This chapter covers Identity Governance and Entitlement Management in Microsoft 365, a critical topic for the MS-900 exam. These technologies help organizations control who has access to what, enforce least privilege, and automate access lifecycle. Expect about 10-15% of exam questions to touch on governance, access reviews, and entitlement management concepts. Understanding the difference between identity governance and identity administration is key to passing.
Imagine a large public library that has thousands of books, each with a different sensitivity level: some are publicly available, others are restricted to certain members. The library uses a key system: each member gets a keycard that grants access to specific rooms and bookshelves. The library manager (identity governance) defines policies: who can access which books, for how long, and under what conditions. When a member wants to borrow a restricted book, they must present their keycard at the desk. The librarian checks the card against the policy database (entitlement management): does this member have permission? If yes, the librarian logs the access, sets a due date, and hands over the book. The keycard itself doesn't contain all permissions; it's just an identifier. The real permissions are stored in the library's central system. If a member's role changes (e.g., from student to staff), the manager updates the policies, and the next time the member tries to access a restricted book, the system enforces the new rules. This decoupling of identity (keycard) from entitlements (database) is exactly how Azure AD Identity Governance works: users have identities, but their access rights are managed through policies, access reviews, and entitlement management access packages. The library also periodically reviews who holds access to rare books; this is an access review. A member who hasn't borrowed a rare book in a year shows up as inactive on the reviewer's list, the reviewer denies them, and their access is removed when the review closes. This mirrors Microsoft's access reviews, which flag inactive users to reviewers and, with auto-apply enabled, remove the access of everyone who is denied.
What is Identity Governance?
Identity governance is the process of managing and controlling user identities and their access to resources throughout the identity lifecycle. It encompasses policies, processes, and technologies that ensure the right people have the right access to the right resources at the right time. In Microsoft 365, identity governance is delivered through Azure Active Directory (Azure AD) Identity Governance, which includes entitlement management, access reviews, privileged identity management (PIM), and terms of use. Microsoft has since renamed Azure AD to Microsoft Entra ID and markets these features as Microsoft Entra ID Governance; current documentation and portals use the new names, and this chapter uses the Azure AD names the exam objectives were written against.
Why Identity Governance Matters for MS-900
The MS-900 exam focuses on the fundamentals of Microsoft 365, including security and compliance. Identity governance is a core component of the 'Security and Compliance' domain (objective 3.3: Describe identity governance and entitlement management). Microsoft expects candidates to understand the key capabilities, use cases, and how these features help organizations meet compliance requirements.
Entitlement Management
Entitlement management is a feature of Azure AD Identity Governance that enables organizations to manage the entire access lifecycle — from requesting access to reviewing and removing access. It automates access request workflows, approvals, and periodic reviews. Key components:
Catalogs: Containers that group related resources (e.g., apps, groups, SharePoint sites). Catalogs are managed by catalog owners who can add resources and delegate access management.
Access Packages: Define the resources (from one or more catalogs) that a user can get access to, along with policies for requesting, approving, and reviewing access. Each access package has one or more assignment policies.
Assignment Policies: Specify who can request access (users in the directory, users from connected organizations, or direct assignment by an administrator), approval requirements (none, single-stage, or multi-stage, with specific approvers), how long access lasts (no expiration, a fixed number of days, or a specific end date), and the access review schedule for assignments made under the policy.
Connected Organizations: External Azure AD tenants or domains that can be added as partners. Users from connected organizations can request access to access packages.
Access Reviews: Periodic reviews of user access to ensure only authorized users retain access. Reviews can be done by group owners, app owners, or selected reviewers. Results can be automatically applied (remove access for denied users).
How Entitlement Management Works Internally
When a user requests access to an access package:
1. The user submits a request via the My Access portal (https://myaccess.microsoft.com).
2. The request is evaluated against the assignment policy: does the user meet its criteria (for example, membership of a specific group, or belonging to a connected organization)?
3. If approval is required, the request is routed to the designated approver(s), who approve or deny it. A request nobody acts on is denied automatically when the approval stage's timeout expires.
4. After approval, the system provisions access to the resources defined in the access package: it adds group memberships, app role assignments, and SharePoint site permissions. Provisioning can be immediate or scheduled for a start date.
5. At the end of the access duration, or after a review denies access, the system deprovisions the same access: the user is removed from the groups, app assignments are deleted, and site permissions are revoked.
Access Reviews
Access reviews are a core governance feature that allows organizations to periodically verify that users still need their access. Reviews can be scheduled (e.g., quarterly) or triggered manually. Key settings:
Scope: Choose which users to review (e.g., members of a group, users assigned to an app, users with privileged roles).
Reviewers: Can be group owners, app owners, selected users, or the users themselves (self-review).
Duration: How long reviewers have to complete the review.
Auto-apply: If enabled, results are automatically applied after review ends — denied users lose access.
Recurrence: Set frequency (e.g., weekly, monthly, quarterly, annually).
Privileged Identity Management (PIM)
PIM provides just-in-time (JIT) privileged access to Azure AD roles and Azure resources. Key features:
Activation: Users must activate their role assignment for a limited time (e.g., 1 hour) with justification and optional approval.
Approval: Role activation can require approval from designated approvers.
Audit: All activations are logged for auditing.
Time-bound: Assignments are either eligible (the user must activate the role before using it) or active (usable immediately), and either kind can be permanent or time-bound with an end date. Eligible, time-bound assignments give the least standing privilege.
Terms of Use
Organizations can present terms of use (ToU) policies to users before granting access to applications. Users must accept the ToU before accessing the resource. ToU can be versioned and require re-acceptance periodically.
Identity Governance Lifecycle
The identity governance lifecycle includes:
1. Provisioning: create the identity and grant initial access.
2. Access requests: users request additional access as needed.
3. Access reviews: periodic reviews to validate that access is still needed.
4. De-provisioning: remove access when it is no longer needed (for example, when an employee leaves).
Integration with Other Microsoft 365 Services
Microsoft 365 Groups: Access packages can include group membership. When access is granted, user is added to the group; when revoked, removed.
SharePoint Online: Access packages can include SharePoint site membership.
Enterprise Applications: Access packages can include assignments to enterprise apps (SaaS apps, custom apps).
Azure AD Roles: PIM manages privileged role assignments.
Compliance and Reporting
Identity governance features help meet compliance standards like SOC 2, ISO 27001, and GDPR by providing:
- Audit logs: all access requests, approvals, and review decisions are logged.
- Reports: who has access to what, review history, and assignment history.
- Automation: less manual effort and fewer human errors.
Licensing Requirements
Entitlement management: Requires Azure AD Premium P2 licenses (or, in current naming, Microsoft Entra ID Governance) for member users who request, are assigned, approve, or review access packages. External (B2B guest) users from connected organizations do not consume these licenses; they are billed under the external identities monthly-active-user model, which has a free tier.
Access reviews: Requires Azure AD Premium P2 for users who are reviewed or who perform reviews.
PIM: Requires Azure AD Premium P2.
Terms of use: Requires Azure AD Premium P1 or P2.
Configuration Examples
To create an access package with the Microsoft Graph PowerShell SDK (the AzureAD and AzureADPreview modules and their New-AzureADMS* cmdlets are retired; $catalogId is the ID of an existing catalog):
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All","AccessReview.ReadWrite.All"
New-MgEntitlementManagementAccessPackage -BodyParameter @{
    displayName = "Salesforce Access"
    description = "Access to Salesforce app"
    catalog     = @{ id = $catalogId }   # a package must live inside a catalog
}
To create a recurring access review of a group's members, reviewed by the group's owners ($groupId is the group's object ID):
New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter @{
    displayName = "Quarterly Review of Sales Group"
    scope       = @{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"; query = "/groups/$groupId/transitiveMembers"; queryType = "MicrosoftGraph" }
    reviewers   = @(@{ query = "./owners"; queryType = "MicrosoftGraph" })   # the reviewed group's owners
    settings    = @{
        instanceDurationInDays    = 14        # each instance stays open for 14 days
        autoApplyDecisionsEnabled = $true     # denied users are removed when the instance ends
        defaultDecisionEnabled    = $true
        defaultDecision           = "Deny"    # users nobody reviews are treated as denied
        recurrence = @{ pattern = @{ type = "absoluteMonthly"; interval = 3 }; range = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") } }
    }
}
Default Values and Limits
Maximum number of access packages per catalog: 30.
Maximum number of catalogs per tenant: 30.
Access review duration default: 30 days (can be set 1-180 days).
PIM activation maximum duration: configurable per role; the default is 8 hours, and it can be set anywhere between 30 minutes and 24 hours.
Terms of use expiration: can be set to never, annually, or on a specific date.
Service limits change over time; confirm the catalog and access package figures against the current Microsoft Entra service limits page before relying on them in a design.
Common Exam Traps
Trap 1: Confusing entitlement management with PIM. Entitlement management is for general access, PIM is for privileged roles.
Trap 2: Thinking access reviews require Premium P1. They require P2.
Trap 3: Assuming external users need licenses for entitlement management. They do not.
Trap 4: Believing that access packages can only contain one resource. They can contain multiple resources from one or more catalogs.
Create a Catalog
Navigate to Azure AD > Identity Governance > Entitlement Management > Catalogs. Click 'New catalog'. Provide a name and description. Optionally, add resource owners as catalog owners. Catalogs are containers that hold resources (groups, apps, SharePoint sites). Only catalog owners can add resources to the catalog. A tenant can have up to 30 catalogs.
Add Resources to Catalog
In the catalog, click 'Resources' and add the desired resources: Microsoft 365 groups, enterprise applications, or SharePoint Online sites. Each resource must be added once; it can be used in multiple access packages within the same catalog. Resources cannot be removed if they are referenced by an access package.
Create an Access Package
In the catalog, click 'Access packages' and then 'New access package'. Specify a name, description, and select the resources from the catalog. Configure assignment policies: who can request (users in directory, users from connected organizations, or direct assignment), approval settings (single or multi-stage, with specific approvers), and access duration (days, months, or specific end date).
Configure Access Review
In the access package, under 'Access reviews', create a review schedule. Set the scope (all users or specific groups), reviewers (group owner, app owner, selected users, or self-review), duration, recurrence (weekly, monthly, quarterly, annually), and auto-apply settings. Access reviews ensure continued justification for access.
User Requests Access
Users access the My Access portal (https://myaccess.microsoft.com) and browse available access packages. They select the desired package, provide justification, and submit. The request is evaluated against the assignment policy. If approval is required, the request is sent to the approver. After approval, the system provisions access to the resources (adds user to groups, assigns apps, etc.).
Review and Revoke Access
At the end of the access duration or when an access review concludes with a 'deny' decision, the system automatically deprovisions access. The user is removed from groups, app assignments are deleted, and SharePoint site permissions are removed. Audit logs capture all changes.
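The catalog, resource, access package, and policy steps above, carried out end to end with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance module), as an added example; it is not code from the original page or from Microsoft's documentation. The group ID and approver ID are placeholders, the display names, the 180-day expiry, the 14-day approval timeout and the quarterly review schedule are assumptions chosen to match Scenario 1 below, and the module is assumed to be installed and the listed permission consented.

```powershell
# Added example: catalog -> resource -> access package -> role scope -> assignment policy
# with the Microsoft Graph PowerShell SDK. IDs below are placeholders, not real objects.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

$groupId    = "00000000-0000-0000-0000-000000000001"   # placeholder: Microsoft 365 group to grant
$approverId = "00000000-0000-0000-0000-000000000002"   # placeholder: project manager who approves

# 1. Create the catalog. Only catalog owners (and governance admins) may add resources to it.
$catalog = New-MgEntitlementManagementCatalog -DisplayName "Project X" `
    -Description "Resources for Project X contractors" -State "published"

# 2. Add the group to the catalog. A resource is added once and then reused by any package in the catalog.
New-MgEntitlementManagementResourceRequest -BodyParameter @{
    requestType = "adminAdd"
    resource    = @{ originId = $groupId; originSystem = "AadGroup" }
    catalog     = @{ id = $catalog.Id }
} | Out-Null

# Role scopes refer to the catalog's copy of the resource, so look that object up after the add.
$resource = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $catalog.Id `
    -Filter "originSystem eq 'AadGroup' and originId eq '$groupId'"

# 3. Create the access package inside the catalog (a package cannot exist outside one).
$package = New-MgEntitlementManagementAccessPackage -BodyParameter @{
    displayName = "Contractor - Project X"
    description = "Project X group membership for contractors"
    catalog     = @{ id = $catalog.Id }
}

# 4. Bind the group's Member role to the package. For AadGroup resources the role originId is "Member_<groupId>".
New-MgEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $package.Id -BodyParameter @{
    role  = @{ originId = "Member_$groupId"; displayName = "Member"; originSystem = "AadGroup"; resource = @{ id = $resource.Id } }
    scope = @{ originId = $groupId; originSystem = "AadGroup" }
} | Out-Null

# 5. Assignment policy: who may request, who approves, how long access lasts, and the recurring review.
New-MgEntitlementManagementAssignmentPolicy -BodyParameter @{
    displayName        = "Contractors (approved, 180 days, quarterly review)"
    description        = "Requests from connected organizations; PM approval; expires after 180 days"
    allowedTargetScope = "allConfiguredConnectedOrganizationUsers"     # external users from connected orgs only
    accessPackage      = @{ id = $package.Id }
    expiration         = @{ type = "afterDuration"; duration = "P180D" } # ISO 8601; access is removed automatically
    requestorSettings  = @{
        enableTargetsToSelfAddAccess    = $true
        enableTargetsToSelfUpdateAccess = $false
        enableTargetsToSelfRemoveAccess = $true
        allowCustomAssignmentSchedule   = $false    # requestors cannot ask for a longer window than the policy allows
    }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd    = $true
        isApprovalRequiredForUpdate = $false
        stages = @(@{
            durationBeforeAutomaticDenial   = "P14D"  # unanswered requests are denied, not left pending forever
            isApproverJustificationRequired = $true
            isEscalationEnabled             = $false
            primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approverId })
        })
    }
    reviewSettings = @{
        isEnabled                       = $true
        expirationBehavior              = "removeAccess"   # fail closed when a reviewer does not respond
        isRecommendationEnabled         = $true            # shows sign-in inactivity to the reviewer
        isReviewerJustificationRequired = $true
        isSelfReview                    = $false           # contractors do not review themselves
        primaryReviewers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approverId })
        schedule = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString("o")
            expiration    = @{ type = "afterDuration"; duration = "P14D" }   # each review instance stays open 14 days
            recurrence    = @{
                pattern = @{ type = "absoluteMonthly"; interval = 3; month = 0; dayOfMonth = 0; daysOfWeek = @() }
                range   = @{ type = "noEnd"; numberOfOccurrences = 0 }
            }
        }
    }
}
```

Two settings here are the ones that matter for least privilege: durationBeforeAutomaticDenial makes an ignored request fail closed instead of sitting open, and expirationBehavior = "removeAccess" makes an ignored review fail closed as well. Leave either at "keep" semantics and stale access survives exactly the way the analogy at the top of the chapter warns about.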
Scenario 1: Onboarding Contractors
A large enterprise regularly hires contractors for 6-month projects. Using entitlement management, they create an access package 'Contractor - Project X' that includes a Microsoft 365 group, a SharePoint site, and a Salesforce app. The assignment policy requires approval from the project manager and sets access duration to 6 months. A connected organization is created for the contracting company's Azure AD tenant. Contractors request access via My Access, get approved, and automatically receive access. After 6 months, access expires and is revoked. This eliminates manual provisioning and reduces security risks from stale accounts.
Scenario 2: Quarterly Access Reviews for Compliance
A financial services company must comply with SOX regulations requiring quarterly reviews of access to sensitive financial systems. They configure access reviews for all users assigned to the 'Financial Systems' enterprise app. Reviews are assigned to the app owner. The review recurs quarterly, with auto-apply enabled. Reviewers see a list of users and must approve or deny each. Denied users are automatically removed from the app. The company passes audits with detailed review history.
Scenario 3: Just-in-Time Privileged Access
An IT department uses PIM to manage the Azure AD Global Administrator role. Instead of permanent assignments, eligible admins must activate the role for up to 2 hours with a ticket number. Activation requires approval from the security team. All activations are logged and reported monthly. This reduces the attack surface by ensuring there is no standing privileged access. Misconfiguration: the activation maximum duration defaults to 8 hours when a role's settings are first opened; leaving it there (or raising it toward the 24-hour ceiling) means one approved activation covers a whole working day and defeats the purpose of JIT. Best practice: set the duration to the minimum required for the task, and require MFA, justification and a ticket number on activation so every elevation is attributable.
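Scenario 3 configured through the Microsoft Graph PowerShell SDK, as an added example that is not from the original page or from Microsoft's documentation: tighten the Global Administrator role settings (2-hour activation, MFA plus justification plus ticket, approval by the security team), make an admin eligible rather than permanently assigned, show the activation request that admin later submits, and pull the monthly activation report from the directory audit log. The security team group ID, the admin user ID and the ticket number are placeholders; the Global Administrator template ID is Microsoft's fixed value; the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Reports modules and the listed permissions are assumed to be installed and consented.

```powershell
# Added example: PIM role settings, eligible assignment, activation and reporting for Global Administrator.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory",
                        "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory",
                        "AuditLog.Read.All"

$gaRoleId            = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template (fixed)
$securityTeamGroupId = "00000000-0000-0000-0000-000000000003"   # placeholder: approvers
$adminUserId         = "00000000-0000-0000-0000-000000000004"   # placeholder: admin to make eligible

# 1. Find the role management policy that governs Global Administrator at tenant scope ("/").
$assignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$gaRoleId'"
$policyId = $assignment.PolicyId

# Every rule names a target; EndUser / Assignment means "what an eligible user may do when activating".
$endUserActivation = @{ caller = "EndUser"; operations = @("all"); level = "Assignment"
                        inheritableSettings = @(); enforcedSettings = @() }

# 2. Activation window: the default is 8 hours; cut it to 2 hours. Longer requests are rejected by PIM.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT2H"
        target               = $endUserActivation
    }

# 3. Require MFA, a justification and a ticket number on every activation.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("MultiFactorAuthentication", "Justification", "Ticketing")
        target        = $endUserActivation
    }

# 4. Require approval from the security team before an activation takes effect.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
        id            = "Approval_EndUser_Assignment"
        target        = $endUserActivation
        setting       = @{
            isApprovalRequired               = $true
            isApprovalRequiredForExtension   = $false
            isRequestorJustificationRequired = $true
            approvalMode                     = "SingleStage"
            approvalStages = @(@{
                approvalStageTimeOutInDays      = 1       # unanswered activation requests expire
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers    = @(@{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $securityTeamGroupId })
                escalationApprovers = @()
            })
        }
    }

# 5. Make the admin eligible (no standing access) for 180 days; the role is unusable until activated.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "Tier-0 operator; eligible only, JIT activation enforced by role policy"
    roleDefinitionId = $gaRoleId
    directoryScopeId = "/"
    principalId      = $adminUserId
    scheduleInfo     = @{ startDateTime = (Get-Date).ToUniversalTime(); expiration = @{ type = "afterDuration"; duration = "P180D" } }
} | Out-Null

# 6. What the admin runs to activate (as that user). Omitting ticketInfo or asking for more than PT2H
#    is refused by the policy above; a valid request then waits for the security team's approval.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "selfActivate"
    principalId      = $adminUserId
    roleDefinitionId = $gaRoleId
    directoryScopeId = "/"
    justification    = "Rotate break-glass account credentials"
    ticketInfo       = @{ ticketNumber = "CHG0042"; ticketSystem = "ServiceNow" }   # placeholder ticket
    scheduleInfo     = @{ startDateTime = (Get-Date).ToUniversalTime(); expiration = @{ type = "afterDuration"; duration = "PT2H" } }
}

# 7. Monthly report: completed PIM activations in the last 30 days, who performed them and for which role.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -All -Filter ("category eq 'RoleManagement' and " +
        "activityDisplayName eq 'Add member to role completed (PIM activation)' and activityDateTime ge $since") |
    Select-Object ActivityDateTime,
        @{ n = "Actor"; e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = "Role";  e = { ($_.TargetResources | Where-Object Type -eq "Role").DisplayName } }
```

Steps 2 to 4 are the controls, step 5 is the least-privilege posture (eligible, time-bound, nothing standing), and step 7 is the evidence an auditor asks for. Run the report against the policy: an activation in the audit log with no matching ticket, or a count of activations that looks like someone keeping the role warm all day, is the signal that the 2-hour window is being worked around rather than respected.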
Common Pitfalls in Production
Licensing: Forgetting that entitlement management requires P2 licenses for internal users. External users do not need licenses.
Catalog Limits: Exceeding 30 catalogs or 30 access packages per catalog. Plan accordingly.
Reviewer Assignment: Assigning wrong reviewers (e.g., group owner instead of app owner) leads to inaccurate reviews.
Auto-apply: Enabling auto-apply without testing can accidentally revoke critical access. Always test with a pilot group first.
MS-900 Objective 3.3: Describe identity governance and entitlement management
The exam tests your understanding of the purpose and capabilities of Azure AD Identity Governance features. You must know:
Entitlement management: What it is (manages access lifecycle), key components (catalogs, access packages, assignment policies, connected organizations).
Access reviews: Purpose (periodic verification of access), settings (scope, reviewers, recurrence, auto-apply).
Privileged Identity Management (PIM): Just-in-time access, activation, approval, time-bound roles.
Terms of use: Presenting policies to users before granting access.
Common Wrong Answers and Why
'Entitlement management requires Azure AD Premium P1.' Wrong — it requires P2. P1 includes self-service group management but not entitlement management.
'Access reviews can only be done by the resource owner.' Wrong — reviewers can be group owners, app owners, selected users, or self-review.
'PIM is used to manage access to all applications.' Wrong — PIM is for privileged roles (Azure AD roles and Azure resources), not general app access.
'External users need a P2 license to use entitlement management.' Wrong — external users from connected organizations do not need licenses.
Specific Numbers and Terms on the Exam
Licensing: Premium P2 for entitlement management, access reviews, PIM. Premium P1 for terms of use.
Maximum catalogs per tenant: 30.
Maximum access packages per catalog: 30.
PIM activation maximum duration: configurable per role; default 8 hours, settable between 30 minutes and 24 hours.
Access review duration default: 30 days (range 1-180 days).
My Access portal URL: https://myaccess.microsoft.com.
Edge Cases and Exceptions
Guest users: B2B guest users can be included in access packages and do not consume Azure AD Premium P2 licenses; they are billed under the external identities monthly-active-user model, which has a free tier. Only member users of the tenant who request, are assigned, approve, or review access packages need P2.
Access package with no resources: Not allowed — must have at least one resource.
Deleting a catalog: Cannot delete if it contains access packages. Must remove all packages first.
PIM activation for Azure resources: Supports management groups, subscriptions, resource groups, and individual resources.
How to Eliminate Wrong Answers
If the question mentions 'just-in-time' or 'privileged roles', the answer is PIM, not entitlement management.
If the question mentions 'periodic review of access', the answer is access reviews.
If the question mentions 'catalogs' and 'access packages', the answer is entitlement management.
Pay attention to licensing: P1 vs P2. P2 is required for governance features.
Identity governance in Microsoft 365 is delivered via Azure AD Identity Governance, which includes entitlement management, access reviews, PIM, and terms of use.
Entitlement management automates the access lifecycle using catalogs, access packages, and assignment policies.
Access reviews allow periodic verification of access; they require Azure AD Premium P2.
PIM provides just-in-time privileged access to Azure AD roles and Azure resources; also requires P2.
Terms of use require Azure AD Premium P1 or P2.
External users from connected organizations do not need licenses for entitlement management.
My Access portal (https://myaccess.microsoft.com) is where users request and manage their access.
Maximum of 30 catalogs per tenant and 30 access packages per catalog.
PIM activation maximum duration is configurable per role: the default is 8 hours, and it can be set between 30 minutes and 24 hours.
Access review default duration is 30 days (can be 1-180 days).
These come up on the exam all the time. Here's how to tell them apart.
Entitlement Management
Manages access to general resources: groups, apps, SharePoint sites.
Uses access packages with assignment policies.
Supports access requests, approvals, and periodic reviews.
Requires Azure AD Premium P2.
Users get access for a defined duration (e.g., 30 days).
Privileged Identity Management (PIM)
Manages privileged access to Azure AD roles and Azure resources.
Uses role assignments with activation (just-in-time).
Supports activation with justification and optional approval.
Requires Azure AD Premium P2.
Users activate roles for a short time (e.g., 1 hour).
Access Reviews
Periodic review of existing access to verify need.
Can be performed on groups, apps, or roles.
Reviewers approve or deny each user's access.
Auto-apply removes denied users.
Requires Azure AD Premium P2.
Entitlement Management
Manages the entire access lifecycle: request, approval, provisioning, review, removal.
Uses access packages to bundle resources.
Includes assignment policies and connected organizations.
Access reviews can be part of an access package policy.
Requires Azure AD Premium P2.
Mistake
Entitlement management is the same as Azure AD Privileged Identity Management.
Correct
Entitlement management manages access to general resources (groups, apps, sites), while PIM manages privileged access to Azure AD roles and Azure resources. They are separate features with different use cases.
Mistake
Access reviews require Azure AD Premium P1 license.
Correct
Access reviews require Azure AD Premium P2. P1 does not include access reviews.
Mistake
External users need an Azure AD Premium P2 license to be included in an access package.
Correct
External users from connected organizations do not need a license. Only internal users who are members of the tenant need a P2 license.
Mistake
Access packages can only contain one resource.
Correct
Access packages can contain multiple resources from one or more catalogs, such as groups, apps, and SharePoint sites.
Mistake
Once an access review is completed, changes are applied immediately.
Correct
Changes are applied after the review duration ends (if auto-apply is enabled) or manually by an administrator. There is a delay (up to 24 hours) for provisioning/deprovisioning.
Entitlement management manages access to general resources like groups, apps, and SharePoint sites. It uses access packages that bundle resources with policies for request, approval, and review. PIM manages privileged access to Azure AD roles (e.g., Global Administrator) and Azure resources. PIM provides just-in-time activation with time-limited assignments. Both require Azure AD Premium P2, but they serve different purposes: entitlement for everyday access, PIM for elevated privileges.
No, external (B2B guest) users from connected organizations do not require an Azure AD Premium P2 license. The P2 requirement applies to member users of the tenant who request, are assigned, approve, or review access packages. Guest users are billed under the external identities monthly-active-user model, which has a free tier, rather than through per-user P2 licenses.
If auto-apply is enabled, the system automatically removes the user's access to the resources in the scope of the review. For example, if the review is on a group membership, the user is removed from the group. If auto-apply is disabled, an administrator must manually apply the results. The removal is logged in Azure AD audit logs.
Entitlement management can grant access to cloud resources only: Microsoft 365 groups, enterprise applications (SaaS apps, custom apps integrated with Azure AD), and SharePoint Online sites. For on-premises resources, you would need to integrate them with Azure AD (e.g., via Azure AD Application Proxy or group writeback) or use other tools.
The My Access portal (https://myaccess.microsoft.com) is a web-based interface where users can request access to access packages, view their current access, and perform self-service access reviews. It is the user-facing component of entitlement management. Administrators can customize the portal's branding and policies.
Provisioning is typically near-instant (within a few minutes), but it can take up to 24 hours in some cases, depending on the resource type and system load. For groups, it's usually fast; for enterprise apps, it may take longer if the app requires synchronization.
No, access packages must belong to a catalog. You must create a catalog first, add resources to it, and then create access packages within that catalog.