4.4 Identity Governance Design

Key Takeaways

  • Privileged Identity Management (PIM) provides just-in-time, time-bound privileged access through eligible assignments (require activation, MFA, justification, or approval) versus active assignments (standing access with no activation step)
  • PIM for Groups extends the same eligible/active and approval model to group membership or ownership, letting an architect grant a bundle of role assignments through one time-bound group activation instead of configuring PIM per role per user
  • Access Reviews are recurring or one-time campaigns where a designated reviewer re-certifies that users still need existing access (group membership, application assignment, Entra role, or PIM-eligible assignment), with an option to auto-remove access on denial or non-response
  • Entitlement Management bundles resources (groups, Teams, applications, SharePoint sites, Entra roles) into an access package inside a catalog, and lets external users from connected organizations request access through a defined, time-limited approval policy
  • PIM answers 'make privileged access temporary,' Access Reviews answers 'periodically re-certify access is still needed,' and Entitlement Management answers 'let people self-service request access, including external partners' — the exam expects you to match the scenario to the right one of these three
Last updated: July 2026

Why This Topic Matters

"Recommend a solution for identity governance" is the third and final bullet under Design governance. It is easy to confuse with the authorization bullets from Chapter 3 ("Recommend a solution for authorizing access to Azure resources"), but the distinction is precise: authorization design decides what permissions a role grants and at what scope (RBAC design); identity governance decides how long someone holds a permission, whether it needs periodic re-certification, and how external or bundled access gets requested and approved. AZ-305 scenarios in this area describe time-limited elevated access, periodic access recertification, or structured self-service access requests — and expect you to pick from three distinct Microsoft Entra ID Governance capabilities: Privileged Identity Management (PIM), Access Reviews, and Entitlement Management.

Privileged Identity Management (PIM): Just-in-Time Privileged Access

Privileged Identity Management (PIM) provides time-based and approval-based activation of privileged roles to reduce the risk of standing, unused, or excessive access. PIM covers Microsoft Entra roles, Azure resource RBAC roles, and (via PIM for Groups) group membership and ownership.

Assignment typeBehavior
EligibleThe user is not granted the permission until they perform an activation action — which may require multi-factor authentication (MFA), a justification, a maximum activation duration, and/or approval from a designated approver
ActiveThe user has the permission immediately, with no activation step required — reserved for accounts that genuinely need standing access, such as break-glass emergency accounts

Per-role PIM settings an architect can configure include: maximum activation duration, whether MFA is required at activation, whether a justification or ticket number is required, and whether a specific approver (or set of approvers) must approve each activation request. PIM for Groups applies this same eligible/active model to a group's membership or ownership — instead of configuring PIM separately for every Azure RBAC role a team needs, you configure PIM once on a group, and the group's role assignments (to a subscription, resource group, or resource) are what actually grant the permissions. This scales far better for teams that need the same bundle of roles activated together.

Access Reviews: Periodic Recertification

An access review is a recurring or one-time campaign in which a designated reviewer (the resource owner, the requesting user's manager, or the user via self-review) attests whether a set of users still needs access they currently hold — group membership, an application assignment, an Entra role, or a PIM-eligible role assignment. Access reviews can be configured to:

  • Recur on a schedule (monthly, quarterly, annually) or run once.
  • Auto-apply the reviewer's decision (automatically remove access on a "deny" outcome) rather than requiring a separate manual step.
  • Apply a default decision (commonly, auto-remove access) if the designated reviewer never responds, closing the gap where unresponsive reviewers silently preserve stale access indefinitely.

Access reviews solve a different problem than PIM: PIM makes access temporary and activation-gated from the start; access reviews periodically re-certify access that may have been standing (active) for a long time, including PIM-eligible assignments that reviewers should confirm are still justified.

Entitlement Management: Self-Service, Bundled, and External Access

Entitlement management lets you package multiple resources into a single request-and-approval unit:

ConceptDefinition
Access packageA bundle of resources (groups/Teams, applications, SharePoint sites, or Entra roles) plus an assignment policy (who can request, approval workflow, expiration date)
CatalogA container that groups related resources and access packages for delegated administration; a non-administrator can only add resources to a catalog they own
Resource roleThe specific permission level exposed inside an access package (for example, "Member" versus "Owner" of a group)
Connected organizationAn external Microsoft Entra tenant, or a non-Entra domain, whose users are permitted to request access packages in a catalog — enabling structured business-to-business (B2B) access at scale without inviting every guest individually

Entitlement management is the right answer whenever a scenario needs self-service requests with approval workflows, time-limited/expiring access, or external partner access across multiple organizations to a defined bundle of resources.

Matching Scenarios to the Right Tool

ScenarioCorrect capability
On-call engineers need elevated production-subscription access only while responding to an incident, with MFA and a logged justificationPIM — eligible assignment with activation requirements
A team's shared Azure RBAC roles should activate together for a limited window rather than being configured per-user, per-rolePIM for Groups
Compliance requires quarterly recertification of everyone holding the Owner role on production subscriptionsAccess Reviews
External researchers from a dozen partner institutions need to request the same Teams site and SharePoint access, expiring automatically after 90 days unless renewedEntitlement Management with connected organizations and an access package expiration policy

A Note on Lifecycle Workflows

Microsoft Entra ID Governance also includes Lifecycle Workflows, which automate joiner/mover/leaver identity tasks — for example, automatically disabling an account a set number of days after an employee's recorded termination date. It is a smaller, newer capability worth recognizing by name if a scenario describes automating identity lifecycle events tied to HR data, distinct from the three core capabilities above.

Takeaways for the Exam

  • If the requirement centers on time-bound activation of privileged access, the answer is PIM (or PIM for Groups for bundled role assignments).
  • If the requirement centers on periodically confirming existing access is still needed, the answer is Access Reviews.
  • If the requirement centers on self-service requests, bundled resources, or external/partner access, the answer is Entitlement Management (access packages, catalogs, connected organizations).
  • Keep this distinct from RBAC/authorization design (Chapter 3): identity governance is about time and re-certification, not about which permissions a role itself contains.
Test Your Knowledge

A hospital IT team wants on-call engineers to gain access to production subscriptions only while handling an active incident, requiring multi-factor authentication and a written justification at the moment access is requested. Which Microsoft Entra ID Governance capability directly implements this?

A
B
C
D
Test Your Knowledge

A university needs to let external researchers from 12 partner institutions request access to a shared Teams site and SharePoint library, with access automatically expiring after 90 days unless renewed through an approval workflow. Which Microsoft Entra ID Governance capability fits this requirement?

A
B
C
D
Test Your Knowledge

A company's compliance team requires that every user holding the Owner role on production subscriptions be re-certified by their manager every quarter, with automatic removal of access if the manager denies or does not respond. Which capability should the architect recommend?

A
B
C
D