{"id":7891,"date":"2022-03-03T08:01:37","date_gmt":"2022-03-03T16:01:37","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=7891"},"modified":"2026-04-07T06:42:34","modified_gmt":"2026-04-07T13:42:34","slug":"using-microsoft-azure-ad-entitlement-management-to-empower-microsoft-employees-and-protect-the-company","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/using-microsoft-azure-ad-entitlement-management-to-empower-microsoft-employees-and-protect-the-company\/","title":{"rendered":"Using Microsoft Azure AD entitlement management to empower Microsoft employees and protect the company"},"content":{"rendered":"

\"MicrosoftWe periodically update our stories, but we can\u2019t verify that they represent the full picture of our current situation at Microsoft. We leave them on the site so you can see what our thinking and experience was at the time.<\/em><\/p>\n

Microsoft is leveraging identity governance capabilities in Microsoft Azure AD entitlement management (EM) service to give its employees access to the files and resources they need to do their jobs while preventing them from accessing information they shouldn\u2019t see.<\/p>\n

Until recently, those kinds of protections had to be implemented by hand for each individual work project, which resulted in a patchwork experience for employees and managers alike and was a primary driver for support tickets.<\/p>\n

Today, this capability is enabled by Microsoft Azure Active Directory (Azure AD) EM, a transition that has centralized access provisioning and governance and has freed up resources for teams across the company.<\/p>\n

\u201cBy centralizing this functionality into an easy-to-use service, provisioning for a whole ecosystem can be linked to a single, role-based package,\u201d says Lionel Godolphin, a senior software engineer with the Microsoft Federal team in Microsoft Cloud and AI. \u201cBoth onboarding\u2014and equally importantly, offboarding\u2014are managed via a single policy with built-in approval processes.\u201d<\/p>\n

Integration and the implementation of seamless onboarding and offboarding experiences are challenges for every large and small organization. The way some of these integration services have been envisioned created unnatural barriers, which then require additional provisioning, access, and management. Enterprise organizations face a range of challenges when trying to implement and manage employee access, but Microsoft Azure AD entitlement management can be used to address these challenges.<\/p>\n

It\u2019s all about helping everyone involved in a project feel more confident in the work they\u2019re doing.<\/p>\n

\u201cIt\u2019s important for us to give our employees the freedom they need to do their job while also making sure they don\u2019t get into things that they shouldn\u2019t,\u201d Godolphin says. \u201cThis protects them, and it protects the company.\u201d<\/p>\n

Imagine you\u2019re new at Microsoft. You\u2019ve got your team, and not only do you have to get access to the sales systems, but you need access to all the sub-systems. They are not only disparate, but there may be different prerequisites\u2014it is not just one provisioning. Jumping through all those hoops to get set up as a new employee is a terrible experience for anyone.<\/p>\n

\u2014Lionel Godolphin, senior software engineer, Microsoft Federal<\/p>\n<\/blockquote>\n

The Microsoft Federal engineering team worked to build out auto-provision access to resources employees on the larger Microsoft Federal team need to do their confidential work supporting government agencies. The solution they built helps the team streamline onboarding and offboarding of employees, transforming what was a manual process into a compliant, one-click experience.<\/p>\n

Getting up to speed, but without all the tickets<\/h2>\n

When a new team member joins Microsoft Federal, the organization that engineers solutions to empower governments, access must be granted to the user for each system in the environment they need to do their job.<\/p>\n

\u201cImagine you\u2019re new at Microsoft,\u201d Godolphin says. \u201cYou\u2019ve got your team, and not only do you have to get access to the sales systems, but you need access to all the sub-systems. They are not only disparate, but there may be different prerequisites\u2014it is not just one provisioning. Jumping through all those hoops to get set up as a new employee is a terrible experience for anyone.\u201d<\/p>\n

Ensuring employees are enrolled in the right systems (and unenrolling them at the right time) can be tedious, especially if manual steps must be taken and system access is controlled by multiple teams. Each system might require its own onboarding request, which generates a lot of tickets and can introduce delays. Delays are a problem given the nature of Microsoft Federal\u2019s sensitive tented work.<\/p>\n

Microsoft Federal\u2019s sales team, for example, uses a system that required multiple integration points and tools as part of the overall sales processes. From several roles in Microsoft Dynamics 365, to reporting systems, to downstream services, each employee on the sales team requires a complimentary set of permissions.<\/p>\n

To solve this challenge, the Microsoft Federal engineering team developed a solution that leveraged Microsoft Azure AD entitlement management to streamline user access provisioning to make it a seamless, secure, and compliant experience. Additionally, with a little effort, Godolphin and his team were able to leverage Microsoft PowerApps to connect EM to the company human resources system. Thanks to auto-provisioning based on their human resources profile, an automated provision solution build on top of the Microsoft Azure AD EM service, now that same new employee shows up and has access to the entire sales ecosystem automatically.<\/p>\n

Launched in November 2019, Microsoft Azure AD entitlement management is an identity governance feature<\/a>\u00a0that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration.<\/p>\n

Employees in organizations need access to various groups, applications, and sites to perform their job. Managing this access is challenging. As requirements change and new applications are added, users need additional access rights. Similarly, rights need to be added or taken away when new employees join or leave the company. This scenario gets more complicated when you collaborate with outside organizations, you may not know who in the other organization needs access to your organization’s resources and they won’t know what applications, groups, or sites your organization is using.<\/p>\n

We are the voice of the internal customers, we work with internal customers to understand their access provision pain points, scenarios and bring requirements, gap analysis to the Azure AD Identity Governance product team and co-develop with them to enable critical Microsoft internal scenarios.<\/p>\n

\u2014Jennifer Jiao, principal PM manager, Microsoft<\/p>\n<\/blockquote>\n

Microsoft Azure AD entitlement management can help you efficiently manage access to groups, applications, and Microsoft SharePoint Online sites for internal users, and for users outside your organization who need access to those resources.<\/p>\n

When it comes to federal services, ensuring a lifecycle policy is in place automatically removes users after a set period that has been predetermined and established. In addition, you can comply with Cybersecurity Maturity Model Certification (CMMC) federal guidelines.<\/p>\n

\u201cWe are the voice of the internal customers, we work with internal customers to understand their access provision pain points, scenarios and bring requirements, gap analysis to the Azure AD Identity Governance product team and co-develop with them to enable critical Microsoft internal scenarios,\u201d says Jennifer Jiao, principal PM manager working on the project.<\/p>\n

An improved experience for everyone<\/h2>\n

The Microsoft Federal Sales team has a commitment to create an air-gapped and separate space to manage all the sales for the federal government. The impetus for the initiative is to keep and maintain secure data, which builds confidence with government entities while supporting a secure space for discussion and planning for government requirements, with Government Community Cloud (GCC) high security.\u00a0GCC is a Microsoft cloud computing environment provisioned in Microsoft\u2019s multi-tenant data centers for exclusive use by or for governments and enrolled affiliates.<\/p>\n

\"Key<\/p>\n