Microsoft Entra ID · Identity Governance

Identity Governance Administrator

Can manage access using Microsoft Entra ID for identity governance scenarios including access packages, access reviews, catalogs, and entitlement management.

Scope: Full Entitlement Management, Access Reviews, and Identity Governance administration

Permissions

  • App Access Reviews - Manage app access reviews
  • Entitlement Reviews - Manage entitlement access reviews
  • Group Access Reviews - Manage group access reviews
  • All Reviews - Manage all access reviews
  • Entitlement Management - Full entitlement management
  • Group Membership - Update group members for access packages
  • App Roles - Update app role assignments
  • Access Packages - Create and manage access packages with resources
  • Catalogs - Create and manage catalogs for access governance
  • Connected Orgs - Configure connected organizations for B2B governance
  • Package Policies - Manage access package policies and approval workflows
  • Terms of Use - Configure terms of use requirements
  • Lifecycle Workflows - Set up lifecycle workflows for access automation
  • Review Schedules - Configure access review schedules and settings
  • Custom Extensions - Manage custom extension callouts for workflows

Common use cases

  • Designing access package architecture for the organization
  • Creating catalogs aligned with business units
  • Configuring connected organizations for partner access
  • Setting up self-service access request workflows
  • Implementing access lifecycle policies (time-bound access)
  • Creating access reviews for periodic recertification
  • Configuring automatic removal for non-response in reviews
  • Implementing separation of duties through incompatible packages
  • Setting up terms of use for compliance
  • Configuring lifecycle workflows for joiner/mover/leaver
  • Managing guest access governance
  • Implementing project-based access with expiration

Best practices

  • Use catalogs to organize access packages by business unit
  • Delegate catalog management to business owners
  • Require approval for access to sensitive resources
  • Configure lifecycle policies for automatic expiration
  • Set up access reviews quarterly for sensitive access
  • Use auto-apply in reviews for non-responsive reviewers
  • Configure guest access governance separately
  • Implement incompatible access packages for SoD
  • Use connected organizations for partner governance
  • Monitor access package assignments regularly
  • Document access package purposes and resources
  • Train catalog owners on their responsibilities
  • Use lifecycle workflows for automation
  • Review orphaned access assignments
  • Implement naming conventions for packages and catalogs

Security considerations

  • Can grant access to resources through access packages
  • Can configure policies that bypass normal approval
  • Access reviews can automatically remove access if misconfigured
  • Connected organizations can grant external partner access
  • Lifecycle policies can remove access unexpectedly
  • Monitor for access package abuse or over-provisioning
  • Review catalog owner assignments regularly
  • Audit access package policy changes
  • Consider separation of duties for sensitive package approval
  • Guest access through packages needs careful governance
  • Time-bound access helps limit exposure window

Common questions

When should I assign the Identity Governance Administrator role?

Assign Identity Governance Administrator when you need to: Designing access package architecture for the organization; Creating catalogs aligned with business units; Configuring connected organizations for partner access; Setting up self-service access request workflows; and Implementing access lifecycle policies (time-bound access). It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Identity Governance Administrator role do?

The Identity Governance Administrator role grants permissions including: App Access Reviews - Manage app access reviews; Entitlement Reviews - Manage entitlement access reviews; Group Access Reviews - Manage group access reviews; All Reviews - Manage all access reviews; Entitlement Management - Full entitlement management; and Group Membership - Update group members for access packages. See the Permissions section above for the full list.

What are the security risks of the Identity Governance Administrator role?

Key considerations when assigning Identity Governance Administrator: Can grant access to resources through access packages; Can configure policies that bypass normal approval; Access reviews can automatically remove access if misconfigured; and Connected organizations can grant external partner access. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →