Governance & Lifecycle
Reference for access reviews, entitlement management, lifecycle workflows, terms of use, and administrative units.
- Access reviews regularly confirm whether group, app, or role access is still required.
- Entitlement management standardizes access packages, policies, and approvals.
- Lifecycle workflows connect HR or attribute events with onboarding and offboarding tasks.
- Administrative units scope administration to regions, brands, or business units.
Governance & lifecycle overview
Identity governance in Entra combines recertification, access requests, lifecycle automation, and administrative delegation. The goal is not only compliance but also better data quality and faster processes.
A strong governance model reduces direct one-off assignments, standardizes access through packages or groups, and enforces periodic review.
Access reviews
Access reviews can be created for groups, enterprise apps, app roles, PIM roles, and access packages. Reviewers may be owners, managers, selected users, or the affected users themselves.
| Target type | Reviewer | Typical purpose |
|---|---|---|
| Group | Group owner | Recertify team or project access |
| Enterprise app | App owner | Clean up SaaS access |
| Role | Privileged Role Administrator | Review privileged access |
| Access package | Sponsor or approver | Recertify internal and external requests |
- Auto-apply automatically removes unconfirmed access after the review completes.
- Recommendations are based on last sign-in or access activity.
- Fallback reviewers matter when owners are missing or disabled; without them a review stalls.
```powershell
# Create a quarterly access review of a group's transitive members, reviewed by one user
$body = @{
    displayName = "Quarterly Review - HR App"
    scope = @{
        query = "/groups/<group-id>/transitiveMembers"
        queryType = "MicrosoftGraph"
    }
    reviewers = @(
        @{
            query = "/users/<reviewer-id>"
            queryType = "MicrosoftGraph"
        }
    )
    settings = @{
        autoApplyDecisionsEnabled = $true   # apply decisions automatically when each instance ends
        defaultDecisionEnabled = $false     # no default decision is applied to users nobody reviews
        instanceDurationInDays = 14
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }   # every three months
            range = @{ type = "noEnd"; startDate = "2026-01-01" }
        }
    }
} | ConvertTo-Json -Depth 10
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions" `
    -Body $body `
    -ContentType "application/json"
```
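The three bullets above (auto-apply, recommendations, fallback reviewers) are easy to forget on individual definitions. The following added example, which is not part of the original page, audits every access review definition in the tenant for those safeguards; it assumes the Microsoft Graph PowerShell SDK and the AccessReview.Read.All permission.

```powershell
# Added example: audit access review definitions for missing safeguards.
# Assumes Microsoft.Graph PowerShell is installed and AccessReview.Read.All is granted.
Connect-MgGraph -Scopes "AccessReview.Read.All"

function Get-AccessReviewFindings {
    $uri = "https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions"
    $findings = @()
    # Follow @odata.nextLink so large tenants are covered completely
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($def in $page.value) {
            $issues = @()
            if (-not $def.fallbackReviewers -or $def.fallbackReviewers.Count -eq 0) {
                $issues += "no fallback reviewers (review stalls if the owner is missing or disabled)"
            }
            if (-not $def.settings.autoApplyDecisionsEnabled) {
                $issues += "auto-apply disabled (denied access stays until someone applies the results)"
            }
            if (-not $def.settings.recommendationsEnabled) {
                $issues += "recommendations disabled (reviewers get no last sign-in activity hints)"
            }
            if ($def.settings.defaultDecisionEnabled -and $def.settings.defaultDecision -eq "Approve") {
                $issues += "default decision is Approve (no response silently keeps access)"
            }
            if ($issues.Count -gt 0) {
                $findings += [pscustomobject]@{
                    DisplayName = $def.displayName
                    Id          = $def.id
                    Issues      = ($issues -join "; ")
                }
            }
        }
        $uri = $page.'@odata.nextLink'
    }
    return $findings
}

Get-AccessReviewFindings | Format-Table -AutoSize -Wrap
```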
Entitlement management
Entitlement management organizes resources into catalogs and access packages. Policies control who may request access, whether approval is needed, how long access lasts, and which reviews apply.
| Building block | Description | Example |
|---|---|---|
| Catalog | Collection of managed resources | External project portfolio |
| Resource | Group, app, site, or SharePoint resource | M365 group for a project team |
| Access package | Bundle of resources | Project access incl. team, site, and app |
| Policy | Who can request and for how long | Internal users 180 days, guests 30 days |
| Connected organization | Partner organization for external requests | Fabrikam GmbH |
| Assignment | Access actually granted | User added to an access package |
- Use access packages instead of one-off invitations for recurring partner processes.
- Auto-assignment works well for defined populations selected through attributes or groups.
- Catalogs should be tied to a clear owner and governance process.
Lifecycle workflows
Lifecycle workflows automate joiner, mover, and leaver processes. Triggers can include the hire date, the termination date, a manager change, or group-based conditions.
| Task | Joiner | Mover | Leaver |
|---|---|---|---|
| Generate Temporary Access Pass | Yes | Optional | No |
| Assign license | Yes | Optional | No |
| Add to group | Yes | Yes | No |
| Notify manager | Yes | Yes | Yes |
| Remove from groups | No | Optional | Yes |
| Disable sign-in | No | No | Yes |
| Revoke sessions | No | No | Yes |
| Delete or archive account | No | No | Optional |
| Access package assignment | Yes | Yes | No |
| Teams welcome message | Yes | Optional | No |
| Manager transfer review | No | Yes | No |
| Sponsor notification for guests | Optional | Optional | Yes |
```powershell
# List the lifecycle workflows configured in the tenant
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/identityGovernance/lifecycleWorkflows/workflows"
```
Terms of use
Terms of use document acceptance of policies, NDAs, or privacy statements. Enforcement typically happens through Conditional Access, so users must accept on first access.
1. Upload a PDF or link and define the language and expiration.
2. Assign the terms of use to users, groups, or guests.
3. Require the terms of use in a Conditional Access policy.
4. Update the documents when the legal text changes and require re-acceptance.
Administrative units
Administrative units limit the management scope of roles. They are useful for regional support teams, separate brands, or education environments with delegated administration.
| Scenario | Benefit | Note |
|---|---|---|
| Region | Helpdesk manages only users in one region | Can be combined with dynamic membership |
| Business unit | Local admins only see their own organization | Minimizes accidental changes |
| Restricted management AU | Protects especially sensitive objects | Only selected roles get access |
```powershell
# Create an administrative unit
$body = @{
    displayName = "AU - Germany"
    description = "Scoped administration for Germany"
} | ConvertTo-Json
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/directory/administrativeUnits" `
    -Body $body `
    -ContentType "application/json"
```
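An administrative unit only limits blast radius once a role is assigned inside it rather than tenant-wide. The following added example (not part of the original page) creates the AU with dynamic membership, as the table's region row suggests, and assigns the Helpdesk Administrator role scoped to it; the helpdesk user's UPN and the membership rule are placeholders, and the role is resolved by display name rather than a hardcoded id.

```powershell
# Added example: dynamic-membership AU plus a role assignment scoped to that AU only.
# Assumes AdministrativeUnit.ReadWrite.All, RoleManagement.ReadWrite.Directory and User.Read.All.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All"
$graph = "https://graph.microsoft.com/v1.0"

# 1. Dynamic AU: membership follows the user's country attribute, so the helpdesk
#    scope stays current without manual member maintenance (rule value is a placeholder).
$auBody = @{
    displayName                   = "AU - Germany"
    description                   = "Scoped administration for Germany"
    membershipType                = "Dynamic"
    membershipRule                = '(user.country -eq "DE")'
    membershipRuleProcessingState = "On"
} | ConvertTo-Json
$au = Invoke-MgGraphRequest -Method POST -Uri "$graph/directory/administrativeUnits" `
    -ContentType "application/json" -Body $auBody

# 2. Resolve the Helpdesk Administrator directory role by name. /directoryRoles lists
#    only roles already activated in the tenant, so fail clearly if it is not there.
$roles = Invoke-MgGraphRequest -Method GET -Uri "$graph/directoryRoles"
$helpdesk = $roles.value | Where-Object { $_.displayName -eq "Helpdesk Administrator" }
if (-not $helpdesk) { throw "Helpdesk Administrator role is not activated in this tenant" }

# 3. Resolve the helpdesk user (placeholder UPN).
$user = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/helpdesk.de@contoso.example"

# 4. Scoped role membership: the role applies to objects inside the AU, not tenant-wide.
$scopedBody = @{
    roleId         = $helpdesk.id
    roleMemberInfo = @{ id = $user.id }
} | ConvertTo-Json
Invoke-MgGraphRequest -Method POST -Uri "$graph/directory/administrativeUnits/$($au.id)/scopedRoleMembers" `
    -ContentType "application/json" -Body $scopedBody
```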
PowerShell + Graph
```powershell
# Read access review definitions
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions"
# Inventory access packages
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages"
# Show administrative units
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/directory/administrativeUnits"
```
Lifecycle workflows deep dive
Lifecycle workflows automate joiner, mover, and leaver processes around user accounts. The feature only becomes truly valuable when triggers, scope, approvals, and built-in tasks are combined cleanly.
| Workflow type | Example built-in tasks | Typical triggers |
|---|---|---|
| Joiner | Generate TAP, add to groups, send manager email, enable Teams welcome task, assign access package extension | employeeHireDate, attribute change, manual trigger |
| Mover | Remove old group memberships, add new groups, notify manager, start access review, update AU/department mappings | department, jobTitle, manager, or location changes |
| Leaver | Disable account, revoke sessions, remove groups, remove licenses, notify owner, schedule deletion | employeeLeaveDateTime, HR system signal, manual termination |
Built-in tasks overview
| Task | Category | Note |
|---|---|---|
| Generate Temporary Access Pass | Joiner | Useful for day-0 start and passwordless onboarding. |
| Add user to group | Joiner / mover | Factor in group-based licensing from the start. |
| Remove user from group | Mover / leaver | Systematically remove old permissions. |
| Send email to manager | All | Good for follow-up and manual steps. |
| Send email to user | Joiner | Communicate welcome, TAP, or to-dos. |
| Enable account | Joiner | Run only after baseline groups and the MFA plan are in place. |
| Disable account | Leaver | Critical immediate offboarding step. |
| Remove all group memberships | Leaver | Carefully reconcile with exception groups and break-glass paths. |
| Revoke sign-in sessions | Leaver | Important for rapid risk reduction. |
| Remove licenses | Leaver | Align with retention and mailbox planning. |
| Schedule account deletion | Leaver | Set the deletion window according to legal hold. |
| Run custom task extension | All | Connects ITSM, HR, or third-party tools. |
Triggers, conditions, and scope
| Aspect | Description | Recommendation |
|---|---|---|
| Trigger types | Time-based, attribute-based, HR-driven, or manual. | Start the pilot with manual triggers. |
| Execution conditions | Additional filters on department, country, employee type, manager, or groups. | Keep conditions as deterministic as possible. |
| Scope | All users, specific groups, administrative units, or HR segments. | Prefer several small workflows over one monster workflow. |
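The leaver row, the built-in task table, and the trigger/scope table above come together in one workflow definition. The following added example (not the page's own code) creates a leaver workflow triggered on employeeLeaveDateTime with a rule-based scope, ordering the tasks for fastest risk reduction; it assumes LifecycleWorkflows.ReadWrite.All, a placeholder scope rule, and that the task display-name patterns match the tenant's built-in task definitions, which it resolves at runtime rather than hardcoding ids.

```powershell
# Added example: leaver workflow (disable, revoke sessions, strip groups and licenses).
# Assumes LifecycleWorkflows.ReadWrite.All; task names below are assumed patterns.
Connect-MgGraph -Scopes "LifecycleWorkflows.ReadWrite.All"
$base = "https://graph.microsoft.com/beta/identityGovernance/lifecycleWorkflows"

# Resolve a built-in task definition by display-name pattern instead of hardcoding ids;
# fail loudly if the pattern is ambiguous or matches nothing.
$defs = (Invoke-MgGraphRequest -Method GET -Uri "$base/taskDefinitions").value
function Resolve-TaskDefinition([string]$Pattern) {
    $hits = @($defs | Where-Object { $_.displayName -like $Pattern })
    if ($hits.Count -ne 1) { throw "Pattern '$Pattern' matched $($hits.Count) definitions; check $base/taskDefinitions" }
    return $hits[0]
}

# Ordered for fastest risk reduction: block sign-in, kill sessions, then strip access
$steps = @(
    @{ Pattern = "Disable user account";          Desc = "Block sign-in immediately" },
    @{ Pattern = "Revoke all refresh tokens*";    Desc = "Invalidate existing sessions" },
    @{ Pattern = "Remove user* from all groups";  Desc = "Drop all group-based access" },
    @{ Pattern = "Remove all licenses*";          Desc = "Reclaim licenses after access is gone" }
)
$tasks = @(foreach ($s in $steps) {
    $def = Resolve-TaskDefinition $s.Pattern
    @{
        taskDefinitionId = $def.id
        displayName      = $def.displayName
        description      = $s.Desc
        isEnabled        = $true
        continueOnError  = $false   # stop the run if an earlier step (e.g. disable) fails
        arguments        = @()      # none of these built-in tasks need arguments
    }
})

$workflow = @{
    category            = "leaver"
    displayName         = "Leaver - last day offboarding"
    description         = "Disable, revoke sessions, and clean up on employeeLeaveDateTime"
    isEnabled           = $true
    isSchedulingEnabled = $true     # let the scheduler evaluate the trigger
    executionConditions = @{
        "@odata.type" = "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions"
        scope = @{
            "@odata.type" = "#microsoft.graph.identityGovernance.ruleBasedSubjectSet"
            rule = "(employeeType eq 'Employee')"   # placeholder scope rule; keep it deterministic
        }
        trigger = @{
            "@odata.type"      = "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger"
            timeBasedAttribute = "employeeLeaveDateTime"
            offsetInDays       = 0          # run on the last day itself
        }
    }
    tasks = $tasks
}
Invoke-MgGraphRequest -Method POST -Uri "$base/workflows" -ContentType "application/json" `
    -Body ($workflow | ConvertTo-Json -Depth 10)
```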
Entitlement Management deep dive
Entitlement Management bundles resources into catalogs, distributes them through access packages, and extends the lifecycle with approval, expiration, and review. Used correctly, it becomes the bridge between self-service and governance.
| Building block | Description | Practice |
|---|---|---|
| Catalogs | Collection of groups, apps, SharePoint sites, and roles. | Separate by business domain or data classification. |
| Resources | Technical target objects bundled through access packages. | Expose only curated resources in self-service. |
| Access packages | Business-friendly bundles for users or guests. | Name packages by persona rather than by technology. |
Policy design with approval and escalation
| Element | Recommendation | Why |
|---|---|---|
| Approval stages | Stage 1 business, stage 2 optional security/identity. | Separates ownership from the risk decision. |
| Escalation | Define an escalation path for no response. | Prevents requests from getting stuck. |
| Expiration | Expire guest access and temporary roles by default. | Keeps access small and reviewable. |
| Access reviews | Plan recurring recertification. | Prevents permission creep. |
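The policy table in the entitlement management section (internal users 180 days, guests 30 days) and the four elements above map directly onto an assignment policy. The following added example, not part of the original page, creates two such policies for one access package with serial two-stage approval (manager, then a security group), escalation on no response, expiration, and a quarterly review whose timeout removes access; it assumes EntitlementManagement.ReadWrite.All, and the package, group, and escalation-user ids are placeholders.

```powershell
# Added example: two assignment policies implementing approval, escalation, expiration, review.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
$em = "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement"
$packageId      = "<access-package-id>"           # placeholder
$securityGroup  = "<security-approvers-group-id>" # placeholder
$escalationUser = "<identity-team-lead-user-id>"  # placeholder
function New-PolicyBody {
    param([string]$Name, [string]$ScopeType, [int]$Days)
    @{
        accessPackageId = $packageId
        displayName     = $Name
        description     = "Expires after $Days days; two-stage approval with escalation"
        canExtend       = $true
        durationInDays  = $Days                 # expiration keeps access small and reviewable
        requestorSettings = @{ scopeType = $ScopeType; acceptRequests = $true; allowedRequestors = @() }
        requestApprovalSettings = @{
            isApprovalRequired               = $true
            isApprovalRequiredForExtension   = $true
            isRequestorJustificationRequired = $true
            approvalMode   = "Serial"           # stage 2 runs only after stage 1 approves
            approvalStages = @(
                @{  # Stage 1: business decision by the requestor's manager
                    approvalStageTimeOutInDays      = 7
                    isApproverJustificationRequired = $true
                    isEscalationEnabled             = $true
                    escalationTimeInMinutes         = 4320   # escalate after 3 days of silence
                    primaryApprovers    = @(@{ "@odata.type" = "#microsoft.graph.requestorManager"; managerLevel = 1 })
                    escalationApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; id = $escalationUser })
                },
                @{  # Stage 2: risk decision by the security/identity team
                    approvalStageTimeOutInDays      = 7
                    isApproverJustificationRequired = $true
                    isEscalationEnabled             = $false
                    primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.groupMembers"; id = $securityGroup })
                }
            )
        }
        accessReviewSettings = @{               # recurring recertification against permission creep
            isEnabled                   = $true
            recurrenceType              = "quarterly"
            reviewerType                = "Manager"
            startDateTime               = (Get-Date).ToUniversalTime().ToString("o")
            durationInDays              = 14
            accessReviewTimeoutBehavior = "removeAccess"   # no response does not silently keep access
        }
    }
}
$policies = @(
    @{ Name = "Internal users - 180 days"; Scope = "AllExistingDirectoryMemberUsers";          Days = 180 },
    @{ Name = "Guests - 30 days";          Scope = "AllExistingConnectedOrganizationSubjects"; Days = 30 }
)
foreach ($p in $policies) {
    $body = New-PolicyBody -Name $p.Name -ScopeType $p.Scope -Days $p.Days | ConvertTo-Json -Depth 10
    Invoke-MgGraphRequest -Method POST -Uri "$em/accessPackageAssignmentPolicies" -ContentType "application/json" -Body $body
}
```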
Connected organizations, auto-assignment, and extensions
| Topic | Description | Note |
|---|---|---|
| Connected organizations | Define known partner organizations for B2B and approval scenarios. | Align with cross-tenant access policies. |
| Auto-assignment | Internal users receive packages automatically based on rules. | Good for standard role bundles per persona. |
| Separation of duties | Protect critical packages against each other. | Especially for finance, admin, and production access. |
| Custom extensions | Pre- or post-processing through Logic App, Azure Function, or webhook. | Useful for CMDB, ticketing, and business systems. |
```powershell
Connect-MgGraph -Scopes "EntitlementManagement.Read.All"
# Backtick-escape $top: inside double quotes PowerShell would otherwise expand it as an (empty) variable
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages?`$top=50"
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/catalogs?`$top=50"
```