Identity Governance: Entitlements and Access Reviews
Managing the identity lifecycle — who gets access, how long they keep it, and what happens when they leave. Entitlement management, access reviews, and terms of use.
What is identity governance?
It is like managing gym memberships — sign people up, check they still use it, and cancel when they leave.
When someone joins your company, they need access to apps, files, and groups. When they move teams, their access should change. When they leave, ALL access should be revoked immediately.
Without governance, access piles up. People keep permissions from old teams. Former employees still have active accounts. Contractors who finished six months ago can still log in.
Identity governance automates this lifecycle: join, move, leave. Grant access when needed, verify it is still needed, and remove it the moment it is not.
Why does stale access matter?
| Risk | What Happens | Real Example |
|---|---|---|
| Former employees | An account with active permissions remains after someone leaves | A departed contractor can still access the finance SharePoint site |
| Role changes | A user who moved teams keeps their old permissions plus new ones | A person who moved from HR to Marketing still has access to salary data |
| Over-provisioned accounts | Users accumulate access over time without any being removed | After 5 years, a user has access to 40 apps but only uses 6 |
| Compliance violations | Auditors find users with access they should not have | An external auditor flags that interns can access production databases |
Key exam concept: Stale access is one of the biggest security risks in any organisation. Identity governance exists to solve it systematically, not one user at a time.
Entitlement management
Entitlement management lets you create access packages — bundles of resources and policies that users can request through a self-service portal.
| Concept | What It Is | Example |
|---|---|---|
| Access package | A bundle of group memberships, app access, and SharePoint sites | “Marketing Team Package” includes the Marketing M365 group, the Brand Assets SharePoint site, and the Canva enterprise app |
| Catalogue | A container that groups related access packages | “Faculty Resources” catalogue at Lakewood |
| Policy | Rules for who can request, who approves, and when access expires | Requests require manager approval. Access expires after 180 days. |
| Request | A user asks for access through the self-service portal | A new marketing hire requests the Marketing Team Package |
| Assignment | The approved access grant — can be time-limited | The user gets the package for 180 days, then it expires automatically |
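The table above describes the moving parts; the following Python model, added here as an illustration and not code from the page or from Microsoft Entra, walks one request through them. It assumes hypothetical names (EntitlementCatalogue, effective_access, expired_assignments) and a constructed Marketing package with a 180-day, approval-required policy, so the expiry behaviour in the Assignment row can be checked by date rather than taken on faith.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed model of entitlement management: an access package bundles
# resources, its policy says who may request it, whether approval is needed and
# how long an assignment lasts, and expiry is a plain date comparison. Class and
# method names (EntitlementCatalogue, effective_access, ...) are hypothetical.

@dataclass(frozen=True)
class Policy:
    requires_approval: bool        # must an approver sign off on each request?
    duration_days: int             # assignment lifetime; access lapses after this
    allowed_requesters: frozenset  # users who are in scope to request at all

@dataclass(frozen=True)
class AccessPackage:
    name: str
    resources: frozenset           # group memberships, apps, SharePoint sites
    policy: Policy

@dataclass(frozen=True)
class Assignment:
    user: str
    package: AccessPackage
    start: date
    expires: date                  # first day the assignment is no longer valid
    approved_by: str

    def is_active(self, today: date) -> bool:
        return self.start <= today < self.expires

class EntitlementCatalogue:
    """Holds pending requests, assignments and an audit trail."""

    def __init__(self):
        self.pending = {}          # (user, package name) -> AccessPackage
        self.assignments = []
        self.audit = []            # (date, user, package, event)

    def request(self, user, package, today) -> str:
        if user not in package.policy.allowed_requesters:
            self.audit.append((today, user, package.name, "rejected: not in policy scope"))
            return "rejected"
        if package.policy.requires_approval:
            self.pending[(user, package.name)] = package
            self.audit.append((today, user, package.name, "pending approval"))
            return "pending"
        self._assign(user, package, today, approved_by="policy (auto-approve)")
        return "assigned"

    def approve(self, approver, user, package_name, today) -> Assignment:
        package = self.pending.pop((user, package_name), None)
        if package is None:
            raise KeyError(f"no pending request for {user} / {package_name}")
        return self._assign(user, package, today, approved_by=approver)

    def _assign(self, user, package, today, approved_by) -> Assignment:
        expires = today + timedelta(days=package.policy.duration_days)
        assignment = Assignment(user, package, today, expires, approved_by)
        self.assignments.append(assignment)
        self.audit.append((today, user, package.name, f"assigned until {expires} by {approved_by}"))
        return assignment

    def effective_access(self, user, today) -> set:
        """Union of resources from every assignment that is still active today."""
        granted = set()
        for a in self.assignments:
            if a.user == user and a.is_active(today):
                granted |= a.package.resources
        return granted

    def expired_assignments(self, today) -> list:
        """Assignments that have lapsed; their resources must no longer be reachable."""
        return [a for a in self.assignments if today >= a.expires]

# Constructed sample package mirroring the table above.
MARKETING = AccessPackage(
    name="Marketing Team Package",
    resources=frozenset({"Marketing M365 group", "Brand Assets SharePoint site", "Canva enterprise app"}),
    policy=Policy(requires_approval=True, duration_days=180, allowed_requesters=frozenset({"dana", "priya"})),
)

def demo() -> dict:
    """One request through approval to expiry, plus an out-of-scope request."""
    cat = EntitlementCatalogue()
    day = date(2024, 1, 10)
    status = cat.request("dana", MARKETING, day)                 # needs manager approval
    assignment = cat.approve("manager.lee", "dana", MARKETING.name, day)
    return {
        "status": status,
        "expires": assignment.expires.isoformat(),
        "last_valid_day": sorted(cat.effective_access("dana", assignment.expires - timedelta(days=1))),
        "on_expiry_day": sorted(cat.effective_access("dana", assignment.expires)),
        "out_of_scope": cat.request("mallory", MARKETING, day),
        "expired_count": len(cat.expired_assignments(assignment.expires)),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is that nothing "revokes" access on day 180: the assignment simply stops satisfying `is_active`, so a resource check on the expiry day returns an empty set. A real tenant needs a job that turns lapsed assignments into actual group and app removals, which is what `expired_assignments` exists to feed.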
Scenario: Raj sets up access packages at Lakewood
Every September, hundreds of new staff and teaching assistants join Lakewood. Each faculty needs different apps, groups, and SharePoint sites. Raj used to set up each person manually — it took weeks.
Now he creates access packages:
- “Engineering Faculty Staff” — includes the Engineering M365 group, lab booking app, and faculty SharePoint
- “Teaching Assistant” — includes the TA group, grading portal, and student records (read-only)
New staff go to the self-service portal, request their package, and their faculty head approves. Access is granted automatically. Teaching assistant access expires at the end of the academic year.
“I went from manually adding hundreds of people to approving a few clicks,” says Professor Chen, who now handles her own faculty approvals.
Access reviews
Access reviews are periodic checks where a reviewer verifies that users still need their current access. Think of it as a regular clean-up.
| Question | Answer |
|---|---|
| What gets reviewed? | Group memberships, app assignments, role assignments, access package assignments |
| Who creates reviews? | Administrators or access package owners |
| Who reviews? | Managers, resource owners, self-review by users, or specific reviewers |
| How often? | Weekly, monthly, quarterly, or annually — admin decides |
| What happens to denied access? | Access is removed automatically (or flagged for manual removal, depending on settings) |
How access reviews work
- An admin creates an access review (e.g., “Quarterly review of Finance group membership”)
- Reviewers receive an email or notification
- Each reviewer checks their list: “Does this person still need access?”
- For each user, the reviewer approves (keep access) or denies (remove access)
- When the review period ends, denied access is automatically removed
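To make the five steps concrete, here is a small Python model of one review cycle, added as an illustration rather than taken from the page or from Microsoft Entra. The names (AccessReview, record, close) and the group, members and reviewer are constructed; the behaviour it exercises is the one the table above describes, including the setting that decides what happens when a reviewer never responds.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

# Constructed model of one access review cycle: decisions are collected per
# member while the review is open, and at close the "no response" setting
# decides what happens to members nobody vouched for. Names are hypothetical.

class Decision(Enum):
    APPROVE = "approve"        # reviewer confirmed the member still needs access
    DENY = "deny"              # reviewer said remove it
    NO_RESPONSE = "no response"

@dataclass
class AccessReview:
    name: str
    group: str
    members: frozenset
    reviewers: frozenset
    start: date
    duration_days: int
    remove_on_no_response: bool      # True is the secure default
    auto_apply: bool = True          # False = flag for manual removal instead
    decisions: dict = field(default_factory=dict)   # member -> (Decision, reviewer, note)

    @property
    def end(self) -> date:
        return self.start + timedelta(days=self.duration_days)

    def record(self, reviewer, member, decision, note, today):
        """Accept a decision only from an assigned reviewer, for an in-scope member, while open."""
        if reviewer not in self.reviewers:
            raise PermissionError(f"{reviewer} is not a reviewer on '{self.name}'")
        if member not in self.members:
            raise KeyError(f"{member} is not in scope of '{self.name}'")
        if today > self.end:
            raise ValueError("review period has ended; decisions are closed")
        self.decisions[member] = (decision, reviewer, note)

    def close(self, today, group_membership):
        """Apply results. Returns kept / removed / flagged lists plus an audit log."""
        if today < self.end:
            raise ValueError("review period not over yet")
        kept, removed, flagged, log = [], [], [], []
        for member in sorted(self.members):
            decision, reviewer, note = self.decisions.get(member, (Decision.NO_RESPONSE, None, ""))
            take_away = decision is Decision.DENY or (
                decision is Decision.NO_RESPONSE and self.remove_on_no_response)
            if not take_away:
                kept.append(member)
                outcome = "kept"
            elif self.auto_apply:
                group_membership[self.group].discard(member)
                removed.append(member)
                outcome = "removed"
            else:
                flagged.append(member)
                outcome = "flagged for manual removal"
            log.append(f"{today} {self.name}: {member} -> {decision.value} by {reviewer or '-'}: {outcome}")
        return {"kept": kept, "removed": removed, "flagged": flagged, "log": log}

def demo(remove_on_no_response: bool = True) -> dict:
    """Constructed review of a privileged group; two contractors never get a response."""
    directory = {"Trading Platform Admins": {"alice", "bob", "ctr.jones", "ctr.patel", "ctr.wu"}}
    review = AccessReview(
        name="Q1 review of Trading Platform Admins",
        group="Trading Platform Admins",
        members=frozenset(directory["Trading Platform Admins"]),
        reviewers=frozenset({"teamlead.kim"}),
        start=date(2024, 1, 1),
        duration_days=14,
        remove_on_no_response=remove_on_no_response,
    )
    day = date(2024, 1, 3)
    review.record("teamlead.kim", "alice", Decision.APPROVE, "platform on-call", day)
    review.record("teamlead.kim", "bob", Decision.APPROVE, "platform on-call", day)
    review.record("teamlead.kim", "ctr.jones", Decision.DENY, "contract ended", day)
    # ctr.patel and ctr.wu: the reviewer never answered for them
    result = review.close(review.end, directory)
    result["remaining_members"] = sorted(directory["Trading Platform Admins"])
    return result

if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Run `demo(True)` and `demo(False)` side by side: with the secure default the two members nobody responded for leave the group along with the explicit denial; with the lax setting they stay, which is exactly how stale privileged access survives a review that looked complete on paper. The returned log is the per-member history an auditor would ask for.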
| Feature | Without Access Reviews | With Access Reviews |
|---|---|---|
| Who checks? | Nobody — permissions accumulate forever | Designated reviewers check every quarter |
| Stale access | Grows silently until an audit or breach | Caught and removed at each review cycle |
| Audit readiness | Scramble to pull access reports when auditors arrive | Review history is logged — ready for any audit |
| Effort | Massive cleanup every few years | Small, regular effort each cycle |
Scenario: Alex runs quarterly access reviews at SecureBank
Director Reyes (CISO at SecureBank) requires quarterly access reviews for all privileged groups.
Alex, the security analyst, sets up a review for the “Trading Platform Admins” group:
- Reviewers: The trading platform team lead
- Frequency: Every 90 days
- If no response: Access is automatically removed (secure default)
In the first review, the team lead discovers three former contractors still in the group. Their access is removed immediately.
“We had three people who could modify trading configurations and nobody knew,” Alex reports to Director Reyes. “Now we catch this every quarter.”
Terms of use
Terms of use policies require users to accept specific terms before accessing an application or resource. They are presented during sign-in and enforced through Conditional Access.
| Feature | What It Does |
|---|---|
| Custom documents | Upload a PDF with your terms — legal, acceptable use, privacy policy |
| Per-app terms | Different terms for different applications |
| Expiring acceptance | Require users to re-accept terms on a schedule (e.g., annually) |
| Tracking | Full audit trail of who accepted, when, and which version |
| Conditional Access integration | Enforce terms as a grant control — no acceptance, no access |
Key exam concept: Terms of use are enforced through Conditional Access. They appear during sign-in when a CA policy requires them.
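The feature table above can be reduced to one decision function. The Python below is an added example, not code from the page or from Microsoft Entra, and uses hypothetical names (acceptance_status, grant_control, audit_trail) with constructed sample data: per-app terms on version 2 that must be re-accepted annually. It shows how version tracking and expiring acceptance both feed the same "no acceptance, no access" grant control.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed model of a terms-of-use grant control: acceptance is tracked per
# user, per document and per version, and re-acceptance can be required on a
# schedule. Function and class names here are hypothetical.

@dataclass(frozen=True)
class TermsOfUse:
    name: str
    version: int                         # bumped whenever the document changes
    reaccept_every_days: Optional[int]   # None = accept once, never expires

@dataclass(frozen=True)
class Acceptance:
    user: str
    terms: str
    version: int
    accepted_on: date

def acceptance_status(user, terms, acceptances, today) -> str:
    """One of: accepted | never-accepted | outdated-version | expired."""
    mine = [a for a in acceptances if a.user == user and a.terms == terms.name]
    if not mine:
        return "never-accepted"
    latest = max(mine, key=lambda a: (a.version, a.accepted_on))
    if latest.version < terms.version:
        return "outdated-version"          # accepted an older document; must re-accept
    if terms.reaccept_every_days is not None and \
            today >= latest.accepted_on + timedelta(days=terms.reaccept_every_days):
        return "expired"                   # scheduled re-acceptance is due
    return "accepted"

def grant_control(user, terms, acceptances, today):
    """Conditional Access style decision: (allow?, reason). No valid acceptance, no access."""
    status = acceptance_status(user, terms, acceptances, today)
    return status == "accepted", status

def audit_trail(acceptances, terms_name) -> list:
    """Who accepted which version when, oldest first."""
    rows = [a for a in acceptances if a.terms == terms_name]
    rows.sort(key=lambda a: (a.accepted_on, a.user))
    return [(a.accepted_on.isoformat(), a.user, a.version) for a in rows]

# Constructed sample: per-app terms with annual re-acceptance, currently version 2.
FINANCE_APP_TERMS = TermsOfUse("Finance app acceptable use", version=2, reaccept_every_days=365)

ACCEPTANCES = [
    Acceptance("alice", "Finance app acceptable use", 2, date(2024, 3, 1)),   # current
    Acceptance("bob",   "Finance app acceptable use", 1, date(2024, 2, 1)),   # pre-update version
    Acceptance("carol", "Finance app acceptable use", 2, date(2023, 1, 15)),  # over a year ago
]

def demo(today=date(2024, 6, 1)) -> dict:
    """Grant decision for four users on a given day; 'dave' has never accepted anything."""
    return {u: grant_control(u, FINANCE_APP_TERMS, ACCEPTANCES, today)
            for u in ("alice", "bob", "carol", "dave")}

if __name__ == "__main__":
    for user, (allowed, why) in demo().items():
        print(f"{user}: {'allow' if allowed else 'block'} ({why})")
```

Only alice is allowed: bob accepted an earlier version, carol's acceptance has passed its annual re-acceptance date, and dave has no record at all. Each of the three blocked outcomes maps to a different row of the table, and `audit_trail` returns the who/when/version history the Tracking row refers to.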
The identity lifecycle
Everything in governance maps to three stages:
| Stage | What Happens | Governance Tool |
|---|---|---|
| Join | New employee or guest needs access | Entitlement management — user requests an access package, gets approved, receives resources |
| Move | Employee changes teams or roles | Access reviews catch stale permissions from the old role. New access package requested for the new role. |
| Leave | Employee or contractor departs | Access packages expire. Access reviews remove lingering access. Accounts are disabled or deleted. |
Identity Governance — SC-900 Module 7
Knowledge Check
Raj discovers that three former contractors still have access to Lakewood's student records system — they left six months ago. Which governance capability would have prevented this?
New staff at Lakewood need different sets of apps, groups, and SharePoint sites depending on their faculty. Raj wants to streamline onboarding so staff can request the right access themselves. Which feature should he use?
SecureBank's quarterly access review for the 'Trading Platform Admins' group is configured with the setting: 'If reviewers do not respond, remove access.' Why is this the recommended default?