2.1) Identity Lifecycle
1. Source of Authority (SoA) & Synchronization
- The Golden Rule of Hybrid: In a directory-synchronized environment Active Directory (On-Premises) is the Source of Authority.
- You cannot edit synced attributes (Name, Manager, Department, ProxyAddresses) directly in Entra ID or the M365 Admin Center. You must modify them on-premises and wait for the sync (or force it).
- Sync Engines:
- Entra Connect Sync (formerly AAD Connect): The legacy/standard engine. Syncs every 30 minutes. Requires an on-premises server.
- Entra Cloud Sync: The modern, lightweight agent. Syncs every 2 minutes. Used for disconnected forests or simpler topologies.
- Hard vs. Soft Match: When a person already exists as a cloud-only user in Entra ID and is later synced from on-premises AD, understand how Entra ID decides whether to join the two objects or create a duplicate. Entra tries a hard match first and falls back to a soft match.
- Soft Match: Matches on `UserPrincipalName` or the primary SMTP address (from `proxyAddresses`). Sufficient when the cloud-first account was created with the same UPN/e-mail as the AD account.
- Hard Match: Matches on the `SourceAnchor` (by default `ms-DS-ConsistencyGuid`, which Connect populates from the on-premises `ObjectGUID`; older installations use `ObjectGUID` directly). It is stored in Entra as a Base64 string called `ImmutableID`. Once a user is synced, `ImmutableID` is read-only in the cloud, so duplicates are fixed by stamping the anchor on the cloud-only object before it is synced, not afterwards.
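The hard-match workflow above as an added example (not code from the original notes): compute the `ImmutableID` from the on-premises `ObjectGUID`, compare it with what Entra holds, and stamp it on a cloud-only duplicate so the next sync joins the objects instead of creating a second user. The UPN `jdoe@contoso.com` is a placeholder, and the example assumes the Connect server uses `ObjectGUID`-derived anchors; if your anchor is `ms-DS-ConsistencyGuid`, read that attribute instead.

```powershell
# Added example, not from the original page. Assumes: ActiveDirectory and
# Microsoft.Graph.Users modules; jdoe@contoso.com is a placeholder UPN;
# sourceAnchor is derived from objectGUID (default for ms-DS-ConsistencyGuid too).
$Upn = 'jdoe@contoso.com'

# 1. Expected ImmutableID = Base64 of the 16-byte objectGUID.
$adUser      = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
$immutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# 2. What does Entra currently have for that UPN?
Connect-MgGraph -Scopes 'User.ReadWrite.All'
$cloudUser = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId

if ($cloudUser.OnPremisesImmutableId -eq $immutableId) {
    Write-Host "Hard match already in place for $Upn ($immutableId)"
}
elseif ($cloudUser.OnPremisesSyncEnabled) {
    # Synced, but anchored to a *different* AD object (re-created account or a true
    # duplicate). ImmutableID is read-only here; investigate rather than overwrite.
    throw "$Upn is synced with ImmutableID $($cloudUser.OnPremisesImmutableId), expected $immutableId"
}
else {
    # Cloud-only object: stamp the anchor so the next sync hard-matches it.
    Update-MgUser -UserId $cloudUser.Id -OnPremisesImmutableId $immutableId
    Write-Host "Stamped ImmutableID on $Upn. Now run on the Connect server:"
    Write-Host '  Start-ADSyncSyncCycle -PolicyType Delta'
}

# Reverse direction: turn an ImmutableID seen in Entra back into the AD GUID.
function ConvertFrom-ImmutableId([string]$Base64) {
    [guid]::new([System.Convert]::FromBase64String($Base64))
}
```

If the UPN in AD differs from the cloud UPN (for example after a domain rename), a soft match will not fire; stamping the anchor this way is the only way to avoid a duplicate.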
2. The JML Process (Joiners, Movers, Leavers)
- Joiners (Onboarding):
- Flow: HR System -> Active Directory -> Entra ID -> Licensing Group -> Mailbox/OneDrive Provisioned.
- Licensing: Never assign licenses directly to the user. Add the user to an Entra ID Security Group configured for Group-Based Licensing.
- Pre-Provisioning: M365 services (like Exchange and OneDrive) do not fully provision until the user is licensed and the backend service registers the license. Do not panic if a mailbox isn’t instantly available after sync.
- Movers (Transitions):
- Access Accumulation: The biggest security risk. When users change departments, they often retain their old access.
- Mitigation: Rely on Dynamic Security Groups keyed on the `Department` or `Title` attribute, so that access granted through those groups is removed automatically when HR updates the attribute and it syncs. Access granted outside the group model (direct app assignments, nested static groups) is not touched by this and still needs a review.
- Leavers (Offboarding):
- Standard Enterprise Workflow:
- Reset/scramble the password on-premises and disable the AD account (for synced users the cloud password follows on the next password hash sync).
- Block sign-in in Entra ID immediately, rather than waiting on the sync cycle.
- Revoke active refresh tokens (force sign-out). Access tokens already issued stay valid until they expire (about an hour by default), so this does not cut off every session instantly.
- Wipe corporate data from personal devices (Intune App Protection) or wipe corporate devices.
- Convert to a shared mailbox, then remove the M365 license (to free up the license pool while retaining data). A shared mailbox needs no license only while it is under 50 GB and has no archive or litigation hold.
- Move the user to a disabled OU on-premises. If that OU is inside the sync scope the account syncs as disabled; if it is outside the scope, Entra soft-deletes the cloud user (30-day recycle bin) and the shared mailbox with it, so keep the OU in scope when the data must remain.
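The leaver workflow above as one runbook, added here as an example (not code from the original notes). It assumes a directory-synced user, a group-based licensing group named `LIC-M365-E3`, and an OU `OU=Disabled Users,DC=contoso,DC=com` that stays inside the sync scope; all three names are placeholders.

```powershell
# Added example, not from the original page. Assumed names: leaver UPN, the
# licensing group 'LIC-M365-E3' and the OU 'OU=Disabled Users,DC=contoso,DC=com'.
# Modules: ActiveDirectory, Microsoft.Graph.Users, Microsoft.Graph.Groups,
# ExchangeOnlineManagement.
param(
    [Parameter(Mandatory)] [string]$Upn,
    [string]$LicenseGroup = 'LIC-M365-E3',
    [string]$DisabledOu   = 'OU=Disabled Users,DC=contoso,DC=com'
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All'
Connect-ExchangeOnline -ShowBanner:$false

$cloudUser = Get-MgUser -UserId $Upn -Property Id, OnPremisesSyncEnabled
$adUser    = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"

# 1. Scramble the on-prem password with 32 random bytes (nobody needs to know it)
#    and disable the AD account, so the disabled state survives the next sync.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPw = ConvertTo-SecureString ([System.Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $adUser -Reset -NewPassword $newPw
Disable-ADAccount    -Identity $adUser

# 2. Block sign-in in the cloud right now instead of waiting for the sync cycle.
Update-MgUser -UserId $cloudUser.Id -AccountEnabled:$false

# 3. Revoke refresh tokens. Issued access tokens remain valid until they expire.
Revoke-MgUserSignInSession -UserId $cloudUser.Id | Out-Null

# 4. Convert to shared *before* the license disappears; otherwise the mailbox
#    enters its grace period and can be lost. Check the 50 GB / hold caveat first.
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.LitigationHoldEnabled -or $mbx.ArchiveStatus -eq 'Active') {
    Write-Warning "$Upn has a hold or archive; it still needs a license after conversion."
}
Set-Mailbox -Identity $Upn -Type Shared

# 5. Remove the license by group membership, never by direct assignment.
$group = Get-MgGroup -Filter "displayName eq '$LicenseGroup'"
Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $cloudUser.Id

# 6. Park the object in the disabled OU. This OU is assumed to be *in* sync scope;
#    an out-of-scope OU would soft-delete the cloud user and the shared mailbox.
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $DisabledOu
```

Step 1 and step 2 are deliberately both present: a cloud-side block on a synced user can be reverted by a later export of that object, and an on-prem disable alone only reaches the cloud after the next sync cycle.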
3. Identity Governance & Entitlement Management (Requires Entra ID P2)
- Access Packages: Used to bundle resources (SharePoint sites, Teams, Entra Groups, Enterprise Apps) into a single requestable package.
- Access Reviews: Automated campaigns asking managers or resource owners to attest to whether users still need access to a specific group or application. Crucial for auditing privileged access.
- Privileged Identity Management (PIM):
- Nobody should hold standing (permanently active) membership in admin roles (e.g., Global Administrator, Exchange Administrator); administrators are made eligible for the role instead.
- PIM requires eligible admins to "elevate" just-in-time (JIT) for a bounded duration (e.g., 4 hours). The role's activation policy can additionally require MFA, a justification, a ticket number and approval, and every activation lands in the audit log.
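What a JIT activation looks like from the command line, added here as an example (not code from the original notes). It assumes the caller is already eligible for Exchange Administrator at tenant scope, that the role's policy asks for a justification and ticket, and uses `CHG-1234`/`ServiceNow` as placeholder ticket values.

```powershell
# Added example, not from the original page. Assumes the signed-in account is
# *eligible* for Exchange Administrator; ticket values are placeholders.
# Module: Microsoft.Graph.Identity.Governance (v1.0 cmdlets).
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.Read.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory'

$meId = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me?$select=id')['id']
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"

# What can this account activate? Eligible (not active) assignments only.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$meId'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, MemberType

# Self-activate for 4 hours; after that the assignment expires on its own.
$request = @{
    action           = 'selfActivate'
    principalId      = $meId
    roleDefinitionId = $role.Id
    directoryScopeId = '/'                      # tenant-wide; use an AU id for scoped roles
    justification    = 'Investigating mail-flow incident'
    ticketInfo       = @{ ticketNumber = 'CHG-1234'; ticketSystem = 'ServiceNow' }
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'AfterDuration'; duration = 'PT4H' }
    }
}
$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request

# 'Provisioned' means active now; 'PendingApproval' if the policy requires an approver.
$result | Select-Object Id, Status, Action
```

MFA is not something the script supplies: if the activation policy demands it, the Graph call fails unless the token was obtained with MFA, which is exactly the control you want.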
4. Dynamic Groups & Attributes
- Rule Syntax: Used heavily for automated licensing and app deployment.
- Example: `(user.department -eq "Sales") -and (user.accountEnabled -eq true)`
- Processing Delay: Dynamic group membership is not instant. In a large tenant, it can take anywhere from a few minutes to several hours to recalculate after an attribute change.
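The rule above turned into a licensing group, added here as an example that also covers the group-based licensing point from the Joiners section (not code from the original notes). Group name `LIC-Sales-M365`, the SKU part number `ENTERPRISEPACK` and the user `sales.user@contoso.com` are assumed values; dynamic membership requires Entra ID P1.

```powershell
# Added example, not from the original page. Assumed: group name, SKU part
# number and the sample UPN. Modules: Microsoft.Graph.Groups,
# Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'LicenseAssignment.ReadWrite.All',
                        'Organization.Read.All', 'User.Read.All'

$rule = '(user.department -eq "Sales") -and (user.accountEnabled -eq true)'

# Dynamic security group; processing state 'On' starts evaluation immediately.
$group = New-MgGroup -DisplayName 'LIC-Sales-M365' -MailNickname 'lic-sales-m365' `
    -MailEnabled:$false -SecurityEnabled:$true `
    -GroupTypes @('DynamicMembership') -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Attach the license to the group, never to individual users.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'ENTERPRISEPACK'
Set-MgGroupLicense -GroupId $group.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# Membership is computed asynchronously, so poll rather than assume.
function Wait-DynamicMember {
    param([string]$GroupId, [string]$UserId, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ids = Get-MgGroupMember -GroupId $GroupId -All | Select-Object -ExpandProperty Id
        if ($ids -contains $UserId) { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

# A Sales user whose on-prem 'department' attribute has just synced.
$u = Get-MgUser -UserId 'sales.user@contoso.com' -Property Id, Department, AccountEnabled
if (Wait-DynamicMember -GroupId $group.Id -UserId $u.Id) {
    # Licensing failures (no free seats, conflicting plans) show up per user, not on the group.
    Get-MgUser -UserId $u.Id -Property LicenseAssignmentStates |
        Select-Object -ExpandProperty LicenseAssignmentStates |
        Select-Object SkuId, State, Error
} else {
    Write-Warning "Not a member after the timeout: check the attribute value and sync status."
}
```

The per-user `LicenseAssignmentStates` check is the part people skip: a user can be in the group with `State = Error` and still have no mailbox, which looks exactly like the pre-provisioning delay described under Joiners.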
5. Essential PowerShell Cmdlets (Microsoft Graph)
- Connection:
  `Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"`
- Troubleshooting Sync/Attributes:
  `Get-MgUser -UserId user@domain.com -Property OnPremisesSyncEnabled, OnPremisesImmutableId, UserPrincipalName` (with `-Property` only the listed attributes are returned, so add `Id` if you need it)
- Offboarding Actions:
  `Update-MgUser -UserId user@domain.com -AccountEnabled:$false` (Block Sign-in)
  `Revoke-MgUserSignInSession -UserId user@domain.com` (invalidates all refresh tokens across devices/apps; already-issued access tokens remain valid until they expire)
- Group Management:
  `Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')"` (Lists all dynamic groups)