# Entra ID Documentation
Audience: Platform Engineering, security administrators, identity managers
Purpose: Identity governance and access management best practices
## Quick Links
| Resource | Description |
|---|---|
| Entra Portal | Microsoft Entra admin center |
| PIM Best Practices | Privileged Identity Management guide |
| Guest Accounts | Guest access for Intune devices |
| Conditional Access | Microsoft CA documentation |
## Overview
Microsoft Entra ID (formerly Azure Active Directory) provides identity and access management for Texas A&M University's Microsoft 365 and Azure environments. This documentation covers identity governance, privileged access, and security configurations.
## Key Concepts
### Privileged Identity Management (PIM)
PIM provides just-in-time (JIT) access for privileged roles, reducing standing admin rights:
| Concept | Description |
|---|---|
| Eligible | User can activate role when needed (time-bound) |
| Active | User has role continuously (avoid except break-glass) |
| Activation | Process of requesting elevated access |
| Approval | Optional workflow for sensitive role activation |
Make all admin role assignments eligible rather than active. Maintain only two break-glass Global Admin accounts with permanent access.
### Administrative Units (AUs)
AUs provide delegated administration at the unit level:
| Naming | Purpose |
|---|---|
| AU-[FAMIS Code] | Contains groups and users for a specific unit |
Unit administrators holding the Groups Administrator role scoped to their AU can:
- Create and manage scope groups within the AU
- Manage user group memberships within the AU
They cannot access other units' resources, because the role assignment is scoped to the AU rather than the whole tenant.
### Role-Assignable Groups (RAGs)
Role-assignable groups enable group-based role management:
| Requirement | Details |
|---|---|
| Creation | Must set "Microsoft Entra roles can be assigned" at creation |
| Membership | Must be static (assigned), not dynamic |
| Management | Only Global Admin, Privileged Role Admin, or group owner |
| Limit | Maximum 500 per tenant |
Always use role-assignable groups for any group assigned to Entra roles. Non-role-assignable groups lack sufficient protection against privilege escalation.
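The following Python is an added example (not tooling from this page or from Microsoft) that audits an inventory of Graph group objects against the requirements in the table above: every group that is a principal of an Entra role assignment must have `isAssignableToRole` set and static membership, and the tenant must stay under the 500 role-assignable-group limit. The group records and the list of role-assigned group ids are constructed sample data; in practice they would come from the Graph `groups` resource and the principals of the directory role assignments.

```python
"""Audit groups that carry Entra role assignments (added example, not the
page's own tooling). Group records follow the Microsoft Graph 'group' shape
for the fields used here: id, displayName, isAssignableToRole, groupTypes
(contains "DynamicMembership" for dynamic groups) and membershipRule. The
sample records are constructed."""
from dataclasses import dataclass


@dataclass
class Finding:
    group: str      # display name, or the id when the group is unknown
    problem: str


def audit_role_groups(groups, role_assigned_group_ids, tenant_limit=500):
    """Return one Finding per violated requirement.

    groups:                  inventory of Graph group objects (dicts)
    role_assigned_group_ids: ids of groups that are principals of an Entra
                             role assignment or eligibility
    tenant_limit:            maximum role-assignable groups per tenant
    """
    findings = []
    by_id = {g["id"]: g for g in groups}

    for gid in role_assigned_group_ids:
        g = by_id.get(gid)
        if g is None:
            findings.append(Finding(gid, "role-assigned group missing from inventory"))
            continue
        name = g.get("displayName", gid)
        # isAssignableToRole can only be set at creation, so the fix is to
        # create a new role-assignable group and move the assignment.
        if not g.get("isAssignableToRole", False):
            findings.append(Finding(name, "not role-assignable; recreate as a role-assignable group"))
        # Role-assignable groups must use assigned (static) membership.
        if "DynamicMembership" in g.get("groupTypes", []) or g.get("membershipRule"):
            findings.append(Finding(name, "dynamic membership; role groups must be static"))

    rag_count = sum(1 for g in groups if g.get("isAssignableToRole"))
    if rag_count >= tenant_limit:
        findings.append(Finding("(tenant)", f"{rag_count} role-assignable groups; limit is {tenant_limit}"))
    return findings


# Constructed sample inventory.
SAMPLE_GROUPS = [
    {"id": "g-exo", "displayName": "RAG-Exchange-Admins",
     "isAssignableToRole": True, "groupTypes": [], "membershipRule": None},
    {"id": "g-dyn", "displayName": "Dyn-Helpdesk",
     "isAssignableToRole": False, "groupTypes": ["DynamicMembership"],
     "membershipRule": '(user.department -eq "IT")'},
    {"id": "g-plain", "displayName": "Plain-Security-Group",
     "isAssignableToRole": False, "groupTypes": [], "membershipRule": None},
]
SAMPLE_ROLE_ASSIGNED = ["g-exo", "g-dyn", "g-missing"]

if __name__ == "__main__":
    for f in audit_role_groups(SAMPLE_GROUPS, SAMPLE_ROLE_ASSIGNED):
        print(f"{f.group}: {f.problem}")
```

Run against the sample inventory it reports three findings: the dynamic group is neither role-assignable nor static, and one role-assigned id has no matching group. The limit check is a count, not a warning threshold, so lower `tenant_limit` in a scheduled job if you want early notice.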
## Documentation
### Identity Governance
| Document | Description |
|---|---|
| PIM Best Practices | Comprehensive PIM configuration guide |
| Guest Accounts for Intune | Guest access configuration |
### Related Intune Documentation
| Document | Description |
|---|---|
| Scope Groups & Naming | Group naming conventions |
| Endpoint RBAC | Custom Intune roles |
## PIM Approaches
There are two approaches to role assignment with PIM:
### Approach 1: Group Eligible for Role (Recommended)
- Group assigned as Eligible to the role
- Users are permanent members of the group
- Each user activates role individually when needed
- Recommended for: Exchange, SharePoint, Purview roles
### Approach 2: PIM-Controlled Group Membership
- Group permanently assigned as Active to the role
- Users activate group membership via PIM
- Joining group grants associated role(s)
- Recommended for: Role bundles (e.g., Helpdesk = 3 roles)
## Break-Glass Accounts
Maintain two emergency access accounts:
| Requirement | Details |
|---|---|
| Naming | Use *.onmicrosoft.com domain |
| MFA | Phishing-resistant (FIDO2 or CBA) |
| Assignment | Permanent Global Administrator |
| CA Exclusion | Exclude from most Conditional Access policies |
| Monitoring | Alert on any sign-in activity |
| Documentation | Secure storage of credentials |
Break-glass accounts are exclusively for emergency scenarios when PIM is unavailable or misconfigured.
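The Python below is an added example (not tooling from this page's authors or from Microsoft) that ties together the two PIM approaches and the break-glass requirements above. It classifies group-based assignments as Approach 1 (group eligible for a role) or Approach 2 (group permanently active, members activate membership), and flags any permanent active assignment held by a user, with the only sanctioned exception being the two break-glass accounts' permanent Global Administrator. The record shapes are assumed to match Graph's `roleEligibilityScheduleInstances` and `roleAssignmentScheduleInstances` (`principalId`, `roleDefinitionId`, `memberType`, `assignmentType`, `endDateTime`); the principal and role lookups, the account names and the `example.onmicrosoft.com` domain are constructed placeholders.

```python
"""PIM posture audit over Microsoft Graph role-schedule records (added example,
not the page's own tooling). Assumed record shapes, from Graph's
roleEligibilityScheduleInstances and roleAssignmentScheduleInstances:
principalId, roleDefinitionId, memberType ("Direct" or "Group"),
assignmentType ("Assigned" or "Activated") and endDateTime (null when
permanent). Principals and role definitions are passed in as lookups the
caller has already fetched. All records below are constructed."""

GLOBAL_ADMIN = "Global Administrator"
GROUP_TYPE = "#microsoft.graph.group"


def audit_pim(eligible, active, principals, roles, break_glass_upns):
    """Classify group-based assignments and flag standing user access.

    Returns a dict with:
      approach1  - (group, role) pairs where a group is eligible for a role
      approach2  - (group, role) pairs where a group holds a role permanently
      violations - standing user assignments and break-glass problems
    """
    approach1, approach2, violations = [], [], []
    break_glass = {u.lower() for u in break_glass_upns}
    break_glass_with_ga = set()

    for inst in eligible:
        if inst.get("memberType") == "Group":
            continue  # eligibility inherited through a group; the group itself is audited
        p = principals.get(inst["principalId"], {})
        if p.get("@odata.type") == GROUP_TYPE:
            approach1.append((p["displayName"], roles[inst["roleDefinitionId"]]))

    for inst in active:
        if inst.get("memberType") == "Group":
            continue  # inherited from a group assignment
        if inst.get("assignmentType") == "Activated":
            continue  # a JIT activation in progress: normal PIM behaviour
        if inst.get("endDateTime") is not None:
            continue  # time-bound, so not standing access
        p = principals.get(inst["principalId"], {})
        role = roles[inst["roleDefinitionId"]]
        if p.get("@odata.type") == GROUP_TYPE:
            approach2.append((p["displayName"], role))  # PIM-controlled membership
            continue
        upn = p.get("userPrincipalName", inst["principalId"]).lower()
        if role == GLOBAL_ADMIN and upn in break_glass:
            break_glass_with_ga.add(upn)  # the one sanctioned standing assignment
            continue
        violations.append(f"{upn} holds permanent active {role}; convert to eligible")

    for upn in sorted(break_glass - break_glass_with_ga):
        violations.append(f"break-glass account {upn} lacks permanent {GLOBAL_ADMIN}")
    if len(break_glass) != 2:
        violations.append(f"expected two break-glass accounts, allowlist has {len(break_glass)}")
    return {"approach1": approach1, "approach2": approach2, "violations": violations}


# Constructed sample data. The onmicrosoft.com domain is a placeholder.
ROLES = {"r-ga": GLOBAL_ADMIN, "r-exo": "Exchange Administrator",
         "r-hd": "Helpdesk Administrator", "r-auth": "Authentication Administrator",
         "r-user": "User Administrator"}
PRINCIPALS = {
    "u-bg1": {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "bg1@example.onmicrosoft.com"},
    "u-bg2": {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "bg2@example.onmicrosoft.com"},
    "u-alice": {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "alice@example.edu"},
    "u-bob": {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "bob@example.edu"},
    "g-exo": {"@odata.type": GROUP_TYPE, "displayName": "RAG-Exchange-Admins"},
    "g-hd": {"@odata.type": GROUP_TYPE, "displayName": "RAG-Helpdesk"},
}
BREAK_GLASS = ["bg1@example.onmicrosoft.com", "bg2@example.onmicrosoft.com"]


def _assigned(pid, rid, end=None, kind="Assigned"):
    return {"principalId": pid, "roleDefinitionId": rid, "memberType": "Direct",
            "assignmentType": kind, "endDateTime": end}


ELIGIBLE = [{"principalId": "g-exo", "roleDefinitionId": "r-exo", "memberType": "Direct", "endDateTime": None}]
ACTIVE = [
    _assigned("u-bg1", "r-ga"), _assigned("u-bg2", "r-ga"),             # sanctioned break-glass
    _assigned("u-alice", "r-exo"),                                        # standing user access: violation
    _assigned("u-bob", "r-exo", "2025-01-01T10:00:00Z", "Activated"),     # JIT activation: fine
    _assigned("g-hd", "r-hd"), _assigned("g-hd", "r-auth"), _assigned("g-hd", "r-user"),  # role bundle
]

if __name__ == "__main__":
    for line in audit_pim(ELIGIBLE, ACTIVE, PRINCIPALS, ROLES, BREAK_GLASS)["violations"]:
        print(line)
```

On the sample data the audit reports one violation (alice's permanent Exchange Administrator assignment), recognises the Exchange group as Approach 1 and the three-role helpdesk bundle as Approach 2, and stays silent about the two break-glass accounts. Removing one break-glass account's assignment, or shrinking the allowlist to a single account, produces the corresponding break-glass finding, which is the check worth running on a schedule alongside the sign-in alerting in the table above.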
## Related Resources
- Intune Documentation — Endpoint management
- Internal Teams — Platform Engineering contact
- Admin By Request — Privilege management
- Entra ID Documentation — Microsoft documentation