1
00:00:00,000 --> 00:00:08,880
Welcome to the Talking Security Podcast.

2
00:00:08,880 --> 00:00:21,280
We will talk about items related to Microsoft Security.

3
00:00:21,280 --> 00:00:27,100
So here we are again, welcome back to a new episode of the Talking Security Podcast.

4
00:00:27,100 --> 00:00:32,440
My name is Frans Oudendorp and in this recording I will talk to some guys about Microsoft Entra

5
00:00:32,440 --> 00:00:35,020
and especially Identity Governance.

6
00:00:35,020 --> 00:00:37,360
Today we are at ExpertsLive in the Netherlands.

7
00:00:37,360 --> 00:00:44,120
On the venue we have a special podcast room so we can record stuff, we and others also.

8
00:00:44,120 --> 00:00:49,080
Because of this I have invited Pim Jacobs and Jan Bakker to talk about Identity Governance.

9
00:00:49,080 --> 00:00:54,880
There's new stuff coming up and they will talk about it later on at ExpertsLive.

10
00:00:54,880 --> 00:00:59,160
But first, guys, do we have a little introduction? Who do I have at the table, Jan?

11
00:00:59,160 --> 00:01:02,300
Hi Frans, thanks for having us.

12
00:01:02,300 --> 00:01:07,640
My name is Jan Bakker, I'm based in the Netherlands and I'm a Microsoft 365 consultant and a Microsoft

13
00:01:07,640 --> 00:01:11,880
MVP and I'm focused on identity and access management and security.

14
00:01:11,880 --> 00:01:16,760
So I guide my clients to get the best out of those products and how to implement them

15
00:01:16,760 --> 00:01:17,760
properly.

16
00:01:17,760 --> 00:01:24,000
And maybe the security stuff, which we will hit later on.

17
00:01:24,000 --> 00:01:29,720
And on the other side of the table we have Pim, who are you?

18
00:01:29,720 --> 00:01:35,520
Pim Jacobs, Principal Consultant at InSpark, Microsoft MVP, focusing on the full Entra portfolio

19
00:01:35,520 --> 00:01:42,840
so from Azure AD, Permissions Management, a little bit of Verified ID and with that of course

20
00:01:42,840 --> 00:01:45,320
Identity Governance as well.

21
00:01:45,320 --> 00:01:50,520
And I help my clients by guiding them in the right direction and properly implementing

22
00:01:50,520 --> 00:01:52,600
those products as well.

23
00:01:52,600 --> 00:01:57,800
And today the topic is Microsoft Entra, especially Identity Governance.

24
00:01:57,800 --> 00:02:01,440
Identity Governance, what is it and what can we do with it?

25
00:02:01,440 --> 00:02:02,440
The short story.

26
00:02:02,440 --> 00:02:08,280
Okay, the short story and we will show that in the presentation which we have this afternoon

27
00:02:08,280 --> 00:02:12,780
as well, is that it consists of five different pillars.

28
00:02:12,780 --> 00:02:19,160
So lifecycle management with lifecycle workflows, which is brand new and which has been released

29
00:02:19,160 --> 00:02:25,560
four weeks ago, provisioning users to third-party apps and deprovisioning them.

30
00:02:25,560 --> 00:02:29,080
That's a little bit attached to lifecycle management of the accounts.

31
00:02:29,080 --> 00:02:34,400
We got access packages and access reviews, which is there within the interface today,

32
00:02:34,400 --> 00:02:37,320
Privileged Identity Management and terms of use.

33
00:02:37,320 --> 00:02:38,560
This is the short story.

34
00:02:38,560 --> 00:02:46,360
So, yeah, maybe we will dive in on the specific topic in the next few minutes because access

35
00:02:46,360 --> 00:02:52,180
packages and access reviews, I think those are the common things that we can use within

36
00:02:52,180 --> 00:02:53,880
Identity Governance, Jan?

37
00:02:53,880 --> 00:02:55,120
Yeah, correct.

38
00:02:55,120 --> 00:03:00,080
And today we're also going to take a look to that because access packages is really

39
00:03:00,080 --> 00:03:02,080
important in the mover phase.

40
00:03:02,080 --> 00:03:08,280
If we look at the joiner, mover, leaver process, access packages, that's where they come in,

41
00:03:08,280 --> 00:03:15,460
in the mover phase, because when folks get a promotion or change department, their

42
00:03:15,460 --> 00:03:19,800
access changes and you want to guide that, you want to govern that especially.

43
00:03:19,800 --> 00:03:20,800
Yeah.

44
00:03:20,800 --> 00:03:26,200
And if we look at access packages, access reviews, then we have an application or a

45
00:03:26,200 --> 00:03:33,360
group where we can get access to on the short term on a yearly basis or monthly basis.

46
00:03:33,360 --> 00:03:38,320
You can do an access review to see if someone still needs access to that specific group or

47
00:03:38,320 --> 00:03:40,480
application.

48
00:03:40,480 --> 00:03:46,200
If we look at lifecycle management, identity life cycles, is that related to this?

49
00:03:46,200 --> 00:03:48,200
Yeah, I think so.

50
00:03:48,200 --> 00:03:53,120
And it's funny that you say that you need to review the access, but there is a brand

51
00:03:53,120 --> 00:03:59,280
new feature where you can automatically assign policies based on attributes.

52
00:03:59,280 --> 00:04:04,460
So you can hand out those packages dynamically.

53
00:04:04,460 --> 00:04:09,340
So that there's no longer a case to review them because you manage them yourself.

54
00:04:09,340 --> 00:04:14,600
So if a user changes department, they will automatically get offboarded from one package

55
00:04:14,600 --> 00:04:16,600
and onboarded to the next one.

56
00:04:16,600 --> 00:04:18,840
Okay, nice.

57
00:04:18,840 --> 00:04:27,000
Are there any other enhancements within lifecycle workflow, Pim?

58
00:04:27,000 --> 00:04:31,440
Well, lifecycle workflows is a totally new feature within identity governance.

59
00:04:31,440 --> 00:04:35,120
And today that's working for the joiner and the leaver scenario.

60
00:04:35,120 --> 00:04:38,240
Is that not related to identity life cycles?

61
00:04:38,240 --> 00:04:40,840
It is related to identity life cycles.

62
00:04:40,840 --> 00:04:47,360
You've got account lifecycle management, which is actually why you need to work closely with

63
00:04:47,360 --> 00:04:53,320
HR and why you connect your HR as the source of your identity and let that provision to

64
00:04:53,320 --> 00:04:59,600
your AD or Azure AD, which can today from the Azure AD portal be natively done with

65
00:04:59,600 --> 00:05:02,480
SAP SuccessFactors and Workday.

66
00:05:02,480 --> 00:05:03,680
That's actually the first part.

67
00:05:03,680 --> 00:05:08,840
But if you don't have those products, you could use different tools as well.

68
00:05:08,840 --> 00:05:15,240
And I'm not going to name them because that's a little bit of my allergy, to be honest.

69
00:05:15,240 --> 00:05:19,960
But there are different ways to get those accounts provisioned.

70
00:05:19,960 --> 00:05:27,760
What is really important, however, is of course that those credentials, the access, the birthright

71
00:05:27,760 --> 00:05:32,120
access rights of an account are configured correctly.

72
00:05:32,120 --> 00:05:37,440
And that's something we can today do with lifecycle workflows in the joiner scenario.

73
00:05:37,440 --> 00:05:42,440
And if we look at the access packages and access reviews and that sort of thing, is

74
00:05:42,440 --> 00:05:47,480
that related to this stuff?

75
00:05:47,480 --> 00:05:50,160
Not particularly to lifecycle workflows.

76
00:05:50,160 --> 00:05:53,840
But as Jan just mentioned, they are more related to the mover process.

77
00:05:53,840 --> 00:05:59,120
So lifecycle workflows is something you can use in your joiner process.

78
00:05:59,120 --> 00:06:03,440
And you can define based on the employee hire date.

79
00:06:03,440 --> 00:06:09,640
And if the user is working in department sales, those are the tasks I'm going to execute on

80
00:06:09,640 --> 00:06:15,360
the day you start your job at the company, like adding them to the sales group, sending

81
00:06:15,360 --> 00:06:22,720
the temporary access pass to the manager of the user and doing XYZ.

82
00:06:22,720 --> 00:06:26,720
And Jan's famous topic is in the logic apps.

83
00:06:26,720 --> 00:06:33,600
So I will leave that to him to name an example.

84
00:06:33,600 --> 00:06:34,600
That's the joiner thing.

85
00:06:34,600 --> 00:06:38,880
And you can have 50 workflows per tenant.

86
00:06:38,880 --> 00:06:41,600
And each workflow can have 25 tasks.

87
00:06:41,600 --> 00:06:43,920
That's the maximum today.

88
00:06:43,920 --> 00:06:45,200
Those run each three hours.

89
00:06:45,200 --> 00:06:52,040
And when we look at the leaver scenario, we can of course offboard the user correctly

90
00:06:52,040 --> 00:06:58,560
by removing the licenses of the user, removing the user from all the groups, all the teams

91
00:06:58,560 --> 00:06:59,760
that it's a member of.

92
00:06:59,760 --> 00:07:04,080
And we do that based on the employee leave date time.

93
00:07:04,080 --> 00:07:08,960
So it's automatically triggered in a smart way.

94
00:07:08,960 --> 00:07:13,240
And so you don't need to do those things yourself anymore as an IT admin.

95
00:07:13,240 --> 00:07:15,000
It's managed for you.

96
00:07:15,000 --> 00:07:16,400
But it's configured by you.

97
00:07:16,400 --> 00:07:23,440
Yeah, so the workload from an IT admin perspective is lower because we can automate stuff.

98
00:07:23,440 --> 00:07:27,400
But automate, Pim already mentioned, Power Apps.

99
00:07:27,400 --> 00:07:30,800
How does it integrate, Jan, with Power Apps and that sort of stuff?

100
00:07:30,800 --> 00:07:35,200
Yeah, that's a great bridge to my favorite topic.

101
00:07:35,200 --> 00:07:38,280
It actually extends to Logic Apps.

102
00:07:38,280 --> 00:07:43,280
We all know that Power Automate is the little brother or the little sister of Logic Apps.

103
00:07:43,280 --> 00:07:51,720
But yeah, you can create extensions, for example, to do tasks that are not in the default task

104
00:07:51,720 --> 00:07:52,720
settings.

105
00:07:52,720 --> 00:07:57,680
So you can do stuff like, hey, add this user to this team or remove from this team, enable

106
00:07:57,680 --> 00:07:58,680
account.

107
00:07:58,680 --> 00:07:59,680
Those are the basic tasks.

108
00:07:59,680 --> 00:08:02,520
But you can also do extensive tasks.

109
00:08:02,520 --> 00:08:07,080
For example, you want to create a temporary access pass and not send it to the manager,

110
00:08:07,080 --> 00:08:09,320
but directly to the end user, for example.

111
00:08:09,320 --> 00:08:11,680
That's not in the default template, but you can do it.

112
00:08:11,680 --> 00:08:13,400
So the sky is the limit there.

113
00:08:13,400 --> 00:08:15,800
You can do whatever you want.

114
00:08:15,800 --> 00:08:20,680
So you can even talk to third-party applications.

115
00:08:20,680 --> 00:08:25,520
Maybe what's important to mention as well is that specifically in this case for the

116
00:08:25,520 --> 00:08:30,640
joiner scenario, because for leaver, the employee leave date time cannot be synchronized yet.

117
00:08:30,640 --> 00:08:36,160
But for the joiner scenario, you could also execute actions in the on-prem AD by using

118
00:08:36,160 --> 00:08:41,600
Logic Apps and Azure Automation with hybrid workers, so that you can execute those scripts

119
00:08:41,600 --> 00:08:47,400
in your on-prem AD to, for example, add the user to a group, whatever you would like to

120
00:08:47,400 --> 00:08:48,400
do there.

121
00:08:48,400 --> 00:08:51,160
So we have access packages, access reviews.

122
00:08:51,160 --> 00:08:56,760
That's the old stuff that has been in identity governance for many years already.

123
00:08:56,760 --> 00:08:59,360
And that is not completely going away.

124
00:08:59,360 --> 00:09:00,720
And we still need that.

125
00:09:00,720 --> 00:09:08,520
But new functionality has been added to identity governance, like identity lifecycle and lifecycle

126
00:09:08,520 --> 00:09:09,520
workflows.

127
00:09:09,520 --> 00:09:15,040
And with that, we can use access packages, for example, to automate stuff and do things

128
00:09:15,040 --> 00:09:16,040
automatically.

129
00:09:16,040 --> 00:09:17,040
Exactly.

130
00:09:17,040 --> 00:09:18,520
Automating is the key word there.

131
00:09:18,520 --> 00:09:24,020
So as Pim mentioned, joiner and leaver can be processed with lifecycle workflows.

132
00:09:24,020 --> 00:09:28,000
And we've got the gap in the middle there, the mover part, and that we can do with access

133
00:09:28,000 --> 00:09:31,780
reviews, but with the addition that we can do it dynamically now.

134
00:09:31,780 --> 00:09:36,000
So a user does not have to go into the portal and request those access packages, but they

135
00:09:36,000 --> 00:09:39,380
are dynamically assigned to the user based on their attributes.

136
00:09:39,380 --> 00:09:41,640
So also automating that part now.

137
00:09:41,640 --> 00:09:42,640
Yeah.

138
00:09:42,640 --> 00:09:46,760
And that is good for, I think, 50 to 75% of the groups.

139
00:09:46,760 --> 00:09:51,400
But there are still probably groups in an organization where you need to get access

140
00:09:51,400 --> 00:09:53,200
based on requests.

141
00:09:53,200 --> 00:09:57,160
So access packages can still be used afterwards.

142
00:09:57,160 --> 00:09:58,160
Correct.

143
00:09:58,160 --> 00:10:06,200
So if there is any approval needed or a multi-stage approval or auditing features or whatsoever,

144
00:10:06,200 --> 00:10:11,080
you can also use access packages the way they're supposed to work, with an access review as well,

145
00:10:11,080 --> 00:10:12,960
because it's still really important.

146
00:10:12,960 --> 00:10:18,560
But for the mover part, you can do a lot of automation these days.

147
00:10:18,560 --> 00:10:19,560
Yeah.

148
00:10:19,560 --> 00:10:22,560
Temporary access pass, you already mentioned, Pim.

149
00:10:22,560 --> 00:10:28,640
But also, Privileged Identity Management is part of identity governance.

150
00:10:28,640 --> 00:10:35,300
Is Privileged Identity Management also part of the workflows and the lifecycle things

151
00:10:35,300 --> 00:10:38,040
that we have spoken about?

152
00:10:38,040 --> 00:10:40,480
Is there a relation with that?

153
00:10:40,480 --> 00:10:42,340
Not by default.

154
00:10:42,340 --> 00:10:48,600
Because with lifecycle workflows, you cannot, for example, add to a role-assignable group,

155
00:10:48,600 --> 00:10:50,280
a privileged access group.

156
00:10:50,280 --> 00:10:51,940
That's grayed out.

157
00:10:51,940 --> 00:10:54,560
But if you want to, use Logic Apps.

158
00:10:54,560 --> 00:10:58,480
So the sky is literally the limit here.

159
00:10:58,480 --> 00:11:04,880
So once we, I'm in this preview already for a long, long, long, long time.

160
00:11:04,880 --> 00:11:10,440
And we tried something internally because we have a labs tenant where we test stuff.

161
00:11:10,440 --> 00:11:14,960
And the problem we have is provisioning and deprovisioning on that end as well.

162
00:11:14,960 --> 00:11:20,600
So what we are using right now is literally a logic app, which is triggering via a

163
00:11:20,600 --> 00:11:22,560
webhook a workbook in another tenant.

164
00:11:22,560 --> 00:11:29,260
So to provision the account, because you receive those account details from the lifecycle workflow.

165
00:11:29,260 --> 00:11:35,840
So literally, whatever you would like, you can call an API of a particular app

166
00:11:35,840 --> 00:11:40,000
to provision accounts with a logic app.

167
00:11:40,000 --> 00:11:45,360
How far your imagination goes and can go, that's what you can do right now.

168
00:11:45,360 --> 00:11:51,600
Everything can happen with the use of Logic Apps, Power Automate and that sort of thing.

169
00:11:51,600 --> 00:11:52,600
Correct.

170
00:11:52,600 --> 00:11:58,240
So, in the beginning you mentioned security.

171
00:11:58,240 --> 00:12:04,040
This identity governance stuff, how does that make sense in relation to security?

172
00:12:04,040 --> 00:12:07,400
How does it help me as an organization?

173
00:12:07,400 --> 00:12:09,280
Well, that's a good question.

174
00:12:09,280 --> 00:12:15,120
The typical thing that we see in organizations is that when a user goes through the period

175
00:12:15,120 --> 00:12:21,440
of working for a company, they build up privileges, access to applications, roles that they need

176
00:12:21,440 --> 00:12:22,920
for their jobs.

177
00:12:22,920 --> 00:12:29,240
But as those never get reviewed, let's say over 10 years, you get a bunch of stuff that

178
00:12:29,240 --> 00:12:31,440
shouldn't be attached to your account anymore.

179
00:12:31,440 --> 00:12:35,120
And then you're going to leave the company and your replacement comes in.

180
00:12:35,120 --> 00:12:37,840
And what's the typical thing that they say?

181
00:12:37,840 --> 00:12:42,240
Just copy his account or her account and give him all the stuff so he or she can do her

182
00:12:42,240 --> 00:12:43,240
job.

183
00:12:43,240 --> 00:12:46,400
And that's not good for security because we want least privilege.

184
00:12:46,400 --> 00:12:51,120
So it can be that they also copied the administrator roles over.

185
00:12:51,120 --> 00:12:57,620
So, okay, you are a Privileged Identity Administrator and the next one will also be that person.

186
00:12:57,620 --> 00:13:00,880
So that's related to security, something that you don't want.

187
00:13:00,880 --> 00:13:09,320
You want to evaluate constantly and, even better, get that access assigned dynamically and constantly

188
00:13:09,320 --> 00:13:10,320
reviewed.

189
00:13:10,320 --> 00:13:14,480
So, yeah, based on the function, based on the role that you have, you have a specific

190
00:13:14,480 --> 00:13:20,040
function role where access is given based on the role and not on a person.

191
00:13:20,040 --> 00:13:28,600
And if you look at identity governance based on security, we have also insider risk within

192
00:13:28,600 --> 00:13:32,480
Microsoft 365, for example.

193
00:13:32,480 --> 00:13:37,560
The case that you are describing is more related to insider risks because it is more or less

194
00:13:37,560 --> 00:13:38,560
an insider risk.

195
00:13:38,560 --> 00:13:45,720
So insider risk management and identity governance, they strengthen each other.

196
00:13:45,720 --> 00:13:48,120
Yeah, I think that's correct.

197
00:13:48,120 --> 00:13:54,040
Insider risk is really good at stuff like, hey, this person resigned from his company

198
00:13:54,040 --> 00:13:57,760
and is doing stuff four weeks before his resignation.

199
00:13:57,760 --> 00:14:00,240
So that's really what we can do as well.

200
00:14:00,240 --> 00:14:05,240
Or we can just say, okay, this is the employee leave time.

201
00:14:05,240 --> 00:14:10,040
We're going to do some tasks so that you cannot do that stuff.

202
00:14:10,040 --> 00:14:12,840
So you're going to get read-only rights or something like that.

203
00:14:12,840 --> 00:14:15,440
So you can do anything to prevent that.

204
00:14:15,440 --> 00:14:16,720
But it really fits together.

205
00:14:16,720 --> 00:14:21,880
Yeah, and we have talked about identity governance, lifecycle management and that

206
00:14:21,880 --> 00:14:23,080
sort of stuff.

207
00:14:23,080 --> 00:14:27,880
What is needed for me if I am a company and I want to start with identity governance,

208
00:14:27,880 --> 00:14:28,880
what should I do?

209
00:14:28,880 --> 00:14:37,380
I always advise customers to get their source of truth correct.

210
00:14:37,380 --> 00:14:41,060
So what is in HR is the source of truth.

211
00:14:41,060 --> 00:14:48,520
If someone changes his name, is resigning, is coming into the company,

212
00:14:48,520 --> 00:14:50,400
HR is the first to know.

213
00:14:50,400 --> 00:14:56,680
So get that connected to your AD or your Azure AD, depending on where your

214
00:14:56,680 --> 00:14:58,900
source of authority is.

215
00:14:58,900 --> 00:15:01,400
So that will always be my first step to advise.

216
00:15:01,400 --> 00:15:08,240
And that could be a simple thing where you receive data from HR and let a PowerShell script

217
00:15:08,240 --> 00:15:10,600
run and update and create accounts.

218
00:15:10,600 --> 00:15:15,640
It doesn't need to be complex and fully automated as long as you do it.

219
00:15:15,640 --> 00:15:21,720
And with that being said, make sure that the employee hire date,

220
00:15:21,720 --> 00:15:27,800
and if you're working cloud-only today also the employee leave date time, are configured.

221
00:15:27,800 --> 00:15:30,640
And then you can start with lifecycle workflows and configure.

222
00:15:30,640 --> 00:15:32,880
Yeah, well, we just mentioned sky is the limit.

223
00:15:32,880 --> 00:15:33,880
Yeah.

224
00:15:33,880 --> 00:15:42,040
So for the process in between, use access packages and access reviews, and my tip would be: don't

225
00:15:42,040 --> 00:15:46,280
put an access review on everything, because otherwise people get literally...

226
00:15:46,280 --> 00:15:47,960
Yeah, it will.

227
00:15:47,960 --> 00:15:52,640
In the end, you will see that people are going to create a rule, "move it to this folder because

228
00:15:52,640 --> 00:15:54,680
I don't care", and then they lose access.

229
00:15:54,680 --> 00:15:55,680
So do it.

230
00:15:55,680 --> 00:16:01,160
You need to configure it on the things you really want to be reviewed and which cost

231
00:16:01,160 --> 00:16:06,960
money or are containing highly sensitive data.

232
00:16:06,960 --> 00:16:08,440
So that's important.

233
00:16:08,440 --> 00:16:16,040
Use automatic, dynamic access packages as well, based, for example, on department.

234
00:16:16,040 --> 00:16:21,480
And then once a user leaves the company, make the offboarding flows within lifecycle

235
00:16:21,480 --> 00:16:22,480
workflows.

236
00:16:22,480 --> 00:16:27,520
So that is important from an end user perspective and from an IT perspective.

237
00:16:27,520 --> 00:16:32,400
And on the other end, I think, and that's what I'm mentioning today as well.

238
00:16:32,400 --> 00:16:36,240
PIM is important and the basic security stuff.

239
00:16:36,240 --> 00:16:37,720
So don't do this.

240
00:16:37,720 --> 00:16:43,240
Don't start doing this when you don't have MFA.

241
00:16:43,240 --> 00:16:51,280
Literally secure first and then make it advanced step by step in a logical way, because

242
00:16:51,280 --> 00:16:54,220
we can provision accounts up to the max.

243
00:16:54,220 --> 00:16:58,320
But if they don't have MFA applied, that's a bigger risk.

244
00:16:58,320 --> 00:17:04,320
So from that angle, if you need to make an order, that's the most important thing to

245
00:17:04,320 --> 00:17:05,320
do first.

246
00:17:05,320 --> 00:17:07,200
And this would then be your next step.

247
00:17:07,200 --> 00:17:13,920
Think of defense in depth and do it in all places and not just in one.

248
00:17:13,920 --> 00:17:18,100
In addition to that, I would say if you're going to start and you got your base right,

249
00:17:18,100 --> 00:17:22,960
so the source of truth is configured and you're going to start with identity governance, start

250
00:17:22,960 --> 00:17:28,360
small and don't build castles that you can't support.

251
00:17:28,360 --> 00:17:33,180
Because, for example, you can start with small access packages containing licenses.

252
00:17:33,180 --> 00:17:39,680
So Power BI Pro, start with that or teams with sensitive data in it, you know, start

253
00:17:39,680 --> 00:17:42,200
small with less impact.

254
00:17:42,200 --> 00:17:50,060
So if it doesn't go well, not everyone is affected by the things that you

255
00:17:50,060 --> 00:17:51,060
have configured.

256
00:17:51,060 --> 00:17:54,760
Exactly, and it's also good to experiment with it.

257
00:17:54,760 --> 00:17:58,000
So how does the organization react to access reviews?

258
00:17:58,000 --> 00:18:00,120
What is the big note from the field?

259
00:18:00,120 --> 00:18:09,200
One of the topics in the slides in the session you're giving: what is the big fail when companies

260
00:18:09,200 --> 00:18:13,040
start with identity governance, for example, from your end, Jan?

261
00:18:13,040 --> 00:18:18,780
Well, what we already mentioned, organizations need to prioritize stuff.

262
00:18:18,780 --> 00:18:22,440
So they need to focus on the stuff that matters first.

263
00:18:22,440 --> 00:18:28,020
So you can go into identity governance and not have your MFA in order.

264
00:18:28,020 --> 00:18:29,560
So that's one big thing.

265
00:18:29,560 --> 00:18:34,960
And what I already said, they start and they want to do everything at once.

266
00:18:34,960 --> 00:18:38,000
So basically that's the…

267
00:18:38,000 --> 00:18:39,000
Start small.

268
00:18:39,000 --> 00:18:40,000
Yeah, start small.

269
00:18:40,000 --> 00:18:46,920
And maybe, and this is funny, in the preparation we discussed the things like self-review access.

270
00:18:46,920 --> 00:18:49,160
Yeah, yeah, yeah, yeah.

271
00:18:49,160 --> 00:18:52,960
And the group owner access reviews.

272
00:18:52,960 --> 00:19:01,080
In practice, you will see that if you do self-review, either the organization is not responding

273
00:19:01,080 --> 00:19:05,960
at all or everyone is responding and is keeping their access rights.

274
00:19:05,960 --> 00:19:10,680
So my personal feeling with that, and I think that differs from Jan's experience, but it

275
00:19:10,680 --> 00:19:18,080
doesn't really matter, is that I would most likely use the group owners because they are

276
00:19:18,080 --> 00:19:22,880
the owner of the group and need to determine who is in there, yes or no.

277
00:19:22,880 --> 00:19:25,200
Yeah, but how is that related to guest accounts?

278
00:19:25,200 --> 00:19:33,360
Because I've set up guest account review within my organization and on guest accounts, we

279
00:19:33,360 --> 00:19:36,840
have implemented self-review and that works quite well.

280
00:19:36,840 --> 00:19:38,560
For guest accounts, yes.

281
00:19:38,560 --> 00:19:44,640
If we're talking for guests, if we're talking for end user accounts, it's going to differ

282
00:19:44,640 --> 00:19:48,080
because nobody wants to lose their access.

283
00:19:48,080 --> 00:19:50,440
I don't have experience with that, but…

284
00:19:50,440 --> 00:19:51,980
Well, it depends.

285
00:19:51,980 --> 00:19:57,800
If your managers are fully aware of their task, that they are the guardians of their data, and

286
00:19:57,800 --> 00:20:01,820
they're fully on board and have some adoption, it's fine.

287
00:20:01,820 --> 00:20:07,040
But what I see is we underestimate the power of self-service in any way.

288
00:20:07,040 --> 00:20:15,600
Yeah, absolutely, but everything stands with communication, adoption, being aware and knowing

289
00:20:15,600 --> 00:20:18,600
what you're doing and why you are doing stuff.

290
00:20:18,600 --> 00:20:22,960
And that's where display names and descriptions are really important because if you're going

291
00:20:22,960 --> 00:20:29,440
to get an access review, hey, we want you to review access on this group and it has

292
00:20:29,440 --> 00:20:35,920
a prefix and a suffix and some IT stuff in it, they're going to say, okay, I approve

293
00:20:35,920 --> 00:20:38,960
because I don't know what it is, but I don't want to lose access.

294
00:20:38,960 --> 00:20:44,640
I agree with Pim on that, but there are a lot of elements that come in that make it user

295
00:20:44,640 --> 00:20:47,680
friendly that we as IT folks don't always see.

296
00:20:47,680 --> 00:20:48,680
Yeah.

297
00:20:48,680 --> 00:20:52,880
Thanks, guys, for being with me both in this recording.

298
00:20:52,880 --> 00:20:59,600
To finish up, is there one last thing about Entra or identity governance in particular

299
00:20:59,600 --> 00:21:05,600
that you want to share with the audience?

300
00:21:05,600 --> 00:21:10,920
Go to the Azure AD portal, click on identity governance and go to lifecycle workflows.

301
00:21:10,920 --> 00:21:16,600
If you don't see that, there's a trial button where you can activate your P2 trial.

302
00:21:16,600 --> 00:21:18,560
And then start with identity governance.

303
00:21:18,560 --> 00:21:19,560
Of course.

304
00:21:19,560 --> 00:21:20,560
So thank you guys.

305
00:21:20,560 --> 00:21:24,480
And for now, thank you for listening to this episode.

306
00:21:24,480 --> 00:21:29,160
Stay tuned for more new content coming in the next few months.

307
00:21:29,160 --> 00:21:30,160
See you next time.

308
00:21:30,160 --> 00:21:31,160
Thank you.

309
00:21:31,160 --> 00:21:50,360
Bye.

