Access Governance
Microsoft Entra ID Governance provides the controls that determine who gets access, how that access is verified at provisioning time, how much standing privilege exists in the environment, and how external users are scoped and reviewed. Together these controls address the full identity lifecycle: onboarding, elevation, collaboration, and offboarding.
User Onboarding and Identity Verification
The Helpdesk Attack Surface
Deploying phishing-resistant authentication (passkeys, FIDO2 keys, certificate-based auth) removes the primary attack vector against end users. But it shifts attacker focus to the one flow that cannot require a hardware token: helpdesk provisioning and account recovery. Social engineering a helpdesk agent to issue a Temporary Access Pass or reset MFA enrollment is now the path of least resistance into a phishing-resistant tenant.
This is not theoretical. Microsoft's own analysis of identity attacks shows that after organizations deploy phishing-resistant MFA broadly, the next wave of attacks targets the provisioning workflow — impersonating employees, fabricating urgency ("I'm traveling and need my key replaced"), or exploiting gaps in identity verification procedures.
The technical countermeasure is to make the provisioning and recovery flows as rigorous as the authentication flow. Entra Verified ID and Face Check provide this for both initial onboarding and recovery scenarios.
Entra Verified ID and Face Check
Entra Verified ID is a decentralized identity framework based on W3C Verifiable Credentials. It allows a user to present a cryptographically signed credential — issued by a trusted verifier — to prove their identity without sharing the underlying document data with the relying party.
Face Check extends this with a real-time liveness check: the user presents a government-issued ID credential and performs a facial comparison against their Entra profile photo or the photo on the credential itself. This happens at onboarding or at MFA re-enrollment, not at every login.
The practical workflow for a new employee onboarding:
1. HR issues a Verified ID invite link to the new hire's personal email
2. New hire scans government ID (passport, driver's license) in the Microsoft Authenticator app
3. Identity verifier (Au10tix, IDEMIA, or TrueCredential) validates the document authenticity
and performs liveness detection
4. A signed Verifiable Credential is issued to the hire's Authenticator wallet
5. The hire presents this credential during account setup — before their corporate credentials exist
6. Entra accepts the credential as proof of identity; account is provisioned
At MFA re-enrollment (e.g., lost key, new device), the same Face Check flow can be required before a Temporary Access Pass is issued — eliminating the helpdesk social engineering vector entirely.
Identity Verifiers
Microsoft Entra Verified ID works with certified identity verification partners. Three are relevant for defense contractor and regulated commercial deployments:
| Verifier | Strengths | GCC High Available |
|---|---|---|
| Au10tix | Document authentication across 190+ countries; high-speed automated verification; proven in financial services and government | Yes |
| IDEMIA | Deep US government heritage (TSA PreCheck, DoD CAC programs); biometric accuracy; supports PIV/CAC credential linkage | Yes |
| TrueCredential | Purpose-built for Microsoft Entra Verified ID; native integration with Entra External ID and MyAccess workflows | Yes |
All three integrate with Entra via the Verified ID SDK. The verification result is returned as a claim in the Verified Credential — Entra can then gate account provisioning, TAP issuance, or access package assignment on a verified identity claim.
Inbound HR Provisioning
Automate account creation and deprovisioning by connecting your HR system of record to Entra via inbound provisioning:
| HR System | Connector |
|---|---|
| Workday | Entra Workday Inbound Provisioning |
| SAP SuccessFactors | Entra SAP SuccessFactors Inbound Provisioning |
| Any HR system with a CSV/API export | Entra API-driven provisioning |
The provisioning mapping determines which HR attributes flow into Entra: department, job title, manager, country, contract end date. Critically, map the worker type field (employee vs. contractor) — this drives group membership, license assignment, and whether Entitlement Management routes the user through a verification workflow.
Lifecycle Workflows automate the actions that accompany these HR events:
| HR Event | Automated Action |
|---|---|
| New hire created | Send welcome email; assign licenses; add to onboarding groups; trigger Verified ID enrollment |
| Transfer (department/role change) | Remove old group memberships; add new groups; trigger access review for changed access |
| Termination | Disable account; revoke sessions; remove group memberships; remove licenses; retain account for 30 days for audit |
| Contract end date reached | Same as termination — triggered by contractEndDate attribute from HR system |
- GCC High (CMMC)
- Commercial
US Person Verification
CMMC requires that access to CUI be limited to authorized users. For defense contractors, "authorized" often has an additional constraint: US Persons only. This is not directly enforced by Entra, but the combination of Verified ID (government document verification) and HR provisioning attributes (employeeCountry, citizenship) creates an auditable basis for US Person access controls.
Implement a Conditional Access policy that requires membership in an sg-us-persons security group as a condition for accessing CUI-scoped applications. Maintain group membership via HR provisioning — only employees with citizenship = US or workAuthorization = US Person in the HR system flow into this group automatically.
The Face Check / IDEMIA verification at onboarding provides the government document basis for that HR attribute — creating a defensible chain: government-verified ID → HR attribute → security group → Conditional Access → CUI access.
CMMC Control Mapping
| NIST Control | Entra Governance Capability |
|---|---|
| 3.1.1 — Limit access to authorized users | HR provisioning + Lifecycle Workflows enforce account existence only for active personnel |
| 3.1.2 — Limit access to authorized processes | Entitlement Management scopes access packages to verified user populations |
| 3.9.1 — Screen individuals before access | Verified ID + Face Check provides government document-backed identity verification at onboarding |
| 3.9.2 — Terminate access upon separation | Lifecycle Workflow on HR termination event; revokes sessions within minutes of HR record update |
KYC and Regulatory Onboarding
For financial services (GLBA), healthcare (HIPAA), and higher education (FERPA), Verified ID + Face Check addresses Know Your Customer (KYC) and identity proofing requirements at account creation.
NIST SP 800-63-3 IAL2 (Identity Assurance Level 2) requires remote identity proofing using a validated identity evidence source. Au10tix or IDEMIA document verification + Face Check liveness detection satisfies IAL2 without requiring an in-person proofing event — enabling fully remote onboarding of high-trust accounts (financial advisors, HIPAA covered entity employees, student financial aid access).
NIST SP 800-171 Rev. 3 Control Mapping
| Control | Entra Governance Capability |
|---|---|
| 3.1.1 — Authorized access | HR provisioning scopes accounts to active personnel only |
| 3.9.1 — Screen individuals | Verified ID at onboarding; Face Check for account recovery |
| 3.9.2 — Terminate access | Lifecycle Workflow automation on HR termination |
Privileged Identity Management
Standing administrative access — accounts that are always Global Administrator, always Exchange Administrator, always have write access to production — is the single largest blast radius risk in any M365 tenant. A compromised credential with standing Global Admin access compromises the entire tenant immediately. Privileged Identity Management (PIM) eliminates standing access by replacing it with time-bound, approval-gated, just-in-time elevation.
Eligible vs. Active Assignments
The core PIM concept is the distinction between eligible and active assignments:
| Assignment Type | What It Means | When to Use |
|---|---|---|
| Eligible | The user can activate the role but does not hold it permanently. Activation requires MFA, optional approval, and produces an audit record. | All privileged roles for named admins |
| Active | The user holds the role permanently. No activation step required. | Break-glass accounts only; emergency access only |
| Active (time-bound) | Active assignment that expires after a set duration. | Temporary elevated access for a project or audit period |
The goal is zero standing active assignments for any role that can modify security configuration, add credentials to accounts, or access sensitive data at scale.
Roles That Must Be PIM-Gated
- GCC High (CMMC)
- Commercial
In a CMMC environment, the following roles must have no standing active assignments — all named admins must be eligible only:
| Role | Blast Radius if Compromised |
|---|---|
| Global Administrator | Full tenant takeover |
| Privileged Role Administrator | Can assign any role, including Global Admin |
| Security Administrator | Can modify Conditional Access, disable MFA |
| User Access Administrator | Can grant any Azure RBAC role |
| Exchange Administrator | Full mailbox access across all users |
| SharePoint Administrator | Full document library access |
| Intune Administrator | Can push malicious device configurations |
| Application Administrator | Can add credentials to any app registration |
| Authentication Administrator | Can reset MFA for non-privileged users |
Active (standing) assignments should exist only for break-glass accounts — two or more cloud-only accounts with Global Admin, excluded from all Conditional Access policies, credentials stored in a physical safe, and monitored for any sign-in via an Azure Monitor alert.
CMMC Control Mapping
| NIST Control | PIM Capability |
|---|---|
| 3.1.5 — Least privilege | Eligible-only assignments; no standing admin access |
| 3.1.6 — Non-privileged accounts for non-privileged functions | PIM requires separate activation step — admins use standard account for daily work |
| 3.1.15 — Privileged remote access | PIM activation requires phishing-resistant MFA; activation is logged in Entra audit log |
| 3.3.1 — Audit records | Every PIM activation generates an audit log entry: who activated, which role, duration, justification |
| 3.3.2 — Audit review | PIM alerts on activation of high-sensitivity roles; integrate with Sentinel for SOC review |
For commercial tenants, apply PIM at minimum to the top-tier roles (Global Admin, Privileged Role Admin, Security Admin) and to any role with access to regulated data (Exchange Admin for HIPAA environments, SharePoint Admin for GLBA document repositories).
NIST SP 800-171 Rev. 3 Control Mapping
| Control | PIM Capability |
|---|---|
| 3.1.5 — Least privilege | Eligible-only assignments eliminate standing access |
| 3.1.6 — Non-privileged accounts | Separate activation step enforces use of standard account for daily work |
| 3.3.1 — Audit records | PIM activation log provides timestamped record of every privilege use |
PIM Activation Settings
Configure these settings per role in Entra ID → Identity Governance → Privileged Identity Management → Entra ID roles → [Role] → Settings:
| Setting | Recommended Value |
|---|---|
| Maximum activation duration | 4 hours (Global Admin); 8 hours (workload-specific roles) |
| Require MFA on activation | Yes — phishing-resistant method required |
| Require justification on activation | Yes — justification text written to audit log |
| Require approval | Yes for Global Admin and Privileged Role Admin; No for workload roles (reduces friction) |
| Approvers | Security team lead; at least two approvers configured so no single person is a bottleneck |
| Send notifications | Yes — email to approvers and role owners on every activation |
Access Reviews for Privileged Roles
PIM eligible assignments should be reviewed quarterly. Configure Access Reviews in Entra ID Governance:
- Entra ID → Identity Governance → Access reviews → New access review
- Scope: Team + Application → Entra ID roles → select all roles with eligible assignments
- Reviewers: Manager of each user (or designated Security Officer if manager is not appropriate)
- Recurrence: Quarterly
- Upon completion: Auto-remove access if reviewer does not respond (deny-by-default)
The access review report is direct evidence for compliance assessors and auditors reviewing privilege management controls.
PIM for Azure Resource Roles
PIM also covers Azure RBAC roles on Azure Government subscriptions — not just Entra directory roles. Apply the same eligible-only policy to:
- Owner on any subscription containing session hosts, storage accounts, or Key Vault instances
- Contributor on resource groups containing sensitive workloads
- Key Vault Administrator on any Key Vault holding tenant encryption keys
Entitlement Management
Entitlement Management governs what access a user can request, who approves it, how long it lasts, and who reviews it periodically. It is particularly important for external users — contractors, auditors, partner personnel — who need access to specific resources but must not have the ability to self-provision broader access.
Access Packages
An access package bundles the resources a role needs — SharePoint sites, Teams, application roles, security groups — into a single requestable unit. A contractor working on a specific contract vehicle gets one access package; a government auditor gets a different, more restricted one.
Access package components:
| Component | What It Controls |
|---|---|
| Resource roles | SharePoint site access level, Team membership, app role assignments |
| Policy | Who can request, who approves, how long access lasts |
| Lifecycle | Expiration date; access review schedule; auto-extend or auto-expire |
| Catalog | Organizational grouping of packages (e.g., "Project Resources", "IT Operations") |
External User Access Packages
The most important use case for Entitlement Management in a regulated environment is controlling the external user lifecycle. Without it, B2B guests can be invited by any member, accumulate access over time, and remain in the tenant indefinitely after their engagement ends.
With Entitlement Management:
- External users can only gain access via a sponsored access package request — no ad-hoc invitations permitted (enforced via Entra External Collaboration Settings → restrict invitations to admins only)
- The access package policy specifies the exact resources the external user will receive — not broader SharePoint or Teams access
- Access expires automatically at the contract end date — no manual cleanup required
- An access review fires 30 days before expiration — the sponsor confirms whether access should be extended
- If the sponsor does not respond, access is removed automatically
- GCC High (CMMC)
- Commercial
CUI-Scoped External Access
For CMMC environments, external access packages should be scoped to the minimum resources needed for the contract scope:
| External User Type | Access Package Contents | Max Duration |
|---|---|---|
| Subcontractor (active contract) | Tented SharePoint site (CUI-Basic label); Teams channel | Contract end date |
| Government auditor / DCSA assessor | Read-only SharePoint site; no Teams | 90 days |
| Prime contractor program office | Specific document library; no email access | Contract period |
| Technical reviewer | Single SharePoint document library; view-only | 30 days |
Configure the access package policy to require connected organization approval — the external user's organization must be a pre-approved connected organization in Entra External Identities before their request can be submitted. This is the Entitlement Management equivalent of the DLP Allowed Domains list: only known partner tenants can request access.
Restricting Ad-Hoc Guest Invitations
In Entra ID → External Identities → External collaboration settings:
- Guest invite settings: set to
Only users assigned to specific admin roles can invite(orNo one in the organization can invite) - This forces all external access through Entitlement Management access packages — no backdoor invitations
CMMC Control Mapping
| NIST Control | Entitlement Management Capability |
|---|---|
| 3.1.1 — Limit access to authorized users | Access packages define the exact resources; auto-expiry removes access when engagement ends |
| 3.1.2 — Limit access to authorized processes | Package scope limits external users to specific sites/teams — not tenant-wide access |
| 3.1.3 — Control CUI flow | External packages scoped to CUI-labeled containers; combined with DLP Allowed Domains |
| 3.9.2 — Terminate access | Auto-expiry on contract end date; access review 30 days prior |
Vendor and Partner Access Governance
Commercial organizations face the same external access sprawl problem without a regulatory forcing function. Entitlement Management provides the governance structure that prevents contractor access from persisting after project completion.
Key policies for commercial environments:
- Time-limit all external access packages: maximum duration tied to contract or SOW end date
- Require internal sponsor: every external access request must have a named internal employee who is accountable for the access and receives the access review notification
- Separate catalogs by sensitivity: create distinct catalogs for general vendor access (SharePoint, Teams) and sensitive access (financial data, HR systems). Sensitive catalogs require manager or CISO approval.
- Access reviews quarterly: any external user with access longer than 90 days receives a quarterly review
NIST SP 800-171 Rev. 3 Control Mapping
| Control | Entitlement Management Capability |
|---|---|
| 3.1.1 — Authorized access | Access packages gate all external access behind approval |
| 3.1.2 — Authorized processes | Package scope limits external users to specific resource sets |
| 3.9.2 — Terminate access | Auto-expiry removes access without manual IT intervention |
Access Reviews for External Users
Configure a recurring access review specifically for external users with active access packages:
- Scope: All guest users across all catalogs
- Reviewers: Package sponsors (the internal employee who requested or approved the external access)
- Recurrence: Quarterly (or at contract expiry — whichever is sooner)
- Decisions: Approve to extend; Deny to remove; No response → auto-deny
- Notifications: Remind reviewers 7 days and 2 days before deadline
The access review completion report — including sponsor decisions and auto-denials — is direct audit evidence for compliance reviewers and auditors.
My Access Portal
myaccess.microsoft.com (commercial) / myaccess.microsoft.us (GCC High) is the self-service portal where users request access packages, view their current access, and extend or return access. For external users, the access package request link can be shared directly — the external user authenticates with their own organizational credentials and submits the request, which routes to the configured approvers without requiring IT involvement.
This eliminates the IT ticket workflow for access provisioning while maintaining full approval and audit trail.
📩 Don't Miss the Next Solution
Join the list to see the real-time solutions I'm delivering to my GCC High clients.