Identity governance is a core discipline for organizations running systems on-premises or in the cloud, such as Azure Active Directory. A user’s identity lets them sign into services in their own organization, or as a guest in external organizations. Ideally, users should be able to sign-in with a minimum of fuss while also being controlled in terms of the permissions assigned to their accounts and the resources they can access. Managing identities to achieve this balance can be challenging, and that’s where Identity Governance, part of Azure Active Directory Premium Plan 2, comes in. Identity Governance consists of the following features to assist with identity management: 

Assigning access through Identity Governance Entitlement Management 

Handling permissions and role-based access control (RBAC) can be a struggle. If users or IT administrators move between roles, permissions assigned to their account might not be adjusted or reviewed for their new role. Determining the best set of permissions for a role can also be a challenge. Sometimes, the permissions assigned to another user are copied without thought. The upshot is that users can end up with more privileges than their role requires. 

Entitlement Management within Identity Governance allows you to create access packages consisting of groups, applications, or SharePoint sites. Organizations can assign access packages to users or make the packages available for users to request. 

An example of an access package could be one created for the marketing department. People in this department might require the following access: 

  • Be a member of the ‘Marketing’ security group for access to Azure resources. 
  • Get access to the ‘Marketing’ team. 
  • Receive access to the main SharePoint site to update marketing-related content. 
  • Use the corporate Twitter and Instagram applications. 

By creating an access package, these permissions form a single, easy distributable package. This package can be made available to all users, but require approval from the marketing director. This means that no IT interaction is necessary when someone joins the department. After receiving their account, they can simply request access to the package. The marketing director will receive the request and choose to approve or deny it. 

Besides being an easy way to assign permissions, Access Packages have some additional benefits: 

  • A business justification can be required when requesting and approving access. 
  • All events are logged which provides an easy log trail. 
  • Permissions can be set to expire after a specific period. 

Entitlement Management within Identity Governance is a valuable capability for organizations that need to organize permissions according to functional need. To learn more, be sure to check out this existing Practical 365 series: A Guide to Entitlement Management

While Entitlement Management in itself is easy to configure, it is difficult to roll out in an organization. The reason for that is most of your time will go to identifying which groups of users require which permissions. This is work that will require people from both IT and HR. After a lot of preparation, I have seen organizations successfully adopting this feature in their organization, but it is important to know what kind of permissions you have in your organization before starting this journey. 

Learn about “Emerging Threats Against Cloud Application Identities in Azure AD”, “Protecting Your Identity Supply Chain”, and more from Microsoft’s team of Identity Security experts at The Experts Conference 2022 in Atlanta, GA September 20-21.

Check permissions through Access Reviews 

Often, when accounts receive permissions, they remain assigned for the lifecycle of that identity. If organizations don’t review permissions periodically, which means users can become overprivileged. Access Reviews allow administrators to require the review of a certain scope (groups or applications) by an IT admin or a business user. The reviewer decides whether the permissions are still applicable. If not, the review can remove the permissions from the account. 

Access Reviews are a process that takes time to implement for organizations. Performing reviews of permissions and the access people have to resources is a useful exercise, but it is important to start by identifying the correct use cases. Think about guest user access to Teams and SharePoint Online sites: a regular review of guest access can confirm that external people still need access to the resources in teams and sites.  

By using access reviews, these reviews can be easily governed and automated. But Access Reviews are only as effective as its reviewers. Reviewers need to be trained on what they should watch for and when access should be removed. The type of group will determine when access should be revoked: if this group provides guest users access to an application, access should be revoked when the corporation with the external company stops. When talking about groups that provide admin access, permission could be revoked when the role of an employee changes. Before rolling out access reviews, train the reviewers on what to look out for. 

Using Identity Governance’s Privileged Identity Management to protect administrator

Privileged Identity Management (PIM) is a powerful feature that I cover in ‘Ten ways to harden the security of your tenant’. It has a couple of use cases: 

  • Identify and audit the roles used in the environment, 
  • Require activation of a role before the role is granted, 
  • Require certain conditions to be met before a role can be activated. 

Without PIM, an administrative role assigned to an account (like Group administrator) is active all the time. With PIM, administrators still have assigned roles, but the roles must be activated before the administrators can use the role to perform actions. 

When explaining PIM to organizations, some don’t see the value of it as they say ‘Well, if an attacker has access to my account, they can simply activate the PIM role. What is the point?’. While this is a valid argument, PIM offers some additional benefits: 

  • The PIM policy can require a justification before a role is activated. This allows you to require a description of the tasks which will be executed. 
  • Each activation of a role is monitored and can be easily audited. This allows you to identify both internal and external abuse. 
  • An IT admin can have multiple assigned roles and choose which role to activate based on least privilege. This avoids the situation where highly-permissioned roles like the global administrator role are used when not necessary. 

Starting off with PIM is easy, but it is important to realize that PIM can be cumbersome for an IT administrator. If approval for activation is required and the activation is only valid for one hour, the ability of an administrator to do their job can be impacted. Finding the right balance between security and user experience is key. 

Use Terms of Use in Identity Governance to Comply with Regulations 

Terms of Use is the most forgotten feature of Identity Governance, but it is a powerful one. Terms of Use allow organizations to upload a policy (Terms of Use) that users (both internal and external) must review and accept. The feature is integrated with Azure Active Directory Conditional Access, which means that users must accept the policy before they can access resources. 

While this is a nice to have feature, I don’t recommend implementing Terms of Use just for the sake of having the policy in place. Terms of Use is not something that solves an issue for the IT department. Most organizations I work with do not use one because there is no legal base for it. But if your Human Resources or Legal team has a requirement for it, Identity Governance has got you covered. 

Setting it up is as easy as uploading the Terms of Use conditions and requiring approval through Conditional Access. During projects working as a consultant, I have never worked with a company who implemented this tenant-wide. I have seen a few organizations who require it for guest users, in order to inform them of the ‘acceptable use’ policy for dealing with Microsoft 365 and documents. 

Identity Governance is Worth Exploring 

Identity Governance is somewhat undervalued in the entire Microsoft 365 ecosystem. Not a lot of administrators know its value and capabilities. If you have access to an Azure AD Premium Plan 2, I recommend you start exploring Identity Governance to see what value it offers. While you might not have a use case immediately, you never know when you’ll need to use PIM or access reviews, or even integrate Terms of Use in a conditional access policy. 

Engage with Identity Governance and Azure Active Directory experts at The Experts Conference 2022 in Atlanta, GA September 20-21.

About the Author

Thijs Lecomte

Thijs is a security consultant out of Belgium, working at The Collective, an MSSP with a Microsoft-focused Security Operations Center. His work consists out of leading the SOC team and implementing Microsoft Security solutions (such as Microsoft Sentinel and Defender) as a consultant. He is an MVP in the Security category and is a regular speaker at events and user groups. His best-known publication is as co-author of the 'Microsoft 365 Security for the IT Pro' ebook.

Leave a Reply