Explore how new capabilities in Microsoft Entra help modernize governance, streamline access, and reduce risk.
Identity governance is changing. As work spans cloud applications, remote settings, and on-premises systems, tracking and managing access becomes increasingly important. Organizations need effective controls to oversee access, minimize manual tasks, and meet compliance requirements while keeping the business systems they depend on running.
To help organizations move governance to the cloud and gain stronger security controls, we’re excited to announce the public preview of two new capabilities that further modernize identity governance and address critical challenges in access management:
- Group Source of Authority (SOA) conversion streamlines governance by converting legacy Active Directory (AD) groups into dynamic, policy-driven groups managed in Microsoft Entra ID, while keeping on-premises app compatibility.
- Face Check in Entitlement Management adds high-assurance identity verification to Entitlement Management by requiring users to present a valid digital credential to prove who they are before they are granted access.
Group SOA conversion: Cloud governance for legacy groups
Many critical applications still rely on Active Directory (AD) security groups. These groups are often manually managed, with no lifecycle policies, no approval workflows, and no visibility into who should still have access.
Group SOA conversion changes that by enabling cloud-first governance of legacy AD groups without breaking compatibility. It brings modern governance to legacy groups by enabling you to:
- Manage groups in the cloud. Shift the source of authority for AD groups to Microsoft Entra ID, giving you a single place to manage membership with greater flexibility and visibility.
- Simplify on-premises cleanup. Once governed in the cloud, unused or redundant groups can be safely removed from Active Directory, reducing clutter and improving manageability.
- Extend governance to on-premises apps. With Group SOA conversion and group writeback, you can apply modern governance policies, including request workflows, expiration, and AI-assisted reviews, to groups that still control access to on-premises applications.
The result: quick deployment and secure governance for hybrid environments, delivered from the cloud with no disruption to apps that still depend on Active Directory groups.
To learn more about Group SOA and how it can help you adopt a cloud-first strategy for groups, check out this video.
Face check in entitlement management: Securing access with real-time identity verification
Identity verification is just as critical as verifying access, especially when onboarding users into sensitive roles. Manual identity checks can slow down onboarding and introduce risk, particularly for contractors and guests.
Microsoft Entra now integrates Verified ID and Face Check directly into Entitlement Management, enabling real-time identity verification before access is granted.
This integration allows you to:
- Automate privacy-respecting identity verification. Match a user’s selfie to a government-issued credential before granting access to an access package.
- Accelerate onboarding. Eliminate manual checks and reduce delays for users entering regulated or privileged roles.
- Strengthen access assurance. Ensure only the right people get access to the right resources, with confidence and compliance.
The result: faster onboarding, fewer delays, and stronger security, delivered without compromising the user experience.
Scenario: Governing on-premises applications without changing the app
Now let’s walk through a real-world scenario to see how both capabilities help Contoso Finance modernize access to a critical on-premises application without changing the app itself.
At Contoso Finance, the Finance department depends on a business-critical application hosted on-premises. Access is controlled through a traditional AD security group — a setup that still works but offers little flexibility. Membership is updated manually, with no expiration policy, no approval workflow, and no clear visibility into who should still have access.
This kind of configuration is still widespread, especially in environments where cloud adoption is happening alongside long-standing infrastructure. While the application itself isn’t moving to the cloud anytime soon, the way access is governed can, and should, evolve.
Transferring control to the cloud
The AD security group tied to the Finance app is transitioned to cloud management using Group SOA conversion. The group now becomes editable in the cloud and integrated into governance workflows. Cloud Sync can provision any security group membership changes to the existing AD security group, so the on-premises app continues to function as expected.
From the app’s perspective, nothing has changed. But for the identity team, everything has — the group’s membership is now fully governable using cloud-native tools like lifecycle workflows, access packages, and periodic access reviews.
Introducing request and lifecycle governance
With the group managed in Microsoft Entra, it’s wrapped in an access package. Employees who need access to the Finance system must now submit a request, which goes through a defined approval workflow. Access is time-bound, automatically expiring unless renewed. This introduces clear business justification and auditability into a process that used to rely on static group membership.
Because this access package governs highly confidential financial information, Contoso adds an additional layer of identity verification before granting access. By integrating Microsoft Entra Verified ID with Entitlement Management, users must complete a privacy-respecting Face Check, matching a real-time selfie against a government-issued ID. This ensures that only the intended individual gains access, while also relieving managers of manual identity validation.
For Contoso Finance, this means access is not only governed by policy-based workflows and time-bound controls, but also reinforced with real-time identity verification — delivering a fully auditable, end-to-end approach to securing sensitive financial data.
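The Contoso Finance walkthrough above (convert the group’s source of authority, wrap it in an access package, require approval and expiration, require a Verified ID credential) can be scripted against Microsoft Graph. The following PowerShell is an added example written for this page; it is not code from the blog post or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK, an administrator session with the listed permissions, and the Graph endpoint shapes as documented at the time of writing (the `onPremisesSyncBehavior` resource is in the beta API; verify all endpoints against current documentation before use). Every ID, issuer DID and credential type is a placeholder.

```powershell
# Added example, not from the original post or from Microsoft.
# Governs an AD-synced group through an access package after converting its
# source of authority to Entra ID. All IDs below are placeholders.
# Assumption: Microsoft.Graph SDK installed; endpoint shapes per Graph docs.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'EntitlementManagement.ReadWrite.All'

$groupId   = '<object id of the synced AD group>'     # placeholder
$catalogId = '<entitlement management catalog id>'    # placeholder
$issuerDid = 'did:web:<verified-id-authority>'        # placeholder issuer DID
$credType  = 'VerifiedEmployee'                       # placeholder credential type
$graph     = 'https://graph.microsoft.com'

# 1. Check the group's current source of authority, then move it to the cloud.
#    Afterwards Entra ID is authoritative and Cloud Sync group writeback keeps
#    the on-premises copy updated, so the legacy app keeps working unchanged.
$soa = Invoke-MgGraphRequest -Method GET -Uri "$graph/beta/groups/$groupId/onPremisesSyncBehavior"
if (-not $soa.isCloudManaged) {
    Invoke-MgGraphRequest -Method PATCH `
        -Uri "$graph/beta/groups/$groupId/onPremisesSyncBehavior" `
        -Body (@{ isCloudManaged = $true } | ConvertTo-Json)
}

# 2. Make the group available to entitlement management by adding it to a catalog.
$resourceRequest = @{
    requestType = 'adminAdd'
    resource    = @{ originId = $groupId; originSystem = 'AadGroup' }
    catalog     = @{ id = $catalogId }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/v1.0/identityGovernance/entitlementManagement/resourceRequests" `
    -Body ($resourceRequest | ConvertTo-Json -Depth 5)

# 3. Create the access package and attach the group's Member role to it.
$package = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/v1.0/identityGovernance/entitlementManagement/accessPackages" `
    -Body (@{ displayName = 'Finance app access'; catalog = @{ id = $catalogId } } | ConvertTo-Json)

$resource = (Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/v1.0/identityGovernance/entitlementManagement/catalogs/$catalogId/resources?`$filter=originId eq '$groupId'").value[0]

$roleScope = @{
    role  = @{ originId = "Member_$groupId"; originSystem = 'AadGroup'; resource = @{ id = $resource.id } }
    scope = @{ originId = $groupId; originSystem = 'AadGroup' }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/v1.0/identityGovernance/entitlementManagement/accessPackages/$($package.id)/resourceRoleScopes" `
    -Body ($roleScope | ConvertTo-Json -Depth 5)

# 4. Policy: employees may request, their manager approves with a justification,
#    access expires after 90 days unless renewed, and a Verified ID credential
#    from the configured issuer must be presented with the request.
$policy = @{
    displayName        = 'Finance staff, manager approval, 90 days'
    accessPackage      = @{ id = $package.id }
    allowedTargetScope = 'allMemberUsers'
    expiration         = @{ type = 'afterDuration'; duration = 'P90D' }
    requestorSettings  = @{ enableTargetsToSelfAddAccess = $true }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd = $true
        stages = @(@{
            durationBeforeAutomaticDenial   = 'P7D'
            isApproverJustificationRequired = $true
            primaryApprovers = @(@{ '@odata.type' = '#microsoft.graph.requestorManager'; managerLevel = 1 })
        })
    }
    verifiableCredentialSettings = @{
        credentialTypes = @(@{ issuers = @($issuerDid); credentialType = $credType })
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/v1.0/identityGovernance/entitlementManagement/assignmentPolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10)
```

Two points worth checking before running this in a real tenant: the SOA conversion in step 1 is the one-way change the post describes, so confirm group writeback through Cloud Sync is already configured for that group, or the on-premises copy will stop receiving membership updates. Step 4 shows only the credential-type requirement on the policy; the Face Check match itself is configured on the Verified ID side, and which property (if any) enables it at the policy level is not something this example assumes.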
Modern controls, legacy compatibility
What started as a static AD group tied to a legacy application is now governed through policy, automation, and intelligence, without rewriting the app or migrating away from AD. Contoso Finance’s identity team now has:
- Cloud-governed security groups synced back to AD.
- Approval workflows and expiration policies.
- High-assurance identity verification with Face Check in Verified ID.
Contoso Finance didn’t need to modernize the app to secure and govern access to it. And that’s the real power of Microsoft Entra ID Governance.
Get started
Microsoft Entra ID Governance is designed to meet identity teams where they are, including managing access to legacy apps with AD dependencies. Through cloud-native policy, hybrid group support, and real-time identity verification, Microsoft Entra enables you to bring structure, automation, and intelligence to the systems you rely on today.
To see these capabilities in action, register for Cabin check-in: Ensure least privilege access. You can also explore the full Microsoft Entra Suite Summer Camp webinar lineup.
To fully capitalize on the value of Microsoft Entra Suite, read the recent blog or get started with a free trial to experience the benefits for yourself.
--Joseph Dadzie, VP Product Management