Azure AD Identity Governance

October 30, 2020 Lavanya Murthy


In a world of cloud and mobile, perimeter-based security no longer works: the castle-and-moat approach cannot protect users and resources that sit outside the moat. A Zero Trust approach to security is imperative, and it starts with identity. The number of workforce identities in the enterprise is growing dramatically, thanks in part to modern collaboration applications that make it easy for employees to share information, data, and files with external users (vendors, business partners, contractors and customers). Identity compromise has also increased dramatically. Organizations can protect against these threats with Azure AD identity security features such as Multi-Factor Authentication, Identity Protection, Conditional Access, Password Protection, passwordless authentication, Defender for Identity and others.

Identity governance also plays a crucial role: it avoids excessive access and access that persists longer than needed, and it manages the risk associated with the access that remains. Cloud-based access governance is gaining momentum as an industry trend. Organizations are looking to an IDaaS solution not only for traditional identity management tasks like creating users, but also for identity governance capabilities, especially in highly regulated verticals.


With Azure AD Identity Governance features, organizations can govern identities and access across all applications and provide self-service to support business-level decisions. Policy-driven automation for reviews, requests, and approvals, as well as analytics-driven insights, are extensible through standards, APIs, and partnerships, and the resulting reports can be tailored to compliance reporting needs.

The first step toward centralized governance through Azure AD Identity Governance is to bring all users and applications into Azure Active Directory. You can bring users into Azure AD in several ways:

  • Integrate Azure AD with HR systems, whether hosted in the cloud or on on-premises servers, so that they drive the entire Join-Move-Leave (JML) process
  • Bring in users from acquisitions or subsidiaries with multiple disconnected Active Directory environments
  • Bring in users from other Azure AD tenants, federated environments, or social IdPs

The second step on the Azure AD Identity Governance journey is to bring the apps that users need access to into Azure AD. Forrester’s Total Economic Impact of Securing Apps with Azure AD found that by using Azure AD single sign-on across applications, companies reduced operational overhead by 50% and password reset requests by 75%.

  • Azure AD provides single sign-on for over 3,000 pre-integrated SaaS apps and for classic/legacy applications, regardless of where they are hosted.
  • You can use Azure AD Application Proxy to provide secure hybrid remote access to internal resources, or use the integrations with several Application Delivery Controller (ADC) partners.
  • Azure AD does not only provide single sign-on across apps. It also secures that access with Multi-Factor Authentication (MFA), Conditional Access, role-based access control, OAuth 2.0 authorization, and application consent and permissions.

Once all the users are in Azure AD and the applications are integrated, Azure AD Identity governance features such as access reviews, entitlement management, Terms of Use, Privileged Identity Management, and Administrative Units can be leveraged across regular users, applications, and privileged accounts.

  • Terms of Use – You can require employees or guests to accept your terms of use before getting access, to re-accept on a periodic basis, and to accept before registering security information for Azure Multi-Factor Authentication (MFA). You can present specific terms of use based on a user persona, and the acceptance records help meet compliance and audit needs.
  • Access Reviews – A common problem is that access is granted during onboarding, but its removal is not followed through in every case: the user account may be disabled, but the access itself is never removed. A side effect of the ease of modern collaboration is guest account proliferation and ongoing guest access to the organization. Access reviews help ensure that only the right people have access to a particular resource, and only for the duration needed, so excessive access can be identified and the associated risk mitigated. Access reviews of employees, guests, and applications can be triggered by a lifecycle event through entitlement management or run on an ad-hoc or recurring basis. You can require users to self-attest to their access periodically and add an approval workflow after self-attestation.
  • Entitlement Management – Traditionally, employees depended on IT for every access request. With Entitlement Management, IT can empower business units and end users by delegating access decisions without needing to be in the middle of every request, while retaining controls such as multistage approvals, time-bound access, and periodic re-certification of access via Access Reviews. IT can delegate catalog and access package creation and maintenance to business units.
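The access review described above, as an added example that is not part of the original post: it creates a recurring review of the guest members of one group, assigns the group's owners (the business owners, not IT) as reviewers, and sets a default decision of Deny that is applied automatically when a reviewer does nothing, which is the control that closes the "account disabled but access never removed" gap. It uses the Microsoft Graph PowerShell SDK, which is newer than this 2020 post; the group name is hypothetical.

```powershell
# Added example (not from the original post). Requires the Microsoft Graph
# PowerShell SDK. The group "Contoso-Partners" is a hypothetical name.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All", "Group.Read.All"

$group = Get-MgGroup -Filter "displayName eq 'Contoso-Partners'"   # hypothetical group
if (-not $group) { throw "Group 'Contoso-Partners' not found" }

$review = @{
    displayName             = "Quarterly review: guests in $($group.DisplayName)"
    descriptionForAdmins    = "Guest members who are not approved are removed automatically."
    descriptionForReviewers = "Confirm each guest still needs access; unreviewed guests lose it."
    # Scope: only guest users who are (transitive) members of the group.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$($group.Id)/transitiveMembers/microsoft.graph.user/?`$filter=(userType eq 'Guest')"
        queryType     = "MicrosoftGraph"
    }
    # Reviewers: the owners of the group, i.e. the people who know whether a guest is still needed.
    reviewers = @(
        @{ query = "/groups/$($group.Id)/owners"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true   # flags guests with no recent sign-in
        instanceDurationInDays          = 14
        # If nobody reviews a guest within the 14 days, Deny is applied automatically.
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"
        autoApplyDecisionsEnabled       = $true
        recurrence = @{
            # Every 3 months, anchored on startDate (dayOfMonth 0 as in the Graph examples).
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 0 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$definition = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $review
$definition | Select-Object Id, DisplayName, Status
```

Without autoApplyDecisionsEnabled and a Deny default, the review only records opinions; an administrator still has to apply them by hand, and the guest keeps access in the meantime. With them set, the review itself becomes the removal mechanism that the onboarding process never had.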

Role-Based Access Control (RBAC) has existed for a long time in the on-premises world and was the primary mechanism for ensuring least-privilege access for administrators. Azure AD ships with many built-in RBAC roles, and custom roles with granular permissions can also be created. In addition to RBAC, organizations can use Privileged Identity Management (PIM) and Administrative Units (AUs) to further protect and govern accounts with admin privileges.

  • Privileged Identity Management (PIM) – Helps reduce or eliminate standing privileged access by providing just-in-time (JIT) access: users are made eligible for a role and activate it only when needed. Activation can require users to step up authentication with MFA, provide a justification for audit purposes, and obtain approval, and the resulting assignment is time-bound. PIM integrates with Access Reviews to ensure that privileged eligibility stays limited to the right subset of users. JIT access can be required on Azure AD built-in and custom roles, Azure resource built-in and custom roles, and Azure AD groups. When PIM is set up on Azure AD groups, global admins can delegate role management access and approvals to workload admins while retaining oversight and auditability.
  • Administrative Units (AUs) – Administrative units allow you to grant admin permissions that are restricted to a department, region, or other segment of your organization. You can use administrative units to delegate permissions to regional administrators or independent divisions.
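The PIM flow described above, as an added example that is not part of the original post: an administrator makes a user eligible for a directory role for one year instead of assigning it permanently, and the user later self-activates the role for four hours with a justification. It uses the Microsoft Graph PowerShell SDK role management cmdlets, which are newer than this post; the user, role and ticket number are hypothetical.

```powershell
# Added example (not from the original post). Requires the Microsoft Graph
# PowerShell SDK. The user, role choice and ticket reference are hypothetical.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory",
                        "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory"

$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"
$admin = Get-MgUser -UserId "alice.admin@contoso.example"   # hypothetical workload admin
if (-not $role -or -not $admin) { throw "Role or user not found" }

$nowUtc = (Get-Date).ToUniversalTime().ToString("o")

# Step 1 (done by a privileged role admin): eligibility, not a standing assignment.
# Nothing is granted yet; Alice only gains the right to activate the role.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Exchange workload admin; JIT activation only"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"          # tenant-wide; an administrative unit id would narrow it
    principalId      = $admin.Id
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{ type = "afterDuration"; duration = "P365D" }   # re-certify yearly
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# Step 2 (done by Alice when she actually needs the role): time-bound activation.
# MFA and approval are enforced by the role's PIM policy, not by this request; if
# approval is required the request returns status PendingApproval and the role is
# not usable until an approver acts.
$activation = @{
    action           = "selfActivate"
    principalId      = $admin.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    justification    = "INC-1234: mailbox migration cut-over"   # hypothetical ticket
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }    # expires on its own
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
$request | Select-Object Id, Status, Action

# Verify what is live right now: an 'Activated' instance with an end time, rather
# than an 'Assigned' instance with none (which would be standing access).
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$($admin.Id)'" |
    Select-Object RoleDefinitionId, AssignmentType, StartDateTime, EndDateTime
```

The point of the two-step shape is that the audit trail separates the governance decision (who may hold Exchange Administrator at all, reviewed yearly) from each use of the privilege (why it was activated, by whom, for how long), and a compromised account with only eligibility still has to pass the activation policy before it holds any admin rights.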

These features also provide rich reporting and insights, drawing on the signal sharing, event correlation, and insights of the integrated Microsoft security stack.

About the Author
Lavanya Murthy is a senior consultant in Intelligent Workplace at New Signature, Cognizant’s Microsoft Business Group. Her expertise is in helping clients strengthen their security posture and implement a Zero Trust framework with M365/Azure identity and security solutions, and in modernizing SecOps. In her free time, Lavanya enjoys reading, knitting, and teaching coding to kids.
