Lately, there has been a lot happened/ changed/ introduced in the Microsoft Entra ID Governance space and this is one of my favorite topics to write and explain as well. The main reason is that Entra ID Governance features are all interconnected and organizations can easily create an eco-system and start using its features. Not to mention this can be automated heavily to ease your ID governance workloads.
Are you using Microsoft Entra ID Governance? Not long ago, Microsoft announced a change in licensing models and features for this service. Keep an eye out for updates regarding Microsoft Entra ID Governance and Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2. Stay informed to ensure your organization is utilizing the most effective identity governance strategies.
What I will be covering 🚀
- Ad-hoc Tasks we are carrying out today – A real-life scenario (sort of)
- What’s lacking in the above practice?
- The Dashboard
- Building The Identity Governance Eco-System
- Using Life Cycle Workflows (LCW)
- Introducing New Attributes
- Using Dynamic groups
- Using Entitlement Management
- Using Privileged Identity Management
- Using Privileged Identity Management Based Groups
- Using Access Reviews
- Coming Back to LCW – Leaver Template
- Audit Logs
- Licensing
- Licensing Prerequisites
- Resources
- Licesning Scenarios
- Implementing an ID Governance Strategy
- Entitle Management with External Users
- Wrapping Up
Ad-hoc Tasks we are carrying out today – A real-life scenario (sort of)
- New Joiner
For a new joiner request most of the time it’s a ticket to the IT Service Desk from HR to create the user account prior to the start date, new hire’s details along with the department, manager, etc. This is a very standard and no-brainer situation. Some organizations use Power Automate to set up a workflow and make everything automated up to some extent while some organizations use 3rd party HR applications with hooks to the On-premises AD or to Azure AD to create users once they fill out the form. These are all acceptable practices as the basic objects are getting created etc.
- Adding to Groups
Once the user account is created, it’s most likely another IT Service Desk manual task to add the user to the relevant mail distribution lists, Teams, SharePoint sites, etc.
- Admin Access (in some cases)
During the user’s time at the organization, there are many access requests to sensitive data and in most cases, someone needs to provide access with the relevant RBAC (Role Based Access Control) but forgets to remove that when the task or the period is finished.
- User moves to another department
Inter-departmental moves happen very often and once the user is moved they will be getting more access to resources on top of the existing access and added to more groups but most of the time the previous access is not removed and chances are the user ends up with a bunch of access that doesn’t require anymore.
- New user’s manager/ team leader winging it
Or the chances are sometimes the user doesn’t know which access to ask for when they joined the organization so they might check with a team member and advise IT to mirror the access. This approach will have a 50/50 chance of that user ending up having access that is not required.
When was the last time you advised IT Service Desk to remove these users as they no longer need access to that sensitive Team? Usually, group membership reviews are done not very often or not done at all. Users might ask IT to remove them from some mail distribution lists as they see the mails are coming in that they are not needed, but access to systems, RBAC, and other resources – this can result in piling up members that do not need any access anymore to that resource as the access is sitting there silently.
- User resigns
When the user resigns, again the HR would send the last working day, etc. IT does the necessary work to disable the account. Sometimes mistakenly the account can remain in the system without any changes being made despite the HR request. This can be a challenge when auditing comes into play and generally to your whole identity management practices and to the overall Security.
Above all are ad-hoc type activities which are not most of the time not interconnected. If everything is interconnected in some way or another – Kudos to you 🎇
What’s lacking in the above practice?
In three words – Modern Identity Capabilities. That starts with Automation. Setting up will take some time as you need to plan your scenarios and run a proof of concept or run a Pilot for a while, but it can be an investment and the right use of the licenses. Most of the time, it’s a question where you utilize the full capability list of the licenses. Most of the time the answer is NO. Mainly because of the incorrect understanding of the usages or not knowing the capabilities of a connected scenario.
The Dashboard
Entra Portal > Identity Governance > Dashboard
This gives you all things ID Governance at a glance for you to understand the current picture of your tenant.
![Identity Governance Dashboard]()
Building The Identity Governance Eco-System
![Identity Governance Dashboard]()
![Identity Governance Dashboard]()
The above figures can be a bit confusing to understand. But let me explain.
I’m taking the example of a Hybrid Environment.
![Hybrid Environment]()
Using Life Cycle Workflows (LCW)
- New user will be created in the on-prem AD and will be given a CustomExtention1
- The CustomExtentionAttributes can be set up from the Local AD that will be mapped onto these cloud attributes accordingly.
If you are in a hybrid environment, you can set up the Custom Attributes of the user object which will correspond to these attributes, and depending on the workflow, the user object will be added to the scope. Ideally, these can be set up using Sync Rules in AAD Connect Sync.
Introducing New Attributes
employeeHireDate
employeeType
employeeLeaveDateTime
- Using Lifecycle Workflows
- Creating the scope for the new joiner requests.
![]()
Add the tasks to the workflow
![]()
![]()
In the above screenshot, you can see the Generate Temporary Access Pass and Send welcome email tasks. This is under the assumption that a mailbox has been provisioned at this stage.
Adding to the groups is the key to this. Because my idea is to manage access via Entitlement Management’s Access Packages, I will not add the user to any Teams.
Now that the onboarding has been done, we can look at the next steps of the employee journey.
Using Dynamic groups
Let’s chat about Dynamic Groups. Even though it’s not an Identity Governance feature, it can be very helpful in building your solution. Dynamic Groups are not allowed in LCWs. And I think that’s for a reason. Simply LCWs dynamically add the user to groups already.
Especially when the user resigns and if you create your LCW to run a Leaver schedule, you have the option to disable the user account. That will make the user.accountEnabled -eq false and remove the users from the group.
![Dynamic groups]()
When you run a Mover schedule, you can use Dynamic Groups with the attribute department to provide access to resources and licensing.
Using Entitlement Management
![Entitlement Management]()
The goal is not to explain what Entitlement Management is, however, I want to use the Access Packages in it to make sure users get the right access to resources.
There are a few things you can do here. Either set a base package for the users that you have added to the groups in the LCW. So when the user is added to the group, in this step, they will get the assigned package access by default. If you don’t want to provide auto access, you can set it to ask for approval when the user needs access. In this case, they have to know the URL to go to and ask for the Access Package access.
The example below is for a new user who came to the IT team. Because he was added to a group in the LCW depending on the department, he will get this specific Access package.
Additionally, if you need more access you can do the same by creating more Access Packages. Time them or set them to never expire.
![Creating Access Packages]()
![Creating Access Packages]()
Tip: If you are creating more Access Packages later, you can assign them to Dynamic Groups and make sure you have added the additional membership rule with an AND operator (user.accountEnabled -eq true)
What this means is, when the user account is disabled, they will lose access to this Access Package automatically. Pretty neat ha?
Using Privileged Identity Management
The next thing I want to look at is Privileged Identity Management (PIM). PIM plays (Must play, if it hasn’t yet) a major role in the Identity Governance landscape and is a must-have as Just In Time Access and Just Enough Access is the recommended method to provide access to resources. Again, I’m not going to deep dive into how to set up access, but you can use Entra ID Dynamic groups to provide necessary access. Also, use (user.accountEnabled -eq true) in your rule so when the user account is disabled, the user will be removed from the Dynamic Group.
Using Privileged Identity Management Based Groups
Initially, I wanted to add the PIM-enabled groups in the LCWs, but in the real world, that access will come later. As well as other access-related requests. You can deliver the base access package by adding groups to the LCW tasks, but if you need to provide more access to Teams and other resources, it is best to go with more access packages.
This article below is something I wrote a while ago regarding Group Based Admin roles, but the same can be used to create a Dynamic Group, rule and the required RBAC
Using Access Reviews
It’s a no-brainer to have Access Reviews set up in your groups which has access to resources in this day and age. If you haven’t, you are not too late 🙂 This is another main feature and it is vital to set this automation for your groups. As I mentioned earlier the chances of you or the group owner reviewing access periodically is an additional task and it is hard to keep track of all the groups and what access the users got and go through each and every member.
You can set Access Reviews when you are creating your Access Packages or manually set it for your Groups. Once you set it, it will run periodically for you. However, this should be a part of your Identity Governance practices so you or the group owners are aware of the members in them.
Coming Back to LCW - Leaver Template
![Leaver Template]()
I want to quickly touch base on this template as well. Same to the joiner template, there are some tasks that will be running to make sure the employee’s access has been revoked.
![Leaver Template]()
In a result the access will be blocked as below.
![Leaver Template]()
Further to this, they will be removed from the group.
And now because the account is disabled, they will be removed from the Dynamic Groups automatically.
Example: Account disable Syntax (user.accountEnabled -eq False) and (user.jobTitle -eq "SysEng_L3")
This will be removed from the RBAC groups.
Audit Logs
Audit logs can be useful when it comes to understanding the activities that took place in this landscape. This will record all activities and furthermore if you can connect the Azure AD to an Azure Log Analytics workspace. You can query the AuditLogs table using KQL.
For all the Identity Governance features, there is a separate Audit Logs section where you can explore the activities and have the ability to download the CSV as well.
![Audit Logs]()
Licensing
As always licensing plays a huge role in the Entra ID Governance world. Microsoft has recently introduced two new licenses.
AAD_Premium and AAD_Premium_P2 Service plans are already covering a huge chunk of Entra ID Governance features, however, the new license will make sure you will close any gaps in that space.
- Microsoft Entra ID Governance (Entra ID Governance (User SL))
- Microsoft Entra ID Governance Setup Up to Microsoft Entra ID P2 (Entra ID Governance P2)
Licensing Prerequisites
- To use Microsoft Entra ID Governance [Entra ID Governance (User SL)], you need to have a product that contains AAD_Premium or AAD_Premium_P2 service plan (Microsoft Entra ID P1, Microsoft 365 E3/E5/A3/A5/G3/G5, Enterprise Mobility + Security E3/E5 or Microsoft 365 F1/F3)
- To use Microsoft Entra ID Governance Step Up to Microsoft Entra ID P2, you must have a product that contains AAD_Premium_P2 service plan (Microsoft Entra ID P2, Microsoft 365 E5/A5/G5, Enterprise Mobility + Security E5, Microsoft 365 E5/F5 Security or Microsoft 365 F5 Security + Compliance)
Microsoft has created the below chart to showcase the features depending on the Licensing model.
Resources
Licesning Scenarios
Implementing an ID Governance Strategy
Wrapping Up
Identity Governance is a vital part of your security posture and if you are doing manual tasks or do not have a process now is the best time to think of one. I hope this post helped you to do a deep dive into the features and to understand how everything connects. Onboarding a user is no longer an ad-hoc task. It’s a journey and Azure AD has the tools to support that journey if you are ready to unlock the full potential of its capabilities.