IAM0.8 Module Summary

6 hours · Module 0 · Free

What you built in Module 0

Seven sub-modules (IAM0.1 through IAM0.7) took you from "identity is managed in this tenant" to a specific, data-backed understanding of where governance exists and where it is absent. Here is what you produced in each.

IAM0.1 — What Identity Governance Actually Is. You ran a governance attribute coverage audit against your tenant and found the percentages of member accounts missing department, manager, and employeeHireDate. You traced a single identity's group memberships and identified ownerless groups, undescribed groups, and residual access from completed projects. You queried stale member accounts (90+ days no sign-in) and stale guest accounts (never signed in or dormant). You established the three diagnostic questions — why does this identity have this access, when was it last reviewed, who is accountable — that you'll apply to every governance decision for the rest of the course. Artifacts: Identity census output. Group membership trace. Stale identity report. Three diagnostic questions. Reusable diagnostic script.
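The attribute coverage audit and the stale-identity report described above, as an added PowerShell illustration (this is not the course's own diagnostic script). It assumes the Microsoft Graph PowerShell SDK, consent to User.Read.All and AuditLog.Read.All, and a P1/P2 or Governance license (signInActivity is not returned without one). The 90-day threshold is the module's; the "created before the cutoff" guard for members, the property list, and the output file name are choices made for this example.

```powershell
# Added illustration of the IAM0.1 attribute coverage and stale-identity checks.
# This is not the course's own diagnostic script. Assumes the Microsoft Graph
# PowerShell SDK, consent to User.Read.All and AuditLog.Read.All, and an Entra ID
# P1/P2 (or Governance) license, which signInActivity requires.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All" -NoWelcome

$staleAfterDays = 90   # the module's stale threshold
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$staleAfterDays)

# One pass for attributes and sign-in data. signInActivity is only returned when
# selected explicitly and is null for accounts that have never signed in.
$props = @('Id', 'UserPrincipalName', 'UserType', 'AccountEnabled', 'Department',
           'EmployeeHireDate', 'CreatedDateTime', 'SignInActivity')
$users = @(Get-MgUser -All -Property $props)

# Second pass for manager: it is a navigation property, so it is expanded rather
# than selected. Record which user IDs have one.
$hasManager = @{}
Get-MgUser -All -Property Id -ExpandProperty Manager | ForEach-Object {
    if ($_.Manager -and $_.Manager.Id) { $hasManager[$_.Id] = $true }
}

function Get-LastSignIn($user) {
    # Most recent of interactive and non-interactive sign-in; $null if neither exists.
    $sia = $user.SignInActivity
    if (-not $sia) { return $null }
    $stamps = @($sia.LastSignInDateTime, $sia.LastNonInteractiveSignInDateTime) | Where-Object { $_ }
    if (-not $stamps) { return $null }
    return ($stamps | Sort-Object -Descending)[0]
}

$members = @($users | Where-Object { $_.UserType -eq 'Member' })
$guests  = @($users | Where-Object { $_.UserType -eq 'Guest' })
$total   = $members.Count

# Attribute coverage: share of member accounts missing each governance attribute.
$checks = [ordered]@{
    Department       = { param($u) [string]::IsNullOrWhiteSpace($u.Department) }
    Manager          = { param($u) -not $hasManager.ContainsKey($u.Id) }
    EmployeeHireDate = { param($u) -not $u.EmployeeHireDate }
}
$coverage = foreach ($check in $checks.GetEnumerator()) {
    $missing = @($members | Where-Object { & $check.Value $_ }).Count
    [pscustomobject]@{
        Attribute      = $check.Key
        Missing        = $missing
        PercentMissing = if ($total) { [math]::Round(100 * $missing / $total, 1) } else { 0 }
    }
}
$coverage | Format-Table -AutoSize

# Stale members: enabled, created before the cutoff (so new hires are not flagged),
# and no sign-in of either kind inside the window. (The age guard is an addition.)
$staleMembers = @($members | Where-Object {
    $last = Get-LastSignIn $_
    $_.AccountEnabled -and $_.CreatedDateTime -lt $cutoff -and ($null -eq $last -or $last -lt $cutoff)
})
# Stale guests: never signed in, or dormant past the same cutoff.
$staleGuests = @($guests | Where-Object {
    $last = Get-LastSignIn $_
    $null -eq $last -or $last -lt $cutoff
})

[pscustomobject]@{
    Members = $total;        StaleMembers = $staleMembers.Count
    Guests  = $guests.Count; StaleGuests  = $staleGuests.Count
} | Format-List

$reportColumns = @(
    'UserPrincipalName'
    'UserType'
    'AccountEnabled'
    'CreatedDateTime'
    @{ n = 'LastSignIn'; e = { Get-LastSignIn $_ } }
)
$staleMembers + $staleGuests | Select-Object $reportColumns |
    Export-Csv -Path .\stale-identities.csv -NoTypeInformation
```

Two caveats a practitioner should keep in mind: signInActivity carries a reporting lag of up to a day or so, so do not act on a single run made right after a tenant change, and a missing manager is reported as a 404 on the manager navigation, which is why the example expands the property instead of calling Get-MgUserManager per account.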

IAM0.2 — The Identity Lifecycle in Your Tenant. You traced the five-stage lifecycle through your Graph API data. Stage 1 (creation): provisioning source analysis showing HR-driven vs manual creation and the attribute gaps manual provisioning produces. Stage 2 (assignment): group landscape audit — total groups, ownerless percentage, undescribed percentage, dynamic vs static. Stage 3 (governance): access review state check — whether reviews exist and what the deny rate reveals about review quality. Stage 4 (monitoring): sign-in distribution across active, inactive, stale, dormant, and never-signed-in categories. Stage 5 (removal): disabled accounts still holding group memberships. Artifacts: Lifecycle stage map (automated / manual / partial / absent per stage). Reusable lifecycle diagnostic script.

IAM0.3 — Access Governance Principles. You measured permission creep by correlating group membership count with account tenure and saw the monotonic growth pattern — access accumulating year over year with no removal mechanism. You queried identities holding multiple directory roles (separation of duties). You examined access review deny rates and identified the "Approve All" pattern. You worked through the CISO scenario — applying all four governance principles to your own findings. Artifacts: Permission creep analysis. Multiple-role-holder report. Review quality assessment. Reusable permission creep diagnostic script.
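The permission creep correlation and the multiple-role-holder query described above, as an added PowerShell illustration; it also covers the IAM0.2 stage-5 check (disabled accounts still holding group memberships), since it needs the same per-user membership data. This is not the course's own script. It assumes Microsoft Graph PowerShell with User.Read.All, GroupMember.Read.All and RoleManagement.Read.Directory consented; the tenure bucketing (whole years from employeeHireDate, falling back to createdDateTime) is a choice made for the example.

```powershell
# Added illustration of the IAM0.3 permission creep and separation-of-duties checks,
# plus the IAM0.2 stage-5 check for disabled accounts that still hold memberships.
# Not the course's own script. Assumes Microsoft Graph PowerShell with User.Read.All,
# GroupMember.Read.All and RoleManagement.Read.Directory consented.
Connect-MgGraph -Scopes "User.Read.All", "GroupMember.Read.All", "RoleManagement.Read.Directory" -NoWelcome

$now = (Get-Date).ToUniversalTime()

$members = @(Get-MgUser -All -Filter "userType eq 'Member'" `
    -Property Id, UserPrincipalName, AccountEnabled, CreatedDateTime, EmployeeHireDate)

$rows = foreach ($u in $members) {
    # Direct memberships only. memberOf also returns directory roles and administrative
    # units, so keep just the group objects.
    $groups = @(Get-MgUserMemberOf -UserId $u.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
    # employeeHireDate is the real tenure signal; fall back to createdDateTime when it is
    # missing, which is itself one of the attribute gaps measured in IAM0.1.
    $start = if ($u.EmployeeHireDate) { $u.EmployeeHireDate } else { $u.CreatedDateTime }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        AccountEnabled    = $u.AccountEnabled
        TenureYears       = [int][math]::Floor(($now - $start).TotalDays / 365.25)
        GroupCount        = $groups.Count
    }
}

# Permission creep: average and maximum group count per tenure year. With no removal
# mechanism the averages rise monotonically with tenure.
$creepColumns = @(
    @{ n = 'TenureYears'; e = { [int]$_.Name } }
    @{ n = 'Identities';  e = { $_.Count } }
    @{ n = 'AvgGroups';   e = { [math]::Round(($_.Group | Measure-Object GroupCount -Average).Average, 1) } }
    @{ n = 'MaxGroups';   e = { ($_.Group | Measure-Object GroupCount -Maximum).Maximum } }
)
$rows | Group-Object TenureYears | Sort-Object { [int]$_.Name } |
    Select-Object $creepColumns | Format-Table -AutoSize

# Lifecycle stage 5 (removal): disabled accounts that still hold group memberships.
$rows | Where-Object { -not $_.AccountEnabled -and $_.GroupCount -gt 0 } |
    Sort-Object GroupCount -Descending | Format-Table UserPrincipalName, GroupCount -AutoSize

# Separation of duties: principals holding more than one directory role. Get-MgDirectoryRole
# lists only roles that have been activated in the tenant and only permanent assignments;
# PIM-eligible assignments do not appear here.
$holders = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if (-not $holders.ContainsKey($m.Id)) {
            $holders[$m.Id] = [pscustomobject]@{
                Principal = $m.AdditionalProperties['displayName']
                Type      = ($m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
                Roles     = [System.Collections.Generic.List[string]]::new()
            }
        }
        $holders[$m.Id].Roles.Add($role.DisplayName)
    }
}
$holders.Values | Where-Object { $_.Roles.Count -gt 1 } |
    Select-Object Principal, Type, @{ n = 'Roles'; e = { ($_.Roles | Sort-Object) -join '; ' } } |
    Sort-Object Principal | Format-Table -AutoSize
```

The role-holder table includes service principals as well as users (the Type column tells them apart); a service principal holding two directory roles is the same separation-of-duties finding as a person holding them, and is easier to miss.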

IAM0.4 — Non-Human Identity. You ran a non-human identity census — app registrations with credential counts, service principals split by first-party/organizational/third-party, credential health analysis with expired/critical/warning classification, and a high-risk Graph API permission audit identifying apps with tenant-wide read/write access. You calculated the non-human to human identity ratio. Artifacts: App registration census. Service principal census. Credential health report. High-risk permission audit. Reusable non-human identity census script.
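The credential health classification, the service principal origin split, and the high-risk Graph permission audit described above, as an added PowerShell illustration (not the course's own census script). It assumes Microsoft Graph PowerShell with Application.Read.All consented. The 30-day critical and 90-day warning windows, the $highRisk permission list, and the use of the well-known Microsoft first-party tenant ID to label first-party apps are assumptions chosen for the example.

```powershell
# Added illustration of the IAM0.4 credential-health and high-risk permission checks,
# plus the first-party / organizational / third-party service principal split. This is
# not the course's own census script. Assumes Microsoft Graph PowerShell with
# Application.Read.All consented. The 30/90-day windows and the $highRisk list are
# assumptions for the example; tune them to your own policy.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$now          = (Get-Date).ToUniversalTime()
$criticalDays = 30
$warningDays  = 90

function Get-CredentialState([datetime]$expires) {
    $days = ($expires - $now).TotalDays
    if ($days -lt 0)             { return 'expired' }
    if ($days -lt $criticalDays) { return 'critical' }
    if ($days -lt $warningDays)  { return 'warning' }
    return 'ok'
}

# Credential health: one row per secret or certificate on every app registration.
$apps = @(Get-MgApplication -All -Property Id, AppId, DisplayName, PasswordCredentials, KeyCredentials)
$credRows = foreach ($app in $apps) {
    $creds = @($app.PasswordCredentials | ForEach-Object { @{ Kind = 'secret';      Expires = $_.EndDateTime } }) +
             @($app.KeyCredentials      | ForEach-Object { @{ Kind = 'certificate'; Expires = $_.EndDateTime } })
    foreach ($c in ($creds | Where-Object { $_.Expires })) {
        [pscustomobject]@{
            App = $app.DisplayName; AppId = $app.AppId; Kind = $c.Kind
            Expires = $c.Expires;   State = Get-CredentialState $c.Expires
        }
    }
}
$credRows | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$credRows | Where-Object { $_.State -in 'expired', 'critical' } | Sort-Object Expires |
    Format-Table App, Kind, Expires, State -AutoSize
# Registrations with no credential at all are worth a look too: unused, or authenticating some other way.
$apps | Where-Object { -not $_.PasswordCredentials -and -not $_.KeyCredentials } |
    Format-Table DisplayName, AppId -AutoSize

# Service principal origin: which tenant owns the application behind each service principal.
$tenantId = (Get-MgContext).TenantId
$msTenant = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'   # well-known tenant that owns Microsoft first-party apps
function Get-SpOrigin([string]$ownerTenant) {
    if ($ownerTenant -eq $tenantId) { return 'organizational' }
    if ($ownerTenant -eq $msTenant) { return 'first-party' }
    return 'third-party'
}
$sps = @(Get-MgServicePrincipal -All -Property Id, AppId, DisplayName, AppOwnerOrganizationId, ServicePrincipalType |
    Where-Object { $_.ServicePrincipalType -eq 'Application' })
$sps | Group-Object { Get-SpOrigin $_.AppOwnerOrganizationId } | Select-Object Name, Count | Format-Table -AutoSize

# High-risk permissions: application permissions on Microsoft Graph are appRoleAssignments
# whose resource is the Graph service principal. Map each appRoleId back to its name.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[[string]$r.Id] = $r.Value }
$highRisk = @(
    'Directory.ReadWrite.All'
    'RoleManagement.ReadWrite.Directory'
    'Application.ReadWrite.All'
    'AppRoleAssignment.ReadWrite.All'
    'User.ReadWrite.All'
    'Group.ReadWrite.All'
    'Mail.ReadWrite'
    'Files.ReadWrite.All'
    'Sites.ReadWrite.All'
)
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    ForEach-Object {
        [pscustomobject]@{
            Principal   = $_.PrincipalDisplayName
            PrincipalId = $_.PrincipalId
            Permission  = $roleName[[string]$_.AppRoleId]
        }
    } |
    Where-Object { $_.Permission -in $highRisk } |
    Sort-Object Principal, Permission | Format-Table -AutoSize
```

Two limits of this audit: it only resolves application permissions on Microsoft Graph, so permissions granted on other resource service principals (Exchange, SharePoint, Azure AD Graph) need the same query run against those resources, and it does not cover delegated permissions, which live in oauth2PermissionGrants rather than app role assignments.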

IAM0.5 — The NE Scenario. You learned the Northgate Engineering environment — infrastructure, 6 personas, identity composition, and 8 governance gaps mapped to the modules that fix them. NE is the worked example that runs alongside your own tenant work throughout the course.

IAM0.6 — Lab Setup. You built the NE lab environment in your developer tenant — 15 persona accounts with deliberate attribute gaps, 13 groups with varying governance states, 7 app registrations, 5 guest accounts, and admin role assignments that reproduce the separation of duties gap. You activated the Entra ID Governance trial and modeled licensing costs for production deployment.

IAM0.7 — Your IAM Program Package. You set up the five-component package structure — ADRs, governance cadences, risk register, compliance evidence, and executive summary — and learned what each module contributes to the capstone deliverable.

What you have now

After Module 0, you have:

  • A governance baseline for your own tenant — specific numbers for attribute coverage, lifecycle stage coverage, permission creep, and non-human identity inventory
  • The three diagnostic questions you'll apply to every governance decision
  • The lifecycle stage map showing where automation exists and where it doesn't
  • The NE lab environment with 15 personas, groups, apps, and guests
  • The program package folder structure ready to receive artifacts from Module 1 onward
  • The reusable diagnostic scripts from IAM0.1 through IAM0.4, covering identity census, lifecycle stages, permission creep and review quality, and non-human identity

What Module 1 requires

Module 1 — The Entra ID Identity Ecosystem — takes you from orientation to ecosystem assessment. You'll examine identity types as governance objects, the data model that drives lifecycle automation, data quality as a governance prerequisite, group architecture, administrative units, licensing, and produce a full governance state assessment with the first ADRs and risk register entries.

Before starting Module 1, confirm:

  • Your developer tenant is set up and you can connect to Microsoft Graph PowerShell
  • The Entra ID Governance trial is active (lifecycle workflows, entitlement management, and access reviews accessible in the Entra admin center)
  • The 15 NE persona accounts exist with the attribute gaps from IAM0.6
  • The 13 NE groups exist with the ownership and description gaps from IAM0.6
  • Your program package folder structure is created

If any of these aren't ready, return to IAM0.6 and complete the setup. Module 1 uses the NE environment extensively — the persona accounts and groups are the data the diagnostic queries evaluate.

Module 1 produces your first ADRs (IAM1-001 through IAM1-003), your first risk register entries, and the governance state assessment that becomes the baseline every subsequent module improves. The transition from "I know where the gaps are" to "I've documented the gaps and started building the program" happens in Module 1.

You're reading the free modules of Identity and Access Management in Microsoft 365