Identity Governance Administrator

Can manage access using Microsoft Entra ID for identity governance scenarios including access packages, access reviews, catalogs, and entitlement management.

Scope: Full Entitlement Management, Access Reviews, and Identity Governance administration

Permissions

  • App Access Reviews - Manage app access reviews
  • Entitlement Reviews - Manage entitlement access reviews
  • Group Access Reviews - Manage group access reviews
  • All Reviews - Manage all access reviews
  • Entitlement Management - Full entitlement management
  • Group Membership - Update group members for access packages
  • App Roles - Update app role assignments
  • Access Packages - Create and manage access packages with resources
  • Catalogs - Create and manage catalogs for access governance
  • Connected Orgs - Configure connected organizations for B2B governance
  • Package Policies - Manage access package policies and approval workflows
  • Terms of Use - Configure terms of use requirements
  • Lifecycle Workflows - Set up lifecycle workflows for access automation
  • Review Schedules - Configure access review schedules and settings
  • Custom Extensions - Manage custom extension callouts for workflows

Common use cases

  • Designing access package architecture for the organization
  • Creating catalogs aligned with business units
  • Configuring connected organizations for partner access
  • Setting up self-service access request workflows
  • Implementing access lifecycle policies (time-bound access)
  • Creating access reviews for periodic recertification
  • Configuring automatic removal for non-response in reviews
  • Implementing separation of duties through incompatible packages
  • Setting up terms of use for compliance
  • Configuring lifecycle workflows for joiner/mover/leaver
  • Managing guest access governance
  • Implementing project-based access with expiration

Best practices

  • Use catalogs to organize access packages by business unit
  • Delegate catalog management to business owners
  • Require approval for access to sensitive resources
  • Configure lifecycle policies for automatic expiration
  • Set up access reviews quarterly for sensitive access
  • Enable auto-apply of review results with a default decision for reviewers who do not respond
  • Configure guest access governance separately
  • Implement incompatible access packages for SoD
  • Use connected organizations for partner governance
  • Monitor access package assignments regularly
  • Document access package purposes and resources
  • Train catalog owners on their responsibilities
  • Use lifecycle workflows for automation
  • Review orphaned access assignments
  • Implement naming conventions for packages and catalogs

Security considerations

  • Can grant access to resources through access packages
  • Can configure access package policies with no approval stage, bypassing normal approval
  • Access reviews can automatically remove access if misconfigured
  • Connected organizations can grant external partner access
  • Lifecycle policies can remove access unexpectedly
  • Monitor for access package abuse or over-provisioning
  • Review catalog owner assignments regularly
  • Audit access package policy changes
  • Consider separation of duties for sensitive package approval
  • Guest access through packages needs careful governance
  • Time-bound access limits the exposure window of any over-provisioned assignment
