4.4 Identity Governance, Entitlement Management, and Lifecycle Governance
Key Takeaways
- Microsoft Entra ID Governance answers four questions: which users have access, what they can do with it, whether the access is appropriate, and whether controls are effective.
- Entitlement management uses access packages that bundle resources (groups, apps, SharePoint sites) into requestable items with approval and expiration policies.
- Lifecycle workflows automate the joiner, mover, and leaver stages so access is provisioned on day one and revoked at offboarding.
- Entra ID Governance is a paid add-on (P1/P2 plus the Governance SKU) and complements, rather than replaces, Conditional Access.
- Governance is about keeping access appropriate over time, not just granting it once.
Governance: the right access over time
Microsoft Entra ID Governance is the identity governance and administration (IGA) layer of Entra. Microsoft frames it around four questions an organization should always be able to answer:
- Which users have access to which resources?
- What are those users doing with that access?
- Is there effective organizational control over that access?
- Can auditors verify the controls are working?
Initial access assignment is only the beginning. People change roles, projects end, partners come and go, and privileged access drifts. Governance is the discipline of making sure access stays appropriate across the entire identity lifecycle, not just at the first grant.
Governance is licensed separately: the Entra ID Governance SKU sits on top of P1 or P2. Its four pillars are entitlement management, access reviews, lifecycle workflows, and Privileged Identity Management. Entitlement management, access reviews and PIM already ship with P2; lifecycle workflows and the advanced variants of the other pillars (for example machine-learning recommendations in access reviews) need the Governance license. (Access reviews and PIM get their own treatment in Section 4.5.)
Entitlement management and access packages
Entitlement management lets organizations manage access at scale by automating access requests, assignments, reviews, and expiration. Its central object is the access package — a bundle of resources (security/Microsoft 365 groups, enterprise applications, and SharePoint Online sites) packaged together so a user can request the whole set with one request instead of an admin hand-adding them to groups.
An access package is governed by policies that define:
| Policy element | Purpose |
|---|---|
| Who can request | Internal users, specific groups, or external/guest users |
| Approval workflow | Single or multi-stage approvals; or auto-approve |
| Lifecycle/expiration | When access expires and whether it can be extended |
| Access review | Periodic recertification of the assignment |
This is especially powerful for external collaboration: a partner can request an access package through a portal, get approved, receive a bundle of resources, and have that access automatically expire — all without IT manually managing the guest. Catalogs group related packages and resources for delegated administration.
Lifecycle workflows: joiner, mover, leaver
Lifecycle workflows automate the tasks tied to the three identity-lifecycle events:
- Joiner — a new employee automatically receives the right groups, licenses, and a welcome experience on day one. The trigger is the employeeHireDate attribute, and a negative day offset lets pre-hire tasks (for example generating a Temporary Access Pass) run before the start date.
- Mover — a change to attributes such as department or jobTitle triggers access recertification and adjusts entitlements.
- Leaver — reaching employeeLeaveDateTime automatically disables the account, removes group memberships and licenses, and revokes refresh tokens at offboarding.
Workflows are evaluated on a tenant-wide schedule (every three hours by default, adjustable between one and twenty-four) and fire for any user who matches both the workflow's scope rule and its trigger: a time-based trigger relative to employeeHireDate or employeeLeaveDateTime with a day offset, or an attribute-change trigger for movers. They can also be run on demand against selected users. They execute built-in tasks in sequence, such as generating a temporary access pass, adding or removing group memberships, sending notifications, and disabling accounts. The exam point is that lifecycle workflows make provisioning and deprovisioning automatic and consistent, closing the common gap where ex-employees keep access for weeks.
- Joiner = automated onboarding/provisioning.
- Mover = recertify and adjust on role change.
- Leaver = automated offboarding/deprovisioning.
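The leaver workflow described above, built with the Microsoft Graph PowerShell SDK. This is an added example, not configuration from the page or from Microsoft's documentation. It assumes the Microsoft.Graph.Identity.Governance module is installed and the signed-in account can consent to LifecycleWorkflows.ReadWrite.All; the built-in task display names ("Disable user account", "Remove user from all groups", "Remove all licenses for user") and the employeeType scope rule are assumptions to confirm against your tenant's task catalog and directory data.

```powershell
# Added example: create a scheduled "leaver" lifecycle workflow via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph.Identity.Governance is installed; the caller can grant
# LifecycleWorkflows.ReadWrite.All; task display names match the tenant's built-in catalog.
# Task definition IDs are resolved by name rather than hard-coded, so no GUIDs are assumed.
Connect-MgGraph -Scopes "LifecycleWorkflows.ReadWrite.All"

# Resolve the built-in task definitions we want to chain, in execution order.
$catalog = Get-MgIdentityGovernanceLifecycleWorkflowTaskDefinition -All
$wanted  = @("Disable user account", "Remove user from all groups", "Remove all licenses for user")
$tasks   = @()
$seq     = 1
foreach ($name in $wanted) {
    $def = $catalog | Where-Object { $_.DisplayName -eq $name }
    if (-not $def) { throw "Built-in task '$name' not found; list the catalog and adjust the names." }
    $tasks += @{
        category          = "leaver"
        displayName       = $def.DisplayName
        description       = $def.Description
        isEnabled         = $true
        continueOnError   = $false        # stop the run if disabling the account fails
        executionSequence = $seq++
        taskDefinitionId  = $def.Id
        arguments         = @()           # none of these three tasks take parameters
    }
}

$workflow = @{
    category            = "leaver"
    displayName         = "Offboard departing employees (day 0)"
    description         = "Disable account, strip groups and licenses on employeeLeaveDateTime"
    isEnabled           = $true
    isSchedulingEnabled = $true           # evaluated on the tenant schedule; $false = on-demand only
    executionConditions = @{
        "@odata.type" = "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions"
        scope = @{
            "@odata.type" = "#microsoft.graph.identityGovernance.ruleBasedSubjectSet"
            rule          = "(employeeType eq 'Employee')"   # assumed scope; narrow it for a pilot
        }
        trigger = @{
            "@odata.type"      = "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger"
            timeBasedAttribute = "employeeLeaveDateTime"
            offsetInDays       = 0                           # 0 = on the leave date; negative runs before it
        }
    }
    tasks = $tasks
}

$created = New-MgIdentityGovernanceLifecycleWorkflow -BodyParameter $workflow
$created | Select-Object Id, DisplayName, IsEnabled, IsSchedulingEnabled
```

Two practical points: employeeLeaveDateTime is only populated if HR provisioning (or an admin) writes it, so the trigger silently never fires for users who lack it, and the workflow applies to everyone matching the scope rule, so pilot with a tight rule (or run it on demand against a test user) before enabling scheduling tenant-wide.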
Governance versus point-in-time access control
Conditional Access decides access in the moment of a sign-in. Governance asks whether the access should still exist over time and automates that lifecycle. That distinction is the heart of SC-900's governance questions.
| Wording in the scenario | Capability |
|---|---|
| "Users request a bundle of resources for a project, with approval and auto-expiry" | Entitlement management / access packages |
| "Provision access on hire and remove it on termination automatically" | Lifecycle workflows |
| "Periodically confirm users still need their access" | Access reviews |
| "Limit standing admin rights with just-in-time activation" | Privileged Identity Management |
| "Require MFA from untrusted networks" | Conditional Access (not governance) |
If the scenario is less about one sign-in and more about access hygiene over time — onboarding, offboarding, recertification, expiration — you are in Entra ID Governance.
Why governance exists and how the pieces fit together
Cloud access grows quickly and silently. Without governance, users accumulate permissions long after they need them — a problem called privilege creep or access sprawl. A salesperson who moves to marketing keeps the old CRM access; a contractor whose project ended still belongs to ten Teams; a guest invited for one document never leaves. Each lingering grant widens the attack surface and breaks least privilege. Microsoft Entra ID Governance exists to keep access aligned with current need automatically, at a scale humans cannot manage by hand.
The four pillars work as a system. Entitlement management controls how access is requested and granted through self-service access packages with approvals, so the right people get the right bundle without an admin manually managing groups. Lifecycle workflows keep access aligned with employment events — joiner, mover, leaver — so provisioning and deprovisioning are automatic and timely. Access reviews periodically recertify that existing access is still warranted and remove what is not. Privileged Identity Management governs the highest-risk privileged roles with just-in-time activation.
Together they cover the full arc: request, provision, recertify, and elevate.
For answer selection, listen for the verbs and nouns. Request a bundle / access package / approval / expiry points to entitlement management. On hire / on termination / automate onboarding / role change points to lifecycle workflows. Periodically confirm / recertify / still needed points to access reviews. Elevate / activate / standing admin points to PIM. And crucially, governance is licensed separately — the Entra ID Governance add-on on top of P1/P2 — which the exam may use to distinguish it from base Conditional Access.
- Privilege creep is the core problem governance solves.
- Entitlement management = how access is requested/granted.
- Lifecycle workflows = access tied to employment events.
- Access reviews = recurring recertification.
- PIM = privileged-role governance.
An organization wants external partners to request a single bundle of groups, apps, and a SharePoint site, route it through an approval workflow, and have the access expire automatically. Which capability fits?
Which capability automatically provisions access for new hires on day one and removes it automatically at termination?
Which set of questions does Microsoft Entra ID Governance help an organization answer?