Substantive Overview
Identity Governance and Administration (IGA) has traditionally been the domain of heavy, on-premises platforms like SailPoint IIQ or Saviynt. These tools excelled at complex, cross-platform orchestration but were expensive to deploy and maintain.
Microsoft has aggressively expanded Entra ID (formerly Azure AD) to include "Entra ID Governance," a suite of IGA capabilities native to the platform. The strategic question for architects is no longer "Do I need an IGA tool?" but "Is Entra ID Governance enough?"
For 80% of organizations—those primarily using M365, Azure, and SaaS apps supporting SCIM—Entra ID Governance is sufficient and superior due to its integration with the authentication path. For the remaining 20% with complex mainframe, SAP, or disconnected legacy systems requiring fine-grained entitlement management, a dedicated IGA tool (or a hybrid approach) may still be required.
Architecture & Patterns
Pattern 1: Entra ID Native Governance (The Modern Path)
Entra ID acts as the central brain for lifecycle and access. HR drives provisioning; Entra drives downstream apps via SCIM.
Pattern 2: Hybrid / Co-existence (The Complex Reality)
Using a traditional IGA tool for "heavy lifting" (fine-grained SAP roles, mainframes) while Entra handles access management and simple apps.
Key Design Decisions
| Decision | Options | Recommendation | Context |
|---|---|---|---|
| Provisioning Engine | Entra ID (SCIM) vs. 3rd Party IGA | Entra ID (First) | Use Entra for everything that supports SCIM. It's real-time and free (mostly). Use IGA only for what Entra can't reach (e.g., on-prem legacy database connectors). |
| Joiner/Mover/Leaver | Lifecycle Workflows vs. Custom Scripts | Lifecycle Workflows | Scripts are fragile. Lifecycle Workflows (native) provide a visual, managed way to handle onboarding/offboarding tasks. |
| Access Reviews | Entra Access Reviews vs. Manager Email | Entra Access Reviews | "Email verification" is an audit failure. Entra Reviews provide an immutable audit trail and auto-remediation (revocation). |
| Request Model | Entitlement Management vs. ITSM Ticket | Entitlement Management | "Access Packages" allow self-service with approval workflows and automatic expiry. Tickets often result in permanent access. |
| Privileged Access | PIM vs. Permanent Admin | PIM (Privileged Identity Mgmt) | Zero Standing Access. All admin access must be JIT (Just-in-Time), time-bound, and approved. |
Implementation Strategy
Phase 0: Data Cleanliness
- HR Linkage: Ensure unique identifiers (EmployeeID) exist in both HR and AD/Entra.
- Manager Data: Governance fails without accurate "Manager" attributes. Fix the org chart first.
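The two Phase 0 checks above (HR linkage on a unique EmployeeID, and a populated Manager attribute) are easy to script against exports of the HR system and the directory. The following is an added example, not tooling from the page or from Microsoft: it joins a constructed HR export to a constructed directory export on `employeeId` and reports the conditions that would break HR-driven provisioning or manager-based approvals. All field names, records and the `TOP_LEVEL_IDS` exception list are assumptions; in a real run the directory side would be the Entra user list (for instance pulled via Microsoft Graph) and the HR side the Workday/SuccessFactors extract.

```python
"""Phase 0 data-quality check (added example; field names and records are
constructed assumptions, not the page's or Microsoft's own tooling)."""
from collections import Counter

# Constructed HR export (assumed field names).
HR_RECORDS = [
    {"employeeId": "E1000", "email": "dana@example.com",   "managerId": ""},       # top of org chart
    {"employeeId": "E1001", "email": "alice@example.com",  "managerId": "E1000"},
    {"employeeId": "E1002", "email": "bob@example.com",    "managerId": "E1000"},
    {"employeeId": "E1003", "email": "carol@example.com",  "managerId": "E1000"},
    {"employeeId": "E1003", "email": "carol2@example.com", "managerId": "E1000"},  # duplicate id
]

# Constructed directory export (assumed field names, loosely modelled on a Graph user object).
DIRECTORY_USERS = [
    {"userPrincipalName": "dana@example.com",  "employeeId": "E1000", "manager": None},
    {"userPrincipalName": "alice@example.com", "employeeId": "E1001", "manager": "dana@example.com"},
    {"userPrincipalName": "bob@example.com",   "employeeId": "E1002", "manager": None},               # manager missing
    {"userPrincipalName": "eve@example.com",   "employeeId": "",      "manager": "dana@example.com"},  # no HR link
]

# Accounts that legitimately have no manager (assumption: only the top of the org chart).
TOP_LEVEL_IDS = {"E1000"}


def check_data_quality(hr, users, top_level=TOP_LEVEL_IDS):
    """Return the Phase 0 findings as sorted lists, plus an overall readiness flag."""
    id_counts = Counter(r["employeeId"] for r in hr if r["employeeId"])
    hr_ids = set(id_counts)
    linked_ids = {u["employeeId"] for u in users if u["employeeId"]}

    findings = {
        # Same employeeId on two HR rows: the provisioning join is ambiguous.
        "duplicate_hr_ids": sorted(i for i, n in id_counts.items() if n > 1),
        # HR people with no account carrying their id: inbound provisioning cannot match them.
        "hr_without_account": sorted(hr_ids - linked_ids),
        # Accounts with an empty or unknown employeeId: nothing in HR drives their lifecycle.
        "unlinked_accounts": sorted(
            u["userPrincipalName"] for u in users
            if not u["employeeId"] or u["employeeId"] not in hr_ids
        ),
        # No manager attribute: approvals and manager-based access reviews have no one to route to.
        "missing_manager": sorted(
            u["userPrincipalName"] for u in users
            if not u["manager"] and u["employeeId"] not in top_level
        ),
    }
    ready = not any(findings.values())
    findings["ready_for_governance"] = ready
    return findings


if __name__ == "__main__":
    for key, value in check_data_quality(HR_RECORDS, DIRECTORY_USERS).items():
        print(f"{key}: {value}")
```

On the constructed data the check reports the duplicate `E1003`, the HR row with no linked account, `eve@example.com` as an account HR cannot drive, and `bob@example.com` as missing a manager, so the tenant is not yet ready for Phase 1.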
Phase 1: Lifecycle Automation (JML)
- Inbound Provisioning: Connect Workday/SuccessFactors to Entra ID directly (bypass flat files if possible).
- Lifecycle Workflows: Configure "Leaver" workflow to disable account, revoke sessions, and remove licenses 24 hours after termination.
Phase 2: Access Management
- Entitlement Management: Bundle resources (Teams, SharePoint, Apps) into "Access Packages" for roles (e.g., "Marketing Onboarding").
- Self-Service: Enable "My Access" portal for users to request these packages.
Phase 3: Certification
- Access Reviews: Pilot quarterly reviews for "Guest Users" and "Global Admins".
- Expansion: Roll out reviews for all "High Business Impact" applications.
Phase 4: Privileged Access (PIM)
- Role Activation: Require MFA + Ticket Number to activate "Global Admin".
- Discovery: Use PIM Discovery to find who has permanent admin rights and convert them to eligible.
Risks & Anti-Patterns
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| "Rubber Stamping" | High | Medium | Managers approving all access reviews without looking. Mitigation: Use "Decision Helper" (recommendations) and "Multi-stage" reviews. |
| Orphaned Accounts | Medium | High | Leaver process fails to trigger. Mitigation: Reconciliation checks; "Last Sign-in" monitoring. |
| Over-Engineering | High | Low | Trying to model every permission in Entra. Mitigation: Focus on "Birthright" access first. 80/20 rule. |
| Circular Dependencies | Low | High | PIM requiring MFA, but MFA requiring PIM to configure. Mitigation: Break-glass accounts. |
| Notification Fatigue | High | Medium | Sending too many review emails. Mitigation: Batch reviews; set longer durations. |
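The "Rubber Stamping" row above names the mitigations (decision helper, multi-stage reviews) but the condition is also detectable from the review decisions themselves. The following is an added example, not code from the page or from Microsoft: it runs over a constructed set of decision records whose field names are modelled on the Graph access review decision item (`reviewedBy`, `decision`, `recommendation`, `reviewedDateTime`; treat the names as an assumption) and flags reviewers who approved everything in a burst or approved against the decision helper's Deny recommendation. The thresholds are assumptions to tune per tenant.

```python
"""Rubber-stamp detection over access review decisions (added example; records
and field names are constructed assumptions)."""
from collections import defaultdict
from datetime import datetime

# Constructed decision export from one review instance.
DECISIONS = [
    # mgr1 approves five items in a 12-second burst, twice against a Deny recommendation.
    {"reviewedBy": "mgr1@example.com", "decision": "Approve", "recommendation": "Approve", "reviewedDateTime": "2024-05-02T09:00:00+00:00"},
    {"reviewedBy": "mgr1@example.com", "decision": "Approve", "recommendation": "Deny",    "reviewedDateTime": "2024-05-02T09:00:03+00:00"},
    {"reviewedBy": "mgr1@example.com", "decision": "Approve", "recommendation": "Approve", "reviewedDateTime": "2024-05-02T09:00:06+00:00"},
    {"reviewedBy": "mgr1@example.com", "decision": "Approve", "recommendation": "Deny",    "reviewedDateTime": "2024-05-02T09:00:09+00:00"},
    {"reviewedBy": "mgr1@example.com", "decision": "Approve", "recommendation": "Approve", "reviewedDateTime": "2024-05-02T09:00:12+00:00"},
    # mgr2 works through the list over twenty minutes and follows the recommendations.
    {"reviewedBy": "mgr2@example.com", "decision": "Approve",     "recommendation": "Approve", "reviewedDateTime": "2024-05-02T10:00:00+00:00"},
    {"reviewedBy": "mgr2@example.com", "decision": "Deny",        "recommendation": "Deny",    "reviewedDateTime": "2024-05-02T10:12:00+00:00"},
    {"reviewedBy": "mgr2@example.com", "decision": "Approve",     "recommendation": "Approve", "reviewedDateTime": "2024-05-02T10:20:00+00:00"},
    {"reviewedBy": "mgr2@example.com", "decision": "NotReviewed", "recommendation": "Deny",    "reviewedDateTime": None},
]


def reviewer_stats(decisions):
    """Per-reviewer approval rate, pace and count of approvals that overrode a Deny recommendation."""
    by_reviewer = defaultdict(list)
    for d in decisions:
        if d["decision"] == "NotReviewed":   # not a decision, so it says nothing about the reviewer
            continue
        by_reviewer[d["reviewedBy"]].append(d)

    stats = {}
    for reviewer, items in by_reviewer.items():
        times = sorted(datetime.fromisoformat(i["reviewedDateTime"]) for i in items)
        span_seconds = (times[-1] - times[0]).total_seconds()
        approvals = sum(1 for i in items if i["decision"] == "Approve")
        overrides = sum(1 for i in items
                        if i["decision"] == "Approve" and i["recommendation"] == "Deny")
        stats[reviewer] = {
            "decided": len(items),
            "approval_rate": approvals / len(items),
            "seconds_per_decision": span_seconds / len(items),
            "overrode_deny": overrides,
        }
    return stats


def flag_rubber_stampers(decisions, min_decisions=5, max_seconds_per_decision=5.0):
    """Reviewers with 100% approval who either decided in a burst or ignored Deny recommendations.

    Thresholds are assumptions; calibrate against a tenant's own review history.
    """
    return sorted(
        reviewer for reviewer, s in reviewer_stats(decisions).items()
        if s["decided"] >= min_decisions
        and s["approval_rate"] == 1.0
        and (s["seconds_per_decision"] <= max_seconds_per_decision or s["overrode_deny"] > 0)
    )


if __name__ == "__main__":
    print(flag_rubber_stampers(DECISIONS))
```

Flagged reviewers are candidates for a second-stage reviewer (multi-stage review) or a targeted conversation, not automatic revocation: the signal says the review was not performed, not that the access was wrong.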
KPIs & Outcomes
- Onboarding Speed: New hire has access in under 4 hours (target: under 1 hour).
- Offboarding Reliability: 100% of leavers revoked within 24 hours of HR termination.
- Review Coverage: 100% of sensitive roles reviewed quarterly.
- Standing Privileges: 0 permanent Global Admins (all PIM).
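The "Orphaned Accounts" mitigation in the risk table (reconciliation against HR plus last sign-in monitoring) and the offboarding-reliability and standing-privilege KPIs above are measurements of the same data, so one script can produce all of them. The following is an added example, not code from the page or from Microsoft: it runs over a constructed HR leaver feed, a constructed directory snapshot and a constructed PIM-style role list. Field names, the records, the `disabledDateTime` field (which in practice would be derived from the audit log) and the `assignmentType` values are all assumptions.

```python
"""Leaver reconciliation and governance KPIs (added example; all records and
field names are constructed assumptions)."""
from datetime import datetime, timedelta

NOW = datetime.fromisoformat("2024-06-10T12:00:00+00:00")  # constructed "as of" time
SLA = timedelta(hours=24)                                   # the 24-hour leaver target from the KPIs

HR_TERMINATIONS = [  # constructed HR feed of leavers
    {"employeeId": "E2001", "terminationDateTime": "2024-06-01T17:00:00+00:00"},
    {"employeeId": "E2002", "terminationDateTime": "2024-06-08T17:00:00+00:00"},
    {"employeeId": "E2003", "terminationDateTime": "2024-06-09T17:00:00+00:00"},
]

DIRECTORY_USERS = [  # constructed directory snapshot (disabledDateTime assumed to come from the audit log)
    {"userPrincipalName": "u1@example.com", "employeeId": "E2001", "accountEnabled": False,
     "disabledDateTime": "2024-06-01T19:00:00+00:00", "lastSignInDateTime": "2024-06-01T16:30:00+00:00"},
    {"userPrincipalName": "u2@example.com", "employeeId": "E2002", "accountEnabled": True,
     "disabledDateTime": None, "lastSignInDateTime": "2024-06-09T08:00:00+00:00"},
    {"userPrincipalName": "u3@example.com", "employeeId": "E2003", "accountEnabled": True,
     "disabledDateTime": None, "lastSignInDateTime": "2024-06-09T15:00:00+00:00"},
    {"userPrincipalName": "u4@example.com", "employeeId": "E2004", "accountEnabled": True,
     "disabledDateTime": None, "lastSignInDateTime": "2024-06-10T09:00:00+00:00"},
]

ROLE_ASSIGNMENTS = [  # constructed PIM-style view: "permanent" (active, no end) vs "eligible"
    {"principal": "admin1@example.com", "role": "Global Administrator", "assignmentType": "permanent"},
    {"principal": "admin2@example.com", "role": "Global Administrator", "assignmentType": "eligible"},
    {"principal": "admin3@example.com", "role": "User Administrator",   "assignmentType": "permanent"},
]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def leaver_status(terminations, users, now=NOW, sla=SLA):
    """Classify each leaver: on_time, late (disabled after the SLA), overdue (still
    enabled past the deadline), pending (deadline not reached) or no_account."""
    by_id = {u["employeeId"]: u for u in users}
    status = {}
    for t in terminations:
        term = _ts(t["terminationDateTime"])
        user = by_id.get(t["employeeId"])
        if user is None:
            status[t["employeeId"]] = "no_account"
            continue
        disabled = _ts(user["disabledDateTime"]) if not user["accountEnabled"] else None
        if disabled is not None:
            status[t["employeeId"]] = "on_time" if disabled - term <= sla else "late"
        elif now - term > sla:
            status[t["employeeId"]] = "overdue"
        else:
            status[t["employeeId"]] = "pending"
    return status


def offboarding_reliability(status):
    """KPI: share of leavers whose deadline has passed that were disabled within the SLA."""
    measured = [s for s in status.values() if s in ("on_time", "late", "overdue")]
    if not measured:
        return None
    return measured.count("on_time") / len(measured)


def orphan_candidates(terminations, users, now=NOW, sla=SLA):
    """Reconciliation: leavers still enabled past the SLA, with a post-termination sign-in flag."""
    status = leaver_status(terminations, users, now, sla)
    by_id = {u["employeeId"]: u for u in users}
    out = []
    for t in terminations:
        if status[t["employeeId"]] != "overdue":
            continue
        user = by_id[t["employeeId"]]
        term = _ts(t["terminationDateTime"])
        last = _ts(user["lastSignInDateTime"])
        out.append({
            "userPrincipalName": user["userPrincipalName"],
            "hours_overdue": round((now - term - sla).total_seconds() / 3600, 1),
            "signed_in_after_termination": last is not None and last > term,
        })
    return out


def standing_global_admins(assignments, role="Global Administrator"):
    """KPI: principals holding the role permanently rather than as PIM-eligible (target: none)."""
    return sorted(a["principal"] for a in assignments
                  if a["role"] == role and a["assignmentType"] == "permanent")


if __name__ == "__main__":
    status = leaver_status(HR_TERMINATIONS, DIRECTORY_USERS)
    print("leaver status:", status)
    print("offboarding reliability:", offboarding_reliability(status))
    print("orphan candidates:", orphan_candidates(HR_TERMINATIONS, DIRECTORY_USERS))
    print("standing Global Admins:", standing_global_admins(ROLE_ASSIGNMENTS))
```

On the constructed data one leaver was disabled in time, one is 19 hours past the deadline and has signed in since termination (the case the "Last Sign-in" monitoring exists to catch), one is still inside the window, and one Global Administrator holds the role permanently, so both KPIs are below target. Leavers still inside the SLA window are deliberately excluded from the reliability figure so that a report run mid-day does not count a normal in-progress termination as a failure.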
Workshop Questions
- What is the "Source of Truth" for identities? (HR? AD? Excel?)
- How do you handle "Leavers" today? Is it manual or automated?
- Do you have "non-employee" identities (contractors) in the HR system?
- Do you need to provision accounts into legacy on-prem systems (Mainframe, AS/400)?
- What is the current process for requesting access to a folder/app?
- Are managers accurate in the directory?
- Do you require multiple levels of approval for sensitive access?
- How do you audit who has access to what today?
- Do you have a "Separation of Duties" (SoD) requirement? (Entra has limited SoD).
- Are you using PIM today?
- What "Birthright" access does every employee get?
- Do you have "Role Based Access Control" (RBAC) defined conceptually?
- How do you handle "Transfers" (Movers)? Do they keep old access? (Accumulation of privileges).
- Do you need to write back email addresses to the HR system?
- What is the budget? (IGA tools are expensive; Entra Governance is often included in E5).
Checklist
- License Check: Verify Entra ID Governance or E5 licenses.
- PIM Activation: Enable PIM for all Entra ID (formerly Azure AD) roles.
- HR Connection: Configure inbound provisioning agent.
- Catalog: Create a Catalog in Entitlement Management.
- Access Package: Create the first "Pilot" access package.
- Leaver Workflow: Configure the "Real-time termination" flow.
- Review Schedule: Define the calendar for Access Reviews (e.g., Feb/May/Aug/Nov).
