/ AZURE AD IDENTITY GOVERNANCE SERIES, WHITEPAPER

What is Identity Governance in Azure AD and How Can It Improve Your Access Management Strategy

Organizations of all sizes are embracing Azure AD as their core platform for Identity and Access Management, and rightly so, but as reliance on Azure AD grows, so does the need for a strong Identity Governance backbone.

Firstly, I would like to welcome you to the first post in my Azure AD Identity Governance series.

This first post serves as a basic summary of Azure AD, of Identity Governance as a concept, and of the Identity Governance features now available to us in Azure AD.

Later posts in the series will dive deeper into each of those Identity Governance features and how we can harness them.

What is Azure AD?

Azure AD is a highly integrable Identity and Access Management (IAM) platform with very tight integration with Microsoft Active Directory Domain Services (AD DS) and Microsoft 365. All Microsoft 365 tenants leverage Azure AD (AAD) as an authentication backend for controlling access to their services.

Many application vendors now leverage the OAuth authorization standard to offer out-of-the-box integration with Azure AD. This lets IT admins manage application access from the Azure AD portal, assigning application access to users from a central directory.

This brings many advantages for both the IT admins and the organization itself, such as minimizing the number of accounts a user owns, in-depth access logging, application access control, MFA challenges and much more.

While Identity and Access Management (IAM) and Identity Governance are two sides of the same coin, it is important to understand the differences between the two before designing a proper Identity Governance solution.

What is Identity Governance?

Identity Governance focuses on both the standardization and centralization of IAM. This encompasses all areas of access management in your IAM platform, from governing the lifecycle of identities in your directory, to governing the access these identities hold.

Through Identity Governance, large enterprises and government organizations alike can more easily meet strict compliance requirements, because access rights become structured and policy-based and the number of ad-hoc permissions assigned to identities in your directory is reduced.

Identity Governance in Azure AD

Microsoft has been investing in its Identity Governance suite by releasing tools and guidance that raise awareness of Identity Governance and allow organizations to govern the identities in their directories.

Before we start planning our Identity Governance strategy and learning about the tools provided in Azure AD, we should start by answering the four key questions outlined by Microsoft:

  • Which users should have access to which resources?
  • What are those users doing with that access?
  • Are there effective organizational controls for managing access?
  • Can auditors verify that the controls are working?

While these questions are a great foundation, I personally believe that we need to answer one further question:

  • What kind of resources are we managing access to?

My reasoning for this question is that before we can select the right tools and create an effective management framework for these resources, we need to understand, from a technical perspective, how each resource is accessed and how users authenticate to it.
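Answering the first question honestly starts with an inventory of who currently holds access to what. The following is an added example, not code from the original post: a Microsoft Graph PowerShell script that enumerates the user and group app role assignments on every enterprise application (service principal) in the tenant and writes them to a CSV for review. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the Application.Read.All permission; the output file name is arbitrary.

```powershell
# Added example (not from the original post): inventory app role assignments per
# enterprise application so that "which users have access to which resources?"
# can be answered from current state rather than from assumptions.
# Assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph) and
# a caller able to consent to Application.Read.All.

Connect-MgGraph -Scopes "Application.Read.All"

# Every service principal in the tenant; this includes Microsoft first-party
# apps, so expect a long list on a mature tenant.
$servicePrincipals = Get-MgServicePrincipal -All

$report = foreach ($sp in $servicePrincipals) {
    # Assignments of users/groups to this application's app roles.
    $assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All

    foreach ($assignment in $assignments) {
        [pscustomobject]@{
            Application   = $sp.DisplayName
            PrincipalType = $assignment.PrincipalType      # User, Group or ServicePrincipal
            Principal     = $assignment.PrincipalDisplayName
            AppRoleId     = $assignment.AppRoleId          # all-zero GUID means the default role
            AssignedOn    = $assignment.CreatedDateTime
        }
    }
}

# Applications with no assignments at all never appear here; those are the ones
# where access is typically controlled only by "assignment required = No".
$report |
    Sort-Object Application, PrincipalType, Principal |
    Export-Csv -Path .\app-role-assignments.csv -NoTypeInformation

Disconnect-MgGraph
```

Group assignments show up as a single row per group, so the next step for a real review is to expand group membership; a direct assignment to a user is visible here, but a user who holds access through a nested group is not.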

As of writing, Microsoft has implemented three main features in the AAD Identity Governance suite:

As mentioned above, my aim through this series of write-ups is to cover the capabilities of each feature listed above, outline business use cases for each, and provide configuration examples.

Stay tuned for the posts to come, and if you would like me to have an in-depth exploration of any specific features or use cases - please send me an email at nick@aldrid.ge

See you next time!