
Entra.News - Your weekly dose of Microsoft Entra
What an ID Governance Consultant Wishes You Knew About Entra
Why It Matters
Effective identity governance is a cornerstone of modern security, reducing risk from lingering permissions and streamlining onboarding/offboarding at scale. As organizations adopt cloud services like Microsoft Entra, understanding these best practices helps IT teams avoid costly access breaches and operational delays, making the episode timely for anyone managing digital identities.
Key Takeaways
- Automate user lifecycle to prevent perpetual access accumulation
- Use directory extensions for custom attributes beyond default fields
- Base policies on immutable object IDs, not mutable UPNs
- Map every role change, not just onboarding/offboarding, in governance
Pulse Analysis
In this episode, Sandra Saluti breaks down why identity governance isn’t an afterthought but the backbone of secure Azure AD and Microsoft Entra environments. She explains that unmanaged user accounts quickly become a liability when access rights pile up across projects, leading to “snowball” permissions that never expire. By automating the entire user lifecycle—onboarding, role changes, re‑hires, and off‑boarding—organizations can enforce policy‑driven access at the right time, reducing manual ticket churn and preventing security gaps.
Saluti highlights practical tools such as directory extensions and custom security attributes to capture nuanced lifecycle states that job title or department alone can’t describe. She walks through building HR‑driven integrations that tag users with attributes indicating pre‑hire, late‑hire, or re‑hire status, then leverages Entra’s lifecycle workflows and access packages to assign licenses and group memberships automatically. This approach eliminates the need for massive code bases while keeping logs transparent for IT staff, making troubleshooting a matter of checking attribute values rather than digging through custom scripts.
The conversation closes with hard‑won best practices: always target immutable object IDs or external IDs in dynamic groups and conditional access policies, and never rely on mutable identifiers like UPNs or domain names. Simple group expiry settings won’t handle the myriad exceptions of real‑world projects; instead, map every role transition through detailed flow diagrams and validate each step with monitoring. By marrying business process insight with Entra’s pre‑configured governance features, companies can achieve scalable, auditable identity management without endless manual reviews.
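As an added illustration of the two points above (HR‑driven lifecycle states and matching on immutable identifiers), here is example code that is not from the episode or from Microsoft: it derives a pre‑hire, late‑hire, re‑hire, active or offboarded state for each HR record and looks up the existing directory object by an assumed immutable employee ID held in a directory extension, so a re‑hire whose UPN changed is still recognised. The 14‑day pre‑hire window, the state names and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

PRE_HIRE_WINDOW = timedelta(days=14)  # assumed policy: provision 14 days before start

@dataclass(frozen=True)
class HrRecord:
    employee_id: str          # immutable HR key that directory objects are tagged with
    upn: str                  # mutable (name changes, domain moves); never used for matching
    start_date: date
    end_date: Optional[date]  # None while employed

@dataclass(frozen=True)
class DirectoryUser:
    object_id: str            # immutable Entra object ID
    employee_id: str          # held in a directory extension / custom security attribute
    upn: str
    enabled: bool

def lifecycle_state(rec: HrRecord, today: date,
                    directory: Dict[str, DirectoryUser]) -> str:
    """Return the lifecycle attribute value a workflow would key on."""
    existing = directory.get(rec.employee_id)   # lookup by immutable key, not UPN
    if rec.end_date is not None and rec.end_date < today:
        return "Offboarded"
    if rec.start_date > today:
        return "PreHire" if rec.start_date - today <= PRE_HIRE_WINDOW else "Future"
    if existing is None:
        return "LateHire"      # already started but never provisioned: escalate
    if not existing.enabled:
        return "ReHire"        # disabled account with the same employee_id: reactivate
    return "Active"

# Constructed sample data: Alice returns under a new UPN, so a UPN match would miss her.
DIRECTORY = {
    "E1001": DirectoryUser("11111111-1111-1111-1111-111111111111", "E1001",
                           "alice.old@contoso.example", enabled=False),
    "E1002": DirectoryUser("22222222-2222-2222-2222-222222222222", "E1002",
                           "bob@contoso.example", enabled=True),
}
RECORDS = [
    HrRecord("E1001", "alice.new@contoso.example", date(2024, 6, 1), None),
    HrRecord("E1002", "bob@contoso.example", date(2020, 1, 6), None),
    HrRecord("E1003", "carol@contoso.example", date(2024, 6, 10), None),
    HrRecord("E1004", "dan@contoso.example", date(2024, 5, 20), None),
    HrRecord("E1005", "eve@contoso.example", date(2019, 3, 4), date(2024, 5, 31)),
]
TODAY = date(2024, 6, 3)
```

Running `lifecycle_state` over `RECORDS` yields ReHire, Active, PreHire, LateHire and Offboarded respectively; the resulting value is what a lifecycle workflow or access package policy would read from the attribute instead of inferring it from a job title.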
Episode Description
Entra ID Governance Deep Dive with Sandra Saluti