IAM1.7 The Governance State Assessment

8 hours · Module 1 · Free
What you already know

IAM1.1 through IAM1.6 assessed six dimensions of your identity ecosystem: identity types, the data model, data quality, group architecture, delegation boundaries, and licensing. Each section produced specific findings — percentages, counts, gaps. This section consolidates those findings into a single governance state assessment, writes the first three ADRs for your program package, and creates the risk register entries that document the gaps you can't close in Module 1.

What the governance state assessment is

The governance state assessment is the diagnostic that answers one question: given the current state of your identity ecosystem, what can you govern today, what requires remediation before governance is possible, and what remains as documented risk?

This isn't a compliance audit. It doesn't measure you against a framework checklist. It measures your governance infrastructure against the requirements of the governance mechanisms you'll deploy in Modules 2 through 14. A compliance audit asks "do you have an access review?" The governance state assessment asks "can your access review actually work, given that 25% of identities have no manager to route the review to?"

In this section you'll run a consolidated diagnostic script that pulls every metric from IAM1.1–1.6 into a single output, write three ADRs that document your first governance design decisions, and create risk register entries for the gaps that require remediation before Module 2.

Governance State Assessment — 8 Domains (figure)
  Identity Data Quality: attribute coverage %
  Group Architecture: empty, ownerless %
  Authentication: MFA + SSPR coverage
  Admin Delegation: AU coverage, scoping
  Non-Human Identity: ownership, credentials
  Access Reviews: coverage, completion
  Lifecycle Automation: JML workflow coverage
  Guest Governance: sponsor %, stale %
  Cycle: Baseline → Quarterly reassessment → Module-by-module improvement → M14 final score

Estimated time: 60 minutes.

The consolidated diagnostic

This script combines the individual diagnostics from IAM1.1 through IAM1.6 into a single governance state assessment. Run it from a connected Graph PowerShell session with the full scope set from the M1 _index prerequisites.

Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All",
  "GroupMember.Read.All", "Application.Read.All", "Directory.Read.All",
  "RoleManagement.Read.Directory", "AuditLog.Read.All",
  "AdministrativeUnit.Read.All", "User-LifeCycleInfo.Read.All",
  "AccessReview.Read.All", "Organization.Read.All"

Write-Host "=============================================="
Write-Host "  IAM GOVERNANCE STATE ASSESSMENT"
Write-Host "  $(Get-Date -Format 'yyyy-MM-dd HH:mm')"
Write-Host "=============================================="

# --- SECTION 1: IDENTITY CENSUS (IAM1.1) ---
$allUsers = Get-MgUser -All -Property id, displayName, userType,
  accountEnabled, department, employeeHireDate, employeeType,
  signInActivity, onPremisesSyncEnabled

$members = $allUsers | Where-Object { $_.UserType -eq "Member" -and $_.AccountEnabled }
$guests = $allUsers | Where-Object { $_.UserType -eq "Guest" }
$disabled = $allUsers | Where-Object { -not $_.AccountEnabled }
$apps = Get-MgApplication -All
$sps = Get-MgServicePrincipal -All -Property id, appOwnerOrganizationId, servicePrincipalType
$nonMsftSPs = $sps | Where-Object {
  $_.AppOwnerOrganizationId -ne "f8cdef31-a31e-4b4a-93e4-5f571e91255a"
}

Write-Host "`n--- 1. IDENTITY CENSUS ---"
Write-Host "Active members:       $($members.Count)"
Write-Host "Guests:               $($guests.Count)"
Write-Host "Disabled accounts:    $($disabled.Count)"
Write-Host "App registrations:    $($apps.Count)"
Write-Host "Service principals:   $($sps.Count) (non-Microsoft: $($nonMsftSPs.Count))"

# --- SECTION 2: DATA QUALITY (IAM1.2–1.3) ---
$total = $members.Count
$deptCov = ($members | Where-Object { $_.Department }).Count
$hireCov = ($members | Where-Object { $_.EmployeeHireDate }).Count
$typeCov = ($members | Where-Object { $_.EmployeeType }).Count

$mgrCov = 0
foreach ($m in $members) {
  # One Graph call per member. Get-MgUserManager returns a 404 when no manager
  # is set; -ErrorAction SilentlyContinue turns that into $null, so only
  # members with a manager increment the counter.
  if (Get-MgUserManager -UserId $m.Id -ErrorAction SilentlyContinue) { $mgrCov++ }
}

Write-Host "`n--- 2. DATA QUALITY ---"
Write-Host "department:           $deptCov / $total ($([math]::Round($deptCov/$total*100))%)"
Write-Host "employeeHireDate:     $hireCov / $total ($([math]::Round($hireCov/$total*100))%)"
Write-Host "employeeType:         $typeCov / $total ($([math]::Round($typeCov/$total*100))%)"
Write-Host "manager:              $mgrCov / $total ($([math]::Round($mgrCov/$total*100))%)"

$compositeScore = [math]::Round(($deptCov + $hireCov + $typeCov + $mgrCov) / ($total * 4) * 100)
Write-Host "COMPOSITE SCORE:      $compositeScore%"

# --- SECTION 3: GROUP ARCHITECTURE (IAM1.4) ---
$groups = Get-MgGroup -All -Property id, displayName, groupTypes,
  securityEnabled, description, isAssignableToRole

$ownerless = 0; $noDesc = 0; $empty = 0
foreach ($g in $groups) {
  if ((Get-MgGroupOwner -GroupId $g.Id -All -ErrorAction SilentlyContinue).Count -eq 0) { $ownerless++ }
  if (-not $g.Description) { $noDesc++ }
  if ((Get-MgGroupMember -GroupId $g.Id -All -ErrorAction SilentlyContinue).Count -eq 0) { $empty++ }
}
$dynamic = ($groups | Where-Object { $_.GroupTypes -contains "DynamicMembership" }).Count

Write-Host "`n--- 3. GROUP ARCHITECTURE ---"
Write-Host "Total groups:         $($groups.Count)"
Write-Host "Ownerless:            $ownerless ($([math]::Round($ownerless/$groups.Count*100))%)"
Write-Host "No description:       $noDesc ($([math]::Round($noDesc/$groups.Count*100))%)"
Write-Host "Empty:                $empty"
Write-Host "Dynamic:              $dynamic ($([math]::Round($dynamic/$groups.Count*100))%)"

# --- SECTION 4: DELEGATION (IAM1.5) ---
$aus = Get-MgDirectoryAdministrativeUnit -All
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -All
$tenantWide = ($roleAssignments | Where-Object { $_.DirectoryScopeId -eq "/" }).Count
$scoped = ($roleAssignments | Where-Object { $_.DirectoryScopeId -ne "/" }).Count

Write-Host "`n--- 4. DELEGATION ---"
Write-Host "Administrative units: $($aus.Count)"
Write-Host "Role assignments:     $($roleAssignments.Count) (tenant-wide: $tenantWide, scoped: $scoped)"

# --- SECTION 5: LICENSING (IAM1.6) ---
$subscribedSkus = Get-MgSubscribedSku -All
$hasP2 = $false; $hasGov = $false
foreach ($sku in $subscribedSkus) {
  if ($sku.ServicePlans.ServicePlanName -contains "AAD_PREMIUM_P2") { $hasP2 = $true }
  if ($sku.ServicePlans.ServicePlanName -like "*IDENTITY_GOVERNANCE*") { $hasGov = $true }
}

Write-Host "`n--- 5. LICENSING ---"
Write-Host "Entra ID P2:          $(if ($hasP2) { 'YES' } else { 'NO' })"
Write-Host "Governance add-on:    $(if ($hasGov) { 'YES' } else { 'NO (trial may be active)' })"

# --- SECTION 6: STALE IDENTITIES (IAM0.1) ---
# Members count as stale only when a last successful sign-in exists and is older
# than 90 days; members that have never signed in are not counted here. Guests
# count as stale when they are 90 days idle OR have never signed in, because an
# unredeemed or unused invitation is still a standing access grant.
# signInActivity requires Entra ID P1 and the AuditLog.Read.All scope.
$staleMembers = ($members | Where-Object {
  $_.SignInActivity.LastSuccessfulSignInDateTime -and
  $_.SignInActivity.LastSuccessfulSignInDateTime -lt (Get-Date).AddDays(-90)
}).Count
$staleGuests = ($guests | Where-Object {
  -not $_.SignInActivity.LastSuccessfulSignInDateTime -or
  $_.SignInActivity.LastSuccessfulSignInDateTime -lt (Get-Date).AddDays(-90)
}).Count

Write-Host "`n--- 6. STALE IDENTITIES ---"
Write-Host "Members (90d+ stale): $staleMembers"
Write-Host "Guests (stale/never): $staleGuests / $($guests.Count)"

# --- SECTION 7: ACCESS REVIEWS (IAM0.3) ---
$reviews = Get-MgIdentityGovernanceAccessReviewDefinition -All -ErrorAction SilentlyContinue
Write-Host "`n--- 7. ACCESS REVIEWS ---"
if ($reviews) {
  Write-Host "Review definitions:   $($reviews.Count)"
} else {
  Write-Host "Review definitions:   0 (Stage 3 governance: ABSENT)"
}

Write-Host "`n=============================================="
Write-Host "  ASSESSMENT COMPLETE"
Write-Host "=============================================="

Entra Admin Center — Visual Verification

After running the consolidated script, verify the key findings in the portal:

Identity > Users > All users — confirm the member and guest counts match.
Identity > Groups > All groups — confirm the total group count.
Identity > Roles & admins > Admin units — confirm the AU count.
Identity Governance > Access reviews — confirm review definitions exist (or don't).
Identity Governance > Dashboard — if the Governance trial is active, the dashboard shows a visual summary of governance activity. If it's empty, that's the finding: the governance features are licensed but not deployed.

The portal verification serves two purposes: it confirms the PowerShell output is accurate, and it gives you the visual familiarity with where each metric lives in the admin center — useful when presenting findings to stakeholders who don't read PowerShell output.

Save the assessment output. This is your governance state baseline — the snapshot that every subsequent module measures improvement against. When you run the same script after completing Module 5, the data quality scores should be higher, the group ownership percentage should be higher, AUs should exist, and access reviews should be configured.

Reading the assessment as a coherent picture

The individual metrics tell you about individual gaps. Read together, they tell you about governance readiness — how far your tenant is from deploying the mechanisms that this course teaches.

Data quality × lifecycle workflows: If employeeHireDate is below 70%, Module 2's joiner workflows can't launch at scale. The data quality remediation from IAM1.3 is a prerequisite, not a nice-to-have. Your assessment output tells you exactly how many identities are outside workflow scope and what the remediation timeline needs to be.

Manager coverage × access reviews: If manager is below 80%, Module 5's manager-based access reviews will leave a significant population unreviewed. The assessment tells you whether to configure a fallback reviewer now or whether the remediation plan from IAM1.3 will close the gap before you reach Module 5.

Group ownership × review targeting: If ownerless groups exceed 30%, you can't run owner-based group reviews for nearly a third of your groups. Access reviews for those groups either need fallback reviewers (who lack context) or the groups need owners assigned before the review program launches. The assessment tells you which is faster.

AU count × delegation: If AUs are zero and all role assignments are tenant-wide, the delegation architecture from Module 8 is a full build — not an incremental improvement. The assessment tells you the scope of the delegation project.

Licensing × feature availability: If the Governance add-on isn't licensed (and the trial hasn't been activated), lifecycle workflows, entitlement management, and advanced access reviews are gated. The assessment tells you which modules require the workarounds from IAM1.6 and which work with your current license.

The composite picture determines your build sequence priorities. If data quality is the primary blocker, remediation happens in parallel with Module 2 preparation. If group governance is the primary blocker, Module 3 (group architecture) may need to precede Module 2 (lifecycle workflows) even though the course orders M2 first. The course is designed to be followed linearly, but the assessment may reveal that certain prerequisites need expedited attention.

Your first three ADRs

The assessment produces findings. ADRs document the decisions you make in response to those findings. Open the 01-ADRs/ folder in your program package and create three ADRs.

ADR IAM1-001: Data Quality Remediation Strategy

Context: The governance state assessment found employeeHireDate at [your %] coverage, employeeType at [your %], and manager at [your %]. Lifecycle workflows (M2) require employeeHireDate ≥ 70%. Access reviews (M5) require manager ≥ 80%. Dynamic group scoping (M3) requires employeeType ≥ 70%. The current coverage levels are below these thresholds for most attributes.

Decision: Implement a two-track remediation: (1) immediate CSV bulk enrichment for employeeType across all existing members using HR's employee classification data, targeting 90% coverage within one week. (2) Process change: add employeeHireDate, employeeType, and manager to the mandatory account creation checklist. Every new account requires all three attributes before provisioning is considered complete. For employeeHireDate on existing accounts, prioritize the 200 most recent hires for manual enrichment, targeting 70% coverage within two weeks.

Alternatives considered: (a) HR system integration — rejected for now because NE's HR system has no API. Planned as the medium-term target (6-month roadmap). (b) Postpone governance until data quality improves organically — rejected because organic improvement doesn't happen without a process change.

Consequences: Enables lifecycle workflow deployment (M2) and access review deployment (M5) within two weeks. Creates a manual enrichment burden on Phil's team for the initial backfill. Residual risk: the 30% of accounts where employeeHireDate is unknown (historical hires where HR can't provide the date) will remain outside lifecycle workflow scope. Compensating control: manual onboarding process as fallback for identities outside workflow scope.

CISO summary (30 seconds): "We can't launch lifecycle automation because 80% of accounts are missing the hire date the automation triggers on. We're fixing the data in two weeks through a bulk enrichment, and adding mandatory attributes to the account creation process so the gap doesn't reopen."

ADR IAM1-002: Group Governance Approach

Context: 214 groups, 67 ownerless (31%), 89 undescribed (42%), 31 empty (14%), 12 dynamic (6%). Groups are the primary access assignment mechanism. Access reviews for groups require owners to route the review to. Entitlement management uses groups as access package resources. Without ownership and documentation, governance mechanisms can't target these groups effectively.

Decision: Phased approach. Phase 1 (immediate): delete the 31 empty groups after confirming no downstream dependencies. Phase 2 (two weeks): assign owners to the 67 ownerless groups, prioritizing groups with application assignments. Phase 3 (Module 3): design and deploy the naming convention, convert eligible manual groups to dynamic, and add descriptions to all remaining groups. Enforce a governance policy: no new group is created without an owner, a description, and a naming-convention-compliant name.

Alternatives considered: (a) Delete all ownerless groups — rejected because they may grant access to resources; deletion without dependency analysis risks breaking access. (b) Assign a single "governance admin" as owner of all ownerless groups — rejected because a single owner for 67 groups can't meaningfully review 67 sets of memberships.

Consequences: Eliminates the empty group noise (31 groups). Creates ownership accountability for the remaining groups. Residual risk: owner assignment doesn't retroactively document the group's purpose — the description gap persists until Module 3. Compensating control: request descriptions from newly assigned owners within 30 days of assignment.

CISO summary: "31% of our groups have no owner — that means 31% of access is governed by nobody. We're assigning owners in two weeks, cleaning up empty groups immediately, and redesigning the group architecture in Module 3."
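The "confirming no downstream dependencies" step in Phase 1 is where empty-group cleanup goes wrong, so here is an added example (not part of the course or its program package) that checks the dependencies a deletion would break before any group is removed. It assumes a connected Graph PowerShell session; the Conditional Access check needs the Policy.Read.All scope, which is not in this module's scope list, and the output file name is this example's own choice.

```powershell
# Added example: pre-deletion dependency check for the empty groups found by the
# assessment (Phase 1 of ADR IAM1-002). Assumes a connected session, e.g.
# Connect-MgGraph -Scopes "Group.Read.All", "Application.Read.All", "Policy.Read.All"

# Loaded once; every policy's include/exclude lists are checked per group.
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All

function Test-GroupDependencies {
  param([Parameter(Mandatory)] $Group)   # an object returned by Get-MgGroup

  $blockers = [System.Collections.Generic.List[string]]::new()

  # 1. App role assignments: the group grants access to an enterprise app.
  $appAssignments = Get-MgGroupAppRoleAssignment -GroupId $Group.Id -All -ErrorAction SilentlyContinue
  if ($appAssignments) {
    $apps = ($appAssignments.ResourceDisplayName | Sort-Object -Unique) -join ', '
    $blockers.Add("app role assignments: $apps")
  }

  # 2. Nesting: the group is a member of other groups, so deleting it changes
  #    transitive membership somewhere else.
  $parents = Get-MgGroupMemberOf -GroupId $Group.Id -All -ErrorAction SilentlyContinue
  if ($parents) { $blockers.Add("member of $($parents.Count) parent group(s)") }

  # 3. Conditional Access: a group in an include or exclude list is a policy
  #    control. Deleting an exclusion group pulls its former members into scope.
  foreach ($p in $caPolicies) {
    if ($p.Conditions.Users.IncludeGroups -contains $Group.Id) { $blockers.Add("CA include: $($p.DisplayName)") }
    if ($p.Conditions.Users.ExcludeGroups -contains $Group.Id) { $blockers.Add("CA exclude: $($p.DisplayName)") }
  }

  # 4. Groups that carry state beyond their membership list.
  if ($Group.IsAssignableToRole) { $blockers.Add("role-assignable group") }
  if ($Group.GroupTypes -contains "Unified") { $blockers.Add("M365 group (mailbox/site/Team may exist)") }

  [pscustomobject]@{
    GroupId      = $Group.Id
    DisplayName  = $Group.DisplayName
    SafeToDelete = ($blockers.Count -eq 0)
    Blockers     = ($blockers -join '; ')
  }
}

# Re-derive the empty set with the same test the assessment script uses.
$groups = Get-MgGroup -All -Property id, displayName, groupTypes, isAssignableToRole
$emptyGroups = $groups | Where-Object {
  (Get-MgGroupMember -GroupId $_.Id -All -ErrorAction SilentlyContinue).Count -eq 0
}

$report = $emptyGroups | ForEach-Object { Test-GroupDependencies -Group $_ }
$report | Sort-Object SafeToDelete | Format-Table DisplayName, SafeToDelete, Blockers -AutoSize
# File name is this example's convention; attach it to the ADR as evidence.
$report | Export-Csv -Path ".\empty-group-dependencies.csv" -NoTypeInformation
```

Only rows with SafeToDelete = True go to deletion; everything else goes back to Phase 2 for owner assignment. Security groups are hard-deleted, while Microsoft 365 groups are soft-deleted and recoverable for 30 days, so the CSV is the only record of what a deleted security group was attached to.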

ADR IAM1-003: Delegation Model

Context: Zero administrative units. All 12 role assignments are tenant-wide. Phil Greaves holds 4 permanent roles including Global Administrator. Every admin with User Administrator can modify every user. No scope boundaries exist.

Decision: Defer AU deployment to Module 8. Immediate action: document the current role assignments as a risk register entry. The full delegation architecture — site-based AUs, restricted AUs for sensitive identities, scoped role assignments replacing tenant-wide — requires the PIM governance work from Module 7 and the delegation design from Module 8. Deploying AUs without the governance framework around them creates empty boundaries without scoped roles to populate them.

Alternatives considered: (a) Deploy AUs immediately — rejected because AU deployment without scoped role migration leaves tenant-wide assignments active alongside empty AUs. The AUs exist but don't constrain anything. (b) Remove Phil's tenant-wide Global Administrator now — rejected because no alternative admin structure exists yet. Removing GA without PIM and AU infrastructure creates an operational gap.

Consequences: The flat directory persists until Module 8. Risk: any admin with tenant-wide scope can modify any identity, including sensitive accounts. Compensating control: enable audit log monitoring for role assignment changes and sensitive account modifications (Module 12 builds the detection rules; interim monitoring through Entra audit logs in the portal).

CISO summary: "We have zero delegation boundaries — every admin has full tenant access. Fixing this requires PIM (Module 7) and administrative units (Module 8). We're documenting the risk now and building the delegation architecture when the prerequisites are in place."

Entra Admin Center — Audit Log for Interim Monitoring

Identity > Monitoring & health > Audit logs

While waiting for the Module 12 detection rules, you can monitor sensitive operations through the audit log. Filter by Activity: "Add member to role" to see role assignment changes. Filter by Target to see modifications to specific sensitive accounts. This is the interim monitoring from ADR IAM1-003 — not automated alerting, but manual review capability that provides some visibility until the monitoring framework is built.
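The same interim review can be scripted so it runs weekly instead of depending on someone opening the portal. The block below is an added example, not code from the course: it pulls the last seven days of directory audit events for the two things ADR IAM1-003 asks you to watch, role membership changes and writes to sensitive accounts. The watchlist UPNs are constructed placeholders, and the session is assumed to hold AuditLog.Read.All and Directory.Read.All.

```powershell
# Added example: scripted version of the audit-log review from ADR IAM1-003.
# Assumes a connected Graph PowerShell session with AuditLog.Read.All.

$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Constructed watchlist; replace with the UPNs of your sensitive accounts.
$sensitiveUpns = @("phil.greaves@northgate.example", "breakglass01@northgate.example")

# 1. Role membership changes. These are the activity names Entra writes for
#    direct (non-PIM) assignment and removal; filtering is done server-side.
$roleEvents = Get-MgAuditLogDirectoryAudit -All -Filter (
  "activityDateTime ge $since and " +
  "(activityDisplayName eq 'Add member to role' or activityDisplayName eq 'Remove member from role')"
)

function Get-RoleChangeSummary {
  param($Events)
  foreach ($e in $Events) {
    # The user target carries the role name in its modified properties;
    # NewValue is a JSON-encoded string, hence the quote stripping.
    $userTarget = $e.TargetResources | Where-Object { $_.Type -eq 'User' } | Select-Object -First 1
    $roleProp   = $userTarget.ModifiedProperties | Where-Object { $_.DisplayName -eq 'Role.DisplayName' }
    $actor = $e.InitiatedBy.User.UserPrincipalName
    if (-not $actor) { $actor = $e.InitiatedBy.App.DisplayName }   # app-initiated change
    [pscustomobject]@{
      When     = $e.ActivityDateTime
      Activity = $e.ActivityDisplayName
      Actor    = $actor
      Target   = $userTarget.UserPrincipalName
      Role     = ($roleProp.NewValue -replace '"', '')
      Result   = $e.Result
    }
  }
}

Write-Host "--- Role membership changes (7d) ---"
Get-RoleChangeSummary -Events $roleEvents | Format-Table -AutoSize

# 2. Any user-management write whose target is a watchlisted account. The
#    category and date filter are server-side; targetResources is matched
#    client-side because it is not filterable by UPN.
$userEvents = Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and category eq 'UserManagement'"
$sensitiveHits = $userEvents | Where-Object {
  @($_.TargetResources.UserPrincipalName | Where-Object { $sensitiveUpns -contains $_ }).Count -gt 0
}

Write-Host "--- Changes to watchlisted accounts (7d) ---"
$sensitiveHits | Select-Object ActivityDateTime, ActivityDisplayName, Result,
  @{ n = 'Actor';  e = { $_.InitiatedBy.User.UserPrincipalName } },
  @{ n = 'Target'; e = { ($_.TargetResources.UserPrincipalName | Where-Object { $_ }) -join ', ' } } |
  Format-Table -AutoSize
```

Two caveats for the interim period: PIM activations and eligible assignments are logged under different activity names, so once Module 7 introduces PIM this filter needs widening; and Entra retains audit logs for 30 days on P1/P2, so the seven-day window has to be run on schedule or the evidence is gone.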

Risk register entries

Open the 03-Risk-Register/ folder and create entries for every finding that can't be resolved in Module 1. You created DQ-series entries in IAM1.3. Add these:

GRP-001: 67 ownerless groups grant access with no accountability. Remediation: owner assignment (2 weeks). Risk: access review coverage gap until owners are assigned.

GRP-002: 89 undescribed groups prevent informed review decisions. Remediation: description population (Module 3). Risk: review quality degradation — reviewers approve without context.

DEL-001: Zero administrative units. All role assignments tenant-wide. Remediation: Module 7 (PIM) + Module 8 (AUs). Risk: any admin can modify any identity including sensitive accounts.

DEL-002: Phil Greaves holds permanent Global Administrator. Remediation: Module 7 (convert to PIM-eligible). Risk: compromised credential provides full tenant control without activation approval.

LIC-001: No Governance add-on license (trial active). Remediation: budget request after Module 5 demonstrates governance value. Risk: trial expiry blocks lifecycle workflows and advanced access reviews.

Each entry has the same format as DQ-001 from IAM1.3 — risk description, likelihood, impact, current control, target control, remediation target, status.

At Northgate Engineering: Rachel Okafor produces the governance state assessment and presents it to the CISO (herself, in this case — she's both the sponsor and the executor). The assessment consolidates: 810 members with 33% composite data quality, 214 groups with 31% ownerless, zero AUs, zero access reviews, P2 licensed with Governance on trial. Three ADRs document the first design decisions: data quality remediation, group governance approach, delegation model deferral. Nine risk register entries document the gaps: DQ-001 through DQ-004 (data quality), GRP-001 and GRP-002 (groups), DEL-001 and DEL-002 (delegation), LIC-001 (licensing). The assessment is the baseline. Module 2 begins the build.


Reusable script — the consolidated governance state assessment:

The complete script from the "consolidated diagnostic" section above serves as the reusable assessment. Save it as governance-state-assessment.ps1 in your program package root. Run it at the start of each module to track improvement against the M1 baseline. The first run establishes the baseline numbers: attribute coverage percentages, group health metrics, delegation state, licensing status, and stale identity counts. The script prints a snapshot, so keep the output of every run; setting each one against the saved baseline shows which domains improved and which degraded. The quarterly cadence matters: identity governance gaps accumulate silently between assessments, and a 90-day window is long enough for new app registrations, departures without deprovisioning, and group sprawl to create measurable drift. Store the output of each quarterly run in the program package alongside the ADRs and risk register; the assessment history is audit evidence of continuous improvement.
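The assessment script prints numbers; turning those into the module-readiness reading described under "Reading the assessment as a coherent picture" and into a quarter-on-quarter trend is manual work. The block below is an added example, not code from the course, that does both: it persists each run as JSON and compares the latest run against the oldest saved run and against the thresholds this section quotes (employeeHireDate ≥ 70% for M2, employeeType ≥ 70% for M3, manager ≥ 80% for M5, ownerless groups ≤ 30% for owner-based reviews). It assumes the variables from the assessment script are still in the session; the directory name, file naming and threshold table are this example's own conventions.

```powershell
# Added example: persist an assessment run and compare it with the baseline and
# with the module prerequisite thresholds. Run after governance-state-assessment.ps1
# in the same session so $deptCov, $hireCov, $typeCov, $mgrCov, $total,
# $ownerless, $groups, $tenantWide, $roleAssignments, $aus and $reviews exist.

$runDir = ".\assessment-runs"            # example convention
New-Item -ItemType Directory -Path $runDir -Force | Out-Null

function Export-AssessmentRun {
  param([hashtable]$Metrics, [string]$Directory)
  $run  = [ordered]@{ Timestamp = (Get-Date).ToString("o"); Metrics = $Metrics }
  $path = Join-Path $Directory ("assessment-{0}.json" -f (Get-Date -Format 'yyyyMMdd-HHmm'))
  $run | ConvertTo-Json -Depth 4 | Set-Content -Path $path -Encoding UTF8
  $path
}

function Compare-AssessmentRun {
  param([hashtable]$Baseline, [hashtable]$Current, [hashtable]$Thresholds)
  foreach ($name in ($Current.Keys | Sort-Object)) {
    $base  = $Baseline[$name]
    $cur   = $Current[$name]
    $delta = if ($null -ne $base) { $cur - $base } else { $null }
    $status = "n/a"
    if ($Thresholds.ContainsKey($name)) {
      $t  = $Thresholds[$name]
      # HigherIsBetter decides the direction of the comparison per metric.
      $ok = if ($t.HigherIsBetter) { $cur -ge $t.Target } else { $cur -le $t.Target }
      $status = if ($ok) { "READY" } else { "BLOCKS $($t.Gates)" }
    }
    [pscustomobject]@{ Metric = $name; Baseline = $base; Current = $cur; Delta = $delta; Status = $status }
  }
}

# Percentages derived from the assessment script's own counters.
$metrics = @{
  DeptCoveragePct     = [math]::Round($deptCov / $total * 100)
  HireDateCoveragePct = [math]::Round($hireCov / $total * 100)
  EmployeeTypePct     = [math]::Round($typeCov / $total * 100)
  ManagerCoveragePct  = [math]::Round($mgrCov / $total * 100)
  OwnerlessGroupPct   = [math]::Round($ownerless / $groups.Count * 100)
  TenantWideRolePct   = [math]::Round($tenantWide / [math]::Max($roleAssignments.Count, 1) * 100)
  AdminUnitCount      = ($aus | Measure-Object).Count
  AccessReviewCount   = ($reviews | Measure-Object).Count
}

# Thresholds as stated in this section; Gates names what the metric blocks.
$thresholds = @{
  HireDateCoveragePct = @{ Target = 70; HigherIsBetter = $true;  Gates = "M2 lifecycle workflows" }
  EmployeeTypePct     = @{ Target = 70; HigherIsBetter = $true;  Gates = "M3 dynamic group scoping" }
  ManagerCoveragePct  = @{ Target = 80; HigherIsBetter = $true;  Gates = "M5 manager-based reviews" }
  OwnerlessGroupPct   = @{ Target = 30; HigherIsBetter = $false; Gates = "owner-based group reviews" }
}

$null = Export-AssessmentRun -Metrics $metrics -Directory $runDir

# The oldest file in the directory is the M1 baseline (on the first run it is
# this run, so every delta is 0 and only the threshold column is informative).
$baselineFile = Get-ChildItem $runDir -Filter "assessment-*.json" | Sort-Object Name | Select-Object -First 1
$baselineJson = Get-Content $baselineFile.FullName -Raw | ConvertFrom-Json
$baseline = @{}
foreach ($p in $baselineJson.Metrics.PSObject.Properties) { $baseline[$p.Name] = $p.Value }

Compare-AssessmentRun -Baseline $baseline -Current $metrics -Thresholds $thresholds |
  Format-Table Metric, Baseline, Current, Delta, Status -AutoSize
```

The Status column is the readiness reading: a BLOCKS row names the module that cannot launch at scale until the metric crosses its threshold, and a Delta that is negative between quarters is the drift the "90% of tenants" paragraph warns about.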

What we see in 90% of tenants (and why it fails)

The organization runs a "security assessment" once, produces a 60-page report, presents it to leadership, and files it. Two years later, the auditor asks for evidence of continuous improvement. The organization re-runs the assessment and discovers that every finding from the original report still exists — plus 15 new ones. The assessment was a project, not a program. Without a recurring cadence (quarterly reassessment, module-by-module remediation tracking, score trending), the assessment becomes a snapshot that decays the moment it's completed. The governance state assessment in this section is designed as a recurring baseline, not a one-time deliverable.

Decision-point simulation

Scenario 1. Your governance state assessment produces a baseline score across 8 domains. Five domains score above 70%. Three score below 40%: non-human identity governance, access review program, and lifecycle automation. Rachel Okafor asks you to present a remediation priority. How do you sequence the three?

Lifecycle automation first. Without automated JML workflows, every new hire, department change, and departure requires manual identity operations — creating the governance gaps that the other two domains would catch. Non-human identity governance second — the 347 app registrations with no ownership model are an unmanaged attack surface. Access review program third — reviews are most valuable when the identities being reviewed are governed (lifecycle) and the non-human identities are inventoried (ownership). Building reviews before lifecycle automation means reviewing access that was never properly provisioned in the first place.

Scenario 2. The governance state assessment reveals that NE's identity governance is stronger than you expected in some areas — SSPR is at 94% coverage, MFA is enforced for all users, and password policy follows NIST 800-63B. The CISO is surprised. Should you adjust the program scope based on these findings?

No — don't reduce scope, but do adjust priority. The strong authentication posture means the authentication and Conditional Access modules can focus on optimization rather than remediation. Shift effort to the weaker domains: non-human identity, lifecycle automation (M2), and access reviews (M5). The assessment data justifies the prioritization — present it as "we're building on an already-strong authentication foundation, which lets us focus resources on the governance gaps that create the most risk."

Scenario 3. You run the governance state assessment quarterly. Between Q1 and Q2, the non-human identity score dropped from 52% to 41% because developers created 28 new app registrations for a product launch — all without ownership, credential policies, or permission reviews. What does this tell you about the governance model?

It tells you the governance model is detective, not preventive. The assessment caught the degradation after it happened. A preventive model would require admin consent for new app registrations, enforce ownership at creation time, and set credential expiry policies by default. The quarterly assessment is valuable for trend tracking, but it needs a preventive counterpart: a policy that governs app registration creation, not just an audit that measures it after the fact. The non-human identity module builds the preventive controls.

Next

IAM1.8 — Module Summary. Per-sub recap with specific findings and artifacts. What you have after Module 1. Module 2 prerequisites — specific M1 outputs required before building lifecycle workflows.

You're reading the free modules of Identity and Access Management in Microsoft 365
