What is Identity and Access Management?
The Problem I Wanted to Solve
A few years ago, I set out to solve a problem that had been bothering me for a long time: managing user identities across multiple systems. I was tired of dealing with the chaos of Active Directory, spreadsheets, and manual processes. I wanted to build something better using Microsoft Entra ID (formerly Azure AD).
Project Goals
I defined three main questions I wanted my project to answer:
Who are you? (Identity)
How do I know it's really you? (Authentication)
What are you allowed to do? (Authorization)
In simpler terms, I wanted to create a system that would "get the right people access to the right resources at the right time, while keeping the wrong people out."
My Implementation Approach
Phase 1: Building the Identity Foundation
I started by consolidating identity sources with these components:
Single Source of Truth: I synchronized an on-premises Active Directory with Entra ID using Azure AD Connect.
Identity Lifecycle Automation: I built workflows to automatically provision and deprovision accounts based on HR system triggers.
Self-Service Portal: I implemented self-service password resets and group management features.
Phase 2: Strengthening Authentication
For the authentication layer, I focused on security and usability:
Phased MFA Rollout: I created a gradual MFA deployment using this PowerShell script:
# PowerShell script for phased MFA rollout with Conditional Access (AzureAD module)
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "Office365"

# Target specific groups in phases; keep break-glass accounts in the exclusion group
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeGroups = "pilot-mfa-group-id"
$conditions.Users.ExcludeGroups = "mfa-exception-group-id"

# Require MFA as the grant control
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "mfa"

# Create the policy; -State "EnabledForReportingButNotEnforced" measures impact before enforcing
New-AzureADMSConditionalAccessPolicy `
    -DisplayName "MFA Pilot Phase" `
    -State "Enabled" `
    -Conditions $conditions `
    -GrantControls $controls
Passwordless Authentication: I implemented:
Microsoft Authenticator app push notifications
Windows Hello for Business biometrics
FIDO2 security keys for privileged accounts
Phase 3: Building Access Control and Governance
For the most complex part of the project, I implemented:
Role-Based Access Control (RBAC): I designed this RBAC structure:
// RBAC structure for Microsoft Entra ID
{
  "accessPackages": [
    {
      "displayName": "Finance Department Access",
      "description": "Standard access for finance team members",
      "accessPackageResources": [
        { "resourceDisplayName": "SAP Financial Reporting", "resourceRole": "Viewer" },
        { "resourceDisplayName": "Finance SharePoint", "resourceRole": "Member" },
        { "resourceDisplayName": "Expense Approval System", "resourceRole": "Contributor" }
      ]
    }
  ]
}
Just-In-Time Privileged Access: I implemented time-limited admin elevation:
# PIM activation request for just-in-time admin access (AzureADPreview module)
# Confirm the caller holds an eligible assignment on the target subscription
$roleAssignments = Get-AzureADMSPrivilegedRoleAssignment `
    -ProviderId "AzureResources" `
    -ResourceId "/subscriptions/your-subscription-id" `
    -Filter "subjectId eq 'your-object-id' and assignmentState eq 'Eligible'"

# Build the activation schedule: a 3-hour window starting now
$schedule = New-Object -TypeName Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.Duration = "PT3H"   # ISO 8601 duration format (3 hours)

# Request activation; the reason and ticket are recorded in the PIM audit log.
# RoleDefinitionId is the id returned by Get-AzureADMSPrivilegedRoleDefinition, not the role name.
Open-AzureADMSPrivilegedRoleAssignmentRequest `
    -ProviderId "AzureResources" `
    -ResourceId "/subscriptions/your-subscription-id" `
    -RoleDefinitionId "your-role-definition-id" `
    -SubjectId "your-object-id" `
    -AssignmentState "Active" `
    -Type "UserAdd" `
    -Schedule $schedule `
    -Reason "Scheduled maintenance window (ServiceNow INC12345)"
Access Reviews: I set up quarterly reviews with this script:
# Creating an access review for contractor accounts
New-AzureADMSAccessReview `
    -DisplayName "Quarterly Contractor Access Review" `
    -StartDateTime "2025-03-01" `
    -EndDateTime "2025-03-15" `
    -ReviewerType "Self" `
    -AccessReviewScope @{ "Query" = "userType eq 'Guest' and accountEnabled eq true" }
Project Results
The most surprising outcome wasn't the security improvements; it was the productivity gain. By implementing Single Sign-On (SSO), users saved about 15 minutes per day in login time and password resets.
Here's an example of how I configured SSO:
// SSO configuration for a SAML application
{
"entityId": "https://app.example.com",
"assertionConsumerService": {
"url": "https://app.example.com/saml/acs",
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
},
"attributeStatements": [
{
"type": "http://schemas.microsoft.com/identity/claims/objectidentifier",
"attributeName": "user_id"
},
{
"type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"attributeName": "email"
},
{
"type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"attributeName": "first_name"
},
{
"type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
"attributeName": "last_name"
}
]
}
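On the service-provider side, the attribute statements above have to be mapped onto the application's user record, and the assertion's Audience and validity window should be checked before those values are trusted. The following is an added example, not code from the original post; it assumes the SAML library has already verified the XML signature, and the claim values in the sample assertion are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim URI -> application attribute name, copied from the SSO configuration above
ATTRIBUTE_MAP = {
    "http://schemas.microsoft.com/identity/claims/objectidentifier": "user_id",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name",
}

def parse_saml_time(value):  # SAML timestamps are UTC, e.g. 2025-03-01T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def map_assertion(assertion_xml, expected_audience, now):
    """Return {app_attribute: value}; raise ValueError if the assertion is not for
    this app, is outside its validity window, or lacks a configured claim.
    Assumes the XML signature was already verified by the SAML library."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    if not (parse_saml_time(cond.get("NotBefore")) <= now
            < parse_saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not issued for this application")
    user = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        field = ATTRIBUTE_MAP.get(attr.get("Name"))
        if field is None:
            continue  # ignore claims the application did not ask for
        value = attr.find("saml:AttributeValue", NS)
        user[field] = value.text if value is not None else None
    missing = sorted(set(ATTRIBUTE_MAP.values()) - set(user))
    if missing:
        raise ValueError(f"missing claims: {missing}")
    return user

def sample_assertion(claims, audience="https://app.example.com"):
    # Constructed test assertion (signature omitted, not from a real tenant)
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                    '</saml:AttributeValue></saml:Attribute>' for n, v in claims.items())
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            '<saml:Conditions NotBefore="2025-03-01T10:00:00Z" NotOnOrAfter="2025-03-01T11:00:00Z">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>')
```

Calling `map_assertion(sample_assertion(claims), "https://app.example.com", parse_saml_time("2025-03-01T10:30:00Z"))` yields the four mapped fields; an assertion for a different audience, an expired one, or one missing a configured claim is rejected.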
Challenges I Faced
My project wasn't without difficulties. Here are three key lessons:
Technical Debt Accumulates Quickly: I learned to prioritize identity consolidation immediately during system integrations.
Security vs. Usability Balance: Finding the right balance is crucial. Too strict policies can disrupt work, while loose ones create vulnerabilities.
Automation Is Essential: I automated everything through Microsoft Graph API after experiencing errors in manual processes.
How You Can Build Something Similar
If you want to create your own identity system with Microsoft Entra ID, here's what I recommend:
Start with Identity Secure Score to get actionable recommendations.
Implement Dynamic Groups:
# Creating a dynamic group based on department
New-AzureADMSGroup `
    -DisplayName "Marketing Department" `
    -Description "All marketing department employees" `
    -MailEnabled $False `
    -SecurityEnabled $True `
    -MailNickname "marketing" `
    -GroupTypes "DynamicMembership" `
    -MembershipRule "user.department -eq ""Marketing""" `
    -MembershipRuleProcessingState "On"
Use a Tiered Admin Model to separate privileges.
Set Up Monitoring and Alerts for suspicious activities:
GET https://graph.microsoft.com/v1.0/identityProtection/riskDetections?$filter=riskState eq 'confirmedCompromised'
Authorization: Bearer {token}
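Graph returns risk detections in pages, so an alerting job that only reads the first response silently misses detections. The block below is an added example (not from the original post) that follows `@odata.nextLink` to the end and summarises the confirmed-compromised detections per user; `fetch_page` is assumed to be any callable that fetches a URL with the bearer token and returns the decoded JSON body, and the sample pages are constructed.

```python
from collections import defaultdict

GRAPH = "https://graph.microsoft.com/v1.0"
RISK_QUERY = GRAPH + "/identityProtection/riskDetections?$filter=riskState eq 'confirmedCompromised'"

def iter_risk_detections(fetch_page, url=RISK_QUERY):
    """Yield every detection, following @odata.nextLink until the last page."""
    while url:
        body = fetch_page(url)
        yield from body.get("value", [])
        url = body.get("@odata.nextLink")  # absent on the final page

def summarise_by_user(detections):
    """Return {upn: {"risk_levels": set, "event_types": [...], "latest": iso-timestamp}}."""
    summary = defaultdict(lambda: {"risk_levels": set(), "event_types": [], "latest": ""})
    for d in detections:
        entry = summary[d["userPrincipalName"]]
        entry["risk_levels"].add(d["riskLevel"])
        if d["riskEventType"] not in entry["event_types"]:
            entry["event_types"].append(d["riskEventType"])
        entry["latest"] = max(entry["latest"], d["detectedDateTime"])
    return dict(summary)

# Constructed sample pages shaped like the Graph response (not real tenant data);
# the second page is reached only through @odata.nextLink
SAMPLE_PAGES = {
    RISK_QUERY: {"value": [
        {"userPrincipalName": "alice@example.com", "riskEventType": "anonymizedIPAddress",
         "riskLevel": "medium", "riskState": "confirmedCompromised",
         "detectedDateTime": "2025-03-01T08:15:00Z"},
        {"userPrincipalName": "bob@example.com", "riskEventType": "unfamiliarFeatures",
         "riskLevel": "high", "riskState": "confirmedCompromised",
         "detectedDateTime": "2025-03-01T09:00:00Z"},
    ], "@odata.nextLink": RISK_QUERY + "&$skiptoken=page2"},
    RISK_QUERY + "&$skiptoken=page2": {"value": [
        {"userPrincipalName": "alice@example.com", "riskEventType": "unlikelyTravel",
         "riskLevel": "high", "riskState": "confirmedCompromised",
         "detectedDateTime": "2025-03-01T10:45:00Z"},
    ]},
}

def demo():
    """Run the summary over the constructed pages (a real job passes an HTTP fetcher)."""
    return summarise_by_user(iter_risk_detections(SAMPLE_PAGES.__getitem__))
```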
Future Improvements
For the next version of my project, I'm exploring:
Decentralized Identity with verifiable credentials
Continuous Access Evaluation during user sessions
Complete Passwordless Authentication at scale
I've thoroughly enjoyed building this identity system. It's not just about security; it's about creating a seamless experience while protecting valuable resources. I'm excited to continue evolving it with new Microsoft Entra ID capabilities.
Have you built something similar? I'd love to hear about your projects and exchange ideas!