Purpose
Auditing tracks and reports who did what, when, and where in your identity systems.
It:
Detects and investigates attacks.
Ensures compliance and accountability.
Helps developers debug access errors.
Auditing Sources
Log Type | Description
Sign-In Logs | Track user login attempts and MFA details.
Audit Logs | Record changes to configurations or directory objects.
Provisioning Logs | Monitor identity creation or deletion events.
Entra Activity Logs | Summarize operations and events across the identity environment.
Tools for Analysis:
Azure Monitor, Microsoft Sentinel, Log Analytics.
Governance Overview
Definition: Ongoing oversight ensuring your identity solution operates securely and
efficiently.
Example Scenario (Juan again):
Juan leaves the company, but his account stays active. Without governance, this forgotten
identity becomes an attack entry point.
Proper governance would:
Reconcile accounts with HR records.
Flag unused or over-privileged accounts.
Enforce password changes or MFA.
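The reconciliation described above can be sketched as follows. This is an added example, not part of the original notes: the sample data is constructed, and the field names, role names and per-department baseline are assumptions rather than an Entra ID or HR export schema.

```python
from datetime import date, timedelta

# Constructed sample data; field names are assumptions, not a real export schema.
HR = {
    "E100": {"status": "terminated", "department": "Sales"},      # Juan, has left
    "E101": {"status": "active", "department": "Marketing"},      # moved from Sales
    "E102": {"status": "active", "department": "Sales"},
}
ACCOUNTS = [
    {"upn": "juan@contoso.example", "employee_id": "E100", "enabled": True,
     "last_sign_in": date(2024, 1, 10), "roles": {"Sales-Reader"}, "mfa": True},
    {"upn": "ana@contoso.example", "employee_id": "E101", "enabled": True,
     "last_sign_in": date(2024, 5, 30), "roles": {"Sales-Reader", "Marketing-Editor"}, "mfa": False},
    {"upn": "li@contoso.example", "employee_id": "E102", "enabled": True,
     "last_sign_in": date(2024, 5, 28), "roles": {"Sales-Reader"}, "mfa": True},
    {"upn": "temp01@contoso.example", "employee_id": None, "enabled": True,
     "last_sign_in": None, "roles": set(), "mfa": False},
]
# Hypothetical per-department role baseline used to spot privilege creep.
BASELINE = {"Sales": {"Sales-Reader"}, "Marketing": {"Marketing-Editor"}}

def reconcile(hr, accounts, today, stale_days=90):
    """Return {upn: [findings]} for enabled accounts that need governance action."""
    findings = {}
    cutoff = today - timedelta(days=stale_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are retained for audit only
        issues = []
        person = hr.get(acct["employee_id"])
        if person is None:
            issues.append("orphaned: no HR record")
        elif person["status"] != "active":
            issues.append("leaver: account still enabled")
        else:
            extra = acct["roles"] - BASELINE.get(person["department"], set())
            if extra:
                issues.append("over-privileged: " + ", ".join(sorted(extra)))
        if acct["last_sign_in"] is None or acct["last_sign_in"] < cutoff:
            issues.append("unused: no sign-in in %d days" % stale_days)
        if not acct["mfa"]:
            issues.append("MFA not enforced")
        if issues:
            findings[acct["upn"]] = issues
    return findings

if __name__ == "__main__":
    for upn, issues in reconcile(HR, ACCOUNTS, today=date(2024, 6, 1)).items():
        print(upn, "->", "; ".join(issues))
```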
Identity Lifecycle Management
Governance begins with automating the identity lifecycle: creating, updating, and
removing identities accurately.
Typical Steps
1. Identify systems of record (for example, HR database).
2. Synchronize data with directories (for example, Entra ID).
3. Automate handling of visitors, contractors, or students.
Join-Move-Leave Model
Stage | Description | Example
Join | Create identity when a person joins the organization. | New employee account automatically provisioned in Entra ID.
Move | Adjust access when user changes roles or departments. | Sales rep moving to Marketing loses Sales access and gains Marketing rights.
Leave | Remove access when user exits organization. | Account disabled and retained only for audit.
Automation of these processes prevents privilege creep and orphaned accounts.
Monitoring Tools and Zero Trust Mindset
Always operate under Verify Explicitly – Use Least Privilege – Assume Breach.
Monitoring Services
Azure Monitor – collects metrics and logs.
Application Insights – tracks app performance and failures.
Azure Service Health / Resource Health – monitors service availability.
Azure Policy and Resource Manager – enforce compliance across resources.
Example:
Azure Monitor detects repeated failed sign-ins from a new location. Sentinel correlates it as
a probable credential-stuffing attempt and triggers an alert.
Summary of Units 10 – 14
Microsoft provides several identity providers for hybrid and cloud needs.
Licensing determines which premium or external identity features you can use.
Authentication verifies identity; Authorization defines permitted actions.
Auditing and Governance ensure visibility, compliance, and continuous
improvement.
Lifecycle Management and Zero Trust principles keep identities accurate and
secure from creation to deletion.
SC-300 Module 1 Summary: Introduction to Identity