Azure Identity Governance: Beyond the Basics

Role assignments, PIM, service principals, credential lifecycle — why identity is the most critical governance domain in Azure.

Identity Is the New Perimeter

In a cloud-first world, the network perimeter is gone. Identity is the perimeter. Every Azure resource is accessed through Entra ID (formerly Azure AD), which means identity misconfigurations are the fastest path to a breach.

Yet most organizations treat identity governance as a checkbox exercise — review role assignments once a quarter, check that MFA is enabled, move on. That's not enough.

The Four Pillars of Azure Identity Governance

1. RBAC Analysis

Role-Based Access Control is Azure's authorization model. Every action in Azure — creating a VM, reading a storage blob, deleting a resource group — is controlled by RBAC.

The most common RBAC problems:

  • Over-privileged users: Contributors who should be Readers, Owners who should be Contributors
  • Standing access: Permanent role assignments instead of just-in-time (JIT) via PIM
  • Subscription-level Owners: Broad access when resource-group-level would suffice
  • Orphaned assignments: Role assignments for deleted users or groups

2. PIM Monitoring

Privileged Identity Management (PIM) is Microsoft's answer to standing privileged access. Instead of permanent Owner or Contributor roles, users activate privileges on-demand with approval, justification, and time limits.

But PIM only works if it's used correctly:

  • Are all high-privilege roles covered by PIM?
  • Are there stale eligible assignments (users who never activate)?
  • Are activation durations reasonable (not 24 hours)?
  • Is approval required for critical roles?

3. Service Principal Tracking

Service principals and app registrations are the non-human identities in your tenant. They often have more access than any individual user — and they're harder to audit.

Key risks:

  • Tier-0 permissions: Apps with Directory.ReadWrite.All or Application.ReadWrite.All
  • Expired secrets: Credentials that expired months ago but haven't been rotated
  • Unused applications: App registrations with no sign-in activity
  • Excessive Graph permissions: Apps requesting more API access than they need

4. Credential Lifecycle

Every app registration secret and certificate has an expiration date. When they expire without rotation, things break — deployments fail, integrations stop, pipelines go red.

Credential lifecycle management means:

  • Tracking all secret and certificate expiration dates
  • Alerting before expiry (30 days, 14 days, 7 days)
  • Identifying unused credentials that can be removed
  • Monitoring for credentials that never expire (a security anti-pattern)
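As an added example (not code from the original post or from Unsave), a small Python audit that applies the 30/14/7-day thresholds and the never-expires check above to a constructed list of app registrations shaped like Microsoft Graph's passwordCredentials and keyCredentials (keyId, endDateTime). The 10-year cutoff for "never expires" and the sample app names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Alert thresholds from the post: days before expiry at which to notify.
THRESHOLDS_DAYS = (7, 14, 30)
# Assumption: a credential valid for longer than this is treated as "never expires".
NEVER_EXPIRES_YEARS = 10

# Constructed sample, shaped like Graph's application passwordCredentials/keyCredentials.
SAMPLE_APPS = [
    {"displayName": "billing-sync",
     "passwordCredentials": [{"keyId": "pw-1", "endDateTime": "2025-06-05T00:00:00Z"}],
     "keyCredentials": [{"keyId": "cert-1", "endDateTime": "2026-06-01T00:00:00Z"}]},
    {"displayName": "legacy-etl",
     "passwordCredentials": [{"keyId": "pw-2", "endDateTime": "2024-12-31T00:00:00Z"}]},
    {"displayName": "ci-deployer",
     "passwordCredentials": [{"keyId": "pw-3", "endDateTime": "2099-01-01T00:00:00Z"}]},
    {"displayName": "reporting-api",
     "passwordCredentials": [{"keyId": "pw-4", "endDateTime": "2025-06-12T00:00:00Z"},
                             {"keyId": "pw-5", "endDateTime": "2025-06-20T00:00:00Z"}]},
]
# Fixed "now" so the constructed sample is reproducible.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def classify_credential(end_date_time, now):
    """Return 'expired', 'expiring-7d'/'14d'/'30d', 'never-expires' or 'ok'."""
    if end_date_time is None:
        return "never-expires"
    end = datetime.fromisoformat(end_date_time.replace("Z", "+00:00"))
    remaining = end - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining > timedelta(days=365 * NEVER_EXPIRES_YEARS):
        return "never-expires"
    for days in sorted(THRESHOLDS_DAYS):  # report the tightest window that applies
        if remaining <= timedelta(days=days):
            return f"expiring-{days}d"
    return "ok"


def audit_apps(apps, now):
    """Return (app, credential type, keyId, status) for every credential needing attention."""
    findings = []
    for app in apps:
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in app.get(kind, []):
                status = classify_credential(cred.get("endDateTime"), now)
                if status != "ok":
                    findings.append((app["displayName"], kind, cred["keyId"], status))
    return findings
```

Feed `audit_apps` the output of a Graph applications query (or `az ad app list`) in place of SAMPLE_APPS and route each finding to your alerting channel.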

Putting It Together

Identity governance isn't a one-time review. It's continuous monitoring across RBAC, PIM, service principals, and credentials — with alerts when something drifts.

When a new Global Admin is assigned outside PIM, you should know immediately. When an app registration secret is 7 days from expiry, someone should be notified. When a user has Owner on 12 subscriptions, that should be flagged.


Map your Azure identity landscape in 60 seconds. Try Unsave free at unsave.io.