SC-900 | Chapter 103 of 103 | Objective 2.3

Identity Governance in Microsoft Entra

This chapter covers identity governance in Microsoft Entra, a critical component of the SC-900 exam domain 'Identity Access' (Objective 2.3). Identity governance ensures that the right people have the right access to the right resources at the right time, and that access is regularly reviewed and certified. Approximately 15-20% of exam questions touch on identity governance concepts, including entitlement management, access reviews, and Privileged Identity Management. Mastering this topic is essential for understanding how organizations enforce least-privilege principles and comply with regulatory requirements.

25 min read | Intermediate | Updated May 31, 2026

Identity Governance as a Library Checkout System

Imagine a large public library with thousands of books and hundreds of members. The library doesn't just give every member a key to the building and let them take any book indefinitely. Instead, it has a structured checkout system. Each member gets a library card (their identity). When they borrow a book, the librarian records who took it, which book, and the due date (access assignment and entitlement). The library has rules: some books are reference only and cannot leave the building (sensitive roles), others can be borrowed for two weeks, with a maximum of five books at a time (access policies and limits). Periodically, the librarian reviews the checkout records: if a book is overdue, they send a reminder (access review). If a member hasn't borrowed anything in a year, their card is deactivated (automated lifecycle management). If a member moves to a different city, their card is revoked (deprovisioning). The library also has a policy that every checkout must be approved by a senior librarian if the book is rare (approval workflow). This entire system — from issuing cards, setting borrowing rules, reviewing who has what, and revoking access when no longer needed — is exactly what identity governance does in Microsoft Entra. It ensures that the right people have the right access to the right resources for the right reasons, and that access is continuously validated and cleaned up.

How It Actually Works

What Is Identity Governance?

Identity governance is the set of policies, processes, and technologies that manage who has access to what resources, why they have it, and whether that access remains appropriate over time. In Microsoft Entra, identity governance encompasses several capabilities: entitlement management, access reviews, Privileged Identity Management (PIM), terms of use, and identity lifecycle management. The goal is to automate the request, approval, assignment, review, and revocation of access, reducing the risk of excessive permissions and ensuring compliance with regulations like GDPR, SOX, and HIPAA.

Why Identity Governance Exists

Before identity governance, organizations often granted access manually or through static group memberships. Once granted, access was rarely reviewed, leading to 'permission creep' — users accumulating more access than they need. This creates security risks (e.g., an employee who left still has access) and compliance risks (e.g., auditors cannot prove access is appropriate). Identity governance automates these processes: access requests go through approval workflows, access is time-limited, and periodic reviews ensure only current, necessary access remains.

How Identity Governance Works Internally

Microsoft Entra identity governance is built on top of Entra ID (formerly Azure AD). It uses several key components:

Entitlement Management: This feature enables organizations to manage access to groups, applications, and SharePoint Online sites through access packages. An access package is a bundle of resources that a user can request. The request goes through an approval workflow, and access is automatically assigned for a defined duration. After the duration expires, access is automatically removed.

Access Reviews: These are recurring campaigns where reviewers (often managers or resource owners) certify whether users still need access. If a reviewer does not respond within a configurable period (default 30 days), the access can be automatically revoked. Access reviews can target groups, applications, or privileged roles.

Privileged Identity Management (PIM): PIM provides just-in-time (JIT) access to privileged roles in Entra ID, Azure resources, and other Microsoft services. Users must activate their role for a limited time (by default configurable from 1 to 8 hours, and up to 24 hours at most), and activation can require approval. PIM also generates audit logs for every activation.

Terms of Use: Admins can create PDF documents that users must accept before accessing certain resources. This is often used for compliance purposes, e.g., accepting data handling policies.

Lifecycle Workflows (Preview): These automate user lifecycle events such as onboarding, offboarding, and role changes. For example, when a new hire is created in an HR system, Lifecycle Workflows can automatically assign access packages, send welcome emails, and trigger access reviews.

Key Components, Values, Defaults, and Timers

Access Package: Contains one or more resource roles (e.g., membership in a group, access to an app). The default duration of an access package assignment is 365 days, but it can be customized. Access packages can require one or two stages of approval.

Access Review: Frequency can be weekly, monthly, quarterly, semi-annually, or annually. The default period for reviewers to respond is 30 days. If the reviewer does not respond, the action can be 'Approve', 'Deny', or 'Take no action' (which defaults to deny in some configurations).

PIM Activation: The maximum activation duration for Entra ID roles is 8 hours by default (configurable up to 24 hours for Azure roles). For Azure resource roles, it can be up to 8 hours. Activation requires multi-factor authentication (MFA) by default. An approval workflow can be required for certain roles.

Lifecycle Workflows: Tasks include 'Send email', 'Assign access package', 'Remove access package', 'Add to group', 'Remove from group'. Workflows can be triggered by user attribute changes (e.g., department change) or HR events (e.g., hire date).

Configuration and Verification Commands

While SC-900 does not require PowerShell, understanding configuration via the Microsoft Entra admin center is important. For example, to create an access package:

1. Navigate to Identity Governance > Entitlement Management > Access packages.
2. Click 'New access package'.
3. Specify name, description, and catalog.
4. Add resource roles (e.g., group membership).
5. Configure request settings: who can request (users in directory, external users), approval settings, and access duration.
6. Review and create.

To create an access review:

1. Go to Identity Governance > Access reviews.
2. Click 'New access review'.
3. Select what to review (e.g., group memberships, application assignments).
4. Set scope (all users or specific users).
5. Set schedule (frequency, start date, duration of review).
6. Configure auto-apply settings (if reviewer doesn't respond, deny access).
7. Review and create.

Interaction with Related Technologies

Identity governance integrates with:

Microsoft Entra ID: The core identity provider. All governance features rely on Entra ID for authentication and authorization.

Microsoft Purview Compliance Portal: Access reviews can be initiated from the compliance portal for compliance-related reviews.

Azure AD Identity Protection: Risk-based policies can trigger access reviews automatically.

Microsoft Graph API: All governance features can be automated via Graph API. For example, GET /identityGovernance/accessReviews/definitions lists access review definitions.

HR Systems: Lifecycle Workflows can integrate with HR systems like SAP SuccessFactors and Workday via HR provisioning.

Exam-Relevant Details

Access reviews can be self-review (users review their own access) or delegated review (manager or resource owner reviews).

PIM activation requires MFA by default. You can also require approval and justification.

Entitlement management supports connected organizations (external tenants) for B2B collaboration.

Terms of use must be in PDF format, up to 5 MB.

Lifecycle Workflows is currently in preview and requires an Entra ID P2 license.

Summary of Key Numbers

Access package default duration: 365 days

Access review default response period: 30 days

PIM default activation duration: 1 hour (configurable up to 24 hours for Azure roles)

Maximum PIM activation duration for Entra ID roles: 8 hours

Terms of use max file size: 5 MB

Lifecycle Workflows: Preview, requires Entra ID P2

Common Exam Traps

Trap: Thinking access reviews are only for privileged roles. Reality: Access reviews can be applied to any group or application assignment.

Trap: Believing PIM is only for Entra ID roles. Reality: PIM also supports Azure resource roles and other Microsoft services.

Trap: Assuming entitlement management requires a P2 license. Reality: Entitlement management requires an Entra ID P2 license, but some basic features may be available with P1.

Trap: Confusing access reviews with PIM activation approvals. Access reviews are periodic certifications; PIM activation approvals are per-request approvals for role activation.

Walk-Through

1. Create an Access Package

Navigate to Microsoft Entra admin center > Identity Governance > Entitlement Management > Access packages. Click 'New access package'. Provide a name (e.g., 'Salesforce Sales Team Access') and description. Select a catalog (a container for related access packages). Add resource roles: for example, select a security group that grants access to Salesforce, and assign the 'Member' role. Configure the policy: specify who can request (users in the directory, external users, or members of specific groups). Set approval settings: require one or two approvers. Set access duration (default 365 days). Optionally, enable 'Require access justification' and 'Require emergency access'. Review and create. The access package is now ready for users to request.

2. Request Access via My Access Portal

Users visit the My Access portal (https://myaccess.microsoft.com) and sign in. They see available access packages. They select the desired package and click 'Request'. They must provide a justification (if required). The request is submitted. The system creates an access request object and sends an email to the designated approvers. The request status appears as 'Pending Approval' in the user's My Access portal. The system uses Microsoft Entra ID to check if the user is eligible (e.g., if the policy restricts to certain groups). If eligible, the request proceeds; otherwise, it is denied immediately.

3. Approve or Deny Access Request

Approvers receive an email notification with a link to the My Access portal. They sign in and see pending requests. They can review the request details: user, access package, justification, and requested duration. They can approve or deny. If multi-stage approval is configured, the first approver must approve before the second approver sees the request. Approvers can also delegate approval to another user. If the approver does not respond within the configured duration (default 30 days), the request expires and is automatically denied. After approval, the system provisions access: the user is added to the underlying group or assigned the application role.

4. Periodic Access Review

An administrator creates an access review definition. For example, a quarterly review of all members of the 'Salesforce Sales Team' group. The review scope includes all members. The review is assigned to the group owner as reviewer. When the review starts, reviewers receive an email with a link to the My Access portal. They see each user and decide 'Approve' or 'Deny'. If the reviewer does not act within the review period (default 30 days), the system can automatically deny access. After the review ends, the results are applied: approved users retain access, denied users are removed from the group. The administrator can view the review history and export results for compliance.

5. Activate Privileged Role with PIM

A user eligible for a privileged role (e.g., Global Administrator) signs in to the Azure portal or uses the PIM activation page. They select the role and activate it. They must provide a justification and optionally a ticket number. MFA is required by default. They select activation duration (e.g., 4 hours). If approval is required, the request goes to designated approvers. After approval, the role is activated for the specified duration. The user now has elevated privileges. The activation is logged in the PIM audit history. When the duration expires, the role is deactivated automatically. The user can also deactivate manually earlier.

What This Looks Like on the Job

Enterprise Scenario 1: Onboarding New Employees

A large multinational company hires 500 new employees each month. Previously, IT manually added each new hire to dozens of groups and applications, taking days and often missing some. With identity governance, the company uses Lifecycle Workflows (preview) integrated with Workday HR. When a new hire is created in Workday, an automated workflow triggers: the user is provisioned in Entra ID, assigned to an access package containing all necessary resources (e.g., email, CRM, intranet), and a welcome email is sent. The access package has a 90-day duration, after which an access review is triggered. The manager must certify that the employee still needs access. This reduces onboarding time from days to minutes and ensures access is temporary unless reviewed. Performance: the system handles thousands of simultaneous provisioning actions without issue, as Entra ID is built for scale. Misconfiguration: if the access package duration is set too short, users lose access prematurely, causing productivity loss. If too long, compliance risk increases.

Enterprise Scenario 2: Contractor Offboarding

A consulting firm uses contractors who need access to client environments for 6 months. Using entitlement management, the firm creates an access package for each client project. Contractors request access, which is approved by the project manager. The access package has a 180-day duration. When the contract ends, the access expires automatically. Additionally, a quarterly access review of all contractors ensures that any who left early are removed. Without this, contractors often retained access long after their contract ended, posing a security risk. Common issue: if the access review auto-apply setting is misconfigured (e.g., set to 'Take no action' for non-responding reviewers), access is never revoked. The firm learned to set auto-apply to 'Deny' for non-response.
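The misconfiguration in this scenario is visible in the definition objects returned by the Graph endpoint mentioned earlier (GET /identityGovernance/accessReviews/definitions). The following is an added example, not code from the chapter or from Microsoft: it audits such definitions offline and simulates what happens to unreviewed users when a review instance ends. The payload is a constructed sample with placeholder ids; the property names (settings.autoApplyDecisionsEnabled, settings.defaultDecisionEnabled, settings.defaultDecision, settings.instanceDurationInDays) are assumed to follow the Graph accessReviewScheduleSettings resource.

```python
"""Audit access review definitions for the two failure modes described above:
results that are never applied, and a non-responding reviewer leaving access
in place. Added example, not code from the chapter or from Microsoft.

Constructed sample input, shaped like the JSON returned by
GET /identityGovernance/accessReviews/definitions. Property names are assumed
to follow the Graph accessReviewScheduleSettings resource; ids are placeholders."""
import json

SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "id": "PLACEHOLDER-DEFINITION-ID-1",
            "displayName": "Quarterly review - Salesforce Sales Team",
            "settings": {
                "instanceDurationInDays": 30,
                "autoApplyDecisionsEnabled": True,
                "defaultDecisionEnabled": True,
                "defaultDecision": "Deny",
            },
        },
        {
            "id": "PLACEHOLDER-DEFINITION-ID-2",
            "displayName": "Quarterly review - Contractors",
            "settings": {
                "instanceDurationInDays": 30,
                "autoApplyDecisionsEnabled": False,
                "defaultDecisionEnabled": False,
                "defaultDecision": "None",
            },
        },
    ]
})

def audit_definition(definition: dict) -> list[str]:
    """Return findings for one definition (an empty list means it is safe)."""
    settings = definition.get("settings", {})
    findings = []
    if not settings.get("autoApplyDecisionsEnabled", False):
        findings.append("auto-apply disabled: results are never applied")
    if (not settings.get("defaultDecisionEnabled", False)
            or settings.get("defaultDecision") != "Deny"):
        findings.append("non-response action is not 'Deny': "
                        "unreviewed users keep access")
    return findings

def audit_response(raw_json: str) -> dict[str, list[str]]:
    """Audit every definition in a Graph list response, keyed by displayName."""
    body = json.loads(raw_json)
    return {d["displayName"]: audit_definition(d) for d in body.get("value", [])}

def apply_review_outcome(decisions: dict[str, str], settings: dict) -> set[str]:
    """Users removed when a review instance ends.

    decisions maps user -> 'Approve', 'Deny' or 'NotReviewed'. With auto-apply
    off nothing is applied until an administrator acts; with the non-response
    action disabled, 'NotReviewed' users simply keep their access."""
    if not settings.get("autoApplyDecisionsEnabled", False):
        return set()
    default = (settings.get("defaultDecision", "None")
               if settings.get("defaultDecisionEnabled", False) else "None")
    removed = set()
    for user, decision in decisions.items():
        if decision == "NotReviewed":
            decision = default
        if decision == "Deny":
            removed.add(user)
    return removed

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_RESPONSE).items():
        print(f"{name}: {findings or ['ok']}")
```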

Enterprise Scenario 3: Privileged Access Management

A financial institution needs to comply with SOX regulations requiring that privileged access be time-limited and approved. They use PIM for all Entra ID roles (e.g., Global Admin, Exchange Admin) and Azure resource roles. Users must activate roles with MFA and justification. For high-risk roles like Global Admin, a second approval is required. All activations are logged and audited quarterly. The default activation duration is set to 4 hours, the maximum allowed for compliance. Misconfiguration: initially, they set activation duration to 8 hours for all roles, which auditors flagged as too long. They reduced it to 4 hours. Also, they forgot to require MFA for activation on some roles, which was a security gap quickly fixed. PIM audit logs are exported to a SIEM for real-time monitoring.

How SC-900 Actually Tests This

Exam Focus: Identity Governance in SC-900

Objective Code: Domain 2 (Identity Access), Objective 2.3: Describe the capabilities of identity governance in Microsoft Entra.

What SC-900 Tests: The exam expects you to understand the core concepts, not deep configuration. Focus on:

- Entitlement management: What it is, what an access package is, the request/approval flow, and that it supports external users (B2B).
- Access reviews: Purpose (periodic certification), types (self-review, delegated review), default duration (30 days), and auto-apply behavior.
- Privileged Identity Management (PIM): Just-in-time access, activation duration (default 1 hour, max 8 hours for Entra ID roles), MFA requirement, and approval workflows.
- Terms of use: PDF format, acceptance required before access.
- Lifecycle Workflows: Preview feature, automates onboarding/offboarding.

Common Wrong Answers and Why:

1. 'Access reviews are only for privileged roles.' Wrong – they can review any group or application assignment. Candidates confuse this with PIM.
2. 'PIM provides permanent access to roles.' Wrong – PIM provides temporary, just-in-time access. Candidates may think 'eligible assignment' means always active.
3. 'Entitlement management is available with Entra ID P1.' Wrong – it requires P2. Candidates often confuse licensing.
4. 'Terms of use can be any document format.' Wrong – only PDF, up to 5 MB.

Specific Values:

Access review default period: 30 days

PIM default activation duration: 1 hour (configurable up to 8 hours for Entra ID roles, up to 24 hours for Azure roles)

Access package default duration: 365 days

Terms of use max size: 5 MB

Edge Cases:

If a user is a member of multiple access packages that grant conflicting roles, the last assignment wins.

Access reviews can be applied to guests (external users) as well.

PIM activation can be approved by multiple stages (up to 2 approvers).

How to Eliminate Wrong Answers:

If an answer says 'permanent' or 'always on', it's likely wrong for PIM.

If an answer says 'only for internal users', it's wrong for entitlement management (supports B2B).

If an answer says 'requires manual removal', it's likely wrong because governance automates revocation.

Look for keywords like 'periodic', 'certification', 'just-in-time', 'time-limited' to identify correct answers.

Key Takeaways

Identity governance includes entitlement management, access reviews, PIM, terms of use, and lifecycle workflows.

Access reviews allow periodic certification of group memberships and application assignments; default review period is 30 days.

PIM provides just-in-time privileged access; default activation duration is 1 hour, max 8 hours for Entra ID roles.

Entitlement management uses access packages to bundle resources; default assignment duration is 365 days.

Terms of use must be PDF format, up to 5 MB, and users must accept before accessing resources.

Lifecycle Workflows (preview) automate user lifecycle events like onboarding and offboarding.

Entitlement management and PIM require an Entra ID P2 license.

Access reviews can be self-review, manager review, or delegated to resource owners.

PIM activation requires MFA by default; approval workflow can be added for extra security.

Identity governance helps enforce least privilege and supports compliance with regulations like GDPR and SOX.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Entitlement Management

Manages access to groups, apps, and sites via access packages

Access is typically long-term (default 365 days) with periodic reviews

Supports approval workflows for access requests

Can be used for both regular users and privileged roles (though PIM is better for privileged)

Integrates with My Access portal for self-service requests

Privileged Identity Management (PIM)

Manages just-in-time access to privileged roles (e.g., Global Admin)

Access is temporary (default 1 hour, max 8 hours for Entra ID roles)

Requires MFA and justification for activation; optional approval

Designed specifically for high-risk administrative roles

Provides activation history and alerts for suspicious activity

Watch Out for These

Mistake: Access reviews can only be performed by managers.

Correct: Access reviews can be delegated to resource owners, group owners, or even allow users to self-review their own access. The reviewer is configurable.

Mistake: Privileged Identity Management (PIM) is only for Azure AD roles.

Correct: PIM also supports Azure resource roles (e.g., Contributor, Owner at subscription level) and roles in other Microsoft services like Exchange Online.

Mistake: Entitlement management access packages require users to be in the same tenant.

Correct: Access packages can be configured to allow requests from users in other Microsoft Entra tenants (connected organizations) using B2B collaboration.

Mistake: Once an access review is completed, the results are automatically applied immediately.

Correct: The auto-apply setting can be configured to apply results after the review ends, but there is an optional grace period before removal. Also, administrators can choose not to auto-apply and instead process results manually.

Mistake: Lifecycle Workflows are generally available and fully supported.

Correct: Lifecycle Workflows are currently in preview. Microsoft recommends testing in non-production environments. Full GA may have different behavior.

Frequently Asked Questions

What is the difference between eligibility and activation in PIM?

Eligibility means a user is assigned a role but does not have active permissions. They must activate the role to gain temporary access. Activation requires MFA, justification, and possibly approval. Once activated, the user has the role for a limited time (default 1 hour). This differs from a permanent active assignment where the user always has the role. PIM allows both types: eligible and active. Eligible is the common choice for least privilege.

Can access reviews be automated?

Yes, access reviews are created as recurring campaigns (e.g., weekly, monthly, quarterly, annually). The system sends reminders to reviewers. If reviewers do not respond within the configured duration (default 30 days), the system can automatically deny access. The results are applied automatically if auto-apply is enabled. This makes the process largely automated, though human review is still required for decision making.

What licenses are required for identity governance features?

Entitlement management and PIM require Microsoft Entra ID P2 licenses for users. Access reviews require P2 licenses for the users being reviewed (or the reviewers, depending on scenario). Terms of use are available with any Entra ID license (Free, P1, P2). Lifecycle Workflows (preview) require P2 licenses. Some limited features may be available with P1, but the full governance suite needs P2.

How does identity governance handle external users (B2B)?

Entitlement management supports connected organizations. You can create an access package that allows users from a specific external tenant to request access. The external user authenticates with their home tenant and is granted a guest account in your tenant. Access reviews can also include guest users. PIM can manage guest access to privileged roles if needed. Terms of use can be presented to guests before access.

What happens if a reviewer does not respond to an access review?

The administrator can configure the 'action to take on non-response' setting. Options include 'Approve', 'Deny', or 'Take no action'. The default is often 'Deny' to enforce least privilege. The system will apply the chosen action after the review period ends. Additionally, the reviewer receives reminder emails (configurable frequency). If the reviewer never responds, the access is automatically revoked if set to 'Deny'.

Can PIM be used for Azure resources like VMs?

Yes, PIM supports Azure resource roles, such as Owner, Contributor, or Reader at subscription or resource group level. You can configure eligible assignments for these roles, require activation with MFA, and set maximum activation duration (up to 8 hours). This is especially useful for managing access to critical Azure infrastructure.

What is the difference between an access package and a group?

An access package is a container that bundles one or more resource roles (e.g., group membership, app role, SharePoint site access). It provides a governance wrapper: request/approval workflow, time-limited assignment, and access reviews. A group is just a collection of users. Access packages often use groups as underlying resources, but they add governance capabilities on top.
