is under the assumption that a mailbox has been provisioned at this stage.

Adding to the groups is the key to this. Because my idea is to manage access via Entitlement Management’s Access Packages, I will not add the user to any Teams.

Now that the onboarding has been done, we can look at the next steps of the employee journey.

Using Dynamic groups

Let’s chat about Dynamic Groups. Even though it’s not an Identity Governance feature, it can be very helpful in building your solution. Dynamic Groups are not allowed in LCWs. And I think that’s for a reason. Simply LCWs dynamically add the user to groups already.

Especially when the user resigns and if you create your LCW to run a Leaver schedule, you have the option to disable the user account. That will make the user.accountEnabled -eq false and remove the users from the group.

Dynamic groups

When you run a Mover schedule, you can use Dynamic Groups with the attribute department to provide access to resources and licensing.

Using Entitlement Management

Entitlement Management

The goal is not to explain what Entitlement Management is, however, I want to use the Access Packages in it to make sure users get the right access to resources.

There are a few things you can do here. Either set a base package for the users that you have added to the groups in the LCW. So when the user is added to the group, in this step, they will get the assigned package access by default. If you don’t want to provide auto access, you can set it to ask for approval when the user needs access. In this case, they have to know the URL to go to and ask for the Access Package access.

The example below is for a new user who came to the IT team. Because he was added to a group in the LCW depending on the department, he will get this specific Access package.

Additionally, if you need more access you can do the same by creating more Access Packages. Time them or set them to never expire.

Creating Access Packages

Creating Access Packages

Tip: If you are creating more Access Packages later, you can assign them to Dynamic Groups and make sure you have added the additional membership rule with an AND operator (user.accountEnabled -eq true)

What this means is, when the user account is disabled, they will lose access to this Access Package automatically. Pretty neat ha?

Using Privileged Identity Management

The next thing I want to look at is Privileged Identity Management (PIM). PIM plays (Must play, if it hasn’t yet) a major role in the Identity Governance landscape and is a must-have as Just In Time Access and Just Enough Access is the recommended method to provide access to resources. Again, I’m not going to deep dive into how to set up access, but you can use Entra ID Dynamic groups to provide necessary access. Also, use (user.accountEnabled -eq true) in your rule so when the user account is disabled, the user will be removed from the Dynamic Group.

Using Privileged Identity Management Based Groups

Initially, I wanted to add the PIM-enabled groups in the LCWs, but in the real world, that access will come later. As well as other access-related requests. You can deliver the base access package by adding groups to the LCW tasks, but if you need to provide more access to Teams and other resources, it is best to go with more access packages.

This article below is something I wrote a while ago regarding Group Based Admin roles, but the same can be used to create a Dynamic Group, rule and the required RBAC

Using Access Reviews

It’s a no-brainer to have Access Reviews set up in your groups which has access to resources in this day and age. If you haven’t, you are not too late 🙂 This is another main feature and it is vital to set this automation for your groups. As I mentioned earlier the chances of you or the group owner reviewing access periodically is an additional task and it is hard to keep track of all the groups and what access the users got and go through each and every member.

You can set Access Reviews when you are creating your Access Packages or manually set it for your Groups. Once you set it, it will run periodically for you. However, this should be a part of your Identity Governance practices so you or the group owners are aware of the members in them.

Coming Back to LCW - Leaver Template

Leaver Template

I want to quickly touch base on this template as well. Same to the joiner template, there are some tasks that will be running to make sure the employee’s access has been revoked.

Leaver Template

In a result the access will be blocked as below.

Leaver Template

Further to this, they will be removed from the group.

And now because the account is disabled, they will be removed from the Dynamic Groups automatically.

Example: Account disable Syntax (user.accountEnabled -eq False) and (user.jobTitle -eq "SysEng_L3")

This will be removed from the RBAC groups.

Audit Logs

Audit logs can be useful when it comes to understanding the activities that took place in this landscape. This will record all activities and furthermore if you can connect the Azure AD to an Azure Log Analytics workspace. You can query the AuditLogs table using KQL.

For all the Identity Governance features, there is a separate Audit Logs section where you can explore the activities and have the ability to download the CSV as well.

Audit Logs

Licensing

As always licensing plays a huge role in the Entra ID Governance world. Microsoft has recently introduced two new licenses.

AAD_Premium and AAD_Premium_P2 Service plans are already covering a huge chunk of Entra ID Governance features, however, the new license will make sure you will close any gaps in that space.

  • Microsoft Entra ID Governance (Entra ID Governance (User SL))
  • Microsoft Entra ID Governance Setup Up to Microsoft Entra ID P2 (Entra ID Governance P2)

Licensing Prerequisites

  • To use Microsoft Entra ID Governance [Entra ID Governance (User SL)], you need to have a product that contains AAD_Premium or AAD_Premium_P2 service plan (Microsoft Entra ID P1Microsoft 365 E3/E5/A3/A5/G3/G5Enterprise Mobility + Security E3/E5 or Microsoft 365 F1/F3)
  • To use Microsoft Entra ID Governance Step Up to Microsoft Entra ID P2, you must have a product that contains AAD_Premium_P2 service plan (Microsoft Entra ID P2Microsoft 365 E5/A5/G5Enterprise Mobility + Security E5Microsoft 365 E5/F5 Security or Microsoft 365 F5 Security + Compliance)

Microsoft has created the below chart to showcase the features depending on the Licensing model.

Feature Free Microsoft Entra ID P1 Microsoft Entra ID P2 Microsoft Entra ID Governance
API-driven provisioning  
HR-driven provisioning  
Automated user provisioning to SaaS apps
Automated group provisioning to SaaS apps  
Automated provisioning to on-premises apps  
Conditional Access – Terms of use attestation  
Entitlement management – Basic entitlement management    
Entitlement management – Conditional Access Scoping    
Entitlement management MyAccess Search    
Entitlement management with Verified ID      
Entitlement management + Custom Extensions (Logic Apps)      
Entitlement management + Auto Assignment Policies      
Entitlement management – Directly Assign Any User(Preview)      
Entitlement management – Guest Conversion API      
Entitlement management – Grace Period(Preview)    
My Access portal    
Entitlement management – Sponsors Policy(Preview)      
Privileged Identity Management (PIM)    
PIM For Groups    
PIM CA Controls    
Access Reviews – Basic access certifications and reviews    
Access reviews – PIM For Groups(Preview)      
Access reviews – Inactive Users reviews      
Access Reviews – Inactive Users recommendations    
Access reviews – Machine learning assisted access certifications and reviews      
Lifecycle Workflows (LCW)      
LCW + Custom Extensions (Logic Apps)      
Identity governance dashboard (Preview)  
Insights and reporting – Inactive guest accounts(Preview)      

Resources

Licesning Scenarios

Implementing an ID Governance Strategy

Wrapping Up

Identity Governance is a vital part of your security posture and if you are doing manual tasks or do not have a process now is the best time to think of one. I hope this post helped you to do a deep dive into the features and to understand how everything connects. Onboarding a user is no longer an ad-hoc task. It’s a journey and Azure AD has the tools to support that journey if you are ready to unlock the full potential of its capabilities.