IAM1.8 Module Summary

8 hours · Module 1 · Free

What you built in Module 1

Seven sub-modules (IAM1.1 through IAM1.7) assessed the identity ecosystem that every subsequent module depends on. Here is what you produced in each.

IAM1.1 — Identity Types as Governance Objects. You examined five identity categories through their governance properties — member, guest, service principal, managed identity, and AI agent. You queried the full Graph API user resource for a member identity with field-by-field governance annotation (employeeHireDate, employeeType, onPremisesSyncEnabled, signInActivity, lastPasswordChangeDateTime). You profiled guest identities with externalUserState, creationType, and the sponsor accountability gap. You examined service principal governance properties (notes, description, signInActivity). You produced the identity type governance coverage map — which controls exist for which types and where the gaps are. Artifacts: Member governance profile. Guest governance profile. Service principal profile. Identity type governance coverage map. Reusable identity type census script.

IAM1.2 — The Identity Data Model. You mapped twelve governance-critical attributes across four categories: lifecycle (employeeHireDate, employeeLeaveDateTime, createdDateTime), organizational (department, jobTitle, manager, employeeType, employeeOrgData), activity (signInActivity with three timestamps, lastPasswordChangeDateTime), and extended (customSecurityAttributes). You documented the employeeHireDate app-only permission restriction, the signInActivity pagination limit ($top=120), and the synced-vs-cloud attribute update constraint. You built the attribute dependency map showing which governance mechanisms fail when specific attributes are missing. Artifacts: Attribute dependency map. Data model audit output. Reusable data model audit script.

IAM1.3 — Data Quality as a Governance Foundation. You ran the composite data quality audit across nine governance-critical attributes, producing a composite score with per-attribute GOOD/ACCEPTABLE/POOR/CRITICAL thresholds. You documented the cascade of failures per CRITICAL attribute — lifecycle workflows that skip 80% of identities, access reviews with no reviewer for 25% of population, workflow scoping impossible without employeeType. You evaluated four remediation strategies (HR integration, CSV bulk import, Graph API enrichment, manual with process) and established minimum viable thresholds for each governance mechanism. You created the DQ-series risk register entries. Artifacts: Composite data quality score. Per-attribute coverage report. Remediation plan with timelines. DQ-001 through DQ-004 risk register entries. Reusable data quality audit script with CSV export.

IAM1.4 — Group Architecture for IAM. You classified all groups by type (security, M365, dynamic, role-assignable, mail-enabled security, distribution), queried ownership and description coverage, identified empty groups, analyzed naming convention adherence, examined dynamic group rules with the portal's Validate function, traced what resources groups grant access to through application assignments, and assessed the synced-vs-cloud group governance constraint. Artifacts: Group classification audit. Ownership audit (ownerless count and percentage). Description audit. Empty group list. Naming convention analysis. Reusable group architecture audit script.

IAM1.5 — Administrative Units and Delegation Boundaries. You assessed the AU state (likely zero AUs in most tenants), queried all role assignments with scope analysis (tenant-wide vs AU-scoped), listed high-privilege permanent assignments, built a test AU (AU-NE-Bristol) with member addition and scoped role assignment, documented the five AU constraints (no nesting, group-member independence, browse access not restricted, role scoping limits, licensing), and analyzed the delegation gap with a social engineering defense scenario. Artifacts: AU inventory (or absence thereof). Role assignment scope audit. Test AU with scoped assignment. Delegation gap assessment. Reusable delegation assessment script.

IAM1.6 — Licensing for Identity Governance. You audited your tenant's license state, mapped six license tiers to governance capabilities with current pricing (P1 $6, P2 $9, Governance $7/$4 step-up, Suite $12, Workload ID $3/workload, Agent 365 $15), documented the "Without Governance Licensing" workarounds with a concrete inactive-user-insights PowerShell script, mapped which course modules work at each license tier, and modeled the cost for production Governance licensing. Artifacts: License audit output. Feature availability matrix. Module-by-license-tier mapping. Cost model. Reusable license audit script.

IAM1.7 — The Governance State Assessment. You ran the consolidated diagnostic pulling every metric from IAM1.1–1.6 into a single output, wrote three ADRs (IAM1-001 data quality remediation, IAM1-002 group governance approach, IAM1-003 delegation model), created five risk register entries (GRP-001, GRP-002, DEL-001, DEL-002, LIC-001), and interpreted the assessment as a coherent governance readiness picture. Artifacts: Governance state assessment output (baseline). ADRs IAM1-001 through IAM1-003. Risk register entries GRP-001, GRP-002, DEL-001, DEL-002 and LIC-001. Reusable governance state assessment script (governance-state-assessment.ps1).

What you have now

After Module 1, your program package contains:

  • 01-ADRs/: IAM1-001 (data quality remediation), IAM1-002 (group governance), IAM1-003 (delegation model)
  • 03-Risk-Register/: DQ-001 through DQ-004 (data quality), GRP-001 and GRP-002 (groups), DEL-001 and DEL-002 (delegation), LIC-001 (licensing) — 9 entries total
  • Governance state assessment baseline with the consolidated diagnostic script
  • Test AU (AU-NE-Bristol) with 5 members and a scoped role assignment

Your tenant's governance state is documented. The gaps are quantified. The first design decisions are recorded. The remediation priorities are defined. Module 2 starts building.

What Module 2 requires

Module 2 — HR-Driven Provisioning and Lifecycle Workflows — is the first build module. It takes the data quality findings from M1 and begins constructing the lifecycle automation that addresses Gap 1 from IAM0.5 (no identity lifecycle automation).

Before starting Module 2, confirm:

  • The data quality remediation from IAM1.3 has started: employeeType enrichment underway (target ≥ 70%), employeeHireDate enrichment underway for recent hires (target ≥ 70%), manager assignment underway for unassigned identities (target ≥ 80%). You don't need to reach the targets before starting M2 — the remediation runs in parallel. But the process must be in progress.
  • The Entra ID Governance trial is active. Lifecycle workflows require the Governance add-on. If the trial has expired and you haven't secured permanent licensing, IAM1.6's "Without Governance Licensing" section describes the PowerShell alternative. Module 2 teaches both paths.
  • The NE lab environment from IAM0.6 is intact: 15 personas, 13 groups, 7 app registrations, 5 guest accounts, the test AU from IAM1.5.
  • Your program package folder structure contains the M1 ADRs and risk register entries.
  • The governance state assessment script from IAM1.7 is saved and produces output when run.
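As an added pre-flight check for the three data-quality targets in the list above (example code written for this summary, not one of the course's own scripts): it assumes the Microsoft.Graph PowerShell SDK, a delegated sign-in with User.Read.All, and it treats a "recent hire" as an enabled member account created in the last 90 days, a window the checklist does not define. The 70/70/80 percentages come straight from the checklist; run it with -UseSampleData to exercise the scoring offline against constructed sample users, and keep the dated CSV from each run so that a re-run shows whether coverage is actually rising while remediation continues in parallel.

```powershell
# Added example (not part of the course scripts): pre-flight check for the Module 2
# data-quality targets. Assumes Microsoft.Graph PowerShell SDK and delegated User.Read.All.
param(
    [switch]$UseSampleData,      # score constructed sample users instead of calling Graph
    [int]$RecentHireDays = 90    # assumed window for "recent hires"; the checklist does not define one
)

# Targets as stated in the Module 2 checklist (percent of population with the attribute set)
$Targets = @{ employeeType = 70; employeeHireDate = 70; manager = 80 }

function Measure-M2Readiness {
    param(
        [Parameter(Mandatory)] [object[]]$Users,
        [int]$RecentHireDays = 90
    )
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$RecentHireDays)
    # employeeHireDate is only measured over recent hires, as the checklist scopes it
    $recent = @($Users | Where-Object { $_.createdDateTime -and [datetime]$_.createdDateTime -ge $cutoff })

    $checks = @(
        @{ Attribute = 'employeeType';     Population = $Users;  Populated = @($Users  | Where-Object { -not [string]::IsNullOrWhiteSpace($_.employeeType) }) }
        @{ Attribute = 'employeeHireDate'; Population = $recent; Populated = @($recent | Where-Object { $_.employeeHireDate }) }
        @{ Attribute = 'manager';          Population = $Users;  Populated = @($Users  | Where-Object { $_.manager -and $_.manager.id }) }
    )
    foreach ($c in $checks) {
        $total = $c.Population.Count
        $pct   = if ($total -eq 0) { 0 } else { [math]::Round(100 * $c.Populated.Count / $total, 1) }
        [pscustomobject]@{
            Attribute  = $c.Attribute
            Population = $total
            Populated  = $c.Populated.Count
            Coverage   = $pct
            Target     = $Targets[$c.Attribute]
            Status     = if ($total -eq 0) { 'NO DATA' }
                         elseif ($pct -ge $Targets[$c.Attribute]) { 'MEETS TARGET' }
                         else { 'BELOW TARGET' }
        }
    }
}

function Get-MemberUsersForReadiness {
    # Enabled member identities only: guests and disabled accounts are outside the
    # joiner/mover/leaver targets. Pages explicitly through @odata.nextLink.
    $select = 'id,displayName,userType,accountEnabled,employeeType,employeeHireDate,createdDateTime'
    $uri = 'https://graph.microsoft.com/v1.0/users' +
           "?`$filter=userType eq 'Member' and accountEnabled eq true" +
           "&`$select=$select&`$expand=manager(`$select=id)&`$top=999"
    $uri = $uri -replace ' ', '%20'
    $all = [System.Collections.Generic.List[object]]::new()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($u in $page.value) { $all.Add($u) }
        $uri = $page.'@odata.nextLink'
    }
    return $all
}

# Constructed sample users (hypothetical names) shaped like the Graph hashtable output
$sampleUsers = @(
    @{ displayName = 'Asha Patel';   employeeType = 'Employee';   employeeHireDate = '2025-09-01T00:00:00Z'; createdDateTime = (Get-Date).AddDays(-20).ToUniversalTime().ToString('o'); manager = @{ id = 'mgr-1' } }
    @{ displayName = 'Ben Okafor';   employeeType = $null;        employeeHireDate = $null;                   createdDateTime = (Get-Date).AddDays(-10).ToUniversalTime().ToString('o'); manager = @{ id = 'mgr-1' } }
    @{ displayName = 'Cara Lindqvist'; employeeType = 'Contractor'; employeeHireDate = $null;                createdDateTime = (Get-Date).AddDays(-400).ToUniversalTime().ToString('o'); manager = $null }
    @{ displayName = 'Dev Sharma';   employeeType = 'Employee';   employeeHireDate = '2025-10-15T00:00:00Z'; createdDateTime = (Get-Date).AddDays(-5).ToUniversalTime().ToString('o');  manager = @{ id = 'mgr-2' } }
    @{ displayName = 'Eli Moreau';   employeeType = '';           employeeHireDate = $null;                   createdDateTime = (Get-Date).AddDays(-800).ToUniversalTime().ToString('o'); manager = @{ id = 'mgr-2' } }
)

$users = if ($UseSampleData) { $sampleUsers } else {
    Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
    Get-MemberUsersForReadiness
}

$report = Measure-M2Readiness -Users $users -RecentHireDays $RecentHireDays
$report | Format-Table -AutoSize

# Dated export so successive runs show whether remediation is actually progressing
$report | Export-Csv -Path ("m2-readiness-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation

$allMet = -not ($report | Where-Object Status -ne 'MEETS TARGET')
if ($allMet) { Write-Host 'Module 2 data-quality targets: all met.' }
else         { Write-Host 'Module 2 data-quality targets: not yet met. Confirm remediation is in progress and compare with the previous dated CSV.' }
```

The script separates measurement (Measure-M2Readiness, which takes any array of user-shaped objects) from retrieval (Get-MemberUsersForReadiness), so the same scoring can be pointed at the CSV export from the IAM1.3 audit script or at sample data without a tenant. Guests are excluded by the userType filter on purpose: their lifecycle is governed by sponsor and expiry mechanisms rather than the joiner/mover/leaver workflows Module 2 builds.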

Module 2 produces the lifecycle workflow infrastructure — joiner, mover, and leaver automation — and the first governance cadence document (daily/weekly/monthly activities for lifecycle operations). The transition from "we've assessed the ecosystem" to "we're governing the lifecycle" happens in Module 2.

You're reading the free modules of Identity and Access Management in Microsoft 365
