
Microsoft Entra ID Governance: Access Reviews, PIM and Lifecycle Workflows for Small Business Berlin

Knowing who has access to what — and whether that access is still justified — is one of the hardest identity governance challenges for growing organisations. Microsoft Entra ID Governance addresses this with Access Reviews, Entitlement Management, Privileged Identity Management (PIM), and Lifecycle Workflows: structured mechanisms to grant, review, and revoke access automatically based on rules, time limits, and managerial decisions.

For small and mid-sized businesses in Berlin, Entra ID Governance reduces the risk of standing privileged access, helps demonstrate compliance with DSGVO and ISO 27001 access control requirements, and automates the joiner-mover-leaver (JML) lifecycle that IT teams otherwise manage manually. This post explains each component, how they interact, and practical configuration guidance.

Access Reviews

Access Reviews enable periodic, auditable reviews of who holds access to applications, groups, or privileged roles, and can automatically remove access when a reviewer denies it or when no response is received within the review window. Reviews can be configured for Azure AD group membership, enterprise application assignments, Azure RBAC roles, and Entra ID directory roles.

Access Review Configuration Options

Each setting below is given as: recommended value, followed by why.

  • Review frequency: quarterly for apps, monthly for privileged roles. Why: aligns with the ISO 27001 A.9.2.5 review cadence.
  • Reviewer type: manager (for app access); self-review plus manager for group membership. Why: managers have business context; self-review flags stale access.
  • Upon no response: remove access. Why: fail-secure default, inaction means revocation.
  • Apply results automatically: enabled (7-day grace period). Why: eliminates manual follow-up and enforces decisions.
  • Scope: all users (including guests). Why: guest accounts are high-risk if unreviewed.

Access Review results are available in the Entra ID audit log, exportable to Log Analytics, and can be integrated into Microsoft Sentinel for compliance reporting. Every decision — approved, denied, no response — is recorded with timestamp and reviewer identity.
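As an added example (not code from the original post), the recommended settings above expressed as the Microsoft Graph accessReviewScheduleDefinition body that a quarterly, manager-reviewed group review is created from, with a small audit function that flags definitions drifting away from the fail-secure values. Property names follow the Graph v1.0 schema; the group id, display name and start date passed in are placeholders.

```python
# Added example, not from the original post: build the Microsoft Graph
# accessReviewScheduleDefinition body with the recommended settings above and
# audit any definition against them. Group id and start date are placeholders.
def build_group_review(group_id: str, name: str, start_date: str,
                       interval_months: int = 3) -> dict:
    """Body for POST /identityGovernance/accessReviews/definitions."""
    return {
        "displayName": name,
        "scope": {  # every member of the group, guests included
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [{  # each member's own manager decides
            "query": "./manager", "queryType": "MicrosoftGraph",
            "queryRoot": "decisions",
        }],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "defaultDecisionEnabled": True,     # no response within the window...
            "defaultDecision": "Deny",          # ...revokes access (fail-secure)
            "instanceDurationInDays": 7,        # the review window
            "autoApplyDecisionsEnabled": True,  # enforce decisions without follow-up
            "recommendationsEnabled": True,
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": interval_months,
                            "dayOfMonth": 1},
                "range": {"type": "noEnd", "startDate": start_date},
            },
        },
    }

def audit_review(defn: dict, max_interval_months: int) -> list:
    """Return the settings that deviate from the fail-secure recommendations."""
    s, findings = defn.get("settings", {}), []
    if not (s.get("defaultDecisionEnabled") and s.get("defaultDecision") == "Deny"):
        findings.append("no response does not revoke access")
    if not s.get("autoApplyDecisionsEnabled"):
        findings.append("decisions are not applied automatically")
    if not defn.get("reviewers"):
        findings.append("no reviewers configured")
    pat = s.get("recurrence", {}).get("pattern", {})
    if pat.get("type") != "absoluteMonthly" or pat.get("interval", 99) > max_interval_months:
        findings.append(f"review cadence exceeds {max_interval_months} month(s)")
    return findings
```

Run audit_review with max_interval_months=1 against definitions that cover privileged roles and 3 against application reviews to match the cadence in the list above.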

Entitlement Management

Entitlement Management allows you to define access packages — bundles of resources (groups, applications, SharePoint sites) that users can request through a self-service portal, subject to approval workflows and time-limited assignments. This replaces ad-hoc IT ticket processes for access requests with a governed, auditable workflow.

Access Package Components

  • Catalog: Container for access packages — typically one per department or project (e.g., “Finance Resources”, “Azure DevOps Projects”)
  • Access Package: Named bundle of resources (e.g., “Finance Analyst Access” includes Finance group + SAP application + SharePoint Finance site)
  • Policy: Who can request the package (internal users, specific groups, external partners), who approves, and how long access lasts (e.g., 180 days with renewal option)
  • Assignment: The live, time-bounded grant of the access package to a user — revoked automatically at expiry unless renewed

Entitlement Management is particularly valuable for external partner access: a Berlin SMB can create an access package for a specific partner organisation, configure approval by an internal sponsor, and set automatic expiry after 90 days. No IT ticket, no standing guest accounts, no manual cleanup.

Privileged Identity Management (PIM)

PIM eliminates standing privileged access by requiring users to activate eligible role assignments just-in-time (JIT). An eligible Global Administrator must explicitly activate the role in Entra PIM, providing a justification and optionally triggering MFA or approval — and the role expires automatically after the configured window (typically 1-8 hours).

PIM applies to both Entra ID directory roles (Global Admin, Security Admin, Exchange Admin) and Azure RBAC roles (Owner, Contributor, User Access Administrator on subscriptions and resource groups). For Entra ID directory roles, PIM also provides role activation alerts — configurable notifications when roles are activated outside business hours, from unfamiliar locations, or with unusual activation patterns.

PIM Configuration Checklist

  • Convert all Global Admin assignments from Permanent Active to Eligible — this is the single highest-impact change for privileged access security
  • Set maximum activation duration: 1 hour for Global Admin, 4 hours for workload-specific roles
  • Require MFA on activation for all privileged roles (even if MFA is already enforced via Conditional Access)
  • Configure approval workflow for Global Admin, Privileged Role Admin, and User Access Administrator roles
  • Enable PIM Access Reviews for all active privileged role holders — quarterly cadence
  • Configure PIM alerts: “Roles are being activated too frequently”, “Roles don’t require MFA”, “There are too many global admins”
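To check a tenant against this checklist rather than eyeballing the portal, here is an added example (not from the original post) that audits the rules of a PIM role management policy as Microsoft Graph returns them (unifiedRoleManagementPolicy with rules expanded). The rule ids follow the Graph schema; the sample policy at the bottom is constructed to fail several checks and is not real tenant data.

```python
# Added example, not from the original post: audit a PIM role management
# policy's rules (Graph: GET /policies/roleManagementPolicies/{id}?$expand=rules)
# against the checklist above. SAMPLE_RULES is constructed, not tenant data.
import re

def iso_hours(duration: str) -> float:
    """Convert a PIM ISO 8601 duration such as PT1H, PT30M or P1D to hours."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", duration)
    if not m:
        raise ValueError(f"unsupported duration: {duration}")
    d, h, mi = (int(x) if x else 0 for x in m.groups())
    return d * 24 + h + mi / 60

def audit_pim_policy(rules: list, max_activation_hours: float,
                     approval_required: bool) -> list:
    """Return checklist violations found in the policy's rules."""
    by_id = {r["id"]: r for r in rules}
    findings = []
    # Permanent active assignment must be off: no standing privileged access.
    adm = by_id.get("Expiration_Admin_Assignment", {})
    if not adm.get("isExpirationRequired"):
        findings.append("permanent active assignment is allowed")
    # The activation window must not exceed the agreed maximum for this role.
    act = by_id.get("Expiration_EndUser_Assignment", {})
    hours = iso_hours(act.get("maximumDuration", "PT8H"))
    if hours > max_activation_hours:
        findings.append(f"activation may last {hours:g}h (> {max_activation_hours:g}h)")
    # MFA and a justification are required on every activation.
    enabled = set(by_id.get("Enablement_EndUser_Assignment", {}).get("enabledRules", []))
    for req in ("MultiFactorAuthentication", "Justification"):
        if req not in enabled:
            findings.append(f"activation does not require {req}")
    # Approval is required for the most sensitive roles only.
    appr = by_id.get("Approval_EndUser_Assignment", {}).get("setting", {})
    if approval_required and not appr.get("isApprovalRequired"):
        findings.append("activation does not require approval")
    return findings

# Constructed sample: a Global Administrator policy that fails several checks.
SAMPLE_RULES = [
    {"id": "Expiration_Admin_Assignment", "isExpirationRequired": False},
    {"id": "Expiration_EndUser_Assignment", "maximumDuration": "PT8H"},
    {"id": "Enablement_EndUser_Assignment", "enabledRules": ["Justification"]},
    {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False}},
]
```

Call audit_pim_policy(rules, 1, True) for Global Administrator and audit_pim_policy(rules, 4, False) for workload-specific roles to apply the durations from the checklist.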

Lifecycle Workflows

Lifecycle Workflows automate identity tasks triggered by employment lifecycle events: joiner (new hire), mover (role change), and leaver (offboarding). Workflows are defined as sequences of tasks executed automatically based on Entra ID user attributes — typically employeeHireDate, department, and employeeLeaveDateTime.

Built-in task types include: send welcome email, generate Temporary Access Pass (TAP), add user to groups, send manager notification, disable user account, remove user from all groups, delete user, and revoke sign-in sessions. Custom tasks can call Azure Logic Apps for integration with HR systems, ITSM platforms, or external provisioning workflows.

Joiner Workflow Example

Trigger: user’s employeeHireDate is 7 days in the future. Tasks: (1) Generate Temporary Access Pass and email to manager, (2) Add user to department group, (3) Add user to onboarding Teams channel, (4) Send welcome email with TAP and getting-started link. Result: on Day 1, the new employee can authenticate using the TAP — no IT desk ticket, no shared temporary password.

Leaver Workflow Example

Trigger: user’s employeeLeaveDateTime is today. Tasks: (1) Disable user account, (2) Revoke all sign-in sessions and refresh tokens, (3) Remove from all groups and access packages, (4) Notify manager with offboarding confirmation, (5) Convert mailbox to shared (via Exchange Online task). Result: consistent, auditable offboarding — no standing access from former employees.
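The joiner and leaver triggers above, written as the executionConditions and task list of a Microsoft Graph lifecycle workflow, as an added example that is not part of the original post. The OData type names follow the Graph v1.0 lifecycle workflow schema; the task definition ids are placeholders (the real GUIDs come from the tenant's taskDefinitions), and validate_workflow refuses a workflow that still carries them.

```python
# Added example, not from the original post: build the Graph executionConditions
# for a date-triggered lifecycle workflow, assemble the leaver workflow above,
# and sanity-check it before it is created. Task definition ids are placeholders
# (real values: GET /identityGovernance/lifecycleWorkflows/taskDefinitions).
def execution_conditions(attribute: str, offset_days: int, scope_rule: str) -> dict:
    """Trigger on an employee date attribute, limited to users matching an OData rule."""
    return {
        "@odata.type": "#microsoft.graph.triggerAndScopeBasedConditions",
        "scope": {"@odata.type": "#microsoft.graph.ruleBasedSubjectSet",
                  "rule": scope_rule},
        "trigger": {"@odata.type": "#microsoft.graph.timeBasedAttributeTrigger",
                    "timeBasedAttribute": attribute,
                    "offsetInDays": offset_days},  # negative = before the date
    }

def task(display_name: str, task_definition_id: str, arguments=None) -> dict:
    return {"displayName": display_name, "isEnabled": True, "continueOnError": False,
            "taskDefinitionId": task_definition_id,
            "arguments": [{"name": k, "value": v} for k, v in (arguments or {}).items()]}

def leaver_workflow(department_rule: str) -> dict:
    """Offboarding on the day employeeLeaveDateTime is reached (offset 0)."""
    return {
        "category": "leaver", "displayName": "Offboard employee", "isEnabled": True,
        "executionConditions": execution_conditions("employeeLeaveDateTime", 0, department_rule),
        "tasks": [  # same order as the leaver example: cut access first, then notify
            task("Disable user account", "<disable-account-task-id>"),
            task("Revoke all sign-in sessions", "<revoke-sessions-task-id>"),
            task("Remove user from all groups", "<remove-groups-task-id>"),
            task("Notify manager", "<notify-manager-task-id>"),
        ],
    }

def validate_workflow(wf: dict) -> list:
    """Catch category/trigger mismatches and unresolved ids before POSTing the workflow."""
    trig = wf["executionConditions"]["trigger"]
    attr, offset, category = trig["timeBasedAttribute"], trig["offsetInDays"], wf["category"]
    problems = []
    expected = {"joiner": "employeeHireDate", "leaver": "employeeLeaveDateTime"}.get(category)
    if expected and attr != expected:
        problems.append(f"{category} workflow should trigger on {expected}, not {attr}")
    if category == "leaver" and offset < 0:
        problems.append("leaver workflow would run before the leave date")
    for t in wf["tasks"]:
        if t["taskDefinitionId"].startswith("<"):
            problems.append(f"task definition id not resolved for '{t['displayName']}'")
    return problems
```

The joiner trigger from the earlier example is execution_conditions("employeeHireDate", -7, rule): the negative offset runs the pre-boarding tasks a week before day one.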

Licensing Requirements

Entra ID Governance features require Microsoft Entra ID P2 (included in Microsoft 365 E5 or as an add-on) for users consuming Access Reviews, PIM, and Entitlement Management. Lifecycle Workflows require Microsoft Entra ID Governance licensing (a separate add-on to P2, approximately €7/user/month). For most Berlin SMBs, prioritising PIM and Access Reviews under P2 delivers the majority of governance value before evaluating the full Governance add-on.

Integration with Conditional Access and Entra ID Protection

Entra ID Governance operates within the same identity plane as Conditional Access and Entra ID Protection. Access Reviews can be scoped to users flagged as risky by Entra ID Protection — triggering an immediate review when a user’s risk level elevates. Conditional Access can require users to complete an active access review before granting access to sensitive applications. PIM activation policies can enforce Conditional Access compliance — requiring a compliant device as a condition of role activation.

IT Experts Berlin configures Entra ID Governance for Berlin SMBs — PIM role conversion, Access Review scheduling, Entitlement Management catalogs, and Lifecycle Workflow automation. Contact us to discuss your identity governance requirements.
