Overview of Identity Governance – Planning and Implementing Secure Access
Security and identity are some of the most important parts of managing a Microsoft 365 tenant.
As an administrator, you may need to provide a mechanism that allows users to share information with others outside your Microsoft 365 tenant. Planning an access strategy for both internal and external users is critical to maintaining a secure operating environment.
There are a lot of areas that touch on access, specifically around governance and access policies. In this chapter, we’ll look at the following areas:
- Planning and implementing access reviews in Azure AD Identity Governance
- Planning and implementing entitlement packages in Azure AD Identity Governance
- Planning for identity protection
- Implementing and managing Azure AD Identity Protection
- Planning Conditional Access policies
- Implementing and managing Conditional Access policies
By the end of this chapter, you should be able to describe the various authentication methods and supporting tools, as well as understand where to go to troubleshoot authentication issues.
The following main topics will be covered:
- Overview of Identity Governance
- Planning and implementing Identity Governance
- Working with secure access
Let’s go!
Overview of Identity Governance
Microsoft Entra Identity Governance is a set of policy-based tools for managing the identity and access life cycle across an organization. Identity Governance helps organizations identify which users should have access to which resources under which circumstances while providing audit data to support the access controls.
From the perspective of the MS-100 exam, you’ll need to understand three Identity Governance areas:
- Identity life cycle
- Access life cycle
- Privileged access life cycle
Let’s review each of these areas.
What is the identity life cycle?
The identity life cycle encompasses everything from the moment an identity is provisioned into your organization until that identity is no longer needed. While the identity life cycle frequently focuses on employees and contractors, it can (and should) also include identities for vendors, partners, or other individuals to whom you grant access to your applications and data.
The diagram in Figure 8.1 shows a general process flow, starting with someone who has no access. Upon being assigned their first job role, an identity is provisioned. As they move throughout the organization, this identity is updated to reflect their job role until, at some point, they leave the organization:
Figure 8.1 – Identity life cycle overview
Identities, from an employee or contractor perspective, are frequently managed through a human resources information system (HRIS), which tracks the individual’s personal and employment information (name, address, dependents, start date, job role, pay rate, and so forth). Platforms such as Workday and SuccessFactors can be integrated with Azure AD and Active Directory to facilitate tracking an individual’s data throughout their tenure.
In addition to individuals whose source of identity is managed in your directory, the identity life cycle can also include users in business-to-business (B2B) scenarios – users from other directories, tenants, or environments that have been granted access to your organization’s resources.
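As an added illustration of the joiner/mover/leaver flow in Figure 8.1 (example code written for this chapter, not from Microsoft or any HRIS connector), the Python below reconciles a constructed HR feed against a constructed directory snapshot: it provisions new hires, updates the role of movers, disables leavers whose end date has passed, and flags enabled accounts that have no HR record at all. The `@contoso.example` UPNs, the HR rows and the account list are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class HrRecord:  # one row of a constructed HRIS feed (stand-in for Workday/SuccessFactors)
    upn: str
    job_role: str
    end_date: Optional[date] = None  # set once the person has left

@dataclass
class DirectoryAccount:  # constructed stand-in for a directory user object
    upn: str
    job_role: str
    enabled: bool = True

def reconcile(hr_feed: List[HrRecord], directory: List[DirectoryAccount],
              today: date) -> List[Tuple[str, str, Optional[str]]]:
    """Joiner/mover/leaver pass; the HR feed is the source of truth."""
    hr = {r.upn: r for r in hr_feed}
    accts = {a.upn: a for a in directory}
    actions = []
    for upn, rec in hr.items():
        left = rec.end_date is not None and rec.end_date <= today
        existing = accts.get(upn)
        if existing is None:
            if not left:  # joiner: provision on first job role
                actions.append(("provision", upn, rec.job_role))
        elif left:
            if existing.enabled:  # leaver: cut access once the end date passes
                actions.append(("disable", upn, None))
        elif existing.job_role != rec.job_role:  # mover: role changed in HR
            actions.append(("update_role", upn, rec.job_role))
    for upn, acct in accts.items():  # enabled account with no HR record: orphaned
        if upn not in hr and acct.enabled:
            actions.append(("review_orphan", upn, None))
    return sorted(actions, key=lambda a: (a[0], a[1]))

def run_sample():  # constructed sample data; returns the actions one sync run would take
    hr_feed = [
        HrRecord("bob@contoso.example", "Senior Engineer"),
        HrRecord("carol@contoso.example", "Analyst"),
        HrRecord("dave@contoso.example", "Engineer", end_date=date(2024, 5, 31)),
    ]
    directory = [
        DirectoryAccount("bob@contoso.example", "Engineer"),
        DirectoryAccount("dave@contoso.example", "Engineer"),
        DirectoryAccount("erin@contoso.example", "Contractor"),  # absent from HR feed
    ]
    return reconcile(hr_feed, directory, date(2024, 6, 1))
```

Running `run_sample()` a second time against a directory that already reflects the actions yields no `provision`, `update_role` or `disable` entries, which is the idempotence a scheduled sync relies on; the `review_orphan` entry persists until someone decides what the unmatched account is for.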