:: CLOUD_SECURITY // ARCHITECTURE

Identity Governance Automation.

A production-ready reference implementation of Identity Governance operations in Microsoft Azure. Demonstrating Infrastructure as Code (IaC), Privileged Identity Management (PIM), and Access Reviews.

Microsoft Entra ID Azure PIM Azure Bicep Azure Monitor

VIEW_REPOSITORY

📖 Executive Summary

This project demonstrates an automated, secure Identity Governance lifecycle adhering to the principles of Least Privilege and Zero Trust.

Unlike manual role assignments, this implementation focuses on dynamic governance, utilizing Azure AD Privileged Identity Management (PIM) for temporal eligibility, enforcing compliance via Access Reviews, and monitoring for privilege escalations through Azure Monitor Activity Log Alerts.

🏗️ Architecture

>> Read: Deep Dive into Automated Identity Governance

🛠️ Technology Stack

Infrastructure as Code: Azure Bicep (Modularized design)
Identity & Governance:
- Microsoft Entra ID (Azure AD)
- Privileged Identity Management (PIM)
- Access Reviews
Monitoring & SecOps:
- Azure Monitor (Activity Log Alerts)
- Azure Action Groups (Email Notifications)

🚀 Key Features

1. Privileged Identity Management (PIM)

Temporary Elevation: Standard, permanent role assignments (like Contributor) are shifted to "Eligible" assignments requiring deliberate, time-bound activation.
Least Privilege Enforcement: By default, the eligibility lasts for 1 year and allows the user to assume the role only when needed.

2. Automated Access Reviews

Attestation: Initiates a recurring Azure AD Access Review Schedule (Quarterly).
Justification Requirements: Demands justification from assignees regarding why they still need elevated access to prevent privilege creep.

3. Privilege Escalation Alerts

Continuous Monitoring: Hooks into the Microsoft.Authorization/roleAssignments/write API event within Azure Monitor.
Instant Notifications: An Action Group dispatches administrative email alerts detailing any persistent or newly created role assignments that bypass PIM.

📂 Repository Structure

/
├── modules/                 # Reusable Bicep modules
│   ├── rbac-pim.bicep       # Sets up Contributor eligibility via PIM
│   ├── access-reviews.bicep # Creates quarterly attestation reviews
│   └── alerts.bicep         # Provisions privilege escalation alerts
├── main.bicep               # Orchestrator for subscription deployment
└── README.md                # System documentation

💻 Getting Started

Prerequisites

Azure Subscription
Azure CLI (az login)
Owner or Role Based Access Control Administrator permissions over the Subscription
Microsoft Entra ID P2 License (Required for PIM and Access Reviews functionality)

Deployment Instructions

# Clone the repository
git clone https://github.com/sammyonyekwere/Identity-Governance-Automation.git

# Navigate to the directory
cd Identity-Governance-Automation

# Set the variables for the deployment
PRINCIPAL_ID=""
ALERT_EMAIL=""
LOCATION="eastus"

# Deploy the Bicep template
az deployment sub create \
  --name "IdentityGovernanceDeployment" \
  --location "$LOCATION" \
  --template-file main.bicep \
  --parameters principalId="$PRINCIPAL_ID" alertEmailAddress="$ALERT_EMAIL"

Roadmap

Integration with Azure Policy to automatically block permanent role assignments entirely. Add Terraform alternative for multi-cloud platform deployments. Implement multi-stage approval flows for PIM role activation.