What is Identity Governance? And Why is it important?
“Azure Active Directory (Azure AD) Identity Governance helps you to protect, monitor, and audit access to critical assets while ensuring employee productivity.”
As we know, cyber attackers seek to gain unauthorized access to your organization’s resources. Employees, vendors, partners are their number one target as they possess the permissions required to access and control your resources and therefore own to your data.
A Restrictive approach in this hyperconnected world is not an option; we have to find a balance.
“The goal is to govern access to your company resources in this hyperconnected world” Joseph Dadzie Principal Group PM Azure AD at Microsoft.
Employers interact with business partners everywhere; it is impossible to restrict their access; however, organizations, regulators, and auditors need to know who is accessing their resources. Identity Governance will help you verify their users’ Identity and cross-reference it with their authorization profile.
There are two concepts that we need to learn as we set up our Identity Governance on portal.azure.com
1) Entitlement Management
This feature allows your company to automate the access lifecycle. Entitlement management reduces the overhead and allows your organization to efficiently manage access to your defined groups and applications for both internal and external users.
- Office 365 Groups and Teams
- Azure AD Applications
- SharePoint Sites
One of the first steps is the creation of access packages; this is nothing but a set of resources that users can request, approve, and revoke when access expires.
For example, Imagine you work with a vendor that requires access to one of your SharePoint sites.
With Entitlement Management, you can create a package to grant specific vendor access to SharePoint.
One of the most important use cases of access packages is the ability to give users access to manage specific Azure Resources, for example, an Azure Application. All you need to do:
- Create a catalog
- Select a resource (Your Azure Application)
- Use an Azure AD Security Group
- Create an Azure Role Assignment for that group.
- Create an assignment to a specific user or a connected organization
Ideally, use access packages in situations that require time-sensitive/temporary access to specific resources.
2) The second important concept is the Access Reviews
Sometimes automation is not feasible, either because some users were added manually and forget about them or because we granted higher privileges than needed.
Access review is the process of periodically review your users to make sure they still require the same permissions and modify them if needed.
To see the steps required to create an access review, please visit the following link
Note: This feature requires an Azure AD Premium license
Note: I’m loyal to Microsoft, but I always add this section to understand the offering of the competitors
Google IAM – Cloud Identity and Access Management
AWS Identity and Access Management (IAM)