Microsoft Entra ID Governance: Identity Lifecycle Management for Small Businesses in Berlin
What Is Microsoft Entra ID Governance?
Microsoft Entra ID Governance is the identity lifecycle management layer of the Microsoft Entra platform. Where Entra ID handles authentication and Conditional Access handles access control, ID Governance addresses the operational question that sits below both: ensuring the right people have the right access, for the right duration, and that access is removed or recertified when circumstances change.
For small businesses in Berlin, the practical relevance is direct. Employees join, move between departments, go on extended leave, and eventually depart. Partners and contractors are onboarded for specific projects and need access that should expire when the engagement ends. Without a governed identity lifecycle, access accumulates over time, creating the standing privilege exposure that attackers exploit and that GDPR’s accountability principle requires organisations to manage.
Entra ID Governance bundles three capabilities that address this lifecycle: Entitlement Management for structured access provisioning, Access Reviews for periodic recertification, and Lifecycle Workflows for automating joiner-mover-leaver processes.
Entitlement Management: Structured Access Provisioning
Entitlement Management replaces ad-hoc access requests — typically handled through email, ticketing systems, or informal conversations — with a structured catalogue of access packages. An access package bundles the resources a person needs for a specific role or project: Microsoft 365 groups, SharePoint sites, Teams channels, Azure resource groups, and Entra roles can all be included in a single package.
Access Package Catalogue
Access packages are organised into catalogues, each with designated owners responsible for the resources within. A Berlin small business might create a catalogue for client project access, another for finance team resources, and a third for IT administration tools. Each catalogue can be managed by its domain owner without requiring global administrator involvement in every access decision.
Policies: Who Can Request, Who Approves, How Long
Each access package carries a policy that defines who is eligible to request it (specific users, groups, or all organisational members), who must approve requests (one or two stages of designated approvers), whether the requester must provide a justification, and how long the assignment lasts before it expires or requires renewal. Assignment durations can be fixed (for example, 90 days for a project engagement) or indefinite with periodic review requirements.
Self-Service Access Requests via MyAccess
Eligible requesters access their catalogue through myaccess.microsoft.com — a self-service portal where they can browse available packages, submit requests with justifications, check approval status, and view their current access assignments. For Berlin businesses that want to empower employees to request appropriate access without involving IT in every decision, this portal replaces informal access request processes with a documented, auditable workflow.
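The catalogue, package and policy described above can be built in one script with Microsoft Graph PowerShell. The following is an added example, not code from the original article or from Microsoft: it assumes the Microsoft.Graph.Identity.Governance module is installed, that the signed-in account holds an Entra ID Governance licence and the EntitlementManagement.ReadWrite.All permission, and that the three object IDs are placeholders to be replaced with the real group and user IDs from the tenant. Cmdlet and property names follow the Graph v1.0 entitlement management resources and should be checked against the installed SDK version.

```powershell
# Added example (not the article's own code): one access package end to end.
# Placeholders: replace with real object IDs from the tenant.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

$projectGroupId   = "00000000-0000-0000-0000-000000000001"  # placeholder: M365 group used by the project
$requesterGroupId = "00000000-0000-0000-0000-000000000002"  # placeholder: pool of people allowed to request
$approverUserId   = "00000000-0000-0000-0000-000000000003"  # placeholder: project lead who approves

# 1. Catalogue: delegated owners manage it without Global Administrator rights.
$catalog = New-MgEntitlementManagementCatalog -BodyParameter @{
    displayName         = "Client Projects"
    description         = "Access packages for client project engagements"
    state               = "published"
    isExternallyVisible = $false   # keep the catalogue hidden from external (B2B) users
}

# 2. Register the project group as a resource of the catalogue.
New-MgEntitlementManagementResourceRequest -BodyParameter @{
    requestType = "adminAdd"
    resource    = @{ originId = $projectGroupId; originSystem = "AadGroup" }
    catalog     = @{ id = $catalog.Id }
} | Out-Null

# The catalogue keeps its own copy of the resource; its ID is needed to link a role below.
$resource = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $catalog.Id `
    -Filter "originId eq '$projectGroupId'"

# 3. Access package: the bundle a requester sees in the My Access portal.
$package = New-MgEntitlementManagementAccessPackage -BodyParameter @{
    displayName = "Project Atlas - Consultant"
    description = "Group membership granting the resources used on Project Atlas"
    isHidden    = $false
    catalog     = @{ id = $catalog.Id }
}

# 4. Bundle the group's Member role into the package.
New-MgEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $package.Id -BodyParameter @{
    role  = @{
        originId     = "Member_$projectGroupId"
        displayName  = "Member"
        originSystem = "AadGroup"
        resource     = @{ id = $resource.Id }
    }
    scope = @{ originId = $projectGroupId; originSystem = "AadGroup" }
} | Out-Null

# 5. Policy: who may request, who approves, and a fixed 90-day lifetime.
New-MgEntitlementManagementAssignmentPolicy -BodyParameter @{
    displayName        = "Consultants - 90 days with approval"
    description        = "Requester pool may self-request; project lead approves; access expires after 90 days"
    allowedTargetScope = "specificDirectoryUsers"
    specificAllowedTargets = @(
        @{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $requesterGroupId; description = "Consultant pool" }
    )
    expiration = @{ type = "afterDuration"; duration = "P90D" }   # ISO 8601 duration: 90 days, then removal
    requestorSettings = @{
        enableTargetsToSelfAddAccess    = $true
        enableTargetsToSelfUpdateAccess = $false
        enableTargetsToSelfRemoveAccess = $true
        allowCustomAssignmentSchedule   = $false   # requesters cannot pick their own end date
    }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd    = $true
        isApprovalRequiredForUpdate = $false
        stages = @(
            @{
                durationBeforeAutomaticDenial   = "P7D"   # unanswered requests are denied after a week
                isApproverJustificationRequired = $true
                isEscalationEnabled             = $false
                primaryApprovers = @(
                    @{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approverUserId }
                )
            }
        )
    }
    accessPackage = @{ id = $package.Id }
} | Out-Null
```

Two design choices carry the security value: the expiry is `afterDuration` rather than open-ended, so a consultant's membership disappears without anyone remembering to remove it, and `allowCustomAssignmentSchedule` is off, so the 90-day cap cannot be extended at request time without a renewal going back through the approver.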
Access Reviews: Periodic Recertification
Access Reviews provide a structured mechanism for periodically confirming that existing access assignments remain appropriate. Reviews can be configured for group memberships, application access, Entra role assignments, and access package assignments. Reviewers — typically the resource owner or the user’s manager — receive email notifications listing the assignments they need to certify. They confirm or deny each assignment; unreviewed assignments can be automatically removed if configured to do so.
For Berlin businesses with GDPR obligations or ISO 27001 compliance requirements, Access Reviews provide documented evidence of access recertification at configurable intervals. A quarterly review of privileged group memberships, an annual review of all Microsoft 365 application access, or a 30-day review of contractor assignments are common configurations that produce ready-made audit evidence without requiring manual effort to compile the access data.
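The quarterly privileged-group review mentioned above, including removal of anything left unreviewed and export of the decisions as audit evidence, can be created with Microsoft Graph PowerShell. This is an added example and not code from the original article or from Microsoft; it assumes the Microsoft.Graph.Identity.Governance module, the AccessReview.ReadWrite.All permission, an Entra ID P2 or Governance licence, and placeholder IDs for the privileged group and a fallback reviewer. The review scope and settings follow the Graph v1.0 accessReviewScheduleDefinition resource.

```powershell
# Added example (not the article's own code): quarterly recertification of a privileged group.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$privilegedGroupId  = "00000000-0000-0000-0000-000000000010"  # placeholder: group holding admin role eligibility
$fallbackReviewerId = "00000000-0000-0000-0000-000000000011"  # placeholder: used if the group has no owners

$definition = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter @{
    displayName             = "Quarterly review - privileged group membership"
    descriptionForAdmins    = "Recertify every member of the privileged admin group once per quarter"
    descriptionForReviewers = "Confirm each person still needs privileged access; anyone not reviewed is removed"
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$privilegedGroupId/transitiveMembers"   # nested members are reviewed too
        queryType     = "MicrosoftGraph"
    }
    reviewers = @(
        @{ query = "/groups/$privilegedGroupId/owners"; queryType = "MicrosoftGraph" }
    )
    fallbackReviewers = @(
        @{ query = "/users/$fallbackReviewerId"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true   # "still needed" must be explained, which is the audit trail
        recommendationsEnabled          = $true   # flags members with no recent sign-in
        instanceDurationInDays          = 14
        defaultDecisionEnabled          = $true   # decide for anything the reviewers leave untouched ...
        defaultDecision                 = "Deny"  # ... and that decision is removal, not silent retention
        autoApplyDecisionsEnabled       = $true   # apply the outcome to the group when the instance closes
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }   # every 3 months
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

# Audit evidence: export the decisions of the most recent completed instance to CSV.
# Assumed output path; adjust to wherever compliance evidence is kept.
function Export-LatestReviewDecisions([string]$DefinitionId, [string]$OutFile) {
    $instance = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
        -AccessReviewScheduleDefinitionId $DefinitionId -All |
        Where-Object { $_.Status -eq "Completed" } |
        Sort-Object EndDateTime -Descending | Select-Object -First 1
    if (-not $instance) { throw "No completed review instance yet for definition $DefinitionId" }

    Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
        -AccessReviewScheduleDefinitionId $DefinitionId -AccessReviewInstanceId $instance.Id -All |
        Select-Object @{ n = "PrincipalId"; e = { $_.Principal.Id } },
                      Decision, Justification, ReviewedDateTime, AppliedDateTime, ApplyResult |
        Export-Csv -Path $OutFile -NoTypeInformation
}

Export-LatestReviewDecisions -DefinitionId $definition.Id -OutFile ".\privileged-review-evidence.csv"
```

The combination of `defaultDecision = "Deny"` and `autoApplyDecisionsEnabled = $true` is what turns a review from a reminder into a control: a reviewer who ignores the campaign causes access to be removed rather than quietly retained, and the exported `ApplyResult` column shows an auditor that the removal actually happened.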
Lifecycle Workflows: Automating Joiner-Mover-Leaver
Lifecycle Workflows automate the identity actions that should happen at predictable lifecycle transitions. Rather than relying on HR notifications triggering manual IT steps, workflows execute automatically based on user attribute changes in Entra ID.
Joiner Workflows
When a new employee’s account is created with a defined start date, joiner workflows can automatically send a welcome email with temporary access credentials, generate a temporary access pass for passwordless onboarding, assign the user to the appropriate groups, and trigger a manager notification. The new employee arrives with their access provisioned and their onboarding communications sent without IT manually processing each new hire.
Mover Workflows
When a user’s department, job title, or manager attribute changes in Entra ID or HR, mover workflows can add the user to their new team’s groups, remove access to their previous team’s resources, and notify relevant stakeholders. Access follows the employee automatically rather than persisting from previous roles.
Leaver Workflows
When an employee’s departure date is set, leaver workflows can revoke access packages, remove group memberships, disable the account on the last working day, and delete or archive the account after a configured retention period. For Berlin businesses with contractual or GDPR obligations to revoke access promptly on termination, automated leaver workflows provide the technical control that manual off-boarding processes cannot reliably deliver.
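The leaver process above, split into a last-day workflow and a deletion workflow after a retention period, can be created with Microsoft Graph PowerShell. This is an added example and not code from the original article or from Microsoft; it assumes the Microsoft.Graph.Identity.Governance module, the LifecycleWorkflows.ReadWrite.All permission, an Entra ID Governance licence, that `employeeLeaveDateTime` is populated for departing users (for example from the HR system), and a 30-day retention period. Built-in task IDs are looked up by display name at run time instead of being hard-coded; the display names used are assumed to match the task catalogue in the Entra admin centre.

```powershell
# Added example (not the article's own code): two leaver workflows, last day and after retention.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "LifecycleWorkflows.ReadWrite.All"

# Resolve built-in task definitions by display name so no task IDs are hard-coded.
$taskDefinitions = Get-MgIdentityGovernanceLifecycleWorkflowTaskDefinition -All
function Get-TaskDefinitionId([string]$DisplayName) {
    $def = $taskDefinitions | Where-Object { $_.DisplayName -eq $DisplayName }   # -eq is case-insensitive
    if (-not $def) { throw "Built-in task '$DisplayName' not found in the task catalogue" }
    return $def.Id
}

# Build one task entry; the display names are assumed to match the built-in catalogue.
function New-LeaverTask([string]$Name, [string]$Description) {
    return @{
        displayName      = $Name
        description      = $Description
        isEnabled        = $true
        continueOnError  = $false   # stop the run if a step fails, so failures are visible
        taskDefinitionId = Get-TaskDefinitionId $Name
        arguments        = @()
    }
}

# Common scope: every user whose employeeType is set (rule syntax mirrors dynamic group rules; values assumed).
$scope = @{
    "@odata.type" = "#microsoft.graph.identityGovernance.ruleBasedSubjectSet"
    rule          = "(employeeType eq 'Employee') or (employeeType eq 'Contractor')"
}

# Trigger helper: run N days after the employeeLeaveDateTime attribute (0 = on the day itself).
function New-LeaveTrigger([int]$OffsetInDays) {
    return @{
        "@odata.type"      = "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger"
        timeBasedAttribute = "employeeLeaveDateTime"
        offsetInDays       = $OffsetInDays
    }
}

# Workflow 1: last working day - block sign-in and strip access, but keep the object for the retention period.
$lastDay = New-MgIdentityGovernanceLifecycleWorkflow -BodyParameter @{
    category            = "leaver"
    displayName         = "Leaver - last working day"
    description         = "Disable the account and remove memberships and licences on the leave date"
    isEnabled           = $true
    isSchedulingEnabled = $true   # run on the tenant schedule without manual triggering
    executionConditions = @{
        "@odata.type" = "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions"
        scope         = $scope
        trigger       = New-LeaveTrigger 0
    }
    tasks = @(
        (New-LeaverTask "Disable User Account"          "Block sign-in")
        (New-LeaverTask "Remove user from all groups"   "Drop group-based access, including access packages backed by groups")
        (New-LeaverTask "Remove user from all Teams"    "Drop Teams membership")
        (New-LeaverTask "Remove all licenses for user"  "Release licences")
    )
}

# Workflow 2: 30 days later (assumed retention period) - delete the disabled account.
$afterRetention = New-MgIdentityGovernanceLifecycleWorkflow -BodyParameter @{
    category            = "leaver"
    displayName         = "Leaver - delete after 30-day retention"
    description         = "Delete the account once the retention period has passed"
    isEnabled           = $true
    isSchedulingEnabled = $true
    executionConditions = @{
        "@odata.type" = "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions"
        scope         = $scope
        trigger       = New-LeaveTrigger 30
    }
    tasks = @(
        (New-LeaverTask "Delete User Account" "Delete after the retention period")
    )
}

"Created workflows: $($lastDay.DisplayName); $($afterRetention.DisplayName)"
```

Splitting the process into two workflows matters for both security and GDPR: access is cut on day zero (the control that has to be prompt), while deletion waits for the retention period so mailbox and file ownership can be handed over and any legal hold honoured before the identity is gone for good. Because the trigger is the HR-fed `employeeLeaveDateTime` attribute, the control no longer depends on someone in IT reading a termination email.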
GDPR and Data Minimisation
GDPR’s principle of data minimisation (Article 5(1)(c)) applies to access rights: individuals should not have access to personal data beyond what is necessary for their specific processing purpose. Entitlement Management’s time-limited access packages and automatic expiry directly implement this principle technically. Access Reviews provide the documented recertification that demonstrates ongoing proportionality. Lifecycle Workflows provide the automated revocation that ensures departed employees cannot retain access to personal data after their relationship with the organisation ends. Together these three capabilities convert GDPR’s accountability requirement from an aspirational policy into a documented, enforceable technical control.
Integration with Entra PIM and ID Protection
ID Governance integrates with PIM for privileged role management within the same Entra admin centre, creating a unified identity governance posture. Access Reviews in ID Governance can cover PIM eligible and active role assignments alongside standard group memberships, enabling a single review campaign to certify all access categories. ID Protection’s risk signals can feed into Conditional Access policies that gate access to Entitlement Management resources, ensuring that high-risk user states trigger access suspension pending remediation.
Licensing
Entra ID Governance requires Microsoft Entra ID Governance licensing, available as a standalone add-on or included in Microsoft Entra Suite. The Entitlement Management and Lifecycle Workflows capabilities require the Governance SKU on top of Entra ID P1 or P2. Access Reviews are included in Entra ID P2, which is available in Microsoft 365 Business Premium. For Berlin small businesses already on Business Premium, Access Reviews are available at no additional cost; full Entitlement Management and Lifecycle Workflows require the Governance add-on.
Related Articles
- Microsoft Entra Privileged Identity Management: ID Governance manages access lifecycle for standard roles and resources through Entitlement Management and Access Reviews; PIM governs privileged role assignments with just-in-time activation — both are visible in the same Entra admin centre Identity Governance section
- Microsoft Entra ID Protection: ID Protection’s risk signals can feed into Conditional Access policies that gate access to Entitlement Management resources — a high-risk user state can suspend access package assignments pending remediation, connecting the lifecycle governance and identity risk layers
