Entra ID Identity Governance

Azure Identity Governance

Identity governance in Entra ID is used to manage the identity lifecycle of external users, access packages, Teams and groups, as well as reviews and auditing. These are the four use cases defined in the Entra ID Identity Governance portal in Azure.

  • Control your external users lifecycle
  • Manage group membership
  • Protect resources with role assignments
  • Audit and create reports

I will cover these as we go along and I will start with Control your external users lifecycle.

External users lifecycle

In many businesses the identity governance of users, and especially of external users, can be hard to manage. There might be a lack of policies or processes for when certain events occur. One of the more common cases is an external user that has access to business resources and then leaves their company. Now you are at the mercy of the external company that owns the user's identity. You don't know whether they have processes in place to block the account or remove its ability to sign in to the cloud. The customer often doesn't give notice that the user has quit, is off the project or for some other reason won't participate any longer. You might just get a new access request for a different user account.

Identity governance helps you take control of the identity and access management of the external user account. You can do this by providing an onboarding process with approval. This way the external user can request access, and approval requests are sent to the correct persons in the organization. Once access is granted, the user is reviewed against the access requirements on a regular basis using the access review feature. The access review feature can also remove access to applications or Teams and groups based on the replies, or lack of reply. This way inactive users are stripped of their rights.

Requirements

There are license requirements to use the feature. You get 50 000 MAU (monthly active users) for external users without cost with both Entra ID P1 and P2 licenses. More on the licensing in the link: MAU billing model for Azure AD External Identities – Microsoft Entra | Microsoft Docs
Internal users will require the appropriate Entra ID Premium 1 or 2 license, based on the features used, i.e. all group owners doing access reviews will require the Entra ID P2 license.

Use cases

The benefits from using these models for external users can be quite big. It's often easy to lose track of external users and what resources they have access to. So when is the right time to start using the features?

  • When you need to have complete control of what resources, applications or access an external user has in your cloud environment.
  • When you need owners of Teams, Groups or Applications to validate users' access to a resource.
  • When you need to remove access from users no longer requiring that access.
  • When you want to implement the principle of least privilege.


You are ready to begin, but where do you start?

The easiest way is to start doing an external user inventory by identifying

  • Users that haven’t logged in to the system for X days/months
  • Users that don’t belong to any M365 groups
  • Users that are missing the new “Sponsor” attribute (in preview as I’m writing this)

I would start with these items first. Users that don't belong to any M365 groups may still require access to Azure subscriptions or landing zones in your environment. If you are unsure you can always add the users at a later point.
The key is to identify who needs access and remove the rest, and from there you can start to figure out how you want to handle external users.
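The three inventory checks above can be pulled from Microsoft Graph in one pass. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, uses the beta endpoint because the sponsors relationship was in preview, and the 90-day inactivity threshold is an assumed value you should set to your own policy.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph PowerShell SDK.
# Delegated permissions needed: User.Read.All, AuditLog.Read.All (for signInActivity), GroupMember.Read.All.
param([int]$InactiveDays = 90)   # assumed threshold; align with your own policy

Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","GroupMember.Read.All" -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
$report = @()

# Guest (external) users. signInActivity is only returned when explicitly requested via $select.
# The beta endpoint is used because the sponsors relationship was still in preview.
$uri = "https://graph.microsoft.com/beta/users?`$filter=userType eq 'Guest'" +
       "&`$select=id,displayName,userPrincipalName,createdDateTime,signInActivity&`$top=999"
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($u in $page.value) {
        # Check 1: never signed in, or last sign-in older than the threshold
        $lastSignIn = $u.signInActivity.lastSignInDateTime
        $inactive   = (-not $lastSignIn) -or ([datetime]$lastSignIn -lt $cutoff)

        # Check 2: M365 group membership. Only groups with 'Unified' in groupTypes are M365 groups.
        $memberOf   = Invoke-MgGraphRequest -Method GET -Uri ("https://graph.microsoft.com/beta/users/" +
                      "$($u.id)/memberOf/microsoft.graph.group?`$select=id,groupTypes")
        $m365Groups = @($memberOf.value | Where-Object { $_.groupTypes -contains 'Unified' })

        # Check 3: sponsor attribute populated?
        $sponsors   = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/users/$($u.id)/sponsors?`$select=id"

        $report += [pscustomobject]@{
            DisplayName    = $u.displayName
            UPN            = $u.userPrincipalName
            Created        = $u.createdDateTime
            LastSignIn     = $lastSignIn
            Inactive       = $inactive
            M365GroupCount = $m365Groups.Count
            HasSponsor     = (@($sponsors.value).Count -gt 0)
        }
    }
    $uri = $page.'@odata.nextLink'   # follow paging until exhausted
} while ($uri)

# Guests matching any of the three conditions are the cleanup candidates; the full set goes to CSV for review.
$report | Where-Object { $_.Inactive -or $_.M365GroupCount -eq 0 -or -not $_.HasSponsor } |
    Sort-Object LastSignIn | Format-Table DisplayName, UPN, LastSignIn, M365GroupCount, HasSponsor -AutoSize
$report | Export-Csv -Path .\guest-inventory.csv -NoTypeInformation
```

Review the CSV with the resource owners before removing anyone, since a guest with no M365 group membership may still hold Azure RBAC assignments that this query does not cover.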

Policies and processes

In parallel with the major cleanup you are probably about to do, it's good practice to establish the policies and routines you need to govern external users. Since there are several ways to do this, and the automation functionality available depends on what license you have, you need to get into the administrative part of this. Some procedures are not related to Entra ID and require automation or manual steps to be completed. Therefore it's good practice to have these documented.

So for this scenario I'm going to say we have the following policy that we need to adhere to:

  • External users will require a sponsor in the business
  • External users can request access to resources and roles by themselves
  • Delivery of access to roles, applications, teams and sites should be automatic, as long as this is possible
  • A quarterly review of external users access to Teams and Sites is required

The above policy requires an Entra ID P2 license for all internal users that are going to do the reviews (Team, Site and application owners). On the external user side, you have 50 000 MAU (monthly active users) that can use P2 features.
