メインコンテンツへスキップ

Identify on-premises groups needed to manage access per app and resource inventory

Implementation Effort: High – IT and identity teams must collaborate with application and resource owners to map access requirements to existing or new on-premises groups, and configure synchronization and governance policies accordingly.

User Impact: Low – This task is administrative in nature and does not require direct user involvement or communication.

Overview

Identifying on-premises Active Directory (AD) groups required for managing access to applications and resources is a foundational step in establishing effective identity governance within a hybrid environment. This process involves cataloging applications and resources, determining their access requirements, and mapping these requirements to specific AD groups. For applications that rely on group-based access control, it's essential to identity the appropriate AD groups are in place and accurately reflect the intended access policies.

In hybrid scenarios, where organizations utilize both on-premises and cloud resources, Microsoft Entra ID can be integrated with on-premises AD to manage and govern access across the environment. By synchronizing AD groups to Microsoft Entra ID using tools like Microsoft Entra Connect or Microsoft Entra Cloud Sync, organizations can leverage cloud-based identity governance features such as access reviews, and entitlement management

This approach aligns with the Zero Trust principles by enforcing "Verify explicitly" through continuous validation of group memberships and access rights, and "Use least privilege access" by ensuring users have only the access necessary for their roles. Failure to properly identify and manage these groups can result in over-provisioned access, security vulnerabilities, and compliance risks.

Reference