Azure AD identity governance — Part 2 — Govern identity lifecycle
The blog series
Current planning, subject to change.
Part 1 — The basics
Part 2 — Govern identity lifecycle
Part 3 — Govern resource lifecycle
Part 4 — Govern access lifecycle
Part 5 — Why an identity lifecycle for B2B users is not absolutely necessary
Part 6 — Privileged access lifecycle
Part 7 — Business justification
Part 8 — Govern access lifecycle, beyond the basics
Part 9 — Govern identity lifecycle, beyond the basics
Part 10 — Automated RBAC based on HCM data in Azure AD
Govern identity lifecycle
Now that we have a basic understanding of the identities involved, we quickly realize that we cannot cover all areas with the standard Azure AD features. In this blog article I would like to focus on the standard Azure AD features and concepts; a following article in the series deals with custom solutions.
Azure AD Workday inbound provisioning
When a company uses Workday as its HCM system, Azure AD offers inbound provisioning for the identity lifecycle out of the box. Unfortunately, only a subset of companies run Workday, and even then the out-of-the-box integration may not cover all required use cases. For this I have already published a blog.
The UserType and guest user limitations
You might think that a B2B user is always a guest user [UserType = Guest]. However, this is not the case: a B2B user can also be treated as an internal user [UserType = Member], and the UserType attribute can be changed after the fact. A detailed explanation can be found at Microsoft Docs.
Furthermore, the default restrictions for guest users can also be relaxed. The guest user access setting in the external collaboration settings ranges from "same access as members" (most inclusive) over the default "limited access to properties and memberships of directory objects" to "restricted to the guest's own directory objects" (most restrictive). When you reason about what a guest can see, check this setting first rather than assuming the default.
External collaboration settings
With the Azure AD external collaboration settings you can define who is allowed to invite B2B users and which B2B users may end up in the tenant at all. For example, an allow list or a deny list can be created based on domains. The settings worth mentioning:
- Turn off invitations
- Only admins and users in the Guest Inviter role can invite
- Admins, the Guest Inviter role, and members can invite
- All users, including guests, can invite
- Restrictions based on domain (allow list or deny list of collaboration domains)
Azure AD also offers a self-service sign-up feature for external users, which is a second way B2B users can enter the tenant without an explicit invitation.
John Craddock has published excellent blogs on these two topics.
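As an added example (not code from the original post or from John Craddock's blogs), the following PowerShell reads the invitation and guest access settings described above through the Microsoft Graph PowerShell SDK and shows the permissive configuration next to the hardened one. It assumes the Microsoft.Graph module is installed, that the signed-in account may edit the authorization policy, and a recent SDK version in which `Update-MgPolicyAuthorizationPolicy` addresses the tenant's single authorization policy without an ID parameter. The function names are this example's own choice.

```powershell
# Added example, not part of the original post. Reads and hardens the
# Azure AD external collaboration settings that live on the tenant's
# authorizationPolicy object via the Microsoft Graph PowerShell SDK.
# Assumption: Microsoft.Graph module installed, caller may edit the policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Role template IDs behind the three "guest user access" options.
$GuestRoleSameAsMember = "a0b1b346-4d3e-4e8b-98f8-753987be4970"  # most inclusive
$GuestRoleLimited      = "10dae51f-b6af-4016-8d66-8c2a99b929b3"  # tenant default
$GuestRoleRestricted   = "2af84b1e-32c8-42b7-82bc-daa82404023b"  # most restrictive

function Get-CollaborationSettings {
    # allowInvitesFrom is one of: none | adminsAndGuestInviters |
    # adminsGuestInvitersAndAllMembers | everyone (the four bullets above).
    $p = Get-MgPolicyAuthorizationPolicy
    [pscustomobject]@{
        AllowInvitesFrom  = $p.AllowInvitesFrom
        GuestUserRoleId   = $p.GuestUserRoleId
        GuestAccessLevel  = switch ($p.GuestUserRoleId) {
            $GuestRoleSameAsMember { "same as members" }
            $GuestRoleLimited      { "limited (default)" }
            $GuestRoleRestricted   { "restricted to own objects" }
            default                { "unknown" }
        }
        # Email-verified users may join the tenant on their own (self-service).
        EmailVerifiedSelfJoin = $p.AllowEmailVerifiedUsersToJoinOrganization
    }
}

# Weak configuration: everyone, guests included, may invite, guests see the
# directory like members do, and email-verified users may self-join.
function Set-PermissiveCollaborationSettings {
    Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom "everyone" `
        -GuestUserRoleId $GuestRoleSameAsMember `
        -AllowEmailVerifiedUsersToJoinOrganization:$true
    Get-CollaborationSettings
}

# Hardened configuration: only admins and the Guest Inviter role may invite,
# guests only see their own directory objects, no self-join by email.
function Set-HardenedCollaborationSettings {
    Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom "adminsAndGuestInviters" `
        -GuestUserRoleId $GuestRoleRestricted `
        -AllowEmailVerifiedUsersToJoinOrganization:$false
    Get-CollaborationSettings
}

# Usage: inspect first, then harden.
#   Get-CollaborationSettings
#   Set-HardenedCollaborationSettings
```

The domain allow/deny list is not part of the authorization policy object and is therefore not touched here; it is stored in a separate B2B management policy and is best maintained through the portal or its own Graph endpoint. Run `Get-CollaborationSettings` before changing anything so you know which of the three guest access levels the tenant is actually on.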
You might expect to hear about Access Reviews in "Part 4 — Govern access lifecycle", but with a little trick the Access Review feature can be used to create an identity lifecycle for guests. This can be implemented with the following steps.
- Create a manual security group and add all guests to it. Name the group "Contoso Guests". Adding the group members should be automated with a script; we do not want this to be a dynamic group, because a dynamic membership rule would simply re-add every guest the review removes.
- Create an access review for the created group [Members of a group, Reviewers: Member (self), Auto apply results to the resource, No response — remove access].
- After completion of the access review, some of the guests have been removed from the group. Now the delta of guests [between the "Contoso Guests" group and the tenant] can be removed from the tenant, but be careful here: in the meantime new guests may have joined the tenant, and they also show up in the delta even though nobody reviewed them.
This is only a small trick, but in most cases it is not necessary to implement an identity lifecycle for B2B users, so stay tuned for "Part 5 — Why an identity lifecycle for B2B users is not absolutely necessary".
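The three steps above, scripted end to end as an added example (this is not code from the original post). It assumes the Microsoft.Graph PowerShell module, a security group named "Contoso Guests" that already exists, and that the access review is created in the portal between the two functions. The snapshot file path and all function names are this example's own choice. The point it adds to the text is the guard against the race in the last step: a guest is only deleted if they were already in the tenant when the group was populated, so guests who arrived during the review are left alone.

```powershell
# Added example, not part of the original post. Implements the "Contoso
# Guests" access review trick with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed, group "Contoso Guests" exists,
# caller may read/delete users and edit group membership.
Connect-MgGraph -Scopes "User.ReadWrite.All", "GroupMember.ReadWrite.All", "Group.Read.All"

$GroupName    = "Contoso Guests"
$SnapshotFile = Join-Path $env:TEMP "contoso-guests-snapshot.json"   # assumed location

function Get-ContosoGuestsGroupId {
    (Get-MgGroup -Filter "displayName eq '$GroupName'").Id
}

function Get-TenantGuests {
    Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id,UserPrincipalName,CreatedDateTime
}

# Step 1: put every current guest into the manual group and record when
# that snapshot was taken. The timestamp is what protects guests who join
# the tenant while the review is running.
function Initialize-GuestSnapshot {
    $groupId = Get-ContosoGuestsGroupId
    $guests  = @(Get-TenantGuests)
    $already = @((Get-MgGroupMember -GroupId $groupId -All).Id)
    foreach ($g in $guests) {
        if ($already -notcontains $g.Id) {
            New-MgGroupMember -GroupId $groupId -DirectoryObjectId $g.Id
        }
    }
    @{ SnapshotUtc = (Get-Date).ToUniversalTime().ToString("o"); GuestIds = @($guests.Id) } |
        ConvertTo-Json | Set-Content -Path $SnapshotFile
    "Snapshot: $($guests.Count) guests are members of '$GroupName'"
}

# Delta logic kept free of Graph calls so it can be read on its own:
# a guest is a removal candidate only if they are no longer in the group AND
# existed before the snapshot, i.e. they actually went through the review.
function Get-RemovalCandidates {
    param(
        [object[]]$TenantGuests,     # objects with Id, UserPrincipalName, CreatedDateTime
        [string[]]$GroupMemberIds,
        [datetime]$SnapshotUtc
    )
    $TenantGuests | Where-Object {
        ($GroupMemberIds -notcontains $_.Id) -and
        ($null -ne $_.CreatedDateTime) -and
        ($_.CreatedDateTime.ToUniversalTime() -lt $SnapshotUtc)
    }
}

# Step 3: after the review auto-applied its result, delete the guests the
# reviewers dropped. Remove-MgUser soft-deletes (30-day recycle bin), but
# still run with -WhatIf first.
function Remove-ReviewedGuests {
    param([switch]$WhatIf)
    $snapshot    = Get-Content -Path $SnapshotFile -Raw | ConvertFrom-Json
    $snapshotUtc = ([datetime]$snapshot.SnapshotUtc).ToUniversalTime()
    $groupId     = Get-ContosoGuestsGroupId
    $members     = @((Get-MgGroupMember -GroupId $groupId -All).Id)
    $guests      = @(Get-TenantGuests)
    $candidates  = @(Get-RemovalCandidates -TenantGuests $guests -GroupMemberIds $members -SnapshotUtc $snapshotUtc)
    foreach ($c in $candidates) {
        if ($WhatIf) { "Would remove $($c.UserPrincipalName)" }
        else         { Remove-MgUser -UserId $c.Id; "Removed $($c.UserPrincipalName)" }
    }
    "$($candidates.Count) guest(s) in the reviewed delta"
}

# Usage:
#   Initialize-GuestSnapshot        # before creating the access review
#   (create the access review on "Contoso Guests" in the portal, wait for it to complete)
#   Remove-ReviewedGuests -WhatIf   # dry run
#   Remove-ReviewedGuests
```

Guests created after the snapshot are skipped and simply land in the next round: run `Initialize-GuestSnapshot` again before the next review and they get added to the group then. If a guest's `CreatedDateTime` is missing from the directory object, the script errs on the side of keeping the account.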
Beyond the basics
All further details to the identity lifecycle follow in a dedicated blog article.