Managing the Identity Lifecycle with Azure AD Identity Governance

01/01/2025

This technical article is written for security analysts, IT administrators and systems engineers who need to implement and operate the identity lifecycle with Azure AD Identity Governance. In modern corporate environments, where internal and external users reach an ever-growing set of resources and applications, answering who has access to what, for how long and why has become a hard problem. Azure AD Identity Governance provides the tooling to manage identities and their access effectively, securely and in line with organizational policy [1].

Introduction

The life cycle of an identity ranges from its creation, through the granting of access and permissions, to its deactivation. Without robust management, organizations can accumulate excessive or unnecessary access (known as "privilege creep"), which increases the attack surface and the risk of data breaches. Complexity increases with the need to manage identities of employees, partners, suppliers and customers, each with different access requirements and validity periods. Manual processes for managing this lifecycle are error-prone, inefficient, and difficult to audit [2].

Azure AD Identity Governance is the set of Microsoft Entra ID (formerly Azure Active Directory) capabilities, now marketed as Microsoft Entra ID Governance, that let organizations manage and govern the lifecycle of identities and access in an automated and scalable way. It includes Access Reviews, Entitlement Management and Lifecycle Workflows, which together aim to give the right people the right access to the right resources for only as long as they need it. This matters for security posture, for regulatory compliance and for keeping IT operations manageable [3].

This practical guide covers the key components of Azure AD Identity Governance, with a focus on configuring and using Access Reviews and Entitlement Management. Step-by-step instructions, practical examples and short explanations are provided so that the reader can implement and validate these features. Security tips, compliance checks and best practices follow, so that the resulting identity and access management is effective, auditable and reliable.

Why is Azure AD Identity Governance crucial?

  • Principle of Least Privilege: Ensures that users only have the access necessary for their functions, reducing the risk of excessive access.
  • Regulatory Compliance: Helps meet auditing and compliance requirements (such as LGPD, GDPR, HIPAA) that require periodic access reviews and strict control over who can access sensitive data.
  • Visibility and Auditing: Provides detailed reports on access, allowing organizations to audit and demonstrate compliance.
  • Lifecycle Automation: Automates provisioning, access assignment and deactivation of identities, reducing administrative burden and minimizing errors.
  • Guest Access Management: Simplifies identity and access management for external users (partners, suppliers), ensuring that access is granted and revoked in a timely manner.
  • Risk Reduction: Minimizes the risk of orphaned or overprivileged accounts that can be exploited by attackers.

Prerequisites

To use Azure AD Identity Governance, you will need the following items:

  1. Licensing: Access Reviews and Entitlement Management require a Microsoft Entra ID P2 license (formerly Azure AD Premium P2) for the users being governed; Lifecycle Workflows and some newer capabilities require the separate Microsoft Entra ID Governance license [4].
  2. Administrative Access: An account holding the Identity Governance Administrator role (or Global Administrator or User Administrator) in the Azure portal (https://portal.azure.com) or the Microsoft Entra admin center (https://entra.microsoft.com). Prefer Identity Governance Administrator over Global Administrator: it is the least-privileged role that can do everything in this guide.
  3. Existing Groups and Applications: Azure AD groups and/or enterprise applications for which you want to manage access.

Step by Step: Implementing Azure AD Identity Governance

Let's configure Access Reviews and Entitlement Management.

1. Accessing Azure AD Identity Governance

  1. Open your browser and navigate to the Azure portal: https://portal.azure.com.
  2. Log in with an account that has the necessary permissions.
  3. In the top search field, type Identity Governance and select it from the results.

2. Configuring an Access Review

Access Reviews let organizations periodically re-examine user access to groups, applications and privileged roles, so that access that is no longer necessary or appropriate is removed rather than accumulating.

  1. In the Identity Governance left navigation pane, select Access Reviews.
  2. Click +New Access Review.

  3. Select what to review: Choose the type of resource to review:

    • Teams + groups
    • Applications
    • Azure AD roles (for directory roles such as Global Administrator)
    • Azure resource roles (for Azure RBAC roles such as Subscription Owner)
    • For this example, select Teams + groups.
  4. Review scope: Select Select Teams + groups and add a specific group (e.g. Finance_Group), or All Microsoft 365 groups with guest users to sweep every group that contains guests.

  5. Scope: Select Guest users only or All users.

  6. Reviewers: Define who will carry out the review:

    • Group Owners (recommended for groups)
    • Managers (to review the access of their direct reports)
    • Selected users
    • For this example, select Group Owners.
  7. Frequency: Define the frequency of the review (ex: Monthly, Quarterly, Annually, Once).

  8. Duration: Define how many days the review will be active.
  9. Start Date: Set the start date for the review.
  10. Click Next: Settings.

  11. Settings:

    • Auto-apply results to resource: Enable, so that decisions are written back to the group when the review closes instead of waiting for an administrator to apply them.
    • If reviewers don't respond: Remove access. This fails closed: membership that nobody vouches for is dropped. Pair it with reminders and a fallback reviewer so that an absent owner does not silently empty the group.
    • Action to apply on denied guest users: choose whether denied guests are only removed from the group or also blocked from signing in and later removed from the tenant.
    • Decision helpers: enable recommendations (No sign-in within 30 days) so reviewers can see which members have not used the access.
    • Justification required: Yes, so the audit trail records why each decision was made.
    • Notifications and reminders: send email notifications to reviewers and enable reminders.
  12. Click Next: Review + create.

  13. Review + create: Give the review a name (ex: Revisao_Acesso_Financeiro_Trimestral) and a description. Click Create.

    • Explanation: This review runs quarterly for Finance_Group. Group owners are notified and must decide on each member. If a member is denied, or the owner does not respond before the review window closes, the member is removed from the group automatically. Note the failure mode: an owner who ignores the review removes everyone, so reminders and a fallback reviewer for groups without owners are part of the configuration, not optional extras.
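The same quarterly review can be created from PowerShell, which is the natural way to roll it out across many groups and to verify afterwards that the fail-closed settings really took. The following is an added example written for this article with the Microsoft Graph PowerShell SDK, not code from the original page or from Microsoft; it assumes the Microsoft.Graph module is installed, that the group is named Finance_Group, and that the signed-in account can create access reviews (for example Identity Governance Administrator).

```powershell
# Added example: create the quarterly Finance_Group access review via Microsoft Graph v1.0.
# Assumptions: Microsoft.Graph module installed; group display name Finance_Group;
# signed-in account allowed to create access reviews.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All", "Group.Read.All" -NoWelcome

$group = Get-MgGroup -Filter "displayName eq 'Finance_Group'"
if (-not $group) { throw "Finance_Group not found" }

$definition = @{
    displayName             = "Revisao_Acesso_Financeiro_Trimestral"
    descriptionForAdmins    = "Quarterly review of Finance_Group membership"
    descriptionForReviewers = "Confirm that each member still needs Finance_Group access"
    # What is reviewed: every (transitive) member of the group.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$($group.Id)/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    # Who reviews: the group owners.
    reviewers = @(
        @{ query = "/groups/$($group.Id)/owners"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true    # "No sign-in within 30 days" helper
        instanceDurationInDays          = 14       # review window
        autoApplyDecisionsEnabled       = $true    # write results back to the group
        defaultDecisionEnabled          = $true    # act when nobody responds...
        defaultDecision                 = "Deny"   # ...by removing access
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; month = 0; dayOfMonth = 0 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$review = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions" `
    -Body ($definition | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Read the definition back and check the two settings that decide the failure mode.
# A review that lets non-response pass silently is a review that never removes anything.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/$($review.id)"
if (-not $check.settings.autoApplyDecisionsEnabled -or $check.settings.defaultDecision -ne "Deny") {
    Write-Warning "Review '$($check.displayName)' would leave unreviewed access in place"
} else {
    "Review '$($check.displayName)' created: auto-apply on, default decision Deny"
}
```

To limit the review to guests only, change the scope query to `/groups/<id>/transitiveMembers/microsoft.graph.user/?$filter=(userType eq 'Guest')`; to cover groups that may have no owner, add a `fallbackReviewers` entry pointing at a named user or group, otherwise the review has nobody to notify.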

3. Configuring Entitlement Management

Entitlement Management lets organizations manage the lifecycle of resource access for internal and external users by automating the request, approval, provisioning and deprovisioning of access through "access packages". (The Portuguese-language portal calls this Gerenciamento de Direitos, sometimes rendered as "Rights Management"; the English UI and this guide say Entitlement Management.)

  1. In the Identity Governance left navigation pane, select Entitlement management.
  2. Catalogs: First, create a catalog to organize your access packages.

    • Select Catalogs > + New catalog.
    • Display name: Catalogo_Projetos.
    • Description: Catalog for accessing project-specific resources.
    • Enabled: Yes.
    • Click Create.
  3. Access packages: Now, create an access package.

    • Select Access packages > + New access package.
    • Basics:
      • Name: Acesso_Projeto_Alfa.
      • Description: Access to Project Alpha resources.
      • Catalog: Select Catalogo_Projetos.
    • Click Next.
  4. Resources: Add the resources this access package will grant.

    • Click on + Add groups and teams and add a group (ex: Grupo_Projeto_Alfa).
    • Click on +Add applications and add an application (ex: App_Projeto_Alfa).
    • Click + Add resource roles (e.g. Contributor in a specific resource group).
    • Click Next.
  5. Requests: Define who can request this package and how requests are approved.

    • Users who can request access: For users in your directory (all members, or specific groups), For users not in your directory (connected organizations or any external user), or None (administrator direct assignments only).
    • Require approval: Yes.
    • Require requestor justification: Yes.
    • How many stages: 1 (or 2 for two-stage approval, for example sponsor first, then the resource owner).
    • First approver: Manager as approver or Choose specific approvers (e.g. the Alpha Project Manager). When you choose Manager, also set a fallback approver for requestors whose manager attribute is empty, otherwise their requests stall.
    • Decision must be made in how many days: e.g. 7. Unanswered requests are then denied instead of staying open indefinitely.
    • Require approver justification: Yes.
    • Enable new requests: Yes.
    • Click Next.
  6. Requester Information: Add custom questions that requesters must answer. Click Next.

  7. Lifecycle: Define how long access is granted and whether it should expire.

    • Expiration: Select In number of days (ex: 30) or Specific date.
    • Require access review to extend access: Yes (to review whether access is still required before it expires).
    • Allow users to extend access: Yes.
    • Require approval to grant extension: Yes.
    • Click Next.
  8. Review + create: Review the settings and click Create.

    • Explanation: This access package allows internal users to request access to Project Alpha resources. The request will require approval from the Project Manager, and the access granted will expire after 30 days, with the possibility of extension upon review.
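The catalog, package, resource role and policy above map onto four Graph objects, and scripting them makes the policy settings (expiration, approval stages, justification, review on extension) explicit and reviewable in source control. The block below is an added example written for this article, not code from the original page or from Microsoft. It assumes the Microsoft.Graph module, an existing group named Grupo_Projeto_Alfa, and a placeholder fallback approver pm.alfa@contoso.com; property names follow the Microsoft Graph v1.0 entitlement management API, and the `Member_<groupId>` role originId is looked up rather than hard-coded.

```powershell
# Added example: catalog -> group resource -> access package -> role scope -> policy,
# all through Microsoft Graph v1.0. Assumptions: Microsoft.Graph module installed,
# group Grupo_Projeto_Alfa exists, pm.alfa@contoso.com is a placeholder fallback approver.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "Group.Read.All", "User.Read.All" -NoWelcome
$em = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

function Invoke-Em {
    # Small wrapper: POST/GET under the entitlement management root with a JSON body.
    param([string]$Method, [string]$Path, [hashtable]$Body)
    $params = @{ Method = $Method; Uri = "$em/$Path" }
    if ($Body) {
        $params.Body        = $Body | ConvertTo-Json -Depth 10
        $params.ContentType = "application/json"
    }
    Invoke-MgGraphRequest @params
}

$group    = Get-MgGroup -Filter "displayName eq 'Grupo_Projeto_Alfa'"
$fallback = Get-MgUser  -Filter "userPrincipalName eq 'pm.alfa@contoso.com'"   # assumed account

# 1. Catalog: published, but not visible to external users.
$catalog = Invoke-Em POST "catalogs" @{
    displayName = "Catalogo_Projetos"; description = "Catalog for project-specific resources"
    state = "published"; isExternallyVisible = $false
}

# 2. Add the group to the catalog, then find the catalog resource and its "Member" role.
Invoke-Em POST "resourceRequests" @{
    requestType = "adminAdd"
    resource    = @{ originId = $group.Id; originSystem = "AadGroup" }
    catalog     = @{ id = $catalog.id }
} | Out-Null
$resource   = (Invoke-Em GET "catalogs/$($catalog.id)/resources?`$filter=originId eq '$($group.Id)'").value[0]
$memberRole = (Invoke-Em GET "catalogs/$($catalog.id)/resourceRoles?`$filter=(originSystem eq 'AadGroup' and resource/id eq '$($resource.id)')&`$expand=resource").value |
    Where-Object displayName -eq "Member"

# 3. Access package plus the role scope; without the role scope the package grants nothing.
$package = Invoke-Em POST "accessPackages" @{
    displayName = "Acesso_Projeto_Alfa"; description = "Access to Project Alpha resources"
    isHidden = $false; catalog = @{ id = $catalog.id }
}
Invoke-Em POST "accessPackages/$($package.id)/resourceRoleScopes" @{
    role  = @{ originId = $memberRole.originId; displayName = "Member"; originSystem = "AadGroup"
               resource = @{ id = $resource.id; originId = $group.Id; originSystem = "AadGroup" } }
    scope = @{ originId = $group.Id; originSystem = "AadGroup" }
} | Out-Null

# 4. Policy: internal users, manager approval with justification (fallback approver for
#    users with no manager), 30-day expiry, extension only with approval, monthly review
#    that removes access when the reviewer does not answer.
Invoke-Em POST "assignmentPolicies" @{
    displayName        = "Solicitacao_Interna_Projeto_Alfa"
    description        = "Internal requestors, manager approval, 30-day expiry"
    allowedTargetScope = "allMemberUsers"
    expiration         = @{ type = "afterDuration"; duration = "P30D" }
    requestorSettings  = @{
        enableTargetsToSelfAddAccess    = $true
        enableTargetsToSelfUpdateAccess = $true     # "Allow users to extend access"
        enableTargetsToSelfRemoveAccess = $true
    }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd         = $true
        isApprovalRequiredForUpdate      = $true    # "Require approval to grant extension"
        isRequestorJustificationRequired = $true
        stages = @(@{
            durationBeforeAutomaticDenial   = "P7D"  # unanswered requests are denied, not left open
            isApproverJustificationRequired = $true
            primaryApprovers         = @(@{ "@odata.type" = "#microsoft.graph.requestorManager"; managerLevel = 1 })
            fallbackPrimaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $fallback.Id })
        })
    }
    reviewSettings = @{
        isEnabled = $true; expirationBehavior = "removeAccess"
        isRecommendationEnabled = $true; isReviewerJustificationRequired = $true
        primaryReviewers  = @(@{ "@odata.type" = "#microsoft.graph.requestorManager"; managerLevel = 1 })
        fallbackReviewers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $fallback.Id })
        schedule = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
            expiration    = @{ type = "afterDuration"; duration = "P14D" }
            recurrence    = @{ pattern = @{ type = "absoluteMonthly"; interval = 1; month = 0; dayOfMonth = 0 }
                               range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") } }
        }
    }
    accessPackage = @{ id = $package.id }
} | Out-Null
"Package $($package.displayName) created in catalog $($catalog.displayName)"
```

Two settings here are deliberately stricter than the defaults and worth keeping: `durationBeforeAutomaticDenial` turns a forgotten request into a denial instead of a request that waits forever, and `expirationBehavior = "removeAccess"` makes the lifecycle review fail closed in the same way the access review in the previous section does.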

4. Testing Entitlement Management (User Experience)

  1. Share the link: After creating the access package, copy its My Access portal link (https://myaccess.microsoft.com) from the package overview.
  2. User experience: Ask a test user who does not yet have access to the Project Alpha resources to open the link and request the Acesso_Projeto_Alfa package, entering a justification.
  3. Approver experience: The configured approver (Alpha Project Manager) receives an email notification and approves or denies the request under Approvals in the My Access portal or in the Azure portal.
  4. Verification: After approval, confirm that the test user is now a member of Grupo_Projeto_Alfa, can reach App_Projeto_Alfa, and that the assignment shows an expiration 30 days out. Then test the negative path: have the approver deny a second request and confirm that no access was granted.
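Clicking through the portal verifies one user; the following added example (written for this article, not taken from the original page or from Microsoft) checks the same thing from Graph so it can be re-run after every change: it lists requests still waiting on an approver, then, for every delivered assignment of the package, confirms that the target really is a member of Grupo_Projeto_Alfa and prints when the assignment expires. It assumes the Microsoft.Graph module and the package and group names used above.

```powershell
# Added example: verify entitlement management end to end for Acesso_Projeto_Alfa.
# Assumptions: Microsoft.Graph module; package Acesso_Projeto_Alfa and group
# Grupo_Projeto_Alfa exist as created in the walkthrough.
Connect-MgGraph -Scopes "EntitlementManagement.Read.All", "GroupMember.Read.All", "User.Read.All", "Group.Read.All" -NoWelcome
$em = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

$package = (Invoke-MgGraphRequest -Method GET -Uri "$em/accessPackages?`$filter=displayName eq 'Acesso_Projeto_Alfa'").value[0]
$group   = Get-MgGroup -Filter "displayName eq 'Grupo_Projeto_Alfa'"

# 1. Requests still waiting on an approver (state filtered client-side; add paging for large tenants).
$requests = (Invoke-MgGraphRequest -Method GET -Uri "$em/assignmentRequests?`$expand=requestor,accessPackage").value
$requests | Where-Object { $_.accessPackage.id -eq $package.id -and $_.state -eq 'pendingApproval' } |
    ForEach-Object { "PENDING  $($_.requestor.displayName) since $($_.createdDateTime)" }

# 2. Delivered assignments for the package; for each, prove the group membership exists.
$assignments = (Invoke-MgGraphRequest -Method GET `
    -Uri "$em/assignments?`$filter=accessPackage/id eq '$($package.id)' and state eq 'delivered'&`$expand=target").value

foreach ($a in $assignments) {
    # checkMemberGroups returns the subset of the supplied group IDs the user belongs to.
    $hit = Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/users/$($a.target.objectId)/checkMemberGroups" `
        -Body (@{ groupIds = @($group.Id) } | ConvertTo-Json) -ContentType "application/json"
    $status = if ($hit.value -contains $group.Id) { "OK" } else { "MISSING" }
    "{0,-8} {1,-40} expires {2}" -f $status, $a.target.email, $a.schedule.expiration.endDateTime
}
if (-not $assignments) { "No delivered assignments for $($package.displayName)" }
```

A `MISSING` line means the assignment is recorded as delivered but the group membership is gone, which usually points at someone removing the member directly in the group instead of through the package; `assignments` with no `endDateTime` mean the policy was created without an expiration and should be corrected.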

5. Managing External Users with Connected Organizations

To manage external users who come from partner organizations, you can configure Connected Organizations.

  1. In the Identity Governance left navigation pane, select Connected Organizations.
  2. Click + New connected organization.
  3. Basics:

    • Name: Partner_X.
    • Description: Partner organization for collaboration.
    • State: Configured. (Proposed organizations are created automatically when an external user from an unknown domain requests a package whose policy allows all external users; review them and move them to Configured or remove them.)
    • Directory + domain: Search for the partner's Microsoft Entra tenant or domain (e.g. parceirox.com); the portal detects whether it is an Entra ID tenant or a plain domain identity source.
    • Sponsors: Add at least one internal sponsor (the employee who owns the relationship). Sponsors can be used as approvers for the partner's requests.
    • Click Create.
  4. Now, when creating an access package, you can configure the request policy to allow users from Partner_X to request access, simplifying the onboarding process for external collaborators.
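The natural complement to a connected organization is a separate, stricter policy on the package for that organization's users, rather than reusing the internal one. The following is an added example written for this article (not code from the original page or from Microsoft): it creates Parceiro_X with a domain identity source, registers an internal sponsor, and adds a policy to Acesso_Projeto_Alfa that only Parceiro_X members can use, with two approval stages (internal sponsor, then the project manager), a 14-day expiry and no self-service extension. The domain parceirox.com and the accounts alice@contoso.com and pm.alfa@contoso.com are placeholders.

```powershell
# Added example: connected organization Parceiro_X plus an external-only policy on
# Acesso_Projeto_Alfa. Assumptions: Microsoft.Graph module; placeholder domain
# parceirox.com, sponsor alice@contoso.com, approver pm.alfa@contoso.com.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "User.Read.All" -NoWelcome
$em = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

# 1. Connected organization, configured immediately, identified by the partner's domain.
$org = Invoke-MgGraphRequest -Method POST -Uri "$em/connectedOrganizations" -ContentType "application/json" -Body (@{
    displayName     = "Parceiro_X"
    description     = "Partner organization for collaboration"
    state           = "configured"
    identitySources = @(@{ "@odata.type" = "#microsoft.graph.domainIdentitySource"
                           domainName = "parceirox.com"; displayName = "Parceiro X" })
} | ConvertTo-Json -Depth 5)

# 2. Internal sponsor: the employee accountable for this partner; used as stage-1 approver.
$sponsor = Get-MgUser -Filter "userPrincipalName eq 'alice@contoso.com'"
Invoke-MgGraphRequest -Method POST -Uri "$em/connectedOrganizations/$($org.id)/internalSponsors/`$ref" `
    -ContentType "application/json" `
    -Body (@{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($sponsor.Id)" } | ConvertTo-Json)

# 3. External policy on the existing package.
$package = (Invoke-MgGraphRequest -Method GET -Uri "$em/accessPackages?`$filter=displayName eq 'Acesso_Projeto_Alfa'").value[0]
$pm      = Get-MgUser -Filter "userPrincipalName eq 'pm.alfa@contoso.com'"

Invoke-MgGraphRequest -Method POST -Uri "$em/assignmentPolicies" -ContentType "application/json" -Body (@{
    displayName            = "Solicitacao_Parceiro_X"
    description            = "Parceiro_X requestors, two-stage approval, 14-day expiry"
    allowedTargetScope     = "specificConnectedOrganizationSubjects"   # only this partner, not "any external user"
    specificAllowedTargets = @(@{ "@odata.type" = "#microsoft.graph.connectedOrganizationMembers"
                                  connectedOrganizationId = $org.id; description = "Parceiro_X" })
    expiration             = @{ type = "afterDuration"; duration = "P14D" }
    requestorSettings      = @{
        enableTargetsToSelfAddAccess    = $true
        enableTargetsToSelfUpdateAccess = $false    # partners re-request; they do not extend
        enableTargetsToSelfRemoveAccess = $true
    }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd         = $true
        isRequestorJustificationRequired = $true
        stages = @(
            @{ durationBeforeAutomaticDenial = "P3D"; isApproverJustificationRequired = $true
               primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.internalSponsors" }) },
            @{ durationBeforeAutomaticDenial = "P3D"; isApproverJustificationRequired = $true
               primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $pm.Id }) }
        )
    }
    accessPackage = @{ id = $package.id }
} | ConvertTo-Json -Depth 10) | Out-Null
"Connected organization $($org.displayName) ($($org.id)) created with external policy on $($package.displayName)"
```

Scoping the policy to `specificConnectedOrganizationSubjects` instead of "all users not in your directory" is the important choice: the latter lets anyone with a mailbox create a proposed connected organization and a guest account by simply requesting, which is exactly the uncontrolled onboarding path this section is meant to replace.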

Security Tips and Best Practices

  • Principle of Least Privilege: Always design your access packages and reviews to grant the least privilege necessary. Regularly review granted permissions.
  • Automation Wherever Possible: Use Lifecycle Workflows to automate user provisioning and deprovisioning, especially for employees and guests.
  • Regular Access Reviews: Schedule periodic access reviews for all groups, applications and privileged roles. This ensures that access is continually validated.
  • Access Expiration Policies: Configure access expiration for access packages and guest users. This ensures that access is automatically revoked after a set period unless explicitly extended.
  • Suitable Approvers: Select approvers who have sufficient knowledge to make informed decisions about access needs (e.g., resource owners, managers).
  • Clear Documentation: Keep clear documentation of your catalogs, access packages, policies and reviews, including who owns each catalog. This makes the access model easier to audit and to hand over.
  • Monitoring and Alerting: Forward the Microsoft Entra audit logs to Log Analytics or your SIEM with a diagnostic setting and monitor Identity Governance activities: access package and policy changes, access requests, approvals and removals, and review completions. Alert on policy, catalog and connected organization changes made outside change windows and on failed assignment deliveries.
  • User and Approver Education: Train users on how to request access via the "My Access" portal and approvers on their responsibilities in reviewing and approving requests.
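Before the SIEM pipeline exists, the same audit data can be pulled straight from Graph. The block below is an added example written for this article, not code from the original page or from Microsoft: it fetches the last seven days of events logged by the Entitlement Management and Access Reviews services, follows paging, summarizes volume per activity, and prints the control-plane changes and failures that deserve a first look. It assumes the Microsoft.Graph module; the `policy|catalog|connected organization|definition` pattern is this example's own heuristic for "someone changed the rules", not an official taxonomy.

```powershell
# Added example: triage Identity Governance audit events from Microsoft Graph.
# Assumptions: Microsoft.Graph module; the activity-name pattern used for flagging
# is a heuristic chosen for this example.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

function Get-GovernanceAudit {
    # Returns all directory audit events for one service since $since, following @odata.nextLink.
    param([string]$Service)   # "Entitlement Management" or "Access Reviews"
    $uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=loggedByService eq '$Service' and activityDateTime ge $since"
    $events = @()
    while ($uri) {
        $page    = Invoke-MgGraphRequest -Method GET -Uri $uri
        $events += $page.value
        $uri     = $page.'@odata.nextLink'
    }
    $events
}

$events = @(Get-GovernanceAudit "Entitlement Management") + @(Get-GovernanceAudit "Access Reviews")

# Volume by activity: a spike in removals, approvals or denials is the first thing to notice.
$events | Group-Object activityDisplayName | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# High-signal rows: anything that failed, and anything that changed the rules
# (policies, catalogs, connected organizations, review definitions). Show who, what, on which object.
$events | Where-Object {
    $_.result -ne 'success' -or $_.activityDisplayName -match 'policy|catalog|connected organization|definition'
} | Sort-Object activityDateTime | ForEach-Object {
    $who = $_.initiatedBy.user.userPrincipalName
    if (-not $who) { $who = "app:" + $_.initiatedBy.app.displayName }   # automation or a service principal
    $targets = ($_.targetResources | ForEach-Object { $_.displayName }) -join ", "
    "{0}  {1,-8} {2,-45} {3,-35} -> {4}" -f $_.activityDateTime, $_.result, $_.activityDisplayName, $who, $targets
}
```

Actors of type `app:` are worth a second look in this output: a policy change initiated by a service principal means some automation holds EntitlementManagement.ReadWrite.All, and that permission is effectively the ability to grant anyone access to anything in the catalogs.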

Common Troubleshooting

  • User is unable to request access package:
    • Check whether the user is included in the access package request policy (e.g. For users in your directory or For users not in your directory).
    • Make sure the access package is Enabled for new requests.
    • Confirm that licensing covers the user: entitlement management requires a Microsoft Entra ID P2 or Microsoft Entra ID Governance license for the users being governed.
  • Approver does not receive request notification:
    • Check email settings in access package request policy.
    • Make sure the approver's email is correct and that notifications are not being filtered by spam.
    • Check the Azure AD audit logs to see if the request was sent and if there were any errors.
  • Access review does not start or does not notify reviewers:
    • Check the Start Date and Frequency of access review.
    • Make sure email notification settings are enabled in Access Review.
    • Check Azure AD audit logs for events related to access review.
  • Access is not automatically removed after review:
    • Make sure the Auto-apply results to resource option is On in the access review.
    • Make sure the Action to take upon completion is set to Remove access.
    • It may take some time for access removals to be processed after the review is complete.
  • Problems with external/guest users:
    • Verify that the connected organization is configured correctly and that the identity type matches the partner directory.
    • Ensure that external collaboration settings in Azure AD allow external user invitation and access.

Conclusion

Azure AD Identity Governance is a capable platform for managing the lifecycle of identities and access in modern environments. By implementing Access Reviews, Entitlement Management and Lifecycle Workflows, organizations can keep access to resources appropriate, periodically reviewed and revoked on time. This strengthens security posture, supports regulatory compliance and reduces operational effort. With this guide, security professionals and IT administrators should be able to configure, validate and operate Azure AD Identity Governance and build a more controlled and automated identity and access environment for their organizations.


References:

[1] Microsoft Learn. What is Microsoft Entra ID Governance? Available at: https://learn.microsoft.com/pt-br/entra/id-governance/identity-governance-overview
[2] Microsoft Learn. Govern the employee lifecycle with Microsoft Entra Identity Governance. Available at: https://learn.microsoft.com/pt-br/entra/id-governance/scenarios/govern-the-employee-lifecycle
[3] Microsoft Learn. Automate identity lifecycle management with Microsoft Entra ID Governance. Available at: https://learn.microsoft.com/pt-br/entra/id-governance/scenarios/automate-identity-lifecycle
[4] Microsoft Learn. Licensing requirements for Microsoft Entra ID Governance. Available at: https://learn.microsoft.com/pt-br/entra/id-governance/licensing
[5] Microsoft Learn. Create a group and application access review in Microsoft Entra ID. Available at: https://learn.microsoft.com/pt-br/entra/id-governance/create-access-review
[6] Microsoft Learn. What is Microsoft Entra entitlement management? Available at: https://learn.microsoft.com/pt-br/entra/id-governance/entitlement-management-overview
[7] Microsoft Learn. Create an access package in Microsoft Entra entitlement management. Available at: https://learn.microsoft.com/pt-br/entra/id-governance/entitlement-management-access-package-create
[8] Microsoft Learn. What are connected organizations in Microsoft Entra entitlement management? Available at: https://learn.microsoft.com/pt-br/entra/id-governance/entitlement-management-connected-organization