Identity Governance: Entra vs Dedicated IGA

Substantive Overview

Identity Governance and Administration (IGA) has traditionally been the domain of heavy, on-premises platforms like SailPoint IIQ or Saviynt. These tools excelled at complex, cross-platform orchestration but were expensive to deploy and maintain.

Microsoft has aggressively expanded Entra ID (formerly Azure AD) to include "Entra ID Governance," a suite of IGA capabilities native to the platform. The strategic question for architects is no longer "Do I need an IGA tool?" but "Is Entra ID Governance enough?"

For 80% of organizations—those primarily using M365, Azure, and SaaS apps supporting SCIM—Entra ID Governance is sufficient and superior due to its integration with the authentication path. For the remaining 20% with complex mainframe, SAP, or disconnected legacy systems requiring fine-grained entitlement management, a dedicated IGA tool (or a hybrid approach) may still be required.

Decision	Options	Recommendation	Context
Provisioning Engine	Entra ID (SCIM) vs. 3rd Party IGA	Entra ID (First)	Use Entra for everything that supports SCIM. It's real-time and free (mostly). Use IGA only for what Entra can't reach (e.g., on-prem legacy database connectors).
Joiner/Mover/Leaver	Lifecycle Workflows vs. Custom Scripts	Lifecycle Workflows	Scripts are fragile. Lifecycle Workflows (native) provide a visual, managed way to handle onboarding/offboarding tasks.
Access Reviews	Entra Access Reviews vs. Manager Email	Entra Access Reviews	"Email verification" is audit failure. Entra Reviews provide an immutable audit trail and auto-remediation (revocation).
Request Model	Entitlement Management vs. ITSM Ticket	Entitlement Management	"Access Packages" allow self-service with approval workflows and automatic expiry. Tickets often result in permanent access.
Privileged Access	PIM vs. Permanent Admin	PIM (Privileged Identity Mgmt)	Zero Standing Access. All admin access must be JIT (Just-in-Time), time-bound, and approved.

Implementation Strategy

Phase 0: Data Cleanliness

HR Linkage: Ensure unique identifiers (EmployeeID) exist in both HR and AD/Entra.
Manager Data: Governance fails without accurate "Manager" attributes. Fix the org chart first.

Phase 1: Lifecycle Automation (JML)

Inbound Provisioning: Connect Workday/SuccessFactors to Entra ID directly (bypass flat files if possible).
Lifecycle Workflows: Configure "Leaver" workflow to disable account, revoke sessions, and remove licenses 24 hours after termination.

Phase 2: Access Management

Entitlement Management: Bundle resources (Teams, SharePoint, Apps) into "Access Packages" for roles (e.g., "Marketing Onboarding").
Self-Service: Enable "My Access" portal for users to request these packages.

Phase 3: Certification

Access Reviews: Pilot quarterly reviews for "Guest Users" and "Global Admins".
Expansion: Roll out reviews for all "High Business Impact" applications.

Phase 4: Privileged Access (PIM)

Role Activation: Require MFA + Ticket Number to activate "Global Admin".
Discovery: Use PIM Discovery to find who has permanent admin rights and convert them to eligible.

Risks & Anti-Patterns

Risk	Likelihood	Impact	Mitigation
"Rubber Stamping"	High	Medium	Managers approving all access reviews without looking. Mitigation: Use "Decision Helper" (recommendations) and "Multi-stage" reviews.
Orphaned Accounts	Medium	High	Leaver process fails to trigger. Mitigation: Reconciliation checks; "Last Sign-in" monitoring.
Over-Engineering	High	Low	Trying to model every permission in Entra. Mitigation: Focus on "Birthright" access first. 80/20 rule.
Circular Dependencies	Low	High	PIM requiring MFA, but MFA requiring PIM to configure. Mitigation: Break-glass accounts.
Notification Fatigue	High	Medium	Sending too many review emails. Mitigation: Batch reviews; set longer durations.

KPIs & Outcomes

Onboarding Speed: New hire has access in under 4 hours (target: under 1 hour).
Offboarding Reliability: 100% of leavers revoked within 24 hours of HR termination.
Review Coverage: 100% of sensitive roles reviewed quarterly.
Standing Privileges: 0 permanent Global Admins (all PIM).

Workshop Questions

What is the "Source of Truth" for identities? (HR? AD? Excel?)
How do you handle "Leavers" today? Is it manual or automated?
Do you have "non-employee" identities (contractors) in the HR system?
Do you need to provision accounts into legacy on-prem systems (Mainframe, AS/400)?
What is the current process for requesting access to a folder/app?
Are managers accurate in the directory?
Do you require multiple levels of approval for sensitive access?
How do you audit who has access to what today?
Do you have a "Separation of Duties" (SoD) requirement? (Entra has limited SoD).
Are you using PIM today?
What "Birthright" access does every employee get?
Do you have "Role Based Access Control" (RBAC) defined conceptually?
How do you handle "Transfers" (Movers)? Do they keep old access? (Accumulation of privileges).
Do you need to write back email addresses to the HR system?
What is the budget? (IGA tools are expensive; Entra Governance is often included in E5).

Checklist

License Check: Verify Entra ID Governance or E5 licenses.
PIM Activation: Enable PIM for all Azure AD Roles.
HR Connection: Configure inbound provisioning agent.
Catalog: Create a Catalog in Entitlement Management.
Access Package: Create the first "Pilot" access package.
Leaver Workflow: Configure the "Real-time termination" flow.
Review Schedule: Define the calendar for Access Reviews (e.g., Feb/May/Aug/Nov).