APR 13, 2026 #IDENTITY_GOVERNANCE #BICEP

Automating Azure
Identity Governance.

A deep dive into replacing permanent administrative access with Zero Trust automation using Bicep and Entra ID PIM.

As cloud environments scale, one of the biggest vulnerabilities isn't network misconfiguration, but over-privileged identities. Permanent role assignments (like "Contributor" or "Owner") inherently break the principles of Least Privilege. If an attacker compromises an active admin account, they immediately gain full control.

To address this, we need to shift from static access provisioning to dynamic governance using Azure AD Privileged Identity Management (PIM), Access Reviews, and proactive monitoring. By codifying these governance rules via Infrastructure as Code (Bicep), we ensure that our security posture remains immutable and compliant.

Here is a breakdown of the architecture developed in the Identity Governance Automation project.

1. The Architecture

The goal is to automate the access lifecycle. Instead of users retaining privileges indefinitely, they are assigned "Eligible" rights. They must justify their need when required, and the access automatically expires after a predefined period.

graph TD subgraph "Azure Tenant / Entra ID" User((User)) Admin((Admin)) PIM[Privileged Identity Management] Review[Access Reviews] end subgraph "Azure Subscription" RBAC[Subscription RBAC] ActivityLog[Activity Log Events] end subgraph "SecOps" AlertRule[Azure Monitor Alert] ActionGroup[Action Group: Email Notifier] end User -->|Requests Elevation| PIM PIM -->|Grants Temporarily| RBAC Review -->|Audits/Revokes| RBAC Admin -->|Manual Bypass/Write| RBAC RBAC -.->|Triggers| ActivityLog ActivityLog -.->|Evaluates| AlertRule AlertRule -->|Notifies| ActionGroup

Core Components

2. Implementing Zero Standing Privileges

Why PIM?
Without PIM, users hold their privileges 24/7. With PIM, they "activate" privileges only for the hours they are actually performing administrative work.

By defining PIM eligibility directly in our Bicep modules, we can securely assign roles to object IDs dynamically. 

// Bicep: Creating PIM Eligibility for Contributor
resource roleEligibilityScheduleRequest 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: guid(uniqueString(principalId, roleDefinitionId))
  properties: {
    principalId: principalId
    roleDefinitionId: roleDefinitionId
    requestType: 'AdminAssign'
    scheduleInfo: {
      startDateTime: utcNow()
      expiration: {
        type: 'AfterDuration'
        duration: 'P365D' // Eligible for 1 year
      }
    }
  }
}

This module sets a user as an eligible Contributor for 365 days. The user still has to go through Entra ID PIM to activate the role and specify a justification or ticketing system reference.

3. Automating Attestation (Access Reviews)

Over time, team compositions change. Access creep occurs when people retain permissions they no longer need. Using Azure Access Reviews, we automate the governance loop by requesting the assignees themselves (or their managers) to validate their current access need every quarter.

If a user fails to respond, we can configure the system to automatically revoke access, enforcing the principle of Least Privilege programmatically.

4. Detecting Privilege Escalations

What happens if another malicious administrator manually assigns a permanent role, bypassing PIM entirely? We need observability built directly into our infrastructure to alert SecOps.

We achieve this by deploying an Activity Log Alert targeting the Microsoft.Authorization/roleAssignments/write operation. 

// Bicep: Privilege Escalation Alerting
resource alertRule 'Microsoft.Insights/activityLogAlerts@2020-10-01' = {
  name: 'Alert-RoleAssignment-Created'
  location: 'Global'
  properties: {
    scopes: [ subscription().id ]
    condition: {
      allOf: [
        {
          field: 'category'
          equals: 'Administrative'
        }
        {
          field: 'operationName'
          equals: 'Microsoft.Authorization/roleAssignments/write'
        }
      ]
    }
    actions: {
      actionGroups: [ { actionGroupId: actionGroup.id } ]
    }
  }
}

This rule ensures any new role assignment instantly triggers an alert (e.g., via Email, SMS, or Logic App playbook integration) so that unauthorized privilege escalation is caught in real-time.

Conclusion

Governance is not a one-time checklist; it is an ongoing process. By automating your entitlement lifecycle and access reviews, you lower your operational overhead while substantially improving your security posture against internal and external threats.

<< Return to Project Overview