Microsoft Entra ID Governance is an identity governance solution that enables organizations to improve productivity, strengthen security and more easily meet compliance and regulatory requirements. You can use Microsoft Entra ID Governance to automatically ensure that the right people have the right access to the right resources, with identity and access process automation, delegation to business groups, and increased visibility. With the features included in Microsoft Entra ID Governance, along with those in related Microsoft Entra, Microsoft Security and Microsoft Azure products, you can mitigate identity and access risks by protecting, monitoring, and auditing access to critical assets.

Specifically, Microsoft Entra ID Governance helps organizations address these four key questions, for access across services and applications both on-premises and in clouds:

• Which users should have access to which resources?
• What are those users doing with that access?
• Are there organizational controls in place for managing access?
• Can auditors verify that the controls are working effectively?

With Microsoft Entra ID Governance you can implement the following scenarios for employees, business partners and vendors:

• Govern the identity lifecycle
• Govern access lifecycle
• Secure privileged access for administration

Identity Governance helps organizations achieve a balance between productivity - How quickly can a person have access to the resources they need, such as when they join my organization? And security - How should their access change over time, such as due to changes to that person's employment status? Identity lifecycle management is the foundation for Identity Governance, and effective governance at scale requires modernizing the identity lifecycle management infrastructure for applications.

For many organizations, identity lifecycle for employees is tied to the representation of that user in an HCM (human capital management) system. Microsoft Entra ID P1 or P2, through inbound provisioning, automatically maintains user identities for people represented in Workday and SuccessFactors in both Active Directory and Microsoft Entra ID, as described in the cloud HR application to Microsoft Entra user provisioning planning guide. You can then fulfill identity assignments through automatic user provisioning and deprovisioning into Microsoft Entra connected apps, including via SCIM, LDAP and SQL. Microsoft Entra ID P1 or P2 also includes Microsoft Identity Manager, which can import records from on-premises HCM systems such as SAP HCM, Oracle eBusiness, and Oracle PeopleSoft.

Increasingly, scenarios require collaboration with people outside your organization. Microsoft Entra B2B collaboration enables you to securely share your organization's applications and services with guest users and external partners from any organization, while maintaining control over your own corporate data. Microsoft Entra entitlement management enables you to select which organization's users are allowed to request access and be added as B2B guests to your organization's directory, and ensures that these guests are removed when they no longer need access.

Organizations are able to automate the identity lifecycle management process by using Lifecycle Workflows. Workflows can be created to automatically run tasks for a user before they enter the organization, as they change states during their time in the organization, and as they leave the organization. For example, a workflow can be configured to send an email with a temporary password to a new user's manager, or a welcome email to the user on their first day.

Organizations need a process to manage access beyond what was initially provisioned for a user when that user's identity was created. Furthermore, enterprise organizations need to be able to scale efficiently to be able to develop and enforce access policy and controls on an ongoing basis.

Typically, IT delegates access approval decisions to business decision makers. Furthermore, IT can involve the users themselves. For example, users that access confidential customer data in a company's marketing application in Europe need to know the company's policies. Guest users may be unaware of the handling requirements for data in an organization to which they've been invited.

Organizations can automate the access lifecycle process through technologies such as dynamic groups, coupled with user provisioning to SaaS apps or apps integrated with SCIM. Microsoft Entra ID can also provision access to apps that use AD groups, other on-premises directories or databases, or that have a SOAP or REST API including SAP. Organizations can also control which guest users have access to on-premises applications. These access rights can then be regularly reviewed using recurring Microsoft Entra access reviews for access recertification. Microsoft Entra entitlement management also enables you to define how users request access across packages of group and team memberships, application roles, and SharePoint Online roles. For more information, see the simplifying identity governance tasks with automation section below to select the appropriate Microsoft Entra features for your access lifecycle automation scenarios.

Lifecycle access can be automated using workflows. Workflows can be created to automatically add users to groups or access packages, so that access to applications and resources are granted. Users can also be moved when their condition within the organization changes to different groups, and can even be removed entirely from all groups.

When a user attempts to access applications, Microsoft Entra ID enforces Conditional Access policies. For example, Conditional Access policies can include displaying a terms of use and ensuring the user has agreed to those terms prior to being able to access an application. For more information, see govern access to applications in your environment.

Historically, privileged access has been described by other vendors as a separate capability from Identity Governance. However, at Microsoft, we think governing privileged access is a key part of Identity Governance especially given the potential for misuse associated with those administrator rights can cause to an organization. The employees, vendors, and contractors that take on administrative rights need to be governed.

Microsoft Entra Privileged Identity Management (PIM) provides additional controls tailored to securing access rights for resources, across Microsoft Entra, Azure, and other Microsoft Online Services. The just-in-time access, and role change alerting capabilities provided by Microsoft Entra PIM, in addition to multi-factor authentication and Conditional Access, provide a comprehensive set of governance controls to help secure your company's resources (directory, Microsoft 365, and Azure resource roles). As with other forms of access, organizations can use access reviews to configure recurring access re-certification for all users in administrator roles.

[!INCLUDE active-directory-entra-governance-license.md]

Check out the Prerequisites before configuring Microsoft Entra ID for identity governance. Then, visit the Governance dashboard in the Microsoft Entra admin center to start using entitlement management, access reviews, lifecycle workflows and Privileged Identity Management.

There are also tutorials for managing access to resources in entitlement management, onboarding external users to Microsoft Entra ID through an approval process, governing access to your applications and the application's existing users.

While each organization may have its own unique requirements, the following configuration guides also provide the baseline policies Microsoft recommends you follow to ensure a more secure and productive workforce.

• Plan an access reviews deployment to manage resource access lifecycle
• Zero Trust identity and device access configurations
• Securing privileged access

You may also wish to engage with one of Microsoft's services and integration partners to plan your deployment or integrate with the applications and other systems in your environment.

If you have any feedback about Identity Governance features, click Got feedback? in the Microsoft Entra admin center to submit your feedback. The team regularly reviews your feedback.

Once you've started using these identity governance features, you can easily automate common identity governance scenarios. The following table shows how to get started with automation for each scenario:

It's a best practice to use the least privileged role to perform administrative tasks in Identity Governance. We recommend that you use Microsoft Entra PIM to activate a role as needed to perform these tasks. The following are the least privileged directory roles to configure Identity Governance features:

• What are Lifecycle Workflows?
• What is Microsoft Entra entitlement management?
• What are Microsoft Entra access reviews?
• What is Microsoft Entra Privileged Identity Management?
• What can I do with Terms of use?