What is identity governance?
Identity governance (IGA) is the set of policies, processes, and controls that determine who has access to what, how that access is granted and removed, and how you prove to an auditor that your controls are working.
It covers three main areas: identity lifecycle management (onboarding, role changes, offboarding), access governance (reviews, approvals, time-bound access), and compliance reporting (evidence for SOC 2, ISO 27001, NIS2).
Governance is not the same as authentication. Entra ID authenticates users, confirming who someone is, and enforces whatever group, role and application assignments it holds at sign-in. Governance decides which of those assignments should exist in the first place, and keeps checking that each decision is still correct and up to date.
Why identity governance matters in Entra ID environments
Microsoft Entra ID is the identity platform for most organizations running Microsoft 365. It manages users, groups, licenses, and application access across your entire Microsoft environment. That makes it the natural center of any identity governance program.
Without governance, Entra ID becomes a place where access accumulates. Users get added to groups during onboarding and those groups never shrink. Former employees may have accounts disabled but leave behind group memberships and delegated permissions. Compliance auditors ask for evidence of access reviews and the answer is a spreadsheet assembled under pressure.
Good governance turns Entra ID from a place where access accumulates into a system where access is intentional, documented, and regularly validated.
What Microsoft Entra ID provides natively
Entra ID includes several governance-related features. Most sit in the P2 tier or in the separate Microsoft Entra ID Governance add-on, and features have moved between those tiers, so check the current licensing page before planning around one. Here is what you get and where each feature fits:
Lifecycle Workflows
Trigger automated tasks when users join, change roles, or leave. Not part of the free tier: lifecycle workflows require a Microsoft Entra ID Governance (or Entra Suite) license on top of P2. Useful for simple scenarios; trigger conditions are limited to attribute rules and the task library is small.
Access Reviews (P2)
Periodic campaigns where managers or owners review who has access to a group or application. The fundamental capability is there; managing multi-department campaigns at scale requires significant manual coordination.
Entitlement Management (P2)
A catalog of access packages that users can request. Groups multiple resources together under a policy. Useful for structured access requests; complex to configure and maintain.
Privileged Identity Management (P2)
Just-in-time activation for privileged roles, with approval workflows and audit trails. Strong capability for privileged access; not a substitute for broader IGA.
Dynamic Groups
Automatically add and remove group members based on user attributes (requires at least P1). Powerful concept; the rule syntax is limited, membership processing on large tenants can lag, and diagnosing a broken rule means reading the audit logs.
Where native Entra ID governance falls short
Native tools are a reasonable starting point. They become insufficient as your organization grows and governance requirements become more demanding. The most common gaps:
- Lifecycle workflows have rigid conditions — you cannot define nuanced rules for different departments or employee types without workarounds
- Access reviews are functional but running coordinated campaigns across multiple teams requires significant manual overhead
- No HR system integration out of the box — triggering governance events from HRIS data requires custom development
- Compliance evidence requires stitching data from multiple portal blades — no single report for SOC 2 or ISO 27001 controls
- P2 licensing adds approximately €8–9 per user per month, roughly €19,000 to €22,000 per year for a 200-person company, just for governance features
- Dynamic group rules can fail without anyone being notified, and troubleshooting requires Entra ID expert knowledge
- No structured audit trail across lifecycle events, access requests, and review decisions in a single view
Core IGA capabilities for Entra ID environments
A governance tool built for Entra ID needs to address these areas:
Automated provisioning
Role-based access assignment that runs consistently when users join or change roles. Connected to your HR system or triggered manually.
Automated deprovisioning
Immediate account lockdown on termination. No orphaned accounts, no lingering group memberships, no forgotten licenses.
Access reviews
Structured, recurring campaigns where managers review their team's access. Deadlines, escalation, and audit-ready exports.
Time-bound access
Grant access for a project, a quarter, or a day. Automatic removal when the time is up — no manual cleanup needed.
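For comparison, this is what the native route to time-bound group membership looks like: a PIM for Groups assignment that Entra ID expires on its own, created through the Microsoft Graph PowerShell SDK. This is an added example, not code from the original page or from Adcyma. The user and group object IDs, the justification text and the eight-hour duration are placeholders, and the group is assumed to be one PIM for Groups can manage.

```powershell
# Added example: time-bound group membership via PIM for Groups (Microsoft Graph PowerShell SDK).
# Assumptions: the tenant is licensed for PIM, the caller can consent to the scope below,
# and the two object IDs are placeholders to replace with real values.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup" -NoWelcome

$principalId = "00000000-0000-0000-0000-000000000001"   # placeholder: user object ID
$groupId     = "00000000-0000-0000-0000-000000000002"   # placeholder: group object ID

$request = @{
    accessId      = "member"        # "owner" would grant time-bound ownership instead
    principalId   = $principalId
    groupId       = $groupId
    action        = "adminAssign"   # direct active assignment; "adminRemove" revokes it early
    justification = "Placeholder: project name and ticket reference"
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{
            type     = "afterDuration"   # or "afterDateTime" with endDateTime, or "noExpiration"
            duration = "PT8H"            # ISO 8601 duration: one working day
        }
    }
}

$result = New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $request
$result | Select-Object Id, Status, Action, CreatedDateTime

# Confirm the active instance and its scheduled end. The membership is removed by the
# service when EndDateTime passes; no cleanup job is needed.
Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance `
    -Filter "groupId eq '$groupId' and principalId eq '$principalId'" |
    Select-Object AccessId, AssignmentType, StartDateTime, EndDateTime
```

The removal is automatic, which is the point of the capability. The caveat matches the gap listed earlier in this page: the record of who granted what, and why, lands in the PIM audit history, separate from access review decisions and lifecycle events, so the single cross-cutting audit trail still has to be assembled by hand.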
Access request workflows
Employee self-service for requesting access. Multi-stage approvals with automatic routing. Every decision logged.
Compliance reporting
Pre-built reports for SOC 2, ISO 27001, and NIS2. Pull the evidence your auditor needs without assembling it from scratch.
Compliance frameworks and Entra ID governance
Most compliance frameworks that affect European companies have identity governance requirements. Here is how Entra ID governance maps to the most common ones:
SOC 2
Logical access controls, user access reviews, access provisioning and deprovisioning, privileged access management. Auditors expect automated provisioning evidence, access review records, and termination procedures.
ISO 27001
A.9 Access Control (2013 edition numbering) requires access management policies, user registration and deregistration processes, and periodic access rights reviews; Annex A.8 covers information asset ownership and classification. In the 2022 edition the same requirements sit under controls 5.15 to 5.18 (access control, identity management, authentication information, access rights) and 8.2 and 8.3 (privileged access rights, information access restriction).
NIS2
Identity and access management is a technical measure under Article 21. Organizations must implement policies for access control, privileged access, and regular reviews of user access rights.
How to implement identity governance for Entra ID
Implementation complexity depends heavily on which tool you use. Enterprise IGA platforms take months; purpose-built mid-market tools take days. A practical implementation sequence for Entra ID:
Audit your current state
Document which users have which access. Identify orphaned accounts, groups with no clear owner, and users with access they no longer need. This is the baseline your governance program will build from.
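The baseline audit described in this step can be produced from the tenant itself. The script below is an added example, not code from the original page or from Adcyma: it uses the Microsoft Graph PowerShell SDK to list groups with no owner, disabled accounts that still hold group memberships or licenses, and enabled accounts with no sign-in for 90 days. It assumes the Microsoft.Graph modules are installed, that the caller can consent to the three read scopes, and that the output path is a placeholder; the stale-sign-in check additionally needs Entra ID P1 (for the signInActivity property) and the AuditLog.Read.All scope.

```powershell
# Added example: baseline access audit of an Entra ID tenant (Microsoft Graph PowerShell SDK).
# Findings: GroupWithoutOwner, DisabledAccountWithAccess, EnabledAccountNoRecentSignIn.
# Assumptions: Microsoft.Graph modules installed; caller consents to the scopes below;
# the CSV path at the end is a placeholder. signInActivity requires P1 + AuditLog.Read.All.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All", "AuditLog.Read.All" -NoWelcome

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Groups with no owner: nobody is accountable for reviewing their membership.
foreach ($g in Get-MgGroup -All -Property Id, DisplayName, GroupTypes) {
    $owners = Get-MgGroupOwner -GroupId $g.Id -All
    if (-not $owners) {
        $kind = if ($g.GroupTypes -contains "DynamicMembership") { "dynamic" } else { "assigned" }
        $findings.Add([pscustomobject]@{
            Finding  = "GroupWithoutOwner"
            Object   = $g.DisplayName
            ObjectId = $g.Id
            Detail   = "membership=$kind"
        })
    }
}

# 2. Disabled accounts that still carry group memberships or licenses: the "disabled but
#    never offboarded" case. memberOf also returns directory roles, so keep only groups.
$disabledUsers = Get-MgUser -All -Filter "accountEnabled eq false" -Property Id, UserPrincipalName, AssignedLicenses
foreach ($u in $disabledUsers) {
    $groups = @(Get-MgUserMemberOf -UserId $u.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
    $licenseCount = @($u.AssignedLicenses).Count
    if ($groups.Count -gt 0 -or $licenseCount -gt 0) {
        $findings.Add([pscustomobject]@{
            Finding  = "DisabledAccountWithAccess"
            Object   = $u.UserPrincipalName
            ObjectId = $u.Id
            Detail   = "groups=$($groups.Count); licenses=$licenseCount"
        })
    }
}

# 3. Enabled accounts with no sign-in (interactive or non-interactive) in 90 days: the
#    orphaned-account candidates. Filtering on accountEnabled is done client-side here
#    because signInActivity does not combine with other server-side filters.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-90)
foreach ($u in Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, SignInActivity) {
    if (-not $u.AccountEnabled) { continue }
    $last = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if (-not $last -or $last -lt $cutoff) {
        $findings.Add([pscustomobject]@{
            Finding  = "EnabledAccountNoRecentSignIn"
            Object   = $u.UserPrincipalName
            ObjectId = $u.Id
            Detail   = if ($last) { "lastSignIn=$($last.ToString('u'))" } else { "lastSignIn=never" }
        })
    }
}

$findings | Sort-Object Finding, Object | Format-Table -AutoSize
$findings | Export-Csv -Path ".\entra-governance-baseline.csv" -NoTypeInformation   # placeholder path
```

Run it with a read-only account and keep the CSV: it is the "before" picture that the first access review and the role mapping in the following steps are measured against. The third item in this step, users holding access they no longer need, cannot be derived from the directory alone; it falls out of comparing these memberships with the role structure defined next.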
Define your role structure
Map job roles to the Entra ID groups and licenses each role needs. Start with 5–10 common roles: IT, Developer, Finance, HR, Sales. You can add complexity later.
Set up lifecycle automation
Connect to your HR system or define trigger conditions. Test the full joiner-mover-leaver flow with a few sample users before running live.
Run your first access review
Start with one high-risk group or application. The first review surfaces access drift that has accumulated. Use the results to clean up and establish a baseline.
Build your compliance evidence library
Configure report schedules that align with your audit cycle. Know which reports your auditor needs before the audit starts.
Choosing the right IGA tool for Entra ID
The IGA market divides roughly into three tiers. Which tier fits depends on your size, complexity, and budget:
Enterprise platforms
SailPoint, Saviynt, One Identity, Omada. Excellent for organizations with 1,000+ employees across multiple identity sources. Typical first-year cost: €50,000–€250,000+. Implementation: 3–12 months.
Mid-market tools
Purpose-built for 50–1,000 employees on Entra ID and Active Directory. Adcyma fits here. Deploy in days, not months. Priced per user rather than per enterprise contract.
Native Entra ID tools
Reasonable starting point under 50 users with simple needs. Functional limits become apparent as you grow and compliance requirements appear. No additional license cost beyond P2.
For most companies with 50–1,000 employees on Entra ID and Active Directory, a purpose-built mid-market tool gives you everything you need — access reviews, lifecycle automation, compliance reporting — without the enterprise overhead and price tag.
Frequently asked questions
What is identity governance in Microsoft Entra ID?
Identity governance in Entra ID is the set of processes and controls that ensure the right people have the right access to the right resources — and that access is reviewed, documented, and removed when it's no longer needed. It goes beyond basic user management to include access reviews, lifecycle automation, and compliance reporting.
Does Microsoft Entra ID include identity governance tools?
Yes — Entra ID includes some governance features, mainly in the P2 license tier: access reviews, entitlement management, lifecycle workflows, and Privileged Identity Management. These are useful starting points but have real functional limits, especially for companies that need consistent lifecycle automation and compliance reporting across larger teams.
When do you need a dedicated IGA tool for Entra ID?
When you have more than 50 employees and any of the following: inconsistent onboarding, manual offboarding, SOC 2 or ISO 27001 audit requirements, NIS2 compliance obligations, or a compliance team asking for access review evidence. Native Entra ID tools can handle simple cases; a dedicated IGA tool handles governance at scale.
How much does identity governance for Entra ID cost?
Adcyma starts free for up to 25 users. Beyond that, Identity Lifecycle Management is €2 per user per month, and adding Identity Governance is an additional €2. Enterprise IGA platforms that support Entra ID typically start at €50,000+ per year.
Can I implement identity governance without consultants?
Yes — that's one of the main design goals for Adcyma. Connect to your Entra ID tenant, define your role structure, and governance runs automatically. No implementation partner, no multi-month project plan.