Domain 4 of 4

Identity Governance

Domain · 20–25% of the SC-300 exam

Governance is access on a clock, not access for life

Most of identity work hands someone a permission and moves on. Identity governance assumes the opposite: every grant is temporary and has to keep earning its place. A contractor who got a SharePoint role for one project, an admin who needed Global Administrator once last quarter, a partner you onboarded a year ago, all of them keep their access by default unless something forces a recheck. The whole domain is the machinery that forces those rechecks, so access stays matched to need instead of quietly piling up into the over-privileged sprawl auditors flag. Microsoft Entra ID Governance is the licensed bundle that turns these features on, and the exam's favorite trap is licensing: entitlement management and access reviews need a Microsoft Entra ID Governance (or Entra Suite) subscription for the users involved, Privileged Identity Management needs Microsoft Entra ID P2 (which ID Governance includes), and only terms of use slips by on plain Microsoft Entra ID P1. "Entra ID P2 alone" is the wrong answer the moment a question turns on entitlement management or on the Governance-only review features like inactive-user scoping.

The domain unfolds as one lifecycle: grant, recertify, time-box, watch

Read the four subtopics as four stages of a single loop, in order. Entitlement Management is the front door: instead of an admin hand-assigning each group, app, and site, you build an access package that people request and that provisions everything inside it as one assignment, with approval and an expiry built in, including self-service onboarding of external partners as Microsoft Entra B2B guests. Access Reviews is the recurring recertification: a named reviewer periodically attests that each person still needs what they hold, so stale access gets caught instead of accumulating. Privileged Identity Management handles the highest-risk access by making it just-in-time: an admin is eligible for a role but holds no power until they activate it for a capped window with multifactor authentication, justification, and approval. Identity Monitoring closes the loop by watching it all: the three Entra activity logs, the diagnostic settings that ship them somewhere durable, and Identity Secure Score, which grades your posture against Microsoft's own benchmarks. Reach for them in that order when you design: grant it cleanly, recertify it on a schedule, time-box the dangerous parts, and keep the evidence.

When two answers both work, the exam rewards least standing privilege

The instinct that resolves most close calls here is to keep the smallest amount of access standing at any moment, then make everything else requestable, expiring, and reviewed. Prefer an eligible just-in-time assignment over a permanent active one; prefer a requestable access package with an expiry over a hand-assigned permanent grant; prefer a recurring access review over a one-time cleanup. That single bias also tells you which control owns a scenario. Recertifying who is still a Global Administrator is a PIM access review, not the Access Reviews blade, because privileged roles live in PIM; onboarding a partner's users to a resource is an access package, not a manual guest invite; and elevating into a role for an afternoon is PIM activation, never a standing assignment. The one deliberate exception proves the rule: break-glass emergency accounts are kept permanently active and outside PIM and Conditional Access on purpose, so a misconfigured just-in-time policy can never lock every administrator out of the tenant.

The governance lifecycle: which control owns each stage

Lifecycle stageQuestion it answersPrimary controlDrill into
GrantHow does the right person get the right access, cleanly?Access packages, catalogs, assignment policies (with approval and expiry)Entitlement Management
RecertifyDoes this person still need what they hold?Recurring access reviews with a named reviewer and apply settingsAccess Reviews
Time-boxShould this privilege stand all the time, or only when used?PIM eligible assignments, activation with MFA/justification/approval, break-glassPrivileged Identity Management
WatchWhat happened, and how good is our posture?Entra activity logs, diagnostic settings, Identity Secure ScoreIdentity Monitoring

Subtopics in this domain