Six critical criteria for an identity lifecycle framework that strengthens your security profile

Employees come and go, and so do their identities within their organizations. On the surface, it seems a linear lifecycle, starting with onboarding and ending with offboarding, with a whole lot of access to resources in between. But it’s the “in between” where things are more complex – whether related to migration from one business unit to the next or integrating an acquisition. In addition, offboarding is often set aside for other priorities, resulting in standing privileges, which we will discuss in greater depth.

Privileged access must be granted at the right time and for the necessary duration. It is often applied in environments where users may change roles and require new and Just-In-Time privileges, or where non-human entities such as APIs or bots require access.

As roles and privileges change, there may be orphaned resources with exposed data in Microsoft 365, overprivileged and unchecked identities in Entra ID, unused delegated permissions or unnecessary authorizations in AD. These identity platform phenomena are central to modern business, but often businesses don’t have full visibility, resulting in attack surface gaps that put Zero Trust least privilege principles at risk. In some cases, they don’t have the resources to decommission privileged accounts or validate that each identity or object has access to what it should for as long as it should, resulting in standing privilege. These are the reasons Active Directory is often the primary target for threat actors.

This is where the identity lifecycle framework becomes critical. It provides the foundation for organizations to manage the identities of their users, entities and devices – from creation and usage to modification and deletion – to reduce risk, increase efficiency and security, and streamline identity management moving forward.

Businesses may use a manual framework to mitigate the risk. This takes up valuable time and diverts resources away from other tasks and is subject to human error. What’s more, today’s hybrid environments and multiple identity platforms make it a challenge to manage as a single ecosystem. Distributed, disparate identity platforms can result in inconsistency of policy enforcement or worse – increased risk through challenges with visibility. When an identity lifecycle framework is implemented and executed in a comprehensive manner with visibility and accuracy, businesses can gain a competitive and sustainable advantage across areas including:

  • Security: Users have specific permissions and fine-grained privileges that last only as long as is needed, supporting Zero Trust least privilege principles.
  • Control: Least Privileged Delegation safeguards data and ensures privileges are accessed appropriately, allowing actions and modifications to be recorded and reviewed.
  • Risk: Access stays visible and traceable, with anomalies or potentially malicious behaviors identified and acted on, either with automation or manual intervention. Abnormal account configuration can be identified, admins notified and remediation automated.
  • Agility: Access can be granted or denied to users without delay, boosting productivity without waiting for manual approvals that add workloads to IT teams.
  • Integrity: Continuous monitoring of environments allows any unauthorized access or changes to settings to be identified quickly.

These are advantages that benefit multiple departments, and underline why organizations need an identity lifecycle framework to bolster security throughout the business.

Six critical criteria for an identity lifecycle framework  

The identity world is moving fast to implement hybrid environments using multiple platforms and tools. At the same time, complexity within architectures is rising. Organizations face challenges to maintain visibility, address expansive ecosystems, onboard non-human identities, manage movement to other roles, update in relation to mergers and acquisitions, and adapt to partnership relationships.  

Developing a framework that helps secure such a diverse ecosystem is a major challenge. An identity lifecycle framework can help restore order and security to identity management if these six critical criteria are taken into consideration:

1. Access templates 

For enterprise-scale efficiency, access templates can be used to delegate least-privileged access to end users over objects they need to manage. These allow organizations to save time and be more agile by automatically defining permissions based on roles, attributes and policies – or whatever the most suitable access control method might be. The template approach also keeps things consistent at scale and reduces the need for manual access processes.

Example use cases include:

  • HR staff being granted limited CRUD permissions for users
  • Support for managing IT group membership permissions
  • Group Owners being given self-service access to manage their own groups

2. Managed Units 

Managed Units (MUs) are collections of objects created for distributing administration, enforcing business rules and managing complex network environments. The MUs allow directory objects to be grouped into administrative views wherever they’re located in Microsoft Entra ID.  

This adds a layer of protection by restricting the scope of role permissions to any defined area of the business under Entra ID’s administrative units function. For example, regional access controls can be applied based on a role’s geolocation.

Groups can also be added and managed within the administrative unit. It’s also possible to assign access templates to these managed units as part of a least privileged access (LPA) security scenario. A best practice is to abstract the directory structure from delegated users.
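The two ideas above (an access template that names what a delegated user may do, and a managed unit that bounds where they may do it) combine into a deny-by-default delegation check. The following is an added illustration, not Active Roles or One Identity code: the template and unit definitions, the trustee names, the object attributes and the sample objects are all constructed for the example, and the `is_allowed` and `effective_permissions` functions are hypothetical helpers, not a product API.

```python
"""Least-privilege delegation: access templates scoped by managed units.

Added illustration, not Active Roles or One Identity code. An access template
is a set of (object class, operation) permissions; a managed unit is a rule
over object attributes that selects the objects in scope; a delegation binds
a trustee to one template over one managed unit. Every name, attribute and
sample object below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessTemplate:
    name: str
    permissions: frozenset  # of (object_class, operation) pairs


@dataclass(frozen=True)
class ManagedUnit:
    name: str
    rule: tuple  # ((attribute, required value), ...): in scope when all match

    def contains(self, obj: dict) -> bool:
        return all(obj.get(attr) == value for attr, value in self.rule)


@dataclass(frozen=True)
class Delegation:
    trustee: str
    template: AccessTemplate
    scope: ManagedUnit


def is_allowed(delegations, trustee, operation, obj) -> bool:
    """Deny by default: allow only if some delegation for this trustee grants
    the operation on the object's class AND the object is inside that
    delegation's managed unit."""
    return any(
        d.trustee == trustee
        and (obj["objectClass"], operation) in d.template.permissions
        and d.scope.contains(obj)
        for d in delegations
    )


def effective_permissions(delegations, trustee, obj) -> set:
    """Operations the trustee may perform on this object: what an access
    review would list for the pair (trustee, object)."""
    return {
        op
        for d in delegations
        if d.trustee == trustee and d.scope.contains(obj)
        for cls, op in d.template.permissions
        if cls == obj["objectClass"]
    }


# Templates matching the use cases in the text (constructed definitions)
HR_USER_CRUD = AccessTemplate("HR: limited user CRUD", frozenset({
    ("user", "create"), ("user", "read"), ("user", "update"), ("user", "delete")}))
GROUP_OWNER_SELF_SERVICE = AccessTemplate("Group owner self-service", frozenset({
    ("group", "read"), ("group", "update-membership")}))

# Managed units: one regional unit, one "groups owned by bob" unit (constructed)
EMEA_USERS = ManagedUnit("EMEA users", (("region", "EMEA"),))
BOBS_GROUPS = ManagedUnit("Groups managed by bob", (("managedBy", "bob"),))

DELEGATIONS = (
    Delegation("hr-emea", HR_USER_CRUD, EMEA_USERS),
    Delegation("bob", GROUP_OWNER_SELF_SERVICE, BOBS_GROUPS),
)

# Constructed sample directory objects
ALICE = {"objectClass": "user", "sAMAccountName": "alice", "region": "EMEA"}
CHEN = {"objectClass": "user", "sAMAccountName": "chen", "region": "APAC"}
FINANCE_READERS = {"objectClass": "group", "cn": "finance-readers",
                   "managedBy": "bob", "region": "EMEA"}

if __name__ == "__main__":
    checks = [("hr-emea", "update", ALICE), ("hr-emea", "update", CHEN),
              ("hr-emea", "update-membership", FINANCE_READERS),
              ("bob", "update-membership", FINANCE_READERS),
              ("bob", "delete", FINANCE_READERS)]
    for trustee, op, obj in checks:
        name = obj.get("sAMAccountName") or obj["cn"]
        print(f"{trustee:8} {op:18} {name:16}",
              "ALLOW" if is_allowed(DELEGATIONS, trustee, op, obj) else "DENY")
```

The point of the split is that neither half is enough on its own: HR holds a user template but cannot touch APAC users because they fall outside its managed unit, and Bob can manage membership of his own group but cannot delete it because the template never grants that operation. `effective_permissions` is the view an access review would use to confirm that what a trustee can do on a given object is exactly what the delegation intended.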

3. Provisioning policies 

Using Active Roles, enterprises can harness policy-based automated provisioning for tasks on directory objects. These become guard rails for best practices when creating and updating Entra ID objects, without errors or inconsistencies that can arise with manual approaches.  

Attributes are validated based on rules, automatically hardening security by only allowing access after policy conditions have been satisfied. A fine-grained permissioning model may include the following:

  • Least privileged access: Proxy firewall for AD, zero standing privileges, fine-grained permissions, delegation
  • Audit, remediate, report: Centralized management, change history and user activity tracking, focus on remediation
  • Data integrity: Policy enforcement for data standards, clean up and maintenance for object hierarchies, attributions for data
  • Security automation: Full lifecycle processing – from onboarding to transfers to offboarding – plus data synchronization

It’s also useful for creating entitlements around mailboxes, home share access and distributed environments, for example automating administration and account provisioning while enforcing corporate policies.
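To make the “validate attributes against rules, then create” idea concrete, here is an added example of a provisioning policy gate. It is not Active Roles code: the rules (required attributes, a naming convention, an allowed UPN suffix, an approved department list, no pre-assigned memberships, a mandatory expiry for contractors), the OU layout, the reference date and the sample requests are all constructed, and `validate_user` / `provision_user` are hypothetical helpers.

```python
"""Provisioning policy: validate and normalise a new user before creation.

Added illustration, not Active Roles code. Rules are constructed for the
example: required attributes, a naming convention, an allowed UPN suffix
list, an approved department list, a ban on pre-assigned privileges, and an
expiry requirement for contractors. A request that violates any rule is
refused; a compliant one gets its derived attributes filled in by policy.
"""
import re
from datetime import date, timedelta

ALLOWED_UPN_SUFFIXES = {"example.com"}                    # constructed
APPROVED_DEPARTMENTS = {"Finance", "HR", "Engineering"}   # constructed
REQUIRED = ("givenName", "sn", "sAMAccountName", "userPrincipalName",
            "department", "manager", "employeeType")
SAM_RE = re.compile(r"^[a-z][a-z0-9.\-]{2,19}$")
MAX_CONTRACTOR_DAYS = 180
DOMAIN_DN = "DC=example,DC=com"
REFERENCE_DATE = date(2024, 1, 15)                        # constructed "today"


class PolicyViolation(Exception):
    def __init__(self, errors):
        super().__init__("; ".join(errors))
        self.errors = errors


def validate_user(attrs: dict, today: date) -> list:
    """Return every rule the request breaks (empty list = compliant)."""
    errors = []
    for name in REQUIRED:
        if not attrs.get(name):
            errors.append(f"missing required attribute {name}")
    if not SAM_RE.match(attrs.get("sAMAccountName", "")):
        errors.append("sAMAccountName must be 3-20 lower-case chars starting with a letter")
    upn = attrs.get("userPrincipalName", "")
    if "@" not in upn or upn.rsplit("@", 1)[1].lower() not in ALLOWED_UPN_SUFFIXES:
        errors.append("userPrincipalName suffix is not an allowed domain")
    if attrs.get("department") not in APPROVED_DEPARTMENTS:
        errors.append("department is not in the approved list")
    # Least privilege: a new account starts with no memberships or admin flags
    if attrs.get("memberOf") or attrs.get("adminCount"):
        errors.append("new accounts may not carry group memberships or adminCount")
    # Zero standing privilege for contractors: the account must have an end date
    if attrs.get("employeeType") == "contractor":
        expires = attrs.get("accountExpires")
        if expires is None or expires > today + timedelta(days=MAX_CONTRACTOR_DAYS):
            errors.append(f"contractor accounts must expire within {MAX_CONTRACTOR_DAYS} days")
    return errors


def provision_user(attrs: dict, today: date) -> dict:
    """Gate creation on the policy, then derive the managed attributes."""
    errors = validate_user(attrs, today)
    if errors:
        raise PolicyViolation(errors)
    obj = dict(attrs)
    obj["displayName"] = f"{obj['givenName']} {obj['sn']}"
    obj["mail"] = obj["userPrincipalName"].lower()
    # The creation container is chosen by policy, not by the requester
    obj["distinguishedName"] = (f"CN={obj['displayName']},OU={obj['department']},"
                                f"OU=Users,{DOMAIN_DN}")
    obj["memberOf"] = set()
    obj["enabled"] = True
    return obj


# Constructed requests
GOOD_REQUEST = {"givenName": "Alice", "sn": "Smith", "sAMAccountName": "alice.smith",
                "userPrincipalName": "Alice.Smith@example.com", "department": "Finance",
                "manager": "bob", "employeeType": "employee"}
CONTRACTOR_REQUEST = {**GOOD_REQUEST, "givenName": "Dan", "sn": "Lee",
                      "sAMAccountName": "dan.lee", "userPrincipalName": "dan.lee@example.com",
                      "employeeType": "contractor",
                      "accountExpires": REFERENCE_DATE + timedelta(days=90)}
BAD_REQUEST = {"givenName": "Eve", "sn": "Adams", "sAMAccountName": "Eve!",
               "userPrincipalName": "eve@evil.test", "department": "Ops",
               "manager": "bob", "employeeType": "contractor",
               "memberOf": {"Domain Admins"}}

if __name__ == "__main__":
    print(provision_user(GOOD_REQUEST, REFERENCE_DATE)["distinguishedName"])
    print(validate_user(CONTRACTOR_REQUEST, REFERENCE_DATE))
    for err in validate_user(BAD_REQUEST, REFERENCE_DATE):
        print("refused:", err)
```

Two design choices matter here. The validator returns every violation rather than stopping at the first, so the requester gets one complete answer instead of a back-and-forth, and the derived attributes (display name, mail, container) are computed by the policy after validation, so a requester can never place an account in an OU of their choosing or pre-load it with memberships.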

4. Dynamic Groups and Group Families

Dynamic Groups take the advantages and capabilities of MUs and extend them to Group memberships. These are highly configurable.  

Group Families allow automatic group creation and membership assignments. These are ideal for bulk-based tasks, where there are frequent changes such as assigning Distribution Groups to managers and running on schedules, although their batch-based nature means they are slower to process.

Group management also makes it possible to manage access and permissions for multiple users instead of assigning permissions to each individual. This type of scalable segmentation supports Zero Trust, limiting permission to applications containing sensitive data and allowing permissions to be provisioned or deprovisioned for an entire group as needed. This is particularly convenient when moving a team to a different business unit, decommissioning an application or restricting access to any application.

5. Change workflows 

Workflows change, that is a given. Being able to automate workflows and change them as needed can be invaluable in boosting efficiency and eliminating the risk of human error. Want to detect and respond to any change that happens in the Active Roles Console? Set a user’s Creation Container (OU) before creating the user in AD. Actions can then be processed before and after any changes. Just remember that Active Roles can only move objects between OUs within the same domain.

This can save time for use cases such as:

  • Requesting Group Owner approval before updating memberships
  • Moving a user to a new OU after their department is updated
  • Notifying the manager when a new team member joins
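The three use cases above, together with the dynamic-group idea from the previous section, fit into one change workflow: a department update triggers a pre-change approval step, the object is moved to its new OU (refusing a cross-domain move), dynamic-group membership is recomputed, and the manager is notified. The following is an added example and not Active Roles code: the group rules, owners, OU layout, approval record, notification list and the sample user are all constructed, and `pending_approvals`, `move_object` and `apply_change` are hypothetical helpers.

```python
"""Change workflow for a department update, driven by dynamic-group rules.

Added illustration, not Active Roles code. Dynamic-group membership is
derived from user attributes; the workflow runs pre-change actions (owner
approval for any group the user will leave, same-domain check for the OU
move), applies the change, then runs post-change actions (OU move,
membership update, manager notification). Group names, owners, OU layout,
the approval record and the notification list are all constructed.
"""
DOMAIN_DN = "DC=example,DC=com"

# Constructed dynamic-group rules: group name -> predicate over user attributes
DYNAMIC_GROUPS = {
    "dg-finance-all": lambda u: u.get("department") == "Finance",
    "dg-engineering-all": lambda u: u.get("department") == "Engineering",
    "dg-emea-staff": lambda u: u.get("region") == "EMEA",
}
GROUP_OWNERS = {"dg-finance-all": "fin-owner",
                "dg-engineering-all": "eng-owner",
                "dg-emea-staff": "emea-owner"}


class ApprovalRequired(Exception):
    pass


def dynamic_memberships(user: dict) -> set:
    """Groups whose rule the user currently satisfies."""
    return {g for g, rule in DYNAMIC_GROUPS.items() if rule(user)}


def container_for(user: dict) -> str:
    """Target OU is determined by department (constructed layout)."""
    return f"OU={user['department']},OU=Users,{DOMAIN_DN}"


def move_object(dn: str, target_ou: str) -> str:
    """Rebuild the DN under the target OU; refuse a cross-domain move."""
    def domain_of(x):
        return x[x.index("DC="):]
    if domain_of(dn) != domain_of(target_ou):
        raise ValueError("objects can only be moved between OUs in the same domain")
    return f"{dn.split(',', 1)[0]},{target_ou}"


def pending_approvals(user: dict, changes: dict, approvals: dict) -> list:
    """Pre-change check: groups the user would leave that lack owner approval."""
    leaving = dynamic_memberships(user) - dynamic_memberships({**user, **changes})
    return sorted(g for g in leaving if approvals.get(g) != GROUP_OWNERS[g])


def apply_change(user: dict, changes: dict, approvals: dict, notifications: list) -> dict:
    """Run the workflow and return the updated user; the input is left untouched."""
    missing = pending_approvals(user, changes, approvals)
    if missing:
        raise ApprovalRequired(f"owner approval missing for {missing}")

    before, after = dict(user), {**user, **changes}
    to_add = dynamic_memberships(after) - dynamic_memberships(before)
    to_remove = dynamic_memberships(before) - dynamic_memberships(after)

    # Apply: update memberships and move the object to its new container
    after["memberOf"] = (set(before.get("memberOf", ())) | to_add) - to_remove
    after["distinguishedName"] = move_object(before["distinguishedName"], container_for(after))

    # Post-change: tell the (possibly new) manager a team member has joined
    notifications.append({"to": after["manager"], "event": "user-joined-team",
                          "user": after["cn"], "dn": after["distinguishedName"]})
    return after


# Constructed sample user
ALICE = {"cn": "Alice Smith", "department": "Finance", "region": "EMEA", "manager": "fin-mgr",
         "memberOf": {"dg-finance-all", "dg-emea-staff"},
         "distinguishedName": f"CN=Alice Smith,OU=Finance,OU=Users,{DOMAIN_DN}"}

if __name__ == "__main__":
    sent = []
    change = {"department": "Engineering", "manager": "eng-mgr"}
    try:
        apply_change(ALICE, change, {}, sent)
    except ApprovalRequired as e:
        print("blocked:", e)
    updated = apply_change(ALICE, change, {"dg-finance-all": "fin-owner"}, sent)
    print(sorted(updated["memberOf"]), updated["distinguishedName"], sent[-1]["to"])
```

Running it shows the first attempt blocked until the finance group owner approves the removal, and the second attempt leaving Alice in the EMEA group (her region did not change), adding her to the engineering group, rebuilding her DN under the Engineering OU and notifying her new manager. Because `move_object` compares the domain components before rebuilding the DN, a workflow that tried to target an OU in another domain would fail at the pre-change stage rather than leave a half-applied change.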

6. Deprovisioning policies 

Managing access to resources is a dynamic process that must consider where the identity is along its lifecycle. Provisioning is only half the battle – making sure access is removed when a user departs an organization or changes roles is critical to minimizing standing privileges and reducing the attack surface. 

One-click automation for secure lifecycle management allows for removing users or group objects using granular controls. This ensures identities have authentication and authorization rights throughout the identity lifecycle but no longer. It becomes an automated way to revoke rights, secure the business and free up storage space. Deprovisioning policies can include:

  • Deactivating dormant and orphaned accounts, revoking user access or changing the attributes required for access
  • Removing group memberships, or including optional exceptions, after determining what changes are needed in relation to security groups or mail-enabled groups
  • Re-assigning access to home share and Exchange resources
  • Scheduling permanent deletions after specified time periods
  • Sending notifications to downstream parties
  • Extending with custom scripting if required. These can be applied at various points, in PowerShell, C# or Visual Basic .NET, with any errors automatically logged for debugging and further testing
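The list above reads as a procedure, so here is an added example of a deprovisioning policy run end to end over a small directory snapshot. It is not Active Roles code: the dormancy and retention thresholds, the legal-hold exception group, the HR termination feed, the reference date and every account in the snapshot are constructed, and `classify`, `deprovision` and `run_policy` are hypothetical helpers. It goes slightly beyond the text by also detecting orphaned accounts (manager missing or disabled) and by handling the later run in which the retention period has elapsed.

```python
"""Deprovisioning policy run over a constructed directory snapshot.

Added illustration, not Active Roles code. Each account is classified as
departed, dormant, orphaned or active. Departed and dormant accounts are
disabled, stripped of group memberships except a constructed legal-hold
exception, have their home share and mailbox handed to the manager, get a
permanent deletion scheduled after a retention period, and produce a
notification. Thresholds, group names and the HR feed are constructed.
"""
from datetime import date, timedelta

DORMANT_AFTER_DAYS = 90
DELETE_AFTER_DAYS = 30
KEEP_GROUPS = {"legal-hold"}          # memberships retained during retention
REFERENCE_DATE = date(2024, 3, 1)     # constructed "today"


def classify(user: dict, directory: dict, terminated: set, today: date) -> str:
    if user["sAMAccountName"] in terminated:
        return "departed"
    if (today - user["lastLogon"]).days > DORMANT_AFTER_DAYS:
        return "dormant"
    manager = user.get("manager")
    if manager is not None:  # a stricter policy would also flag a missing manager
        owner = directory.get(manager)
        if owner is None or not owner["enabled"]:
            return "orphaned"
    return "active"


def deprovision(user: dict, reason: str, today: date, notifications: list) -> dict:
    """Revoke rights now, keep the object only as long as retention requires."""
    u = dict(user)
    u["enabled"] = False
    u["memberOf"] = {g for g in u["memberOf"] if g in KEEP_GROUPS}  # exceptions stay
    u["homeShareOwner"] = u.get("manager")       # re-assign home share
    u["mailboxDelegate"] = u.get("manager")      # re-assign Exchange resource
    u["scheduledDeletion"] = today + timedelta(days=DELETE_AFTER_DAYS)
    u["deprovisionReason"] = reason
    notifications.append({"to": [u.get("manager"), "helpdesk"], "user": u["sAMAccountName"],
                          "reason": reason, "delete_on": u["scheduledDeletion"].isoformat()})
    return u


def run_policy(directory: dict, terminated: set, today: date):
    """Return (updated directory, per-account action, notifications)."""
    updated, actions, notifications = {}, {}, []
    for sam, user in directory.items():
        due = user.get("scheduledDeletion")
        if not user["enabled"] and due is not None:
            if due <= today:
                actions[sam] = "deleted"            # retention elapsed: object removed
            else:
                updated[sam] = user
                actions[sam] = "awaiting-deletion"
            continue
        state = classify(user, directory, terminated, today)
        if state in ("departed", "dormant"):
            updated[sam] = deprovision(user, state, today, notifications)
            actions[sam] = "disabled"
        elif state == "orphaned":
            updated[sam] = user                     # flag for review, do not auto-disable
            actions[sam] = "review-owner"
            notifications.append({"to": ["helpdesk"], "user": sam,
                                  "reason": "orphaned: manager missing or disabled"})
        else:
            updated[sam] = user
            actions[sam] = "none"
    return updated, actions, notifications


def _acct(sam, manager, days_since_logon, groups, enabled=True, **extra):
    return {"sAMAccountName": sam, "manager": manager, "enabled": enabled,
            "lastLogon": REFERENCE_DATE - timedelta(days=days_since_logon),
            "memberOf": set(groups), **extra}


TERMINATED = {"eve"}   # constructed HR feed of departed employees
DIRECTORY = {          # constructed snapshot
    "alice": _acct("alice", "bob", 3, ["finance-readers"]),
    "bob": _acct("bob", None, 1, ["managers"]),
    "eve": _acct("eve", "bob", 2, ["finance-readers", "vpn-users"]),
    "frank": _acct("frank", "bob", 120, ["finance-readers", "legal-hold"]),
    "svc-backup": _acct("svc-backup", "dave", 1, ["backup-operators"]),
    "grace": _acct("grace", "bob", 200, ["legal-hold"], enabled=False,
                   scheduledDeletion=REFERENCE_DATE - timedelta(days=1)),
}

if __name__ == "__main__":
    _, actions, notes = run_policy(DIRECTORY, TERMINATED, REFERENCE_DATE)
    for sam, action in actions.items():
        print(f"{sam:11} {action}")
    print(len(notes), "notifications queued")
```

The run disables Eve (terminated) and Frank (no logon for 120 days) but leaves Frank in the legal-hold group, hands both users' resources to Bob and schedules their deletion 30 days out; Grace, whose retention already elapsed, is dropped from the directory; the service account whose owner Dave no longer exists is queued for an owner review rather than disabled automatically, since killing an unowned service account blindly is how a deprovisioning job becomes an outage.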

Balancing access and agility with identity and security 

Moving forward with a comprehensive identity lifecycle framework that increases efficiency and is agile enough to support the dynamic nature of business today requires visibility and control across the identity ecosystem. A single pane of glass can achieve this. Visibility across the environment from a single console allows teams to remove the inefficiencies that come from trying to enforce and manage policies across multiple systems, databases, even mainframes. This also serves to mitigate the security risks and policy inconsistencies that come from not knowing who has access to what resources at any one time.

Visibility across an identity landscape from a single console also opens the door to adding rules and revocations for granting or denying privileges on the fly. Centralizing policy creation and enforcement further streamlines identity management for administrators.

This includes authorization for applications, databases, files and servers – based on AD groups. After all, when evaluating the levels of complexity in an environment, AD can be seen as having the biggest influence on the overall cybersecurity posture and environment complexity. This means that applying authorization and delegation controls here will have the biggest impact and potential return.

Identity framework maturity leads to identity management resiliency and security 

Get the balance right between authorization and delegation, and the result is a robust security profile - one that also covers accountability, a core part of identity management and the identity lifecycle framework. Of course, this also relies on gaining and maintaining the necessary data hygiene levels within AD.  

What comes first: Authorization or delegation? 

The identity lifecycle stands at the intersection where delegation meets and complements authorization. To manage both dynamically, you need controls for a world where identities often change at short notice.  

There is, however, a hierarchy between the two. Whoever is authorized must perform the delegation, because delegation comes after authorization: without authorization there can be no delegation.

Delegating is a form of redistributing authority, which benefits the business in multiple ways. Delegation helps to speed up processes by automatically calling for others to take on duties. This allows those delegated to upskill and feel empowered. Naturally, this allows the team to grow, both at the leadership level and among those now responsible for providing solutions. Delegation is also a critical component to any authentication, authorization and accounting best practices, as entities are granted permissions such as authenticating users and services or integrating user databases. Delegation helps to distribute responsibility and accountability to those who need it. However, those permissions must be managed closely as projects end and roles change.

To discover more about designing the perfect lifecycle process that brings all these advantages together, check out the new webinar: The relationship between authorization and delegation in the identity world. You’ll hear from experts who explore the symbiotic relationship and dynamics involved, and discuss different models to create a balanced, flexible and secure identity lifecycle framework.
