19 August 2019

Understanding Azure AD Identity Governance

  • Identity and access management
  • Azure AD
  • Office 365
Marcus Idle

Let's explore the identity governance tools enabling greater levels of security and control for Azure AD administrators.

Azure Active Directory (AAD) provides many opportunities for consolidating access around your users’ identities, provisioning your staff onto AAD-aware applications (and ultimately your organisation’s data), and granting access to external users (partners, suppliers, etc.) too.

At the same time, granting access to individuals comes with risks to that data – particularly where, for example:

  • There are too many users in privileged roles.
  • Automation of access rules is difficult or there are many exceptions to the access rules.
  • There is a proliferation of security groups that nobody understands.
  • Guest (external) users are invited but not well managed.

Azure AD’s Identity Governance tools can help bring all of this under control, giving administrators the oversight they need while still letting users get on with their work.


What is Azure AD Identity Governance?

Several key areas make up the governance suite within Azure AD. Let’s look at how each of these enables greater control over your identities and their levels of access.

Entitlement management

Entitlement management in Azure Active Directory gives you the ability to create ‘access packages’ that group together sets of resources you would normally provide to many users. Resources can be security groups or Office 365 groups, applications, or SharePoint Online sites.

Managers can define how the access packages are rolled out – for example:

  • Who can apply for the package.
  • Whether it needs approval.
  • Who can approve the assignment.

This means that entitlements can be grouped into manageable sets, simplifying employee onboarding, but also reducing the number of ‘loose ends’ produced by mover and leaver processes.

Access reviews

Access reviews allow you to periodically review membership of a group or access to an application.

  • You can review everyone in a group, or just guest users.
  • You can decide who does the review – group owners, the users themselves, or other specific users.
  • Reviewers will receive an email which takes them to a web page for carrying out the review.

The review can be configured to apply a default decision (such as removing access) to anyone the reviewers do not respond on, and to apply the results automatically when the review closes, so an unanswered review does not silently leave access in place.

This mitigates against unchecked growth of security groups or access to other resources.

Over time, the membership of a group can become bloated or diffuse. An example of this could be a group based around a specific project. The original group is set up following a request to the service desk and is populated with the relevant users.

However, this type of group does not have a static membership. Over time, additional users will be added to the group as and when they join the project. It is very likely that users who leave the project remain in the group as there is not normally a request for people to be removed.

This type of growth leaves access in place for people who do not need it anymore.

An access review does exactly what you think it should do. The group owners – for example, the project or application manager – are asked to review the membership of the group and mark those who should no longer be members. These can then be automatically removed from the group.

Access reviews can be applied to groups or applications and can be set to repeat on a regular basis allowing for ongoing governance.
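As an added example (not code from the original article), the following PowerShell script creates the kind of recurring review described above: guest members of a project group, reviewed by the group’s owners every quarter, with non-responses treated as a removal and the outcome applied automatically. It uses the Microsoft Graph PowerShell SDK and the Microsoft Graph v1.0 access review endpoints, which postdate this 2019 post; the group ID and review names are placeholders, and the caller is assumed to be able to consent to the AccessReview.ReadWrite.All permission.

```powershell
# Added example: create a quarterly guest access review with the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph). Not part of the original article.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: the project group's object ID

$definition = @{
    displayName             = "Quarterly guest review - Project Atlas"        # placeholder name
    descriptionForAdmins    = "Guest members of the Project Atlas group, reviewed by the group owners"
    descriptionForReviewers = "Approve only guests who are still working on Project Atlas"
    # Scope: only guest (external) users who are transitive members of the group
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers/microsoft.graph.user/?`$filter=(userType eq 'Guest')"
        queryType     = "MicrosoftGraph"
    }
    # Reviewers: the group's owners, who know who is actually on the project
    reviewers = @(
        @{
            query     = "/groups/$groupId/owners"
            queryType = "MicrosoftGraph"
        }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true   # flags users with no recent sign-in
        instanceDurationInDays          = 14      # reviewers have two weeks to respond
        # These three settings stop the review from being a no-op: anyone not
        # reviewed is denied, and decisions are applied without an admin clicking "Apply".
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"
        autoApplyDecisionsEnabled       = $true
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }             # every three months
            range   = @{ type = "noEnd"; startDate = (Get-Date -Format "yyyy-MM-dd") }
        }
    }
}

$review = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions" `
    -Body $definition -ContentType "application/json"

"Created review $($review.id) ($($review.displayName)), status: $($review.status)"

# Later, once an instance has run: list each decision, who made it, and whether it was applied
$instances = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/$($review.id)/instances"
foreach ($inst in $instances.value) {
    $decisions = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/$($review.id)/instances/$($inst.id)/decisions"
    $decisions.value | ForEach-Object {
        "{0,-40} {1,-12} by {2,-30} applied: {3}" -f $_.principal.displayName, $_.decision, $_.reviewedBy.displayName, $_.applyResult
    }
}
```

The two settings worth checking in any review you inherit are defaultDecision and autoApplyDecisionsEnabled: a review whose default is None and which is never applied produces a report but removes nobody, which is exactly the ‘bloated group’ failure mode the section describes.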


Privileged Identity Management (PIM)

When we look at the administration of cloud services, particularly Azure, many organisations create separate accounts for their administrative users and give those accounts the Azure AD or Azure roles they need on a permanent basis.

While this seems straightforward, an administrative account that needs email (for alerts and notifications) requires a full licence. It also gives the user another ID and password to remember, and gives an attacker another account with standing privilege to target.

Rather than holding privileged roles permanently, the relevant users should be made eligible for them through Privileged Identity Management (PIM). An eligible user activates a specific role from the list available to them just in time and for a bounded period; the role’s settings can require multi-factor authentication, a justification and approval before the activation takes effect, and every activation is recorded in the audit log. Note that PIM, like access reviews and entitlement management, requires an Azure AD Premium P2 licence.
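As an added example (not code from the original article), this PowerShell script performs the elevation described above from the user’s side: it lists the roles the signed-in user is eligible for, resolves the role it wants by name, and submits a time-bound, justified activation request. It uses the Microsoft Graph PowerShell SDK and the Microsoft Graph v1.0 role management endpoints, which postdate this post; the role name, justification and ticket details are placeholders, and the user is assumed to already be eligible for the role and able to consent to the RoleAssignmentSchedule.ReadWrite.Directory and RoleEligibilitySchedule.Read.Directory permissions.

```powershell
# Added example: just-in-time activation of an eligible Azure AD role through PIM,
# using the Microsoft Graph PowerShell SDK. Not part of the original article.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "RoleEligibilitySchedule.Read.Directory"

$me = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me?`$select=id,userPrincipalName"

# 1. Which roles is this user eligible for? (the "list available to them")
$eligible = Invoke-MgGraphRequest -Method GET -Uri ("https://graph.microsoft.com/v1.0/roleManagement/directory/" +
    "roleEligibilitySchedules/filterByCurrentUser(on='principal')?`$expand=roleDefinition")
$eligible.value | ForEach-Object { "Eligible: $($_.roleDefinition.displayName) (scope $($_.directoryScopeId))" }

# 2. Pick the least-privileged role that does the job and resolve its definition ID by name
$roleName = "User Administrator"   # placeholder: choose the narrowest role for the task
$roleDef = (Invoke-MgGraphRequest -Method GET -Uri ("https://graph.microsoft.com/v1.0/roleManagement/directory/" +
    "roleDefinitions?`$filter=displayName eq '$roleName'")).value[0]
if (-not $roleDef) { throw "Role '$roleName' not found" }

# 3. Request activation: bounded in time, with a justification and ticket reference for the audit log
$request = @{
    action           = "selfActivate"
    principalId      = $me.id
    roleDefinitionId = $roleDef.id
    directoryScopeId = "/"                                  # tenant-wide; an administrative unit path narrows it
    justification    = "Reset MFA for a user after a verified helpdesk ticket"   # placeholder
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "AfterDuration"; duration = "PT2H" }          # active for two hours, then gone
    }
    ticketInfo       = @{ ticketNumber = "INC0012345"; ticketSystem = "ServiceNow" }   # placeholder values
}

$result = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests" `
    -Body $request -ContentType "application/json"

# "Provisioned" means the role is active now; "PendingApproval" means the role's PIM
# settings route the request to an approver first (they may also demand MFA at activation).
"Request $($result.id) for $roleName: $($result.status)"
```

The activation expires on its own at the end of the requested duration, which is the point of the exercise: the account carries no standing privilege, so a stolen password or token buys an attacker only what the user has activated at that moment, and each activation leaves a justified, time-stamped entry in the audit log.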

Terms of Use

The ‘terms of use’ feature helps you to fulfil your requirements under GDPR and to keep your users (both internal and external) informed of their obligations when accessing your organisation’s data.

Terms of use are presented through a Conditional Access policy: when a user in scope signs in to an application the policy covers, they must accept the terms before access is granted. Each acceptance is recorded against the user with the date and time, and can be reported on.

The acceptance can then be set to expire on a regular schedule (monthly, quarterly, semi-annually or annually), or a fixed number of days after each user’s acceptance.

Once expired, users must accept the terms again before they can continue to use the covered services.


Achieving greater governance

Using the identity governance tools within Azure AD will enable you to automate more of your lifecycle processes whilst affording you a greater degree of control and security to ensure that only those users eligible for access have it.

If you have, or are considering using Azure AD, it’s well worth factoring in and applying the governance options available to you, as it will ensure that you make the most of your investment while streamlining and consistently improving the health of your identities and IT infrastructure.

You can take these controls a step further: watch our identity governance webinar on demand to discover how to take your Azure AD governance to the next level.

Marcus Idle, Head of CIAM and IP Development