
Microsoft Entra Identity Governance — Entitlement, Reviews & Lifecycle Workflows

Microsoft Entra Identity Governance gives organisations a single control plane to ask — and enforce — the question 'who should still have access, and why?'. This lesson maps every pillar: entitlement management (catalogs, access packages, separation of duties), access reviews, lifecycle workflows for the joiner-mover-leaver cycle, and terms of use — so you can answer any interview question and configure it correctly in production.

📅 2026-06-20 · ⏱ 17 min read · 10-question assessment inline

⚡ Quick Answer

Master Microsoft Entra Identity Governance (2026): entitlement management, access packages & catalogs, access reviews, lifecycle workflows for JML, terms of use, and separation of duties — interview-ready.

🎯 Lesson map

1. The four pillars: entitlement management, access reviews, lifecycle workflows, terms of use.
2. Entitlement management: catalogs, access packages, SoD, approvals.
3. Access reviews & ToU: recurring attestation and policy gates.
4. Lifecycle workflows: JML automation for joiner, mover, leaver.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What is the purpose of an access package in Entra?

Answered in Entitlement management.

2. Which feature automates the day-1 provisioning of a new employee?

Answered in Lifecycle workflows.

3. What does an access review verify?

Answered in Access reviews & ToU.

Most engineers think…

Most people hear 'Identity Governance' and think it is just a compliance checkbox — some auditor's spreadsheet made digital. That mental model costs you in interviews and in production.

Entra Identity Governance is an active enforcement engine: it decides who gets access, automates the request and approval workflow, periodically recertifies that the access is still needed, revokes it when a person leaves, and gates sensitive apps behind a signed terms of use. Understanding the four pillars — entitlement management, access reviews, lifecycle workflows, and terms of use — is what separates a governance engineer from someone who just clicks 'Approve'.

① The four pillars of Entra Identity Governance

Microsoft Entra Identity Governance sits on top of Entra ID (formerly Azure AD) and answers one question at every stage: who should have access, why, and for how long? It does this through four pillars that cover the full identity lifecycle.

Entitlement management handles self-service access requests: users pick an access package, a policy routes the request to approvers, and on approval the bundled resource roles are assigned automatically. Access reviews periodically ask owners, managers or the users themselves 'does this person still need this access?' and can remove access when a reviewer does not respond. Lifecycle workflows automate tasks at the joiner, mover and leaver stages, from sending a welcome email on the hire date to disabling the account on the leave date. Terms of use integrate with Conditional Access to require acceptance of a policy document before a user can reach a sensitive app.

Together these pillars let an organisation govern access at scale with auditable records — without relying on manual IT tickets for every role change.

Figure 1 — The governance lifecycle — request, approve, review, revoke
Every access grant in Entra Identity Governance follows the same five-step lifecycle from request to removal: Request (user selects a package) → Approve (policy + approvers) → Grant (roles assigned automatically) → Review (recertify on schedule) → Revoke (expiry or denial removes access).
Quick check · Q1 of 10 · Understand

Which Entra Identity Governance pillar is responsible for automating the removal of all group memberships when an employee is terminated?

Correct: d. Lifecycle workflows handle HR-event-triggered tasks in the joiner-mover-leaver cycle, including removing group memberships and disabling accounts on termination. Access reviews recertify existing access on a schedule; they are not triggered by an HR event.
👉 So far: Four pillars: entitlement management (self-service access), access reviews (recertification), lifecycle workflows (JML automation), terms of use (policy acceptance gate via Conditional Access).

② Entitlement management — catalogs, packages & separation of duties

Entitlement management works through a three-level hierarchy. A catalog is a container of resources (groups, apps, SharePoint sites) and the access packages built from them. An access package bundles one or more resource roles into a single requestable unit — for example, 'Finance Analyst Access' might include a security group, a SharePoint site, and an app role. A policy on the package defines who can request it, who approves, how long the access lasts, and whether it must be reviewed.

Separation of duties

Separation of duties (SoD) is enforced at the access-package level: you can mark two packages (or a package and a group) as incompatible, so a user who already holds 'Payments Approver' access cannot request 'Payments Submitter'. Entra checks the user's existing assignments before accepting a new request and refuses it if a conflict exists; users who already hold both halves of a rule (assignments that pre-date it) are listed as incompatible on the package so you can clean them up. For legitimate exceptions, create a separate package with its own stricter approval chain rather than weakening the rule.

Requests flow through a configurable approval workflow (single-stage or multi-stage sequential approval, or no approval for auto-approve), with email notifications and a self-service My Access portal. Access expires on a fixed date, after a set number of days or hours, or never; the policy can let users request an extension and can attach an access review so that continued access is recertified rather than silently renewed.
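To make the SoD check concrete, here is an added example (not Microsoft's code and not part of this lesson) that models the pre-grant check over constructed data shaped like the two Graph collections involved: the incompatible packages declared on a package and the package assignments. It also does what the portal's incompatible view does and finds users who already hold both halves of a rule. Every package ID, user and assignment is invented, the rule is declared on one side only to show that the check must treat it symmetrically, and the function names are this example's own.

```python
"""Offline model of Entra entitlement management's incompatible access package
(separation of duties) check, run over constructed sample data.

Assumption: the data shapes mirror what Microsoft Graph returns from
/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleAccessPackages
and /assignments, but nothing here calls Graph; IDs and users are made up.
"""
from itertools import combinations

# Constructed sample: access package id -> display name
PACKAGES = {
    "pkg-submit": "Payments Submitter",
    "pkg-approve": "Payments Approver",
    "pkg-analyst": "Finance Analyst Access",
}

# Constructed: the rule as an admin declares it in the portal, on one package only
INCOMPATIBLE = {
    "pkg-submit": {"pkg-approve"},
}

# Constructed: delivered assignments, as /assignments?$filter=state eq 'Delivered' would list them
ASSIGNMENTS = [
    {"target": "priya@example.com", "accessPackage": "pkg-submit"},
    {"target": "priya@example.com", "accessPackage": "pkg-analyst"},
    {"target": "arjun@example.com", "accessPackage": "pkg-submit"},
    {"target": "arjun@example.com", "accessPackage": "pkg-approve"},  # pre-dates the rule
    {"target": "mei@example.com", "accessPackage": "pkg-approve"},
]


def incompatible_pairs(rules):
    """Symmetric closure of the rules: Entra exposes each rule from both sides
    (incompatibleAccessPackages and accessPackagesIncompatibleWith)."""
    closure = {}
    for a, others in rules.items():
        for b in others:
            closure.setdefault(a, set()).add(b)
            closure.setdefault(b, set()).add(a)
    return closure


def holdings(assignments):
    """user -> set of package ids currently assigned."""
    held = {}
    for a in assignments:
        held.setdefault(a["target"], set()).add(a["accessPackage"])
    return held


def check_request(user, requested, assignments, rules):
    """Mirror the pre-grant check: refuse when the user already holds a package
    marked incompatible with the requested one. Returns (allowed, conflicts)."""
    closure = incompatible_pairs(rules)
    held = holdings(assignments).get(user, set())
    conflicts = sorted(held & closure.get(requested, set()))
    return (not conflicts, conflicts)


def existing_conflicts(assignments, rules):
    """Audit: users who already hold two incompatible packages, i.e. assignments
    granted before the rule existed. These need cleanup; the rule alone won't remove them."""
    closure = incompatible_pairs(rules)
    found = []
    for user, pkgs in holdings(assignments).items():
        for a, b in combinations(sorted(pkgs), 2):
            if b in closure.get(a, set()):
                found.append((user, a, b))
    return sorted(found)


if __name__ == "__main__":
    allowed, why = check_request("priya@example.com", "pkg-approve", ASSIGNMENTS, INCOMPATIBLE)
    print("priya -> Payments Approver:", "allowed" if allowed else f"refused, holds {why}")
    for user, a, b in existing_conflicts(ASSIGNMENTS, INCOMPATIBLE):
        print(f"pre-existing conflict: {user} holds {PACKAGES[a]} and {PACKAGES[b]}")
```

The audit half is the part teams forget: declaring incompatibility stops new requests but leaves earlier grants untouched, so run the conflict report once when the rule is created and again after each review cycle.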

Figure 2 — Access package — resources bundled in one request
One access package can bundle a security group, an M365 group, an app role and a SharePoint site under a single requestable unit with one policy; the SoD check runs against the package before a request is accepted.
📦 Access Package
A bundle of resource roles (group, app role, SharePoint site) that a user requests as one unit. Governed by a policy that sets approvers, duration, and review cadence.

🗂️ Catalog
A container of resources and access packages. Delegation: a catalog owner can manage their packages without holding a tenant-wide role such as Identity Governance Administrator, enabling self-service governance at department level.

🔁 Access Review
A scheduled recertification cycle. A reviewer (owner, manager, or self) confirms or denies continued access. With auto-apply on, Entra removes denied access automatically when the period closes.

⚖️ Separation of Duties
A policy rule that blocks a user from holding two incompatible access packages simultaneously, e.g. cannot be both Payments Submitter and Payments Approver. Prevents internal control violations.

Think in three levels: catalog > package > policy

In any interview question about entitlement management, anchor your answer in the three-level hierarchy. A catalog holds resources; an access package bundles those resources into something requestable; a policy on the package controls who can request it, who approves, and how long it lasts. Delegation flows down this hierarchy: a catalog owner manages their packages without needing a tenant-wide administrator role.

Quick check · Q2 of 10 · Apply

A user who holds 'Payments Submitter' access tries to request 'Payments Approver'. What Entra feature blocks this?

Correct: b. Entitlement management's separation of duties feature lets you mark two access packages as incompatible. Entra checks existing assignments before granting a new request and blocks it if a conflict exists.
👉 So far: Catalog > access package > policy. SoD blocks incompatible package combinations. Requests flow through an approval workflow; access expires automatically.

③ Access reviews & terms of use — recurring attestation and policy gates

Access reviews are scheduled recertification cycles that ask a reviewer (a group owner, a manager, or the user themselves) 'does this person still need this access?'. Reviews can target security and Microsoft 365 group members (including guests), enterprise application assignments, Microsoft Entra ID role members, and access package assignments. You set the recurrence (one-time, weekly, monthly, quarterly, semi-annually, annually), choose whether reviewers see recommendations based on sign-in activity, and decide what happens when a reviewer doesn't respond: no change, remove access, approve access, or take the recommendation.

The auto-apply setting is the critical production choice: when enabled, Entra immediately removes or confirms access as soon as the review period closes, without a manual step. Without it, an administrator must apply the results — easy to forget, which defeats the governance goal.

Terms of use

Terms of use are PDF documents uploaded to Entra and enforced through a Conditional Access policy grant control. When a user tries to reach a targeted app, the policy checks whether they have accepted the current version of the terms; if not, they must view and accept before access is granted. Each acceptance is recorded per user and per terms version with a timestamp, visible in the terms of use report and the Entra audit log. Terms can expire consents so users must re-accept on a schedule (e.g. annually), can require acceptance on every device, and can carry per-language versions.

Figure 3 — Access reviews vs lifecycle workflows — when to use which
Reviews recertify existing access on a schedule; lifecycle workflows automate provisioning at HR-event triggers.
Access reviews: scheduled recertification · reviewer approves/denies · covers groups, apps, roles · auto-apply removes stale access · audit log per decision.
Lifecycle workflows: HR-event triggered (JML) · tasks run automatically · covers provisioning · no reviewer needed · workflow history for audit.
Leaving auto-apply off defeats the review

The single most common access review mistake: the review closes, reviewers have denied dozens of users, but access is not removed because auto-apply results was never turned on. An admin must then manually apply results — and often forgets. Always enable auto-apply in production reviews so Entra enforces decisions automatically.
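Because this mistake is invisible in the portal until a review closes, it is worth auditing review definitions rather than individual reviews. The following is an added example (not Microsoft's code and not from this lesson) that checks a list of schedule definitions for the settings that make a review enforceable. The data is constructed and shaped after Graph's accessReviewScheduleDefinition and its settings object (autoApplyDecisionsEnabled, defaultDecisionEnabled, defaultDecision, justificationRequiredOnApproval, recommendationsEnabled, recurrence) as this editor understands that schema; nothing here calls Graph, and the IDs and names are invented. It goes a little beyond the tip above by also flagging one-off reviews and missing justification.

```python
"""Audit Entra access review schedule definitions for the settings that turn a
review into enforcement. Constructed data only; no Graph calls are made.

Assumption: field names follow Microsoft Graph's accessReviewScheduleDefinition
/ accessReviewScheduleSettings objects. In production you would fetch
/identityGovernance/accessReviews/definitions and feed the 'value' array in.
"""

# Constructed: one hardened definition and one that will silently do nothing.
DEFINITIONS = [
    {
        "id": "def-finance-q",
        "displayName": "Finance app roles - quarterly",
        "status": "InProgress",
        "settings": {
            "autoApplyDecisionsEnabled": True,
            "defaultDecisionEnabled": True,
            "defaultDecision": "Deny",
            "justificationRequiredOnApproval": True,
            "recommendationsEnabled": True,
            "recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 3}},
        },
    },
    {
        "id": "def-legacy",
        "displayName": "All guests - one-off",
        "status": "Completed",
        "settings": {
            "autoApplyDecisionsEnabled": False,
            "defaultDecisionEnabled": False,
            "defaultDecision": "None",
            "justificationRequiredOnApproval": False,
            "recommendationsEnabled": False,
            "recurrence": None,
        },
    },
]

# Default decisions that actually remove or act on unanswered access
ENFORCING_DEFAULTS = ("Deny", "Recommendation")


def audit_definition(definition):
    """Return a list of findings (empty means the review will enforce its outcome)."""
    s = definition.get("settings", {})
    findings = []
    if not s.get("autoApplyDecisionsEnabled"):
        findings.append("auto-apply disabled: denials are never applied without a manual step")
    if not s.get("defaultDecisionEnabled") or s.get("defaultDecision") not in ENFORCING_DEFAULTS:
        findings.append("no enforcing default on reviewer inaction: non-responses leave access in place")
    if not s.get("justificationRequiredOnApproval"):
        findings.append("no justification required on approval: rubber-stamp approvals are untraceable")
    if not s.get("recommendationsEnabled"):
        findings.append("recommendations off: reviewers do not see sign-in activity")
    if not s.get("recurrence"):
        findings.append("no recurrence: a one-off review does not recertify over time")
    return findings


def audit(definitions):
    """Map each definition id to its findings."""
    return {d["id"]: audit_definition(d) for d in definitions}


if __name__ == "__main__":
    for def_id, findings in audit(DEFINITIONS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{def_id}: {status}")
        for f in findings:
            print("  -", f)
```

Run this against the exported definitions after every change to review policy; a definition with any finding is a review that can close with denials that never reach the resource.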

▶ An access request from click to revocation

Follow a self-service access request end to end: approval, grant, review, and removal.

① Request: Priya signs in to the My Access portal and requests 'Finance Analyst', an access package bundling an M365 group and a SharePoint site.
② Approve: The package policy routes the request to her manager for approval. The manager clicks Approve in the email notification.
③ Grant: Entra automatically adds Priya to the M365 group and assigns the SharePoint site role. The policy sets a 90-day expiry on the assignment.
④ Review & revoke: Before the 90-day expiry, the access review attached to the policy fires. The manager marks 'Deny'; with auto-apply on, Entra removes Priya from both resources. Had nobody acted, the assignment would still have expired at day 90 and been removed by the policy.
Quick check · Q3 of 10 · Analyze

An access review closes with 30% of reviewers having taken no action. Which setting ensures Entra automatically removes those members?

Correct: c. Auto-apply combined with 'If reviewers don't respond: Remove access' removes members whose reviewers did not act when the review period closes. Without auto-apply, an admin must apply the results manually, a common governance gap.
👉 So far: Access reviews: scheduled, reviewer-driven, auto-apply removes stale access. Terms of use: PDF in Conditional Access; accepted before app access is granted; logged per user per version.

④ Lifecycle workflows — automating the joiner, mover & leaver cycle

Lifecycle workflows automate identity tasks tied to HR-driven events in the joiner-mover-leaver (JML) cycle. A workflow is a sequence of tasks — send welcome email, add to group, generate temporary access pass, remove group memberships, disable account, delete account — triggered by a trigger condition based on user attributes (e.g. employeeHireDate, employeeLeaveDateTime) or run on demand.

Joiner workflows run around the user's start date. They do not create the account: that comes from HR-driven inbound provisioning (Workday, SAP SuccessFactors or the API-driven connector) or from the on-premises directory, and the workflow runs once the account exists with an employeeHireDate set. Typical joiner tasks add the user to the correct groups, generate a Temporary Access Pass and send it to the manager, and send a welcome email. Mover workflows react when an employee changes department or role, revoking old group memberships and granting new ones. Leaver workflows fire on the leave date: remove the user from all groups, revoke refresh tokens, remove licences, disable the account, and, in a second workflow scheduled a grace period later, delete it from the directory.

Each workflow run produces an auditable workflow history log — which user, which tasks, which succeeded or failed — so you can prove to an auditor that access was removed on the correct day.

Figure 4 — Lifecycle workflow trigger stack — joiner, mover, leaver
Each JML stage maps to a set of workflow tasks that run automatically when the trigger attribute changes. Joiner: hire date triggers add groups, TAP, welcome email. Mover: department change triggers swap groups, update roles. Leaver: leave date triggers disable, revoke sessions, delete.

Priya at a Mumbai fintech faces this

After six months of rapid hiring, the security team finds that dozens of former contractors still have active group memberships and app role assignments, and no one knows when they left.

Likely cause

Offboarding was done manually via IT tickets. Some tickets were closed without actually removing all access, and no leaver lifecycle workflow or access review was configured.

Diagnosis

Pull the Entra audit log and sign-in log — many accounts show no sign-in in over 90 days but still have active group assignments. The entitlement management dashboard shows packages with no expiry date.

Entra Admin Centre ▸ Identity Governance ▸ Access Reviews + Lifecycle Workflows ▸ Leaver category
Fix

Create a leaver lifecycle workflow scheduled on employeeLeaveDateTime with tasks: remove user from all groups, revoke all refresh tokens, disable user account (and, in a second workflow offset by the grace period, delete the account). Then run a one-time access review over the affected groups and apps to clean up the backlog, with auto-apply enabled and 'If reviewers don't respond: Remove access'.

Verify

Re-check after 30 days: all leavers show disabled accounts, the access review report shows removed memberships, and the audit log proves exactly when each removal occurred.

Check workflow history, not just account status

When auditing a leaver scenario, never rely only on checking whether an account is disabled. Pull the lifecycle workflow history log for that user: it shows each task, its status (succeeded/failed), and the exact timestamp. That single record answers most audit questions and spots tasks that failed silently — like a group removal that errored due to a permissions issue.
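Here is that audit as an added example (not Microsoft's code and not from this lesson): it walks a workflow's per-user run history, lists tasks that did not complete with their failure reasons, and measures the gap between employeeLeaveDateTime and the disable task against a 24-hour SLA, which is exactly the evidence Q10 below asks for. The data is constructed and shaped after Graph's userProcessingResult with expanded taskProcessingResults (processingStatus, failureReason, completedDateTime, task.displayName) as this editor understands that schema; no Graph call is made, and every user, timestamp and failure reason is invented.

```python
"""Audit lifecycle workflow run history for leavers: which tasks failed, and how
long after employeeLeaveDateTime the account was actually disabled.

Assumption: shapes follow Microsoft Graph's
/identityGovernance/lifecycleWorkflows/workflows/{id}/userProcessingResults
?$expand=taskProcessingResults. Nothing here calls Graph; data is constructed.
"""
from datetime import datetime


def parse_utc(value):
    """Graph returns ISO-8601 with a trailing Z; make it a tz-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed: two runs of the same leaver workflow for two different users.
RUNS = [
    {
        "subject": {"userPrincipalName": "priya@example.com",
                    "employeeLeaveDateTime": "2026-06-01T09:00:00Z"},
        "processingStatus": "completedWithErrors",
        "taskProcessingResults": [
            {"task": {"displayName": "Remove user from all groups"},
             "processingStatus": "failed",
             "failureReason": "Insufficient privileges to modify group 'Finance-Admins'",
             "completedDateTime": "2026-06-01T09:04:10Z"},
            {"task": {"displayName": "Revoke all refresh tokens for user"},
             "processingStatus": "completed", "failureReason": None,
             "completedDateTime": "2026-06-01T09:05:02Z"},
            {"task": {"displayName": "Disable user account"},
             "processingStatus": "completed", "failureReason": None,
             "completedDateTime": "2026-06-01T09:09:00Z"},
        ],
    },
    {
        "subject": {"userPrincipalName": "arjun@example.com",
                    "employeeLeaveDateTime": "2026-06-02T17:00:00Z"},
        "processingStatus": "completed",
        "taskProcessingResults": [
            {"task": {"displayName": "Remove user from all groups"},
             "processingStatus": "completed", "failureReason": None,
             "completedDateTime": "2026-06-04T03:00:00Z"},
            {"task": {"displayName": "Disable user account"},
             "processingStatus": "completed", "failureReason": None,
             "completedDateTime": "2026-06-04T03:01:00Z"},
        ],
    },
]

DISABLE_TASK = "Disable user account"


def audit_run(run, sla_hours=24):
    """Return the evidence an auditor asks for: failed tasks with reasons, hours
    from the leave date to the disable task, and whether the run meets the SLA."""
    leave = parse_utc(run["subject"]["employeeLeaveDateTime"])
    tasks = run["taskProcessingResults"]
    failed = [(t["task"]["displayName"], t["failureReason"])
              for t in tasks if t["processingStatus"] != "completed"]
    disabled_at = next((parse_utc(t["completedDateTime"]) for t in tasks
                        if t["task"]["displayName"] == DISABLE_TASK
                        and t["processingStatus"] == "completed"), None)
    hours = None if disabled_at is None else round((disabled_at - leave).total_seconds() / 3600, 2)
    within_sla = hours is not None and 0 <= hours <= sla_hours
    return {
        "user": run["subject"]["userPrincipalName"],
        "failed_tasks": failed,
        "hours_to_disable": hours,
        "within_sla": within_sla,
        # A disabled account is not enough: any failed task leaves access behind.
        "compliant": within_sla and not failed,
    }


def audit_all(runs, sla_hours=24):
    return [audit_run(r, sla_hours) for r in runs]


if __name__ == "__main__":
    for result in audit_all(RUNS):
        print(f"{result['user']}: disabled after {result['hours_to_disable']} h, "
              f"SLA {'met' if result['within_sla'] else 'missed'}, "
              f"compliant={result['compliant']}")
        for name, reason in result["failed_tasks"]:
            print(f"  failed task: {name} ({reason})")
```

The first run shows the trap the tip describes: the account was disabled nine minutes after the leave time, yet group removal failed on a permissions error, so the user is disabled but still a member of a privileged group. The second run shows the opposite failure, every task succeeded but the workflow ran 34 hours late, which a check of current account state would never reveal.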

Quick check · Q4 of 10 · Remember

Which lifecycle workflow stage generates a Temporary Access Pass (TAP) for a new hire before their start date?

Correct: c. Joiner workflows run before or on the employeeHireDate. One standard joiner task is to generate a Temporary Access Pass so the new employee can sign in and set up MFA on day one without needing a permanent password.
👉 So far: Lifecycle workflows trigger on HR attributes (employeeHireDate, employeeLeaveDateTime). Tasks run automatically — add/remove groups, generate TAP, disable account, delete. Workflow history is the audit trail.


📝 Wrap-up assessment — six more questions (70%, 7 of 10, marks the lesson complete)

Q5 · Remember

Which object in Entra entitlement management bundles multiple resource roles into a single requestable unit?

Correct: b. An access package bundles resource roles (group memberships, app roles, SharePoint sites) into one unit that a user requests. The catalog is the container; the lifecycle workflow handles JML tasks; the access review recertifies access.
Q6 · Understand

Why is it important to enable 'auto-apply results' on an access review?

Correct: b. Without auto-apply, an admin must manually apply review decisions after the period closes — easy to forget, which leaves denied access in place. Auto-apply ensures that reviewer decisions are enforced immediately and automatically.
Q7 · Apply

A Conditional Access policy is configured with a terms of use document for a finance app. What happens when a user tries to open the app for the first time?

Correct: c. Terms of use in Conditional Access present the PDF to the user as a grant control gate. The user must open and accept it before the policy allows access. Entra records the acceptance per user and per terms version with a timestamp for audit purposes.
Q8 · Analyze

An employee moves from Finance to HR. Which lifecycle workflow stage and task should run automatically?

Correct: c. A department or role change is the Mover stage. The workflow tasks remove the old department's group memberships and add the new ones. Joiner and leaver tasks are for hire and termination events respectively.
Q9 · Evaluate

You need to prevent any single user from being able to both submit and approve payments in your finance system. The roles are managed via Entra access packages. What is the best approach?

Correct: b. Separation of duties in entitlement management is exactly designed for this: mark 'Payments Submitter' and 'Payments Approver' as incompatible packages. Entra blocks a user who holds one from requesting the other. An override package with a stricter approver chain can handle legitimate exceptions.
Q10 · Evaluate

What is the most reliable way to prove access was removed within 24 hours of an employee's termination?

Correct: a. The leaver lifecycle workflow history log shows each task (remove groups, revoke sessions, disable account), its success or failure status, and the exact timestamp — giving an unambiguous timestamped audit record. Checking current state only shows the end result, not when it happened.

🧠 In your own words

What is the difference between an access review and a lifecycle workflow in Entra Identity Governance? Try a one-line answer, then compare with the expert version.

Expert version: An access review is a scheduled, reviewer-driven recertification — it periodically asks a human (owner, manager, or self) whether existing access should continue, and auto-apply removes it on denial. A lifecycle workflow is an HR-event-driven automation — it runs tasks (add/remove groups, disable account, generate TAP) automatically when a trigger attribute changes, with no reviewer needed. Reviews govern existing access over time; lifecycle workflows govern access at identity lifecycle transitions (joiner, mover, leaver).


📖 Glossary

Entitlement management
An Entra ID Governance feature that automates access request workflows, approvals, assignments, reviews, and expiration for groups, apps, and SharePoint sites.
Access package
A bundle of resource roles (group memberships, app roles, SharePoint sites) that a user requests as a single unit, governed by a policy defining approvers, duration, and reviews.
Catalog
A container of resources and access packages in entitlement management. Enables delegation: a catalog owner manages their packages without needing a tenant-wide role such as Identity Governance Administrator.
Separation of duties (SoD)
An entitlement management rule that marks two access packages as incompatible, blocking a user from holding both simultaneously to prevent internal control violations.
Access review
A scheduled recertification cycle where a reviewer (owner, manager, or self) confirms or denies continued access to a group, app role, or Entra ID role. Auto-apply enforces decisions automatically.
Lifecycle workflow
An Entra ID Governance automation that runs tasks (add/remove groups, disable account, generate TAP) triggered by HR attributes for the joiner, mover, and leaver (JML) cycle.
Joiner-Mover-Leaver (JML)
The three key identity lifecycle events: Joiner (new hire provisioning), Mover (role or department change), and Leaver (termination and deprovisioning).
Terms of use
A PDF policy document enforced through a Conditional Access policy. Users must accept the current version before accessing the targeted app; each acceptance is logged per user and terms version with a timestamp.
Temporary Access Pass (TAP)
A time-limited passcode generated for a new user (joiner task) to enable first sign-in and MFA registration without a permanent password.
Auto-apply results
An access review setting that automatically enforces reviewer decisions — removing or confirming access — when the review period closes, without a manual admin step.

📚 Sources

  1. Microsoft Learn — What is Microsoft Entra Identity Governance? learn.microsoft.com/en-us/entra/id-governance/identity-governance-overview
  2. Microsoft Learn — What is entitlement management? — access packages, catalogs, policies, SoD. learn.microsoft.com/en-us/entra/id-governance/entitlement-management-overview
  3. Microsoft Learn — What are access reviews? — scheduling, reviewer types, auto-apply. learn.microsoft.com/en-us/entra/id-governance/access-reviews-overview
  4. Microsoft Learn — Understanding lifecycle workflows — JML triggers, tasks, workflow history. learn.microsoft.com/en-us/entra/id-governance/understanding-lifecycle-workflows
  5. Microsoft Learn — Plan a lifecycle workflow deployment — joiner, mover, leaver task catalog. learn.microsoft.com/en-us/entra/id-governance/lifecycle-workflows-deployment
  6. Microsoft Learn — Microsoft Entra ID Governance licensing fundamentals — P2 vs Governance add-on. learn.microsoft.com/en-us/entra/id-governance/licensing-fundamentals

What's next?

Got Governance? Next, go deep on Privileged Identity Management (PIM) — how just-in-time role activation, approval workflows, and access reviews combine to shrink your privileged attack surface.