19 August 2019

Understanding Azure AD Identity Governance

Written by Marcus Idle

Let's explore the identity governance tools enabling greater levels of security and control for Azure AD administrators.

Azure Active Directory (AAD) provides many opportunities for consolidating access around your users’ identities, provisioning your staff onto AAD-aware applications (and ultimately your organisation’s data), and granting access to external users (partners, suppliers, etc.) too.

At the same time, granting access to individuals comes with risks to that data – particularly where, for example:

  • There are too many users in privileged roles.
  • Automation of access rules is difficult or there are many exceptions to the access rules.
  • There is a proliferation of security groups that nobody understands.
  • Guest (external) users are invited but not well managed.

Azure AD’s Identity Governance tools can help get all of this under control, giving you the control you need to liberate your users.

What is Azure AD Identity Governance?

There are several key areas that make up the governance suite within Azure AD. Let’s look at how each of these enables greater control over your identities and their levels of access.

Entitlement management

Entitlement management in Azure Active Directory gives you the ability to create ‘access packages’ that group together sets of resources you would normally provide to many users. Resources can be security or Office 365 groups, applications, or SharePoint sites.

Managers can define how the access packages are rolled out – for example:

  • Who can apply for the package.
  • Whether it needs approval.
  • Who can approve the assignment.

This means that entitlements can be grouped into manageable sets, simplifying employee onboarding, but also reducing the number of ‘loose ends’ produced by mover and leaver processes.

Access reviews

Access reviews allow you to periodically review membership of a group or access to an application.

  • You can review everyone in a group, or just guest users.
  • You can decide who does the review – group owners, the users themselves, or other specific users.
  • Reviewers will receive an email which takes them to a web page for carrying out the review.

The process can provide automated access removal if users do not respond to the access review emails.

This mitigates against unchecked growth of security groups or access to other resources.

Over time, the membership of a group can become bloated or diffuse. An example of this could be a group based around a specific project. The original group is set up following a request to the service desk and is populated with the relevant users.

However, this type of group does not have a static membership. Over time, additional users will be added to the group as and when they join the project. It is very likely that users who leave the project remain in the group as there is not normally a request for people to be removed.

This type of growth leaves access in place for people who do not need it anymore.

An access review does exactly what you think it should do. The group owners – for example, the project or application manager – are asked to review the membership of the group and mark those who should no longer be members. These can then be automatically removed from the group.

Access reviews can be applied to groups or applications and can be set to repeat on a regular basis allowing for ongoing governance.
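As an added illustration (not code from the original article), the following Python builds the request body that the Microsoft Graph access reviews API expects for the group scenario described above, and simulates how decisions are applied when the review closes. The group id, member names and recorded decisions are constructed sample values; the Graph property names are those of the v1.0 `accessReviewScheduleDefinition` resource.

```python
from datetime import date

# Constructed sample data (not from the article): a project group's members and
# the decisions its owners recorded in the review portal. Members with no
# recorded decision stand in for reviewers who never answered the review email.
GROUP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder group object id
MEMBERS = ["alice@example.com", "bob@example.com",
           "carol@example.com", "guest_dave@partner.example"]
DECISIONS = {"alice@example.com": "Approve", "bob@example.com": "Deny"}


def access_review_definition(group_id, guests_only=False,
                             default_decision="Deny", days=14, months=3):
    """Body for POST /identityGovernance/accessReviews/definitions (Graph v1.0).

    Scope is the group's transitive membership (optionally only guest users),
    the group owners are the reviewers, decisions are applied automatically,
    and a non-response counts as default_decision. With "Deny" that is the
    automated removal of stale access the article describes.
    """
    query = f"/groups/{group_id}/transitiveMembers"
    if guests_only:
        query += "/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')"
    return {
        "displayName": f"Quarterly membership review for group {group_id}",
        "descriptionForReviewers": "Approve only members who still need this access.",
        "scope": {"@odata.type": "#microsoft.graph.accessReviewQueryScope",
                  "query": query, "queryType": "MicrosoftGraph"},
        "reviewers": [{"query": f"/groups/{group_id}/owners",
                       "queryType": "MicrosoftGraph"}],
        "settings": {
            "autoApplyDecisionsEnabled": True,
            "defaultDecisionEnabled": True,
            "defaultDecision": default_decision,
            "instanceDurationInDays": days,
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": months},
                "range": {"type": "noEnd", "startDate": date.today().isoformat()},
            },
        },
    }


def apply_decisions(members, decisions, default_decision="Deny"):
    """Simulate closing a review: members without a decision get the default.
    Returns (kept, removed) in the original membership order."""
    kept, removed = [], []
    for member in members:
        outcome = decisions.get(member, default_decision)
        (kept if outcome == "Approve" else removed).append(member)
    return kept, removed
```

With `defaultDecision` set to `"Deny"`, the two members nobody reviewed are removed along with the one explicitly denied; with `"Approve"`, only the explicit denial is acted on, which is why the default matters more than the review itself when reviewers ignore the email.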


Privileged Identity Management (PIM)

When we look at the administration of cloud services, particularly Azure, many organisations create multiple accounts for their administrative users. These accounts are given the relevant roles in Azure to accomplish their job.

While this seems straightforward, the administrative user will usually need access to email (for alerts and information) and so will require a full licence. It also means that the user has another ID and password to remember, and gives an attacker another account to target.

Rather than give a user access all the time, the relevant users should be allowed to use Privileged Identity Management (PIM). This allows a user to request elevation to a specific role from a list that is available to them. This is then approved, and the user granted the relevant permissions.

Terms of Use

The ‘terms of use’ feature helps you to fulfil your requirements under GDPR and to keep your users (both internal and external) informed of their obligations when accessing your organisation’s data.

As a user accesses any of the Azure services and authenticates, they are asked to accept the “Terms of Use”. This acceptance is then stored, and the user object in the directory is tagged with the date and time of the acceptance.

The acceptance can then be expired on a regular basis (annually, bi-annually, quarterly or monthly).

This will then ensure that all of the users must accept the terms before they can use the Azure services.

Achieving greater governance

Using the identity governance tools within Azure AD will enable you to automate more of your lifecycle processes whilst affording you a greater degree of control and security to ensure that only those users eligible for access have it.

If you have, or are considering using Azure AD, it’s well worth factoring in and applying the governance options available to you, as it will ensure that you make the most of your investment while streamlining and consistently improving the health of your identities and IT infrastructure.

You can even take these controls a step further, watch our identity governance webinar on-demand to discover how you can take your Azure AD governance to the next level.

