This is Part 2 of our Microsoft Entra Identity series. Find Part 1 here, and look for a new installment every week.
Modern organizations face a growing challenge: how to manage user access securely and efficiently across cloud apps, on-premises systems, and hybrid environments, without slowing down the business. The old approach of static group memberships, manual onboarding, and ad hoc access reviews simply can’t keep up with today’s speed and scale.
That’s where Microsoft Entra ID Governance comes in — and recent updates have made it even more powerful and relevant.
While Microsoft is a newer entrant in the formal identity governance and administration (IGA) product category, it brings with it a deep legacy in identity and access management (IAM). For decades, organizations have relied on Microsoft tools like Active Directory (AD), Active Directory Federation Services (AD FS), and Microsoft Identity Manager (MIM) to anchor their identity infrastructure. Microsoft Entra ID Governance is the evolution of that heritage — reimagined for a modern, cloud-first world.
In this post, we’ll explore what’s new in Microsoft Entra ID Governance, why these changes matter, and how you can leverage them to strengthen your identity lifecycle, automate compliance, and simplify access decisions.
What Is Microsoft Entra ID Governance? – The Basics
Microsoft Entra ID Governance is Microsoft’s enterprise-grade identity governance solution built directly into the Microsoft Entra platform. It provides a policy-based, automated framework to ensure that the right people have the right access to the right resources — and only for as long as they need it.
Core capabilities include:
- Lifecycle Workflows
- Access Reviews
- Entitlement Management
- Privileged Identity Management (PIM)
- Separation of Duties (SoD) Controls (Preview)
- Access History and Decision Insights
And critically, it’s designed to be tightly integrated with Microsoft 365, Azure, and thousands of other connected applications via SCIM and API connectors.
What’s New in Microsoft Entra ID Governance?
As Microsoft continues to enhance the platform, here are some of the most impactful updates:
1. Lifecycle Workflows Enhancements
- Custom Extensions: Utilize Logic Apps to build advanced automation (e.g., provisioning accounts in downstream systems, sending notifications to external ticketing systems).
- Scheduled Workflow Triggers: Initiate flows based on relative dates (e.g., X days before/after hire date).
- Bulk Execution and Testing Support: Execute and test workflows in bulk, simplifying deployment at scale.
- Manage refresh tokens for mover and leaver scenarios with Lifecycle Workflows Using a built-in task in Lifecycle Workflows, you can now revoke refresh tokens of employees that separate from the company and should no longer have access to company resources or employees that have role changes and should no longer have access to the resources of the previous role.
- Entitlement Management suggested access packages in My Access portal: Provide users with the most relevant access packages, based on their peers’ access packages and previous assignments, eliminating the need to scroll through a long list of items.
2. Separation of Duties (SoD) Policies (Preview)
- Define incompatible role combinations (e.g., a user shouldn't have both "Approver" and "Requester" access).
- Prevent access assignment violations during entitlement requests or PIM activations.
- Utilize built-in policy templates for common governance scenarios.
3. Access Reviews for Groups and Apps
- Expanded to cover Microsoft 365 groups, dynamic groups, and service principals.
- Reviewers can now leverage Access History and Decision Insights to make informed decisions, including last login, recent app usage, and role assignment history.
4. Improved API & Integration Support
- Enhanced Graph API endpoints for automating governance tasks (e.g., creating access packages, initiating reviews, and evaluating workflow status).
- SCIM provisioning integrations now support richer attribute mappings and expressions.
5. Global Secure Access + Governance Integration
- Access decisions can now factor in network context (e.g., block role activation if the user is outside a compliant network).
- Combine lifecycle policies with network trust enforcement for true Zero Trust alignment.
Why It Matters
Modern identity governance must support speed and self-service without sacrificing oversight. Entra enables this by:
- Automating joiner/mover/leaver processes.
- Letting users request access to apps and roles on demand — with full policy enforcement.
- Empowering reviewers with rich context to avoid rubber-stamping reviews.
- Whether it’s SOX, HIPAA, ISO 27001, or internal audit controls, Entra’s built-in access logs, reviewer attestations, and role assignment histories provide the audit trails you need.
- Assign attestation policies per business unit or sensitivity level.
- Automatically remove access when contracts expire, or conditions change.
- Unlike bolt-on IGA tools, Microsoft Entra ID Governance is native to Microsoft Entra, making it a natural and seamless fit for customers already utilizing platforms like Office 365 for collaboration or Azure IaaS/PaaS. This results in a better user experience, faster time-to-value, and alignment with your broader Zero Trust strategy. Customers leveraging legacy identity tools like Active Directory Federation Services or other third-party identity federation platforms benefit by migrating to Microsoft Entra because it reduces dependency on on-premises solutions for authentication. Similarly, customers leveraging Microsoft Identity Manager (MIM) or other third-party on-premises identity lifecycle management tools benefit by migrating to a cloud-based IGA solution.
- Microsoft Entra currently has native capabilities for HR-driven identity use cases with Workday and SAP SuccessFactors. In February of 2024 Microsoft and SAP announced a collaboration to help SAP customers modernize their identity and access management
Getting Started
Here are three practical ways to start using what’s new in Microsoft Entra ID Governance today:
- Pilot Lifecycle Workflows for onboarding and offboarding — include a Logic App to send welcome kits or IT notifications.
- Enable Access Reviews for critical apps and admin roles — start with PIM assignments.
- Define SoD policies to block risky combinations of permissions across your org.
Bonus: Use Access History to train reviewers and reduce overprovisioning.
Final Thoughts
Identity governance is no longer a nice-to-have — it’s foundational to securing hybrid work, reducing insider risk, and satisfying compliance requirements. Microsoft Entra ID Governance has matured into a full-featured solution that brings automation, intelligence, and simplicity to a historically complex domain.
If your organization is still managing access manually or relying on outdated legacy IGA tools, now is the time to re-evaluate. Take the next step toward stronger security and streamlined compliance by modernizing your identity governance with Microsoft Entra ID Governance. Contact us to get started.
