In a digital world, where Collaboration, Identity Management, and Secure Remote Working are proving to be some of the core functionalities that organisations need to manage efficiently, Azure AD Identity Governance offers the foundation to build upon.

We have seen many customers who struggle with managing access lifecycles, granting the partners or vendors they work with external access to a suite of resources, or simply ensuring that internal users only have access to the resources they need.

Some real-life scenarios are:

  • New starters are onboarded to an organisation, but from day one they don’t have access to the M365 Groups, SharePoint sites, or Teams they need. It can take several days to raise requests, get approvals etc., and then hope that the tickets are fulfilled correctly.
  • You start to work regularly with a 3rd party who is contracted to deliver a project that is going to take 18 months. You need the supplier to be able to access content held in various SharePoint sites, and to collaborate with other members of the project in Microsoft Teams.
  • Compliance and Audit have highlighted a flaw in your process: internal users still have access to resources from previous roles or from projects they no longer work on, and guest users also still seem to have access to these resources even though their engagement has completed.

With Azure AD Identity Governance, you can enable and configure the following services to help secure, protect and govern your resources.

Access Packages

Access Packages can be used to manage the membership of the following resources:

  1. Microsoft 365 Groups
  2. Azure AD Security Groups
  3. SharePoint Online sites
  4. Microsoft Teams
  5. Azure AD Applications

By creating an Access Package, we are able to package together the resource, the request process, the approval process, and the lifecycle management process. This gives Administrators a quick, light-touch service that they can deploy to manage access to their organisational data hosted in Microsoft 365, or access to Azure AD applications.

Internal users can request access to resources through the My Access portal in Microsoft 365, and external users can use an external link to the Access Package to request access to the resource.

Access Reviews

If you need to keep control of both internal and external users who have access to your cloud resources, Access Reviews give you the ability to re-request approval for those users on a weekly, monthly, quarterly, semi-annual, or annual basis. You can configure who does the reviews; it can be:

  1. Self Review – The end user reviews their own access and decides whether they need to continue having that access
  2. Group Owners – The owner of the resource can review who has access to the resource and decide if it is still appropriate
  3. Selected Users or Groups – This could be IT Security, Data Owners, or Business Managers, who are not the Owner of the resource but might need to provide a review of the access
  4. User's Manager (Preview) – Using the Azure AD manager attribute, managers will be able to review the level of access their Direct Reports have

Access Reviews, when configured, also come with some additional features that help the Reviewer make decisions, such as highlighting accounts that have not logged in for 30 days.

Admins can also require that Reviewers provide a justification for why they have approved the access, which provides an audit trail for the Compliance and Audit teams. Other settings such as email notifications and reminders also add to the workflow.
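The review options described above (quarterly recurrence, group owners or managers as reviewers, justification, the 30-day inactivity recommendation, notifications and reminders), put together as an added example of a scheduled Access Review created through Microsoft Graph. This is example code, not from the original post; it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account holds the AccessReview.ReadWrite.All permission, and that the group id is a placeholder.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK,
# the AccessReview.ReadWrite.All permission, and a placeholder group id.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"
$groupId = "<M365-GROUP-ID>"   # placeholder: the project Team / M365 Group being reviewed

# Quarterly review of everyone in the group (guests included), decided by the group owners.
$definition = @{
    displayName             = "Quarterly review: project team membership"
    descriptionForAdmins    = "Removes members and guests whose engagement has ended"
    descriptionForReviewers = "Deny anyone who no longer works on the project"
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    reviewers = @(@{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" })
    # Alternative (the "User's Manager" option): each member's manager reviews their reports
    # reviewers = @(@{ query = "./manager"; queryType = "MicrosoftGraph"; queryRoot = "decisions" })
    settings = @{
        instanceDurationInDays          = 14      # reviewers have two weeks to respond
        justificationRequiredOnApproval = $true   # audit trail for Compliance and Audit
        recommendationsEnabled          = $true   # highlights accounts with no sign-in for 30 days
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        autoApplyDecisionsEnabled       = $true   # remove denied users when the review closes
        defaultDecisionEnabled          = $true   # no response from a reviewer => defaultDecision
        defaultDecision                 = "Deny"
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }   # every quarter
            range   = @{ type = "noEnd"; startDate = (Get-Date -Format "yyyy-MM-dd") }
        }
    }
}
Invoke-MgGraphRequest -Method POST -Body $definition `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"
```

The same definition can be created in the Azure AD portal under Identity Governance > Access reviews; the script simply makes the chosen settings explicit and repeatable.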

Connected Organisations

With a recent client, this proved to be a solution that will help them control who has access to their M365 and Azure AD services. The client had been using the Azure AD Domain Whitelist to control which domains users could be invited from as Guest accounts. But the whitelist has a limit: 25,000 characters (or 25KB, to be precise). Once that was reached, they could not whitelist any additional domains.

Connected Organisations have a soft limit of 10,000 domains, which allows the Admins to create a much larger set of controls.

You use Connected Organisations to control who has access to the Access Packages that you create. For example, I might want to create an Access Package that gives external users access to a particular Site, Group, Team or App, but only to users from contoso.com, so I configure a Connected Organisation for that domain and apply it to the Access Package. As part of configuring a Connected Organisation, I can also specify Internal and External Sponsors. These are useful when you need the approval process to go through an initial review in the 3rd party's domain first: they may want to approve their own users before the request comes to your organisation for approval.
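The Access Package and Connected Organisation configuration described in the two sections above, as one added example built on the Microsoft Graph entitlement management API: a Connected Organisation limited to contoso.com, an External Sponsor on the partner side, and an assignment policy that only members of that organisation can request, approved first by the External Sponsor and then by an internal group, with assignments that expire automatically. This is example code, not from the original post; it assumes the Microsoft Graph PowerShell SDK, the EntitlementManagement.ReadWrite.All permission, an existing Access Package, and placeholder ids.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK
# and the EntitlementManagement.ReadWrite.All permission; the ids below are placeholders.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
$graph = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

$accessPackageId   = "<ACCESS-PACKAGE-ID>"         # placeholder: existing Access Package
$internalApprovers = "<APPROVER-GROUP-ID>"         # placeholder: internal approver group
$externalSponsorId = "<EXTERNAL-SPONSOR-USER-ID>"  # placeholder: guest user from contoso.com

# 1. Connected Organisation scoped to the partner's domain: only contoso.com accounts
#    will match it, unlike a tenant-wide domain whitelist that applies to every invitation.
$org = Invoke-MgGraphRequest -Method POST -Uri "$graph/connectedOrganizations" -Body @{
    displayName     = "Contoso (project partner)"
    description     = "18-month project engagement"
    identitySources = @(@{
        "@odata.type" = "#microsoft.graph.domainIdentitySource"
        domainName    = "contoso.com"
        displayName   = "Contoso"
    })
    state = "configured"
}

# 2. External Sponsor: a partner-side contact who reviews their own people first.
Invoke-MgGraphRequest -Method POST -Uri "$graph/connectedOrganizations/$($org.id)/externalSponsors/`$ref" `
    -Body @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$externalSponsorId" }

# 3. Assignment policy on the Access Package: requests are limited to that Connected
#    Organisation, approval runs in two stages (External Sponsor, then internal group),
#    and every assignment expires so the lifecycle is enforced without manual clean-up.
Invoke-MgGraphRequest -Method POST -Uri "$graph/assignmentPolicies" -Body @{
    displayName            = "Contoso project access"
    description            = "Partner access, sponsor-approved, time-limited"
    allowedTargetScope     = "specificConnectedOrganizationUsers"
    specificAllowedTargets = @(@{
        "@odata.type"           = "#microsoft.graph.connectedOrganizationMembers"
        connectedOrganizationId = $org.id
        description             = "Contoso staff"
    })
    expiration        = @{ type = "afterDuration"; duration = "P548D" }   # roughly 18 months
    requestorSettings = @{ enableTargetsToSelfAddAccess = $true }         # request via My Access link
    requestApprovalSettings = @{
        isApprovalRequiredForAdd = $true
        stages = @(
            @{ durationBeforeAutomaticDenial = "P7D"; isApproverJustificationRequired = $true
               primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.externalSponsors" }) },
            @{ durationBeforeAutomaticDenial = "P7D"; isApproverJustificationRequired = $true
               primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $internalApprovers }) }
        )
    }
    accessPackage = @{ id = $accessPackageId }
}
```

A request that is not approved within the 7-day window at either stage is denied automatically, so stale requests never become standing access.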


In Summary

In this brief overview, we have talked about how Admins can configure Azure AD Identity Governance for both internal and external users who need access to your M365 and Azure AD resources. This service helps you provision, govern, and review who has access to your resources in an automated workflow, without the need for any additional 3rd party services.

If you would like to know more, or see a deep-dive on how your organisation can adopt this, please do get in touch.