What is Microsoft Entra ID Governance?

Microsoft Entra ID Governance is an identity governance solution that enables organizations to improve productivity, strengthen security and more easily meet compliance and regulatory requirements. You can use Microsoft Entra ID Governance to automatically ensure that the right people have the right access to the right resources, with identity and access process automation, delegation to business groups, and increased visibility. With the features included in Microsoft Entra ID Governance, along with those in related Microsoft Entra, Microsoft Security and Azure products, you can mitigate identity and access risks by protecting, monitoring, and auditing access to critical assets.

Specifically, Microsoft Entra ID Governance helps organizations address these four key questions, for access across services and applications both on-premises and in clouds:

  • Which users should have access to which resources?
  • What are those users doing with that access?
  • Are there organizational controls in place for managing access?
  • Can auditors verify that the controls are working effectively?

With Microsoft Entra ID Governance you can implement the following scenarios for employees, business partners and vendors:

  • Govern the identity lifecycle
  • Govern the access lifecycle
  • Secure privileged access for administration

Identity lifecycle

Identity Governance helps organizations achieve a balance between productivity - How quickly can a person have access to the resources they need, such as when they join my organization? And security - How should their access change over time, such as due to changes to that person's employment status? Identity lifecycle management is the foundation for Identity Governance, and effective governance at scale requires modernizing the identity lifecycle management infrastructure for applications.

Identity lifecycle

For many organizations, identity lifecycle for employees and other workers is tied to the representation of that person in an HCM (human capital management) or HR system. Organizations need to automate the process of creating an identity for a new employee that is based on a signal from that system so that the employee can be productive on day 1. And organizations need to ensure those identities and access are removed when the employee leaves the organization.

In Microsoft Entra ID Governance, you can automate the identity lifecycle for these individuals using:

Organizations also need additional identities, for partners, suppliers and other guests, to enable them to collaborate or have access to resources.

In Microsoft Entra ID Governance, you can enable business groups to determine which of these guests should have access, and for how long, using:

  • entitlement management in which you can specify the other organizations whose users are allowed to request access to your organization's resources. When one of those users's request is approved, they're automatically added by entitlement management as a B2B guest to your organization's directory, and assigned appropriate access. And entitlement management automatically removes the B2B guest user from your organization's directory when their access rights expire or are revoked.
  • access reviews that automates recurring reviews of existing guests already in your organization's directory, and removes those users from your organization's directory when they no longer need access.

For more information, see Govern the employee and guest lifecycle.

Access lifecycle

Organizations need a process to manage access beyond what was initially provisioned for a user when that user's identity was created. Furthermore, enterprise organizations need to be able to scale efficiently to be able to develop and enforce access policy and controls on an ongoing basis.

Access lifecycle

With Microsoft Entra ID Governance, IT departments can establish what access rights users should have across various resources, and what enforcement checks such as separation of duties or access removal on job change are necessary. Microsoft Entra ID has connectors to hundreds of cloud and on-premises applications, and you can integrate your organization's other apps that rely upon AD groupsFor example, Conditional Access policies can include displaying a terms of use and ensuring the user has agreed to those terms prior to being able to access an application.

Access changes across apps and groups can be automated based on attribute changes. Microsoft Entra entitlement management automatically add and remove users into groups or access packages, so that access to applications and resources is updated. Users can also be moved when their condition within the organization changes to different groups, and can even be removed entirely from all groups or access packages.

Furthermore, IT can delegate access management decisions to business decision makers. For example, employees that wish to access confidential customer data in a company's marketing application in Europe could need approval from their manager, a department lead or resource owner, and a security risk officer. Entitlement management enables you to define how users request access across packages of group and team memberships, app roles, and SharePoint Online roles, and enforce separation of duties checks on access requests.

Organizations can also control which guest users have access. These access rights can then be regularly reviewed using recurring Microsoft Entra access reviews for access recertification.

Privileged access lifecycle

Governing privileged access is a key part of modern Identity Governance especially given the potential for misuse associated with administrator rights can cause to an organization. The employees, vendors, and contractors that take on administrative rights need to have their accounts and privileged access rights governed.

Privileged access lifecycle

Microsoft Entra Privileged Identity Management (PIM) provides additional controls tailored to securing access rights for resources, across Microsoft Entra, Azure, other Microsoft Online Services and other applications. The just-in-time access, and role change alerting capabilities provided by Microsoft Entra PIM, in addition to multifactor authentication and Conditional Access, provide a comprehensive set of governance controls to help secure your organization's resources (directory roles, Microsoft 365 roles, Azure resource roles and group memberships). As with other forms of access, organizations can use access reviews to configure recurring access re-certification for all users in privileged administrator roles.

License requirements

Using this feature requires Microsoft Entra ID Governance or Microsoft Entra Suite licenses. To find the right license for your requirements, see Microsoft Entra ID Governance licensing fundamentals.

Getting started

Check out the Prerequisites before configuring Microsoft Entra ID for identity governance. Then, visit the Governance dashboard in the Microsoft Entra admin center to start using entitlement management, access reviews and Privileged Identity Management.

There are also tutorials for managing access to resources in entitlement management, onboarding external users to Microsoft Entra ID through an approval process.

While each organization may have its own unique requirements, the following configuration guides also provide the baseline policies Microsoft recommends you follow to ensure a more secure and productive workforce.

Simplifying identity governance tasks with automation

Once you've started using these identity governance features, you can easily automate common identity governance scenarios. The following table shows how to get started with automation for each scenario:

Scenario to automate Automation guide
Updating the membership of a group, based on changes to the member user's attributes Create a dynamic group
Assigning licenses group-based licensing
Adding and removing a user's group memberships, application roles, and SharePoint site roles, based on changes to the user's attributes Configure an automatic assignment policy for an access package in entitlement management
Adding and removing a user's group memberships, application roles, and SharePoint site roles, on a specific date Configure lifecycle settings for an access package in entitlement management
Running custom workflows when a user requests or receives access, or access is removed Trigger Logic Apps in entitlement management
Regularly having memberships of guests in Microsoft groups and Teams reviewed, and removing guest memberships that are denied Create an access review
Removing guest accounts that were denied by a reviewer Review and remove external users who no longer have resource access
Removing guest accounts that have no access package assignments Manage the lifecycle of external users
Other scheduled tasks Automate identity governance tasks with Azure Automation and Microsoft Graph via the Microsoft.Graph.Identity.Governance PowerShell module

Next steps