Microsoft Entra provides identity protection and governance capabilities. Learn about these capabilities, the use cases, and benefits.
Microsoft Entra ID Governance
an identity governance solution that enables organizations to improve productivity, strengthen security, and more easily meet compliance and regulatory requirements. It leverages AI-driven insights to help organizations automatically ensure that the right people have the right access to the right resources. This is achieved through identity and access process automation, delegation to business groups, and increased visibility.
ID Governance helps organizations address these four key questions:
Which identities should have access to which resources?
What are those identities doing with that access?
Are there organizational controls in place for managing access?
Can auditors verify that the controls are working effectively?
In Microsoft Entra ID Governance, you can automate the identity lifecycle of users using:
Inbound provisioning from your organization's HR sources, to automatically maintain user identities in both Microsoft Entra ID and Active Directory.
Lifecycle workflows to automate workflow tasks that run at certain key events, such as before a new employee is scheduled to start work at the organization, as they change status during their time in the organization, and as they leave the organization.
Automatic assignment policies in entitlement management to add and remove a user's group memberships, application roles, and SharePoint site roles, based on changes to the user's attributes. Information on entitlement management is covered in a subsequent unit.
User provisioning to create, update, and remove user accounts in other applications, with connectors to hundreds of cloud and on-premises applications.
Access lifecycle
the process of managing access throughout the user's organizational life.
Entitlement management
enables organizations to define how users request access across packages of group and team memberships, app roles, and SharePoint Online roles, and enforce separation of duties checks on access requests.
Microsoft Entra Privileged Identity Management (PIM)
provides extra controls tailored to securing access rights. PIM helps you minimize the number of people who have access to resources across Microsoft Entra, Azure, and other Microsoft online services. PIM provides a comprehensive set of governance controls to help secure your company's resources.
What is a requirement for an agent identity?
a human sponsor accountable for the agent's purpose, lifecycle decisions, and access reviews. If a sponsor leaves the organization, sponsorship automatically transfers to their manager, ensuring continuous human oversight.
access reviews
enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. Regular access reviews ensure that only the right people have access to resources.
Multi-stage access reviews
Up to three stages in which multiple types of reviewers engage in determining who still needs access to company resources.
It also helps you design more efficient reviews for your resource owners and auditors by reducing the number of decisions each reviewer is accountable for.
Entitlement management
an identity governance feature that enables organizations to manage the identity and access lifecycle at scale. It automates access request workflows, access assignments, reviews, and expiration.
Microsoft Entra terms of use
allow information to be presented to users before they access data or an application. Terms of use ensure users read relevant disclaimers for legal or compliance requirements.
What can you do with PIM?
Microsoft Entra roles—Sometimes referred to as directory roles, Microsoft Entra roles include built-in and custom roles to manage Microsoft Entra ID and other Microsoft 365 online services.
Azure roles—The role-based access control (RBAC) roles in Azure that grant access to management groups, subscriptions, resource groups, and resources.
PIM for Groups—Provide just-in-time membership in the group and just-in-time ownership of the group. PIM for Groups can be used to govern access to various scenarios that include Microsoft Entra roles, Azure roles, and Azure SQL, Azure Key Vault, Intune, other application roles, and non-Microsoft applications.
General workflow of PIM
Assign—The assignment process starts by assigning roles to members. To grant access to a resource, the administrator assigns roles to users, groups, service principals, or managed identities.
Activate—If users have been made eligible for a role, then they must activate the role assignment before using the role. To activate the role, users select specific activation duration within the maximum (configured by administrators), and the reason for the activation request.
Approve or deny—Delegated approvers receive email notifications when a role request is pending their approval. Approvers can view, approve, or deny these pending requests in PIM. After the request has been approved, the member can start using the role.
Extend and renew—When a role assignment nears expiration, the user can use PIM to request an extension for the role assignment. When a role assignment has already expired, the user can use Privileged Identity Management to request a renewal for the role assignment.
Privileged Identity Management (PIM) audit history
lets you see all role assignments and activations within the past 30 days for all privileged roles.
Microsoft Entra ID Protection
helps organizations detect, investigate, and remediate identity-based risks. This includes user identities and workload identities.
Sign-in risk
represents the probability that a given authentication request isn't authorized by the identity owner. Examples include a sign-in from an anonymous IP address, atypical travel (two sign-ins originating from geographically distant locations), unfamiliar sign-in properties, and more.
User risk
A user risk represents the probability that a given identity or account is compromised. Examples include leaked credentials, user-reported suspicious activity, suspicious sending patterns, and more.
Identity Protection only generates risk detections when
correct credentials are used in the authentication request. If a user uses incorrect credentials, the attempt isn't flagged by Identity Protection, since there is no risk of credential compromise unless a bad actor uses the correct credentials.
Identity Protection provides three key reports for administrators to investigate risks and take action:
Risk detections: Each risk detected is reported as a risk detection.
Risky sign-ins: A risky sign-in is reported when there are one or more risk detections reported for that sign-in.
Risky users: A risky user is reported when either or both of the following are true:
The user has one or more risky sign-ins.
One or more risk detections are reported.
How are risks remediated in Microsoft Entra ID Protection?
Automated remediation: Risk-based Conditional Access policies enforce strong authentication, MFA, or secure password reset. If successful, the risk is automatically remediated.
Manual remediation: When automation isn’t enabled, admins review risks in reports, APIs, or Microsoft Defender XDR. They can dismiss, confirm safe, or confirm compromise.
What is Microsoft Entra Verified ID?
A managed verifiable credentials service based on open standards that automates identity verification and enables privacy-protected interactions between organizations and users.
Why do we need verifiable credentials?
They provide secure, privacy-compliant, machine-readable digital identity claims, giving individuals control over how their identity data is used and shared.
Who are the three main parties in a verifiable credential interaction?
Issuer: Grants digitally signed credentials (e.g., government, employer, university).
User: Stores credentials in a digital wallet and presents them.
Verifier: Requests and validates proof (e.g., employer, airline, mortgage company).
What is the role of the verifiable data registry?
It records metadata (like public keys) used to verify credentials, acting as a trust system. Verified ID uses the did:web trust system linked to an organization's domain.
How does Verified ID support account recovery?
It re-establishes trust when all authentication methods are lost by verifying government-issued IDs via a trusted provider, issuing a credential in Microsoft Authenticator, and using Face Check with Azure AI to confirm identity.
How does Verified ID help against AI-driven fraud?
It ensures interactions involve real, verified individuals, mitigating risks from deepfakes and identity impersonation.
How does Microsoft Entra Verified ID support account recovery?
Used when all authentication methods are lost.
Verifies government-issued ID through a trusted provider.
Issues a credential in Microsoft Authenticator.
Uses Face Check with Azure AI to confirm identity.
Restores secure access by re-establishing trust.
What is Microsoft Security Copilot?
A generative AI-powered security solution that combines AI and human expertise to help administrators respond to attacks faster and more effectively.
How does Microsoft Entra integrate with Security Copilot?
Through the Entra plugin, Copilot can investigate and resolve identity risks, assess identities and access with AI-driven intelligence, and provide contextualized insights and recommendations.
What are the two types of Security Copilot experiences in Microsoft Entra?
Standalone experience: Use natural language prompts in the Security Copilot portal.
Embedded experience: Copilot capabilities are built directly into Entra admin center workflows (e.g., risky users report).
Product areas and the types of tasks you can accomplish using Security Copilot in Microsoft Entra:
Entra ID: Manage users, groups, domains, licenses, and investigate logs.
ID Protection: Summarize risk levels, investigate detections, and recommend remediation.
ID Governance: Analyze access reviews, manage entitlement packages, monitor privileged access.
Internet & Private Access: Investigate secure access logs and network traffic.
What are Microsoft Entra agents?
AI-powered tools that automate identity and access management tasks, apply best practices, and take automated actions to improve security posture and efficiency.
Name two Microsoft Entra agents and their functions.
Conditional Access Optimization Agent: Analyzes policies, identifies gaps, and recommends improvements.
Identity Risk Management Agent (Preview): Investigates risks in Entra ID Protection and helps protect critical assets.
Your organization implemented important changes in its customer-facing web-based applications. You want to ensure that any user who wishes to access these applications agrees to the legal disclaimers. Which Microsoft Entra feature should you implement?
Microsoft Entra terms of use.
An organization recently conducted a security audit and found that four people who had left the organization were still active and assigned Global Administrator roles. The users are now deleted, but the IT organization needs to recommend a solution to prevent a similar security lapse from happening in the future. Which solution should they recommend?
Privileged Identity Management.
Your IT organization recently discovered that several user accounts in the finance department are compromised. The CTO wants a solution to reduce the impact of compromised user accounts. Which Microsoft Entra feature should they recommend?
Microsoft Entra ID Protection.
An organization is project-oriented with employees often working on more than one project at a time. Each project requires access to different sets of applications and resources. Which Microsoft Entra feature is best suited to managing user access in this scenario?
Entitlement management.