> For the complete documentation index, see [llms.txt](https://docs.balkan.id/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.balkan.id/iam-risk-analyzer/segregation-of-duties-iam-risk-analyzer/iam-risk-analysis-entraid.md).

# IAM Risk Analysis - EntraID

### Overview

This section outlines how Segregation of Duties (SoD) policies for Microsoft Entra ID (formerly Azure Active Directory) are implemented, configured, validated, and operationalized within BalkanID IAM Risk Analyzer.

The objective is to transition organizations from periodic privileged access reviews and static identity audits to a continuous governance program where identity risks are automatically detected, analyzed, and remediated throughout the identity lifecycle.

Microsoft Entra ID functions as the central identity control plane for enterprise cloud access. Authorization is governed through:

* Directory roles and privileged roles
* Group-based access assignments
* Conditional Access policies
* Privileged Identity Management (PIM)
* Application and service principal permissions

While this model enables flexible identity administration, it can also introduce segregation conflicts, privilege escalation paths, and identity lifecycle risks when roles and permissions are assigned without centralized governance.

BalkanID IAM Risk Analyzer continuously evaluates Entra ID identity relationships to detect:

* Segregation of Duties conflicts
* Privileged access governance violations
* MFA enforcement gaps
* Identity lifecycle failures
* Excessive application permissions

The result is a centralized risk view that allows organizations to enforce least privilege, strong authentication controls, and effective identity governance.

### Implementation

**Phase 1:** Policy Definition & Baseline Establishment

Objective: Define and validate SoD policy scope across Microsoft Entra ID administrative roles, authentication controls, and identity lifecycle processes.

Activities include:

Identify identity governance areas in scope:

* Directory Roles & Privileged Roles
* User and Group Administration
* Authentication and MFA Policies
* Conditional Access Policies
* Privileged Identity Management (PIM)
* Application & Service Principal Access
* External and Guest Identities

Define baseline toxic role combinations aligned to identity governance best practices.

Categorize SoD rules by risk severity.

Validate rule logic against:

* Directory roles
* Administrative privileges
* PIM assignments
* Conditional Access policies
* Application permissions

Outcome

A formally approved Entra ID SoD policy library ready for configuration within BalkanID IAM Risk Analyzer.

**Phase 2:** Rule Configuration in BalkanID IAM Risk Analyzer - Finding Rule for SoD Detection

User-Generated Insights can be used to write SoD rules and can be aggregated into a finding that raises an actionable risk alert. Findings provide broader risk context and are used to trigger automated workflows.

Example:

**Use Case 1:** Privileged Role Administrator vs User Administrator

Microsoft Entra ID allows administrators to manage both user lifecycle operations and privileged role assignments.

When a single identity holds both Privileged Role Administrator and User Administrator, that user can create accounts and assign privileged roles to them without independent oversight. The conflict exists whether each role is held as an active assignment, as a PIM-eligible assignment the user can activate on their own, or through membership in a role-assignable group, so the rule must evaluate all three paths.

Risk Impact

* Unauthorized privilege escalation
* Bypass of approval controls
* Elevated insider threat risk

<figure><img src="/files/vcoPgKAvn1R773kXCIWF" alt=""><figcaption></figcaption></figure>

### Baseline SoD Rule Library

| **Rule**                                  | **Category**                                  |
| ----------------------------------------- | --------------------------------------------- |
| SoD - Privileged Role Admin vs User Admin | Segregation of Duties, Privilege Escalation   |
| SoD - Application Admin vs Security Admin | Segregation of Duties, Security Governance    |
| SoD - User Admin vs Security Admin        | Segregation of Duties                         |
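As an added worked example (not BalkanID code, and independent of its User-Generated Insights feature), the following Python evaluates the baseline rule library above against role assignment records in the shape Microsoft Graph returns for active (`unifiedRoleAssignment`) and PIM-eligible (`unifiedRoleEligibilityScheduleInstance`) assignments, trimmed to the fields the check needs. It goes beyond Use Case 1 in two ways a practitioner needs: PIM-eligible holdings count as held, and assignments to role-assignable groups are expanded to their members. The tenant data, the group membership map, and the rule severities are constructed for illustration; the role template IDs are Microsoft's built-in values and should be verified against your tenant.

```python
"""Evaluate Entra ID segregation-of-duties conflicts over role assignment data.

Added example, not BalkanID or Microsoft code. Input records mirror the fields
of Microsoft Graph unifiedRoleAssignment (active) and
unifiedRoleEligibilityScheduleInstance (PIM-eligible) objects. All sample data
below is constructed, not taken from a real tenant.
"""
from collections import defaultdict

# Built-in directory role template IDs. Match on IDs, not display names, because
# names are localizable. Verify in your tenant with
# GET https://graph.microsoft.com/v1.0/directoryRoleTemplates
ROLE_IDS = {
    "Privileged Role Administrator": "e8611ab8-c189-46e8-94e1-60213ab1f814",
    "User Administrator": "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "Application Administrator": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
}

# Baseline SoD rule library from this page. Severities are an assumption for
# illustration; the page asks you to categorize rules but fixes no values.
SOD_RULES = [
    ("SoD - Privileged Role Admin vs User Admin",
     "Privileged Role Administrator", "User Administrator", "High"),
    ("SoD - Application Admin vs Security Admin",
     "Application Administrator", "Security Administrator", "High"),
    ("SoD - User Admin vs Security Admin",
     "User Administrator", "Security Administrator", "Medium"),
]


def effective_roles(active, eligible, group_members):
    """Map each user to the set of (role_id, scope, how) it effectively holds.

    PIM-eligible assignments count: the holder can activate them alone.
    Assignments whose principal is a role-assignable group are expanded to
    the group's members. group_members maps groupId -> [userId, ...]; any
    principalId not present in it is treated as a user.
    """
    holdings = defaultdict(set)
    for kind, records in (("active", active), ("eligible", eligible)):
        for rec in records:
            principal = rec["principalId"]
            role_id = rec["roleDefinitionId"]
            scope = rec.get("directoryScopeId", "/")  # "/" means tenant-wide
            members = group_members.get(principal)
            if members is None:
                holdings[principal].add((role_id, scope, kind))
            else:
                for member in members:
                    holdings[member].add((role_id, scope, f"{kind} via group {principal}"))
    return holdings


def evaluate_sod(holdings):
    """Return one finding per (user, rule) where the user holds both roles."""
    findings = []
    for user, held in holdings.items():
        paths = defaultdict(list)  # role_id -> how/where it is held
        for role_id, scope, how in held:
            paths[role_id].append(f"{how} @ {scope}")
        for rule, role_a, role_b, severity in SOD_RULES:
            id_a, id_b = ROLE_IDS[role_a], ROLE_IDS[role_b]
            if id_a in paths and id_b in paths:
                findings.append({
                    "principalId": user,
                    "rule": rule,
                    "severity": severity,
                    "evidence": {role_a: sorted(paths[id_a]), role_b: sorted(paths[id_b])},
                })
    return findings


# Constructed sample tenant. alice: PRA active plus UA eligible -> conflict.
# bob: App Admin directly plus Security Admin via group -> conflict.
# carol: only UA on an administrative unit. dave: only Security Admin via group.
SAMPLE_ACTIVE = [
    {"principalId": "alice", "roleDefinitionId": ROLE_IDS["Privileged Role Administrator"], "directoryScopeId": "/"},
    {"principalId": "bob", "roleDefinitionId": ROLE_IDS["Application Administrator"], "directoryScopeId": "/"},
    {"principalId": "grp-secops", "roleDefinitionId": ROLE_IDS["Security Administrator"], "directoryScopeId": "/"},
    {"principalId": "carol", "roleDefinitionId": ROLE_IDS["User Administrator"],
     "directoryScopeId": "/administrativeUnits/au-hr"},
]
SAMPLE_ELIGIBLE = [
    {"principalId": "alice", "roleDefinitionId": ROLE_IDS["User Administrator"], "directoryScopeId": "/"},
]
SAMPLE_GROUP_MEMBERS = {"grp-secops": ["bob", "dave"]}


def run_sample():
    return evaluate_sod(effective_roles(SAMPLE_ACTIVE, SAMPLE_ELIGIBLE, SAMPLE_GROUP_MEMBERS))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["severity"], finding["principalId"], finding["rule"], finding["evidence"])
```

On the sample data the check raises two findings: alice under the Privileged Role Admin vs User Admin rule (one path active, one PIM-eligible) and bob under the Application Admin vs Security Admin rule (the second role inherited through `grp-secops`). carol and dave each hold only one role in any pair and are not flagged. Feeding real data means paging `GET /roleManagement/directory/roleAssignments`, `GET /roleManagement/directory/roleEligibilityScheduleInstances`, and the transitive members of each group-typed principal; the evidence field is what an approver or auditor needs to see why the conflict exists and which path to remove.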

### Control Mapping

| Framework          | Control ID | Control Title                        |
| ------------------ | ---------- | ------------------------------------ |
| SOC 2 (TSC 2017)   | CC6        | Logical and Physical Access Controls |
| ISO/IEC 27001:2013 | A.9        | Access Control                       |
| ISO/IEC 27001:2013 | A.6.1.2    | Segregation of Duties                |
| ISO/IEC 27001:2022 | A.5.18     | Access Rights                        |
| NIST SP 800-53     | AC-5       | Separation of Duties                 |
| NIST SP 800-53     | AC-2       | Account Management                   |
| NIST SP 800-53     | IA-2       | Identification and Authentication    |

### Conclusion

Microsoft Entra ID serves as the primary identity control plane for cloud and SaaS access. Effective governance of administrative roles, authentication enforcement, and identity lifecycle management is critical to maintaining a secure identity infrastructure.

The SoD findings produced by these rules point to identity controls that may not be adequately designed or operating effectively, particularly around privileged access governance, MFA enforcement, and lifecycle management.

Implementing continuous identity risk monitoring through BalkanID IAM Risk Analyzer enables organizations to detect and remediate these risks, strengthening identity governance and reducing audit and security exposure.


