---
title: Microsoft Entra ID Governance deployment guide to govern guest and partner access
description: Learn how to govern guest and partner access to resources in Microsoft Entra ID Governance.
author: gargi-sinha
manager: martinco
ms.service: entra-id-governance
ms.topic: concept-article
ms.date: 03/25/2025
ms.author: gasinh
---
Deployment scenarios are guidance on how to combine and test Microsoft Security products and services. You can discover how capabilities work together to improve productivity, strengthen security, and help you meet compliance and regulatory requirements.
The following products and services appear in this guide:
- Microsoft Entra ID Governance
- Microsoft Entra ID
- Microsoft Entra
- Entitlement management
- Azure Logic Apps
- Privileged Identity Management (PIM) for Groups
- Identity Governance dashboard
Use this scenario to help determine the need for Microsoft Entra ID Governance to create and grant access for your organization. Learn how to manage guest users in your environment.
Timelines show approximate delivery stage duration and are based on scenario complexity. Times are estimations and vary depending on the environment.
- Onboarding and discovery - 2 hours
- Auto assign resources - 1 hour
- Custom workflows - 2 hours
- Convert external users - 1 hour
- Access review - 1 hour
To enable the scenario, ensure the following requirements are met:
- Microsoft Entra ID P1 or P2 license
- Microsoft Entra ID Governance SKU
- Microsoft Logic Apps and auto assignment policies
- Two tenants, target and source
- A cloud user account on the target tenant to approve and access
- A cloud user on the source tenant to request access
- An account on the target tenant with one of the following roles:
  - User Administrator
  - Identity Governance Administrator
  - Privileged Role Administrator
  - Global Administrator
To collaborate with guest users, you can let them use their preferred identity to sign in to your app or other enterprise apps: SaaS, custom-developed, and more. Typically, B2B collaboration users are in your directory as guest users.
Learn more in the overview, B2B collaboration with external guests for your workforce.
Users can use Microsoft Entra entitlement management self-service features to sign up for access. Learn about self-service sign-up, and how to manage external access with entitlement management.
Use the following table to ease decision making.
Entitlement management | Both | Self-service signup |
---|---|---|
- Requested with My Access portal or link<br>- Access packages<br>- Built-in approval workflows<br>- Scope requests by organization<br>- Lifecycle automation<br>- Supports Security Assertion Markup Language (SAML) and Web Service Federation (WS-Fed) identities | - Request triggered by end user<br>- Collect other attributes<br>- Trigger custom logic apps and APIs<br>- Available to anyone<br>- Supports: Microsoft Entra ID, email one-time pass (OTP) | - Branded onboarding sign-in page<br>- Users create accounts at the app<br>- Language options<br>- Supports: Google, Microsoft Account (MSA), Facebook |
With the Microsoft Identity Governance dashboard, discover usage information about identity features configured in your tenant. See the current state of your environment, determine response actions, and find links to documentation.
Over time, external user accounts are created in the Microsoft Entra tenant. When external users, or guests, stop accessing the tenant, the external user account becomes stale.
You can monitor and clean up stale guest access accounts using access reviews.
Approvers allow or deny requests for access packages. To help approvers make access decisions about onboarding external users, you can include custom questions in an access request flow. Store requestor information for apps or other processes.
Decentralized identity solutions enable individuals to control their digital identities and manage identity data without reliance on a centralized authority or intermediary. Reduce the need for new employees or business partners to perform self-attestation. Simplify approval processes and your compliance posture. Learn more about Microsoft Verified ID in entitlement management.
When external users request initial access, they're invited to your directory and assigned access. In entitlement management, use access packages to assign access to multiple resources. Access packages live in a container called a catalog, which holds the resources you can add to an access package.
- Govern access for external users in entitlement management
- Create an access package in entitlement management
- View, add, and remove assignments for an access package
- Add a connected organization
- Learn settings for external users
- Create an access package in entitlement management
- Change the Hidden setting
- Create an access package with Verified ID requirements
- Assign users
- Share a link to request an access package in entitlement management
For more detail, see Govern access for external users in entitlement management.
To learn how to assign access, remove it, and more guidance, go to Scenario 2: Assign employee access to resources.
To create and run automated workflows with Azure Logic Apps, learn about custom use cases and more, or go to Scenario 2: Assign employee access to resources.
In entitlement management, external users have three states: governed, ungoverned, and blank. External users invited to your tenant are ungoverned. Ungoverned users can lose their last access package assignment yet remain in the tenant indefinitely. To manage their lifecycle, convert ungoverned users to governed while they still have access.
Learn to govern access for external users in entitlement management.
- Create an access package in entitlement management
- Create an automatic assignment policy
- Manage guest user lifecycle in the Microsoft Entra admin center
To learn to enable recurring access reviews, go to Scenario 2: Assign employee access to resources.
To learn about multistage reviews that ease reviewer burdens, go to Scenario 2: Assign employee access to resources.
You can conduct inactive user reviews to discern stale accounts. To learn more, go to Scenario 2: Assign employee access to resources.
The User-to-Group Affiliation feature helps you make access decisions based on machine-learning derived recommendations. To learn more, go to Scenario 2: Assign employee access to resources.
Access reviews include new groups with guest users and groups with recently added guests. Review recommendations are based on last sign-in details. As an option, denied guests are blocked from sign-in, then the account is deleted.
Learn more:
- Guest access in Microsoft Teams
- Manage guest access in Microsoft 365 Groups
- Overview of Microsoft 365 Groups for Administrators
- Microsoft 365 guest sharing settings reference
When conducting access reviews, you can review groups that have guest user members. Or you can review apps with assigned guest users. Guests are inactive after 30 days with no sign-in.
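The following Microsoft Graph PowerShell script is an added example, not code from the article: it creates a recurring access review of guest members across all Microsoft 365 groups, using the 30-day inactivity threshold and last sign-in recommendations described above, with group owners as reviewers and denied guests blocked from sign-in and then deleted. The display names, descriptions, 14-day instance length and quarterly recurrence are constructed values; the script assumes the Microsoft.Graph.Identity.Governance module and the AccessReview.ReadWrite.All permission.

```powershell
# Added example (not from the article). Assumes Microsoft.Graph.Identity.Governance
# is installed and the signed-in account can consent to AccessReview.ReadWrite.All.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$startDate = (Get-Date).ToString("yyyy-MM-dd")   # first review instance starts today

$params = @{
    displayName             = "Quarterly review of inactive guests in M365 groups"   # constructed
    descriptionForAdmins    = "Remove stale guest accounts from Microsoft 365 groups."
    descriptionForReviewers = "Deny guests who no longer need access to your group."
    # Enumerate every Microsoft 365 (Unified) group; each group gets its own review instance.
    instanceEnumerationScope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups?`$filter=(groupTypes/any(c:c+eq+'Unified'))"
        queryType     = "MicrosoftGraph"
    }
    # Within each group, review only guest members with no sign-in for 30 days (ISO 8601 P30D).
    scope = @{
        "@odata.type"    = "#microsoft.graph.accessReviewInactiveUsersQueryScope"
        query            = "./members/microsoft.graph.user/?`$filter=(userType eq 'Guest')"
        queryType        = "MicrosoftGraph"
        inactiveDuration = "P30D"
    }
    # The owners of each enumerated group review that group's guests.
    reviewers = @(
        @{ query = "./owners"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true      # recommendations based on last sign-in
        instanceDurationInDays          = 14
        autoApplyDecisionsEnabled       = $true
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"     # no reviewer response is treated as deny
        # Denied guests are blocked from signing in, then the account is deleted.
        applyActions = @(
            @{ "@odata.type" = "#microsoft.graph.disableAndDeleteUserApplyAction" }
        )
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 0; month = 0 }
            range   = @{ type = "noEnd"; startDate = $startDate }
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
$review | Select-Object Id, DisplayName, Status
```

Run it in a test tenant first and confirm the scope returns the guests you expect before enabling auto-apply, since disable-and-delete is not reversible once the retention window passes.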
[Screenshot: The New access review dialog, with the Review type tab and guest user options highlighted.]
To learn more about downloadable review-history reports, see Scenario 2: Assign employee access to resources.
For deployment instructions, go to Scenario 2: Assign employee access to resources.