As organizations move faster and faster into the cloud, adopting service after service, they can sometimes find themselves asking whether they are secure and compliant. Identity is a main pillar of the Zero Trust model and a foundation of any cloud infrastructure. With cloud-based accounts, synchronized accounts, B2B, and B2C, access to resources within your environment can quickly get out of control.
Identity Governance is a component of an Identity and Access Management solution (IAM). It provides the means of centrally managing and maintaining user identity entitlements, role-based access, and privileges across an organization by linking people, data, and applications to determine who requires access to resources. It provides policy-based controls to enforce and review your IAM solution to evaluate and govern identity and access lifecycle as well as privileged access for administration.
Azure Active Directory (Azure AD) Identity Governance allows you to balance productivity with security. When certain access is granted, it is not necessarily meant to be permanent, but only for as long as your job requires it. In addition, as time goes on and your job evolves, IT admins need to ensure that they not only remove permissions that are no longer needed, but also make available the resources users need to perform the new tasks required of them. Finally, with a wide variety of administrative controls and Role Based Access Control groups, IT admins also need some checks and balances when it comes to privileged access.
Azure AD Identity Governance provides the tools to manage three life cycles within the IAM solution: Identity, Access, and Privileged Access.
To maintain these lifecycles, Azure AD has four primary features:
- Access Reviews
- Entitlement management
- Privileged Identity Management
Azure AD Identity Governance Features
Access Reviews are the first component of Azure AD Identity Governance. They allow organizations to efficiently review access to applications and group membership within Azure AD. Access Reviews can be configured to run on a recurring basis to continually check and verify that access is still required.
Access Reviews can help organizations ensure new and former employees have access needs processed accordingly and prevent too many rights from being granted that can lead to compromises or audit failures. When proactively reviewing resource access, you can ensure you meet your security and compliance regulations. Use cases for Access reviews include:
- Screening privileged roles like Global Administrator
- Group membership review such as groups for Conditional Access Exclusions
- Verifying Application access is still necessary
- Business critical asset access
- Guest user access reviews
- Automated and Recurring reviews for compliance needs.
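As an added example (not code from the original post), the following Python builds the request body for a recurring review of a Conditional Access exclusion group, which covers the group-membership and automated/recurring use cases above. The body follows the Microsoft Graph `accessReviewScheduleDefinition` schema used by `POST /identityGovernance/accessReviews/definitions`; the group id is a constructed placeholder, and the function only builds and validates the body rather than calling the API. Group owners are the reviewers, approvals require a written justification, and a reviewer who never responds causes the member to be denied, so stale exclusions are removed rather than silently kept.

```python
"""Build a recurring Azure AD access review definition for a group.

Added example, not from the original post. The request body follows the
Microsoft Graph `accessReviewScheduleDefinition` schema
(POST /identityGovernance/accessReviews/definitions). The group id below is a
constructed placeholder, and nothing here calls the API.
"""
import json
from datetime import date

# Constructed placeholder: a Conditional Access exclusion group to be reviewed.
CA_EXCLUSION_GROUP_ID = "00000000-0000-0000-0000-000000000001"


def build_group_access_review(group_id: str, start_date: str, name: str,
                              interval_weeks: int = 4,
                              duration_days: int = 7,
                              remove_on_no_response: bool = True) -> dict:
    """Return a Graph request body for a recurring review of a group's members.

    start_date is an ISO date (YYYY-MM-DD). Group owners are the reviewers,
    approvals need a written justification, and when remove_on_no_response is
    set a reviewer who never responds results in a Deny decision, which is
    applied automatically because autoApplyDecisionsEnabled is true.
    """
    date.fromisoformat(start_date)  # raises ValueError on a malformed date
    if interval_weeks < 1 or duration_days < 1:
        raise ValueError("interval and duration must be at least 1")
    if duration_days > interval_weeks * 7:
        raise ValueError("a review instance must end before the next one starts")
    return {
        "displayName": name,
        "descriptionForAdmins": f"Recurring membership review of group {group_id}",
        "descriptionForReviewers": "Confirm each member still needs this exclusion.",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [
            {"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}
        ],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "recommendationsEnabled": True,
            "autoApplyDecisionsEnabled": True,
            "defaultDecisionEnabled": remove_on_no_response,
            "defaultDecision": "Deny" if remove_on_no_response else "None",
            "instanceDurationInDays": duration_days,
            "recurrence": {
                "pattern": {"type": "weekly", "interval": interval_weeks},
                "range": {"type": "noEnd", "startDate": start_date},
            },
        },
    }


if __name__ == "__main__":
    body = build_group_access_review(CA_EXCLUSION_GROUP_ID, "2024-01-08",
                                     "CA exclusion group review")
    print(json.dumps(body, indent=2))
```

The duration check matters in practice: a review instance that is still open when the next one starts leaves reviewers with overlapping decisions, so the helper rejects that combination up front.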
Who can create and manage Access reviews depends on the Resource type. The chart below defines who can create, manage, and review Access reviews.
Entitlement Management is an Azure AD Identity Governance feature that gives administrators the ability to create, automate, and categorically group together the necessary resources into what is called an access package. Entitlement management manages both the Identity and Access lifecycles by providing access workflows, assignments, reviews, and expirations.
Entitlement management helps users get the access they need even when they did not know they needed certain access to resources. This access can be time limited, and B2B accounts can be automatically removed when it expires.
Global and User administrators have rights to create and manage entitlement management. Creation of access packages can be delegated to non-administrators, such as a project lead or manager. Users can also request access to a package.
Entitlement management can manage the following resources:
- Azure AD security group membership
- Microsoft 365 Group membership (including Teams)
- Azure AD application assignments
- SharePoint Online site membership
This lets organizations manage and assign several core features of Azure AD through a single package: licenses via group-based licensing, resources that are already governed by group assignments or Conditional Access requirements, and productivity platforms such as Microsoft Teams and SharePoint.
Privileged Identity Management
Azure AD Privileged Identity Management (PIM) provides an approval-based activation system for certain Azure AD roles to grant limited, or “Just-in-time” access to resources. With PIM, you can not only control and limit the length of access, but you can also:
- Enforce the use of Azure MFA for privileged roles
- Require approvals before activation
- Enforce written justifications
- Get notified when roles are activated
- Integrate with Entitlement Management and Access Reviews
- Provide audit history
Only Global and Privileged Role Administrators can manage PIM. However, you can delegate control for PIM approvals to any Azure AD user or group. Each user assignment grants the role to users in an eligible state where they can request to activate that specific role at any time. All requests are audited, and PIM can be incorporated into Access reviews to configure recurring evaluation of access needs.
The latest feature of PIM, Privileged Access Groups, also allows the use of Azure AD role-assignable groups. This allows administrators to use group-based assignments to hold privileged roles rather than direct user assignments. When a user requests access, they are essentially added to a group that indirectly grants the appropriate rights. When the time is up, they are removed from the group. This allows different policies to be applied to different groups of users, rather than a single policy on a single role.
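The following Python is an added example (not code from the original post) that models the controls PIM applies at activation time: an eligible user submits a time-limited self-activation request, and the role's activation policy requires MFA and a written justification and caps the activation duration. The policy rules follow the Microsoft Graph `unifiedRoleManagementPolicyRule` shapes (`Expiration_EndUser_Assignment`, `Enablement_EndUser_Assignment`) and the request follows `unifiedRoleAssignmentScheduleRequest` as used by `POST /roleManagement/directory/roleAssignmentScheduleRequests`. The principal and role ids are constructed placeholders, nothing here calls the API, and the `preflight` check is a local helper of this example (PIM performs the equivalent checks server-side; it does not expose this function).

```python
"""Model a PIM just-in-time activation against the role's activation policy.

Added example, not from the original post. Rule bodies follow the Graph
unifiedRoleManagementPolicyRule shapes, trimmed to the fields the local check
uses; the request follows unifiedRoleAssignmentScheduleRequest. Ids are
constructed placeholders and nothing here calls the API.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed placeholders for the example.
PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"
ROLE_DEFINITION_ID = "22222222-2222-2222-2222-222222222222"

_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def parse_iso_duration(value: str) -> timedelta:
    """Parse the PT#H#M durations PIM uses (e.g. 'PT8H', 'PT1H30M')."""
    m = _DURATION.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes)


def activation_policy_rules(max_duration: str = "PT8H",
                            require_ticket: bool = False) -> List[dict]:
    """Rules an admin would PATCH onto the role's management policy."""
    enabled = ["MultiFactorAuthentication", "Justification"]
    if require_ticket:
        enabled.append("Ticketing")
    return [
        {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
            "id": "Expiration_EndUser_Assignment",
            "isExpirationRequired": True,
            "maximumDuration": max_duration,
        },
        {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
            "id": "Enablement_EndUser_Assignment",
            "enabledRules": enabled,
        },
    ]


def self_activation_request(justification: str, duration: str,
                            ticket: Optional[str] = None) -> dict:
    """Body an eligible user submits to activate the role for `duration`."""
    body = {
        "action": "selfActivate",
        "principalId": PRINCIPAL_ID,
        "roleDefinitionId": ROLE_DEFINITION_ID,
        "directoryScopeId": "/",
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": datetime.now(timezone.utc).isoformat(),
            "expiration": {"type": "afterDuration", "duration": duration},
        },
    }
    if ticket:
        body["ticketInfo"] = {"ticketNumber": ticket, "ticketSystem": "helpdesk"}
    return body


def preflight(request: dict, rules: List[dict], mfa_satisfied: bool) -> List[str]:
    """Local helper (not a PIM API): list the policy violations PIM would reject."""
    problems = []
    by_id = {r["id"]: r for r in rules}
    enablement = by_id["Enablement_EndUser_Assignment"]["enabledRules"]
    expiration = by_id["Expiration_EndUser_Assignment"]
    if "Justification" in enablement and not request.get("justification", "").strip():
        problems.append("justification required")
    if "MultiFactorAuthentication" in enablement and not mfa_satisfied:
        problems.append("MFA required before activation")
    if "Ticketing" in enablement and "ticketInfo" not in request:
        problems.append("ticket required")
    requested = parse_iso_duration(request["scheduleInfo"]["expiration"]["duration"])
    if requested > parse_iso_duration(expiration["maximumDuration"]):
        problems.append("requested duration exceeds maximumDuration")
    return problems


if __name__ == "__main__":
    rules = activation_policy_rules()
    ok = self_activation_request("Rotate signing certificate, change #1234", "PT2H")
    print("valid request:", preflight(ok, rules, mfa_satisfied=True))
    bad = self_activation_request("", "PT12H")
    print("rejected request:", preflight(bad, rules, mfa_satisfied=False))
```

Because the activation carries an explicit `expiration`, the role is removed when it lapses without any admin action; the same request body, with the `action`, `justification` and `ticketInfo` fields, is what ends up in the PIM audit history described above.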
Each of these features will be discussed further in the next parts of this series providing insights and best practices on how to deploy each feature within your environment.
Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment. You can check out more in the Security section of our website.