Sharegate >
Glossary
>
Identity governance

What is identity governance?

Identity governance is how you manage who should have access, how that access gets granted, and how it gets removed when it's no longer needed.

Also known as

Identity governance and administration

Definition

Every user in Microsoft 365 has access to something. The question identity governance asks is: should they?

Access that was right when someone joined might not be right six months later when they change teams. A guest invited for a project may still have access long after that project ended. A contractor whose contract expired may still be in your directory.

Identity governance is the discipline of keeping those answers current.

In Microsoft 365, identity governance runs through Microsoft Entra ID. It covers how access gets provisioned when someone joins, how it changes when they move to a new role, and how it gets removed when they leave. It also covers recurring reviews of existing access, automated policies for guest lifecycle, and controls for privileged accounts. The goal isn't just to clean up. It's to build a repeatable process so the environment stays clean.

tip

Start where the risk is highest: high-impact groups, guests, privileged access, and sensitive workspaces.

Why it matters

Access that nobody reviews accumulates. Guests, stale accounts, and excessive permissions build up quietly until something forces a look. Identity governance is what stops that from happening.

  • Governance & security: Every account that shouldn't have access but does is a potential entry point. Identity governance gives you a repeatable process to find and remove it, rather than relying on one-off cleanups.
  • Migration: A migration is a good time to audit who actually needs to move and what access they should have in the target environment. Migrating stale accounts and excessive permissions creates the same problems in a new place.
  • AI readiness: Copilot surfaces content based on what users can access. Accounts and groups with more access than they need make AI outputs less trustworthy. Identity governance is part of what makes AI safe to deploy.

Commonly confused with: Conditional access

Conditional access controls the conditions under which someone can sign in: device compliance, location, risk level. Identity governance controls whether that person should have access at all. Conditional access enforces access conditions. Identity governance manages the access lifecycle.

ShareGate field notes:

What we see out there

Controls exist. Process doesn't.

Organizations have policies on paper. Access reviews are configured. But nobody owns the results. Reviews expire without action. Guests stay because nobody followed up. The tooling is there. The process behind it isn't.

Visibility is scattered across tools.

Permissions are in SharePoint. Guests are in Entra ID. Sharing links are in Purview. Inactive workspaces are in the admin center. IT teams need one consolidated view of what's happening across the tenant, not five separate reports to correlate manually.

Frequently asked questions

What is IGA?

IGA stands for Identity Governance and Administration. It's the broader enterprise term for the policies, tools, and processes that manage who has access to what, how access is granted and reviewed, and how it's removed. In Microsoft 365, the relevant product is Microsoft Entra ID Governance. It covers entitlement management, access reviews, lifecycle workflows, Privileged Identity Management, and terms of use. You'll hear IGA used more often in enterprise security and compliance conversations than in everyday Microsoft 365 admin work.

How do access reviews fit into identity governance?

Access reviews are one of the main tools identity governance uses to stay current. They run on a schedule (weekly, monthly, quarterly, or annually) and ask reviewers to confirm whether existing access is still needed. If a reviewer doesn't respond, you can configure the review to automatically remove access for anyone who wasn't confirmed. Access reviews can target groups, applications, guest users, or privileged roles. They're part of Microsoft Entra ID Governance and require a Microsoft Entra ID P2 or Entra ID Governance license.

What should be automated?

Automate things that repeat. Provisioning access when someone joins and removing it when they leave can be automated through lifecycle workflows connected to your HR system. Guest access reviews can run automatically on a set cadence and remove guests who don't get reconfirmed. Sharing link policies in ShareGate Protect can delete links that match your conditions daily. The goal is to replace manual, ad hoc admin work with repeatable processes that run without IT having to trigger them.

How does identity governance help with Copilot readiness?

Copilot surfaces content based on what users can access. If accounts and groups have more access than they should, Copilot can surface content to people who shouldn't see it. Identity governance reduces that risk by keeping access current: removing stale accounts, tightening group membership, reviewing guest access, and cleaning up permissions that have grown beyond what's needed. The cleaner your identity layer, the more trustworthy your AI outputs.