Navigating User Access Review: Microsoft Entra vs. SailPoint IdentityNow


User Access Review (UAR) stands as a pivotal control mechanism in organizational security, ensuring access privileges are finely tuned to users' roles and duties. While it serves as a cornerstone for compliance frameworks such as NIST, ISO 27001, and more, UAR's essence lies in fortifying defenses against unauthorized access and averting the perils of data breaches and insider threats.

In this blog, we explore the UAR capabilities of Microsoft Entra and SailPoint IdentityNow, elucidating how these platforms can be leveraged to conduct UAR effectively.

What you can review

The primary objective of UAR is to ensure that every individual within the organization possesses appropriate permissions across all systems. This concept is closely intertwined with the entitlements and data model within the platform, as discussed in my previous blog post. At a high level, Microsoft's approach to UAR is user-centric, specifically distinguishing between guest and member users; whereas SailPoint encompasses various aspects of objects within the system and offers query-based resource scope.

Figure: Review Scope: Microsoft Entra vs SailPoint IdentityNow

Who can review

When it comes to the reviewer, both platforms provide flexibility in specifying reviewers and allow delegation in the reviewer's absence. An interesting contrast arises with the concept of "Self-review": While Microsoft Entra offers this feature, SailPoint IdentityNow incorporates built-in processes to prevent individuals from reviewing and approving their own access or requests.

Figure: Reviewer: Microsoft Entra vs SailPoint IdentityNow

How you review

Now that you've defined the scope and identified the reviewers, it's time to engage stakeholders and initiate a User Access Review (UAR) campaign for access hygiene exercises. A typical UAR campaign encompasses the following stages, as illustrated in the diagram below, and is typically scheduled at regular intervals:

Figure: UAR Campaign

  1. Campaign Kick-Off: This phase involves initiating the certification campaign. The duration of this stage depends largely on the complexity of the certification.
  2. Campaign Generation/Preview: This is an administrative window where stakeholders can preview the certification campaign before it is officially launched.
  3. Campaign Start: Reviewers can access the certification on their Launchpad and make decisions. This stage continues until the certification is either signed off or the Administrator closes the campaign.
  4. Campaign End: Upon completion, the certification is either signed off or closed by the Certification Admin. Remediation is then initiated according to the review decisions.

Both Microsoft Entra and SailPoint IdentityNow support the full lifecycle of UAR, including built-in email notifications. In the absence of a reviewer, Microsoft Entra allows for specifying a fallback reviewer, while SailPoint IdentityNow enables work item reassignment.

Practical Use Cases

Let's delve into how both platforms can be optimally utilized for a comprehensive access review.

  1. Guest User Self-Review: If you're concerned about uncontrolled stale access granted to external users and facing challenges in identifying reviewers, Microsoft Entra offers an effective solution. Initiate a self-review campaign for these guest users using Microsoft Entra, empowering you to revoke their access based on their activities or non-response.
  2. Manager Review of All Direct Reports' Database Access: Suppose you need to regularly review the access of your database team to meet compliance requirements. SailPoint IdentityNow features a manager-based view, enabling you to generate assessments targeting all database systems. This functionality ensures efficient and compliant access management within your organization.
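To make the campaign lifecycle, reviewer assignment, and end-of-campaign handling concrete, here is an added illustrative model in Python. It is not code from Microsoft Entra, SailPoint IdentityNow, or the author; the class names, the "fallback reviewer" and "no self-review" rules, the 30-day inactivity threshold, and all identities and resources below are constructed assumptions. It walks through both use cases: a guest self-review where non-responders are decided by an activity-based recommendation, and a manager review where a team lead is blocked from certifying their own access and an unanswered item defaults to deny.

```python
# Constructed UAR campaign model (added example; not Entra or SailPoint code).
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    APPROVE = "approve"
    DENY = "deny"
    RECOMMENDATION = "recommendation"  # default policy: decide from activity


@dataclass(frozen=True)
class Entitlement:
    user: str
    user_type: str            # "guest" or "member"
    resource: str
    last_used: Optional[date]  # None means never used


@dataclass
class Campaign:
    name: str
    start: date
    duration_days: int
    reviewer_of: Dict[str, str]     # user -> primary reviewer; missing = self
    fallback_reviewer: str          # used when the primary reviewer is unavailable or not allowed
    allow_self_review: bool         # Entra-style True, SailPoint-style False (assumed model)
    default_decision: Decision      # applied to items nobody answered
    inactive_after_days: int = 30   # assumed inactivity threshold
    decisions: Dict[Tuple[str, str], Decision] = field(default_factory=dict)

    @property
    def deadline(self) -> date:
        return self.start + timedelta(days=self.duration_days)

    def reviewer_for(self, ent: Entitlement) -> str:
        """Campaign Generation: resolve who certifies this entitlement."""
        reviewer = self.reviewer_of.get(ent.user, ent.user)
        if reviewer == ent.user and not self.allow_self_review:
            return self.fallback_reviewer  # nobody certifies their own access
        return reviewer

    def recommend(self, ent: Entitlement, today: date) -> Decision:
        """Activity-based recommendation: deny access unused beyond the threshold."""
        if ent.last_used is None or (today - ent.last_used).days > self.inactive_after_days:
            return Decision.DENY
        return Decision.APPROVE

    def record(self, reviewer: str, ent: Entitlement, decision: Decision, today: date) -> None:
        """Campaign Start: only the assigned reviewer may decide, and only before the deadline."""
        if today > self.deadline:
            raise ValueError(f"{self.name}: campaign window closed on {self.deadline}")
        if reviewer != self.reviewer_for(ent):
            raise PermissionError(f"{reviewer} may not review {ent.user}/{ent.resource}")
        if decision is Decision.RECOMMENDATION:
            raise ValueError("reviewers must record approve or deny")
        self.decisions[(ent.user, ent.resource)] = decision

    def close(self, entitlements: List[Entitlement], today: date) -> Dict[Tuple[str, str], Decision]:
        """Campaign End: explicit decisions win; non-response gets the default policy."""
        outcome = {}
        for ent in entitlements:
            key = (ent.user, ent.resource)
            decision = self.decisions.get(key, self.default_decision)
            if decision is Decision.RECOMMENDATION:
                decision = self.recommend(ent, today)
            outcome[key] = decision
        return outcome


# Constructed sample data for the two use cases.
GUESTS = [
    Entitlement("alice@partner.example", "guest", "SharePoint:Project-X", date(2024, 5, 25)),
    Entitlement("bob@vendor.example", "guest", "SharePoint:Project-X", date(2024, 1, 10)),
    Entitlement("carol@vendor.example", "guest", "Teams:Finance", None),
]
DB_TEAM = [
    Entitlement("dave@corp.example", "member", "Oracle:PROD", date(2024, 5, 30)),
    Entitlement("erin@corp.example", "member", "Postgres:PROD", date(2024, 5, 30)),
]


def run_guest_self_review() -> Dict[Tuple[str, str], Decision]:
    """Use case 1: guests review themselves; silence is resolved by activity."""
    c = Campaign("Q2 guest self-review", date(2024, 5, 20), 14, {}, "it-admin@corp.example",
                 allow_self_review=True, default_decision=Decision.RECOMMENDATION)
    c.record("alice@partner.example", GUESTS[0], Decision.APPROVE, today=date(2024, 5, 22))
    # bob and carol never respond; closing the campaign decides them by inactivity.
    return c.close(GUESTS, today=date(2024, 6, 4))


def run_manager_review() -> Dict[Tuple[str, str], Decision]:
    """Use case 2: team lead erin reviews reports; her own access goes to the fallback."""
    c = Campaign("DB access manager review", date(2024, 6, 1), 7,
                 {"dave@corp.example": "erin@corp.example", "erin@corp.example": "erin@corp.example"},
                 "ciso-delegate@corp.example", allow_self_review=False, default_decision=Decision.DENY)
    c.record("erin@corp.example", DB_TEAM[0], Decision.APPROVE, today=date(2024, 6, 2))
    try:
        c.record("erin@corp.example", DB_TEAM[1], Decision.APPROVE, today=date(2024, 6, 2))
    except PermissionError:
        pass  # self-review blocked; the fallback reviewer never answers, so default applies
    return c.close(DB_TEAM, today=date(2024, 6, 9))


if __name__ == "__main__":
    for key, d in {**run_guest_self_review(), **run_manager_review()}.items():
        print(f"{key[0]:28} {key[1]:22} {d.value}")
```

The two defaults are the point worth noticing: with an activity-based default, an unanswered guest item is revoked only if the access looks stale, whereas with a hard deny default an unanswered item is revoked regardless, which is the stricter posture for privileged database access.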


More articles by Tracy Yu
