MS-102 | Chapter 90 of 104 | Objective 2.3

Entra ID Governance Portal

This chapter covers Microsoft Entra ID Governance Portal, a critical component of the Identity and Access Management domain. On the MS-102 exam, this topic appears in approximately 10-15% of questions, primarily under objective 2.3: Implement and manage identity governance. You will learn how to configure access reviews, entitlement management, and lifecycle workflows to enforce least-privilege access and automate identity lifecycle processes. Mastery of this portal is essential for passing the exam and for real-world Microsoft 365 administration.

25 min read
Intermediate
Updated May 31, 2026

Entra ID Governance as a Library Checkout System

Imagine a large public library with thousands of members and millions of books. Members can borrow books, but the library must ensure that only authorized people can check out books, that books are returned on time, and that membership is revoked when someone leaves the community. The library uses a computerized system: each member has a card with a barcode, and each book has a unique identifier. When a member checks out a book, the librarian scans both, and the system records that the member has the book and sets a due date. If the book is overdue, the system sends reminders. If a member moves away, the system automatically cancels their card and flags any books still checked out. The library also has special sections (like rare books) that require extra approval. In this analogy, the library system is Microsoft Entra ID Governance. Members are users, books are resources (groups, apps, SharePoint sites), the checkout process is access assignment, due dates are access reviews, and the automated cancellation is lifecycle workflows. Just as the library system prevents lost books and ensures compliance, Entra ID Governance prevents unauthorized access and enforces least privilege. The librarian’s scanning action is like an access review—verifying that each user still needs each book. The automated reminders and revocations are like Microsoft’s scheduled review tasks and automatic removal of stale access.

How It Actually Works

What is Entra ID Governance?

Microsoft Entra ID Governance is a set of capabilities within Microsoft Entra ID (formerly Azure Active Directory) that enables organizations to govern identity and access lifecycle at scale. It encompasses three main pillars: Entitlement Management, Access Reviews, and Lifecycle Workflows. The governance portal, accessible at https://entra.microsoft.com under Identity Governance, provides a unified interface to configure and monitor these features.

Why It Exists

Traditional identity management often relies on manual processes for granting and revoking access, leading to security risks (over-privileged users) and compliance gaps. Entra ID Governance automates these processes, ensuring that users have only the access they need, when they need it, and that access is regularly certified. This is critical for meeting regulatory requirements like SOX, HIPAA, and GDPR.

How It Works Internally

Entra ID Governance operates through a combination of policies, workflows, and scheduled tasks. At its core, it uses the Microsoft Graph API to interact with directory objects. For example, an access review creates a review resource in the directory, assigns reviewers, and tracks decisions. When a review completes, the system processes the results (approve or deny) and automatically removes or retains access based on the decisions.

Entitlement Management uses catalogs and access packages. A catalog is a container for related resources (groups, apps, SharePoint sites). An access package defines which resources a user can request, the approval workflow, and the expiration policy. When a user requests access, the system triggers an approval workflow (via Microsoft Entra Identity Governance approvals). If approved, the system automatically assigns the user to the underlying resources (e.g., adds the user to a group).

Lifecycle Workflows are automated workflows triggered by events (e.g., new hire, leave, move). They can execute tasks like sending a welcome email, assigning a temporary access pass, or disabling an account. Workflows are defined using a JSON-based definition and run on a schedule or in near real-time.

Key Components, Values, Defaults, and Timers

- Access Reviews:
  - Review scope: Can be all users, specific users, or group members.
  - Review recurrence: One-time, weekly, monthly, quarterly, or annually. Default is one-time.
  - Duration (in days): The review must be completed within this period; after that, the review is stopped and decisions are auto-applied (if configured). Default is 30 days.
  - Auto-apply: If enabled, decisions are applied automatically after the review duration expires. Default is disabled.
  - Decision helpers: The system can provide recommendations (based on sign-in activity) to reviewers.

- Entitlement Management:
  - Catalogs: Each catalog has a unique ID. Resources are added to catalogs.
  - Access Packages:
    - Expiration: Access can expire after a set number of days (default 365) or on a specific date.
    - Approval stages: Up to 2 approval stages. Default is 1 stage.
    - Requestor must be approved: Default is yes.
  - Connected organizations: External organizations that can request access. Configured via a list of domains.

- Lifecycle Workflows:
  - Trigger types: employeeHire, employeeLeave, employeeMove.
  - Tasks:
    - sendEmail (sends a custom email)
    - addUserToGroup
    - removeUserFromGroup
    - enableUserAccount
    - disableUserAccount
    - generateTemporaryAccessPass
  - Execution conditions: Workflows can be scheduled to run at a specific time (e.g., 5 days after hire) or immediately.

Configuration and Verification Commands

Using Microsoft Graph PowerShell:

# Connect to Microsoft Graph with the three governance scopes
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "AccessReview.ReadWrite.All", "LifecycleWorkflows.ReadWrite.All"

# List access review definitions
Get-MgIdentityGovernanceAccessReviewDefinition | Select-Object Id, DisplayName, Status

# Create an access package in an existing catalog. Look up the catalog ID first;
# the v1.0 cmdlet takes the catalog as an object (-Catalog @{ Id = ... }), not a -CatalogId string.
$catalogId = (Get-MgEntitlementManagementCatalog -Filter "displayName eq 'General'").Id
New-MgEntitlementManagementAccessPackage -DisplayName "Sales Access" -Catalog @{ Id = $catalogId }

# Get lifecycle workflows (the workflow object exposes IsEnabled; there is no State property)
Get-MgIdentityGovernanceLifecycleWorkflow | Select-Object Id, DisplayName, IsEnabled

Using Azure CLI:

az rest --method get --uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"

Interaction with Related Technologies

Microsoft Entra ID Governance integrates with Microsoft Entra ID (user directory), Microsoft 365 Groups, Teams, SharePoint Online, and Azure AD applications.

It uses Microsoft Graph API for all operations.

Identity Protection can feed risk signals into access reviews (e.g., flag risky users for review).

Privileged Identity Management (PIM) can be used to provide just-in-time privileged access, but governance covers broader access.

Step-by-Step: Configuring an Access Review

1. Navigate to Entra admin center > Identity Governance > Access reviews.
2. Click "New access review".
3. Select what to review (e.g., Microsoft 365 group).
4. Set scope: All users or specific users.
5. Set recurrence: Quarterly, duration 30 days.
6. Specify reviewers: Group owner(s) or selected users.
7. Enable auto-apply and decision helpers.
8. Click "Create".

The review will appear in the reviewer's My Access portal. After completion, the system applies decisions (e.g., remove denied users from the group).
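The portal steps above produce a Microsoft Graph accessReviewScheduleDefinition. The following is an added example (not the chapter's own code or a Microsoft sample) that builds that request body from the same choices (group scope, group owners as reviewers, quarterly recurrence, 30-day duration, auto-apply, decision helpers) and lints it for the short-duration misconfiguration the chapter warns about; the group ID is a placeholder, and the body is what you would send with `az rest --method post` or `Invoke-MgGraphRequest` to `/identityGovernance/accessReviews/definitions`.

```python
import json
from datetime import date, timedelta

# Chapter recurrence options mapped onto Graph recurrencePattern values.
# A one-time review carries no pattern, only a start/end date range.
RECURRENCE = {
    "one-time": None,
    "weekly": {"type": "weekly", "interval": 1},
    "monthly": {"type": "absoluteMonthly", "interval": 1},
    "quarterly": {"type": "absoluteMonthly", "interval": 3},
    "annually": {"type": "absoluteMonthly", "interval": 12},
}


def build_group_review(group_id, display_name, recurrence="one-time",
                       duration_days=30, auto_apply=False,
                       recommendations=True, start_date="2026-07-01"):
    """Return the JSON body for POST /identityGovernance/accessReviews/definitions."""
    key = recurrence.lower()
    if key not in RECURRENCE:
        raise ValueError(f"unsupported recurrence: {recurrence}")
    pattern = RECURRENCE[key]
    start = date.fromisoformat(start_date)
    if pattern:
        rng = {"type": "noEnd", "startDate": start.isoformat()}
    else:  # one-time: the single instance ends when the duration runs out
        rng = {"type": "endDate", "startDate": start.isoformat(),
               "endDate": (start + timedelta(days=duration_days)).isoformat()}
    return {
        "displayName": display_name,
        # Scope: transitive members of the group; reviewers: the group's owners.
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [
            {"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}
        ],
        "settings": {
            "instanceDurationInDays": duration_days,
            "autoApplyDecisionsEnabled": auto_apply,   # applied after the duration expires
            "recommendationsEnabled": recommendations,  # "decision helpers" in the portal
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            # With auto-apply on, unreviewed users get the default decision (Deny here).
            "defaultDecisionEnabled": auto_apply,
            "defaultDecision": "Deny" if auto_apply else "None",
            "recurrence": {"pattern": pattern, "range": rng},
        },
    }


def lint_review(body):
    """Return warnings for settings the chapter flags as risky."""
    s = body["settings"]
    warnings = []
    if s["autoApplyDecisionsEnabled"] and s["instanceDurationInDays"] < 14:
        warnings.append("duration under 14 days with auto-apply: missed reviews revoke access")
    if not s["reminderNotificationsEnabled"]:
        warnings.append("reminders disabled: reviewers are likely to miss the deadline")
    if s["autoApplyDecisionsEnabled"] and not s["defaultDecisionEnabled"]:
        warnings.append("auto-apply without a default decision leaves unreviewed users untouched")
    return warnings


if __name__ == "__main__":
    body = build_group_review("<finance-group-id>", "Finance quarterly review",
                              "quarterly", 30, auto_apply=True)
    print(json.dumps(body, indent=2))
    print("warnings:", lint_review(body))
```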

Step-by-Step: Creating an Access Package

1. Go to Identity Governance > Entitlement management > Catalogs.
2. Create a new catalog or use default.
3. Add resources (e.g., a group) to the catalog.
4. Create a new access package in the catalog.
5. Define resource roles (e.g., member of group).
6. Set approval: Require manager approval.
7. Set expiration: 180 days.
8. Publish the access package.
9. Users can request through the My Access portal.

Lifecycle Workflows Example

1. Go to Lifecycle workflows > Workflows.
2. Create a workflow for "employeeHire".
3. Add tasks: Send welcome email, enable user account, add user to "All Employees" group.
4. Set execution schedule: Run 1 day after hire.
5. Enable the workflow.
6. When a new user is provisioned (via HR source), the workflow triggers automatically.

Walk-Through

1. Configure an Access Review

Navigate to Microsoft Entra admin center > Identity Governance > Access reviews. Click 'New access review'. Choose what to review (e.g., Azure AD role, group, or application). Select scope: 'All users' or 'Specific users'. Set recurrence (e.g., Quarterly) and duration (default 30 days). Specify reviewers (e.g., group owners). Optionally enable auto-apply and recommendations. Click 'Create'. The system creates a review resource in the directory, assigns reviewers, and sends email notifications. Reviewers complete the review via the My Access portal. After the duration expires, the system processes decisions: if auto-apply is enabled, denied users are automatically removed from the resource. The system logs all actions in the audit log.

2. Create an Access Package

Go to Identity Governance > Entitlement management > Catalogs. Create a new catalog (or use default). Add resources: groups, teams, apps, or SharePoint sites. Then create a new access package in the catalog. Define resource roles (e.g., member of a group). Configure approval: up to 2 stages. Set expiration policy (e.g., 180 days). Optionally set access reviews for the package. Publish the package. Users can request access via the My Access portal (https://myaccess.microsoft.com). The system triggers approval workflows, and upon approval, automatically assigns the user to the resources. The system also tracks expiration and can auto-renew or revoke.

3. Set Up a Lifecycle Workflow

Navigate to Lifecycle workflows > Workflows. Click 'Create workflow'. Choose a trigger: employeeHire, employeeLeave, or employeeMove. Add one or more tasks from the list (e.g., send email, add to group, disable account). Configure execution conditions: e.g., run 7 days after hire. Set scope: all users or a specific group. Review and create. The workflow is stored as a JSON definition in the directory. When the trigger event occurs (e.g., a user is created with a specific attribute), the system evaluates conditions and executes tasks. Workflows run on a schedule (e.g., daily) or near real-time. Monitor execution via the workflow history.

4. Review and Certify Access

As a reviewer, you receive an email notification to review access. Click the link to go to My Access portal. You see a list of users and their access. For each user, you can approve or deny. The system may show a recommendation (e.g., 'Deny' if user hasn't signed in for 90 days). You can add a justification. After you submit, the system records your decision. If auto-apply is enabled, after the review period ends, the system automatically removes denied users. If not, an administrator must manually apply decisions. The audit log records all reviewer actions.

5. Audit Governance Activities

All governance actions are logged in the Microsoft Entra audit log. Navigate to Identity > Monitoring & health > Audit logs. Filter by category 'AccessReview' or 'EntitlementManagement' or 'LifecycleWorkflows'. You can see who created a review, who approved a request, and what changes were made. Use the audit log to troubleshoot and prove compliance. The logs are retained for 30 days (default) but can be exported to Azure Monitor for longer retention. Common audit events: 'Create access review', 'Update access review', 'Apply review decision', 'Assign user to access package', 'Workflow execution completed'.
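To make the audit-log step concrete, here is an added example (not from the chapter or from Microsoft) that triages an exported audit log: it keeps only the three governance categories named above, counts events per category, and raises findings for failed workflow runs, access-package assignments to guest accounts (whose UPNs carry the #EXT# marker, a prompt to confirm the connected organization), and review decisions applied manually by a person. The field names follow the Graph directoryAudit shape; the five records are constructed samples, not tenant data.

```python
import json
from collections import Counter

GOVERNANCE_CATEGORIES = {"AccessReview", "EntitlementManagement", "LifecycleWorkflows"}

# Constructed sample export (JSON lines); the UPNs and names are placeholders.
SAMPLE_LOG = """\
{"activityDateTime":"2026-06-01T09:00:00Z","category":"AccessReview","activityDisplayName":"Create access review","result":"success","initiatedBy":{"user":{"userPrincipalName":"admin@contoso.example"}},"targetResources":[{"displayName":"Finance quarterly review"}]}
{"activityDateTime":"2026-07-01T10:00:00Z","category":"AccessReview","activityDisplayName":"Apply review decision","result":"success","initiatedBy":{"app":{"displayName":"Access Reviews"}},"targetResources":[{"displayName":"bob@contoso.example"}]}
{"activityDateTime":"2026-07-02T11:00:00Z","category":"EntitlementManagement","activityDisplayName":"Assign user to access package","result":"success","initiatedBy":{"app":{"displayName":"Entitlement Management"}},"targetResources":[{"displayName":"carol_fabrikam.example#EXT#@contoso.example"}]}
{"activityDateTime":"2026-07-03T02:00:00Z","category":"LifecycleWorkflows","activityDisplayName":"Workflow execution completed","result":"failure","initiatedBy":{"app":{"displayName":"Lifecycle Workflows"}},"targetResources":[{"displayName":"Onboard new hire"}]}
{"activityDateTime":"2026-07-03T03:00:00Z","category":"UserManagement","activityDisplayName":"Update user","result":"success","initiatedBy":{"user":{"userPrincipalName":"admin@contoso.example"}},"targetResources":[{"displayName":"dave@contoso.example"}]}
"""


def parse_records(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor(rec):
    """Name the initiator: a user's UPN, or the service that acted on its own."""
    who = rec.get("initiatedBy", {})
    if "user" in who:
        return who["user"].get("userPrincipalName", "unknown-user")
    return who.get("app", {}).get("displayName", "unknown-app")


def triage(records):
    """Return (per-category counts, findings) for the governance categories only."""
    counts = Counter()
    findings = []
    for rec in records:
        if rec.get("category") not in GOVERNANCE_CATEGORIES:
            continue
        counts[rec["category"]] += 1
        targets = [t.get("displayName", "") for t in rec.get("targetResources", [])]
        name = rec["activityDisplayName"]
        if rec.get("result") != "success":
            findings.append(f"{rec['category']}: '{name}' failed for {targets}")
        # Guest assignments: confirm the guest's domain is an approved connected organization.
        if name == "Assign user to access package" and any("#EXT#" in t for t in targets):
            findings.append(f"EntitlementManagement: guest assignment {targets} by {actor(rec)}")
        # A person applying decisions means auto-apply was off; check that matches the review settings.
        if name == "Apply review decision" and "user" in rec.get("initiatedBy", {}):
            findings.append(f"AccessReview: decisions applied manually by {actor(rec)}")
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage(parse_records(SAMPLE_LOG))
    print(dict(counts))
    for f in findings:
        print("-", f)
```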

What This Looks Like on the Job

Enterprise Scenario 1: Quarterly Access Certification for Finance Team

A multinational corporation must comply with SOX by certifying access to its financial systems every quarter. The company uses Entra ID Governance to create quarterly access reviews for the Finance department's group. The review is set to recur every 3 months with a duration of 30 days. Reviewers are the Finance managers. The system auto-applies decisions after the period ends. The company also enables recommendations based on last sign-in activity. In production, this review covers 500 users and 10 groups. The review process reduces manual effort by 80% and ensures compliance. A common misconfiguration is setting the duration too short (e.g., 7 days), causing managers to miss the deadline and auto-apply to revoke access incorrectly. The correct approach is to set the duration to at least 14 days and enable reminders.

Enterprise Scenario 2: Self-Service Access for Contractors

A tech company uses Entitlement Management to allow external contractors to request access to specific projects. They create a catalog called 'Project X' with a group and a SharePoint site. An access package is published with a two-stage approval: first by the project lead, then by the security team. Access expires after 90 days and can be renewed for another 90 days with a new approval. Contractors request via My Access portal. The system automatically provisions access within minutes. The challenge is managing connected organizations: the company must add the contractor's domain to the allowed list. Without this, external users cannot request. Also, expiration must be enforced to prevent lingering access; a common mistake is setting expiration to 'never'.

Scenario 3: Automated User Lifecycle for New Hires

A large enterprise with 10,000 employees uses Lifecycle Workflows to automate onboarding. When a new hire is created in the HR system (Workday) and synchronized to Entra ID, the 'employeeHire' workflow triggers after 1 day. It sends a welcome email, enables the user account, and adds the user to the 'All Employees' group. For offboarding, an 'employeeLeave' workflow disables the account after 7 days and removes the user from all groups. The workflows run on a daily schedule. A common issue is that the workflow fails if the user object doesn't have the correct attributes (e.g., 'employeeHireDate' not set). The admin must ensure HR sync populates these attributes. Also, workflows cannot remove the user from dynamic groups; they only work with assigned groups.
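The scenario's two failure modes (a user object without employeeHireDate, and an addUserToGroup task aimed at a dynamic group) are easy to reproduce in a dry run. The following is an added example, not the chapter's own or Microsoft's code, that evaluates a 1-day-after-hire joiner workflow against a constructed directory snapshot and reports which users would be processed and which would be skipped; the users, groups, and run date are all constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed directory snapshot; in a tenant these come from Graph /users and /groups.
USERS = [
    {"userPrincipalName": "ana@contoso.example", "employeeHireDate": "2026-07-06T00:00:00Z"},
    {"userPrincipalName": "ben@contoso.example", "employeeHireDate": "2026-07-01T00:00:00Z"},
    {"userPrincipalName": "cy@contoso.example"},  # HR sync never populated the attribute
]
GROUPS = {
    "All Employees": {"groupTypes": []},  # assigned membership
    "Marketing-Dynamic": {"groupTypes": ["DynamicMembership"],
                          "membershipRule": "department eq 'Marketing'"},
}
JOINER_TASKS = ["sendEmail", "enableUserAccount", "addUserToGroup"]


def _hire_day(user):
    """employeeHireDate as a calendar date, or None when the attribute is absent."""
    raw = user.get("employeeHireDate")
    if not raw:
        return None
    return datetime.fromisoformat(raw.replace("Z", "+00:00")).date()


def plan_run(users, groups, run_date, target_group, offset_days=1):
    """Dry-run the employeeHire workflow for one daily run.

    A user is due when employeeHireDate + offset_days equals run_date.
    Returns (plan, problems): plan lists (upn, tasks) that would execute,
    problems lists users the workflow cannot process and why.
    """
    run_day = datetime.fromisoformat(run_date).date()
    plan, problems = [], []
    for u in users:
        upn = u["userPrincipalName"]
        hire = _hire_day(u)
        if hire is None:
            problems.append(f"{upn}: employeeHireDate not set; the trigger never fires")
            continue
        if hire + timedelta(days=offset_days) != run_day:
            continue  # not due on this run
        if "DynamicMembership" in groups[target_group].get("groupTypes", []):
            problems.append(f"{upn}: '{target_group}' is dynamic; addUserToGroup cannot add members")
            continue
        plan.append((upn, [t if t != "addUserToGroup" else f"addUserToGroup:{target_group}"
                           for t in JOINER_TASKS]))
    return plan, problems


if __name__ == "__main__":
    plan, problems = plan_run(USERS, GROUPS, "2026-07-07", "All Employees")
    print("would run:", plan)
    print("problems:", problems)
```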

How MS-102 Actually Tests This

What MS-102 Tests

Objective 2.3: Implement and manage identity governance. The exam focuses on:

Configuring access reviews: scope, recurrence, duration, auto-apply, reviewers, recommendations.

Creating and managing access packages: catalogs, resources, roles, approval, expiration, connected organizations.

Lifecycle workflows: triggers (employeeHire, employeeLeave, employeeMove), tasks, execution conditions.

Troubleshooting common issues: why a review didn't apply, why an access package request failed, why a workflow didn't run.

Common Wrong Answers and Why Candidates Choose Them

1. Wrong answer: 'Access reviews can be set to automatically remove access immediately after a reviewer denies.' Why chosen: Candidates think auto-apply means instant removal. Reality: auto-apply only applies after the review duration expires, not immediately.

2. Wrong answer: 'Entitlement management requires Azure AD Premium P2 licenses for all users.' Why chosen: Candidates confuse it with PIM. Reality: Entitlement management requires P2 licenses only for users who are active in governance (e.g., reviewers, requestors). Not all users need P2.

3. Wrong answer: 'Lifecycle workflows can trigger on user attribute changes.' Why chosen: Candidates think any change can trigger. Reality: Only three predefined triggers (hire, leave, move) are supported.

4. Wrong answer: 'Access package expiration can be set to never expire.' Why chosen: Candidates think it's an option. Reality: Expiration is required; you can set a long duration (e.g., 3650 days) but not 'never'.

Specific Numbers and Terms on the Exam

Access review default duration: 30 days.

Maximum approval stages in access package: 2.

Lifecycle workflow triggers: employeeHire, employeeLeave, employeeMove.

Access review recurrence options: One-time, Weekly, Monthly, Quarterly, Annually.

Connected organizations: used for B2B collaboration in entitlement management.

My Access portal URL: https://myaccess.microsoft.com.

Edge Cases and Exceptions

Access reviews for dynamic groups: The review will show the membership at the time the review started; if membership changes during the review, it may cause inconsistencies.

Access packages: If a user is removed from a group manually (outside the package), the package still shows them as having access; the next review will detect the discrepancy.

Lifecycle workflows: If a user is deleted and recreated, the workflow might not trigger again if the same event is detected as duplicate.

How to Eliminate Wrong Answers

If a question mentions 'immediate removal', look for 'auto-apply' as a distractor; immediate removal is not possible without manual action.

If a question asks about licensing, remember that only active participants in governance need P2, not all users.

If a question mentions 'custom triggers' for lifecycle workflows, it's wrong; only three predefined triggers exist.

Key Takeaways

Access reviews default duration is 30 days; auto-apply applies decisions only after duration expires.

Entitlement management access packages require expiration; you cannot set 'never'.

Lifecycle workflows support exactly three triggers: employeeHire, employeeLeave, employeeMove.

Maximum approval stages in access packages is 2.

Connected organizations are required for external users to request access packages.

My Access portal URL is https://myaccess.microsoft.com.

Only users actively involved in governance (requestors, approvers, reviewers) need Azure AD P2 licenses.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Access Reviews

Focuses on certifying existing access (attestation).

Reviewer-based: managers or owners decide whether access should continue.

Can be one-time or recurring (weekly, monthly, quarterly, annually).

Results in removal of access if denied by reviewer.

Used for compliance and auditing of current access.

Entitlement Management

Focuses on granting new access (request and approval).

Requestor-based: users request access, and approvers grant it.

Access is time-limited with expiration policies.

Results in assignment of access if approved.

Used for self-service access and provisioning.

Watch Out for These

Mistake

Access reviews can automatically remove access immediately after a reviewer denies a user.

Correct

Auto-apply only applies decisions after the review duration expires (default 30 days). There is no immediate removal; the change occurs when the review completes.

Mistake

All users in the tenant must have Azure AD Premium P2 licenses to use Entitlement Management.

Correct

Only users who actively participate in governance (e.g., request access, approve, review) need P2 licenses. Regular users who never use governance features do not need P2.

Mistake

Lifecycle workflows can trigger on any user attribute change, such as department update.

Correct

Lifecycle workflows only support three predefined triggers: employeeHire, employeeLeave, and employeeMove. Custom triggers based on attribute changes are not supported.

Mistake

Access packages can be configured with no expiration, granting permanent access.

Correct

Expiration is mandatory. You can set a long duration (e.g., 3650 days) but not 'never'. Access must expire at some point.

Mistake

Access reviews can be assigned to any user, including external users, as reviewers.

Correct

Reviewers must be internal users (members or guests) who have the necessary permissions. External users cannot be assigned as reviewers unless they are B2B guests with appropriate roles.


Frequently Asked Questions

What is the difference between an access review and an access package?

An access review is a certification process where reviewers approve or deny existing access for users. It is used to remove stale or inappropriate access. An access package is a set of resources that users can request, with approval and expiration policies. Access reviews are for attestation; access packages are for provisioning. Both are part of Entra ID Governance.

Can I use Entra ID Governance without Azure AD Premium P2 licenses?

No. Entra ID Governance features (access reviews, entitlement management, lifecycle workflows) require Azure AD Premium P2 licenses for users who actively participate. However, not all users in the tenant need P2; only those who request access, approve, or review. Read-only users do not need P2.

How do I set up an access review for a dynamic group?

You can create an access review for a dynamic group just like any other group. However, the review will capture the membership at the time the review is started. If membership changes during the review, the review results may not reflect the latest membership. It's recommended to use assigned groups for reviews to avoid inconsistencies.

What happens if a reviewer does not respond before the access review ends?

If auto-apply is enabled, the system will apply the default decision (usually 'Deny' if not responded) after the review duration expires. If auto-apply is disabled, the administrator must manually apply the decisions. The review status will show as 'Completed' but decisions are not enforced until applied.

Can lifecycle workflows be triggered manually?

No. Lifecycle workflows are triggered automatically based on the predefined triggers (employeeHire, employeeLeave, employeeMove). There is no manual trigger option. However, you can test a workflow by using the 'Test' feature in the portal, which simulates the trigger without affecting real users.

How do I enable external users to request access packages?

First, add the external user's domain as a connected organization in Entitlement Management. Then, when creating the access package, ensure that 'New users not in the directory' are allowed to request. The external user will receive an email with a link to the My Access portal where they can sign in with their external identity.

What is the maximum duration for an access package expiration?

The maximum expiration duration is 3650 days (10 years). However, best practice is to set shorter durations (e.g., 90-180 days) and allow renewal. Expiration is mandatory; you cannot set 'no expiration'.
