Entra ID Governance Toolkit

Microsoft Identity Governance Automation with SIEM Integration

Enterprise identity governance automation for Conditional Access, PIM, Access Reviews, and Splunk SIEM correlation

The Problem

Microsoft Entra ID Governance is Complex

Enterprise challenges with Microsoft identity:

Conditional Access policies grow unmanaged (100+ policies)
PIM activations lack visibility and audit correlation
Access Reviews pile up with low completion rates
SOC teams lack identity context in SIEM

Manual governance leads to:

Policy conflicts and gaps
Standing admin access violations
Compliance audit failures
Slow incident response times

What Organizations Need

Modern identity governance requires:

Automated analysis of CA policies and conflicts
PIM monitoring with risk scoring
Access Review automation for scale
SIEM integration for SOC visibility
Compliance reporting for audits
PowerShell automation for AD admins

This toolkit bridges IAM and SecOps.

The Solution: Entra ID Governance Toolkit

Complete governance automation across all Entra ID pillars:

Capability	Technology	Outcome
CA Analysis	Graph API + Policy Engine	Find gaps and conflicts
PIM Monitoring	Role Activation Tracking	Standing access violations
Access Reviews	Automation Framework	95%+ completion rate
SIEM Integration	Splunk HEC + CIM	SOC identity visibility
Compliance	Automated Reports	Audit-ready evidence
PowerShell	Admin Scripts	Familiar AD tooling

Screenshots

Dashboard Views

Governance Dashboard
KPIs and security score

Conditional Access
Policy analysis

PIM Analysis
Standing access detection

Additional Views

Access Reviews
Completion tracking

Compliance Reports
Audit-ready evidence

Why Splunk SIEM Integration? (v1.1)

The Integration Rationale

Splunk was chosen for v1.1 because:

Market Leader - #1 SIEM platform in enterprises
HEC Protocol - HTTP Event Collector is industry standard
CIM Compliance - Common Information Model for interoperability
Enterprise Security - Native ES app integration
SOC Workflows - Familiar to security analysts

Skills Demonstrated

SIEM integration patterns
HTTP Event Collector (HEC) protocol
CIM data model mapping
Correlation score calculation
Automated remediation triggers

Before vs After

Metric	v1.0	v1.1
SIEM Integration	None	Splunk
Event Forwarding	Manual	Automatic
Alert Correlation	None	Real-time
SOC Visibility	Limited	Full

Event Types Forwarded

Access Review decisions
PIM role activations
CA policy changes
Entitlement modifications
Compliance violations

Architecture

                                MICROSOFT ENTRA ID
    ┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
    │  Conditional    │    │      PIM        │    │    Access       │
    │    Access       │    │   Activations   │    │    Reviews      │
    └────────┬────────┘    └────────┬────────┘    └────────┬────────┘
             │                      │                      │
             └──────────────────────┼──────────────────────┘
                                    │
                                    ▼
    ┌─────────────────────────────────────────────────────────────────┐
    │                    MICROSOFT GRAPH API                          │
    │  ┌──────────────────────────────────────────────────────────┐  │
    │  │  MSAL Authentication + Token Caching + Retry Logic       │  │
    │  └──────────────────────────────────────────────────────────┘  │
    └─────────────────────────────┬───────────────────────────────────┘
                                  │
                                  ▼
    ┌─────────────────────────────────────────────────────────────────┐
    │                    ANALYSIS ENGINE                               │
    │                                                                  │
    │  ┌──────────────┐  ┌──────────────┐  ┌──────────────────────┐  │
    │  │ CA Analyzer  │  │ PIM Analyzer │  │  Review Analyzer     │  │
    │  │ ────────────│  │ ────────────│  │ ────────────────────│  │
    │  │ Policy Score │  │ Standing    │  │ Completion Rate      │  │
    │  │ Gap Detection│  │ Access      │  │ Bulk Approval        │  │
    │  │ Conflicts    │  │ Violations  │  │ Overdue Detection    │  │
    │  └──────────────┘  └──────────────┘  └──────────────────────┘  │
    └─────────────────────────────┬───────────────────────────────────┘
                                  │
            ┌─────────────────────┼─────────────────────┐
            ▼                     ▼                     ▼
    ┌──────────────┐      ┌──────────────┐      ┌──────────────┐
    │   FastAPI    │      │    React     │      │   Splunk     │
    │   Backend    │      │   Frontend   │      │   SIEM       │
    │              │      │              │      │              │
    │ 15+ Endpoints│      │ Dashboards   │      │ HEC Events   │
    │ REST API     │      │ Reports      │      │ CIM Format   │
    └──────────────┘      └──────────────┘      └──────────────┘

Features

Conditional Access Analysis

Policy coverage assessment
MFA enforcement gaps
Legacy auth block verification
Policy conflict detection
Security scoring (0-100)

PIM Monitoring

Standing admin access detection
Activation history tracking
Excessive privilege identification
Role eligibility analysis
Compliance violation alerts

Access Review Automation

Completion rate tracking
Bulk approval workflows
Overdue review detection
Reviewer assignment
Evidence export

Splunk SIEM Integration

HEC event forwarding
CIM data model compliance
Correlation scoring
Auto-remediation triggers
Alert webhook receiver

Quick Start

Prerequisites

Python 3.11+
Node.js 18+
Microsoft Entra ID tenant (free tier works)
Splunk instance (optional, mock mode available)

Installation

# Clone repository
git clone https://github.com/MikeDominic92/entra-id-governance.git
cd entra-id-governance

# Backend setup
python -m venv venv
source venv/bin/activate  # Windows: venv\Scripts\activate
pip install -r requirements.txt
cp .env.example .env

# Frontend setup (new terminal)
cd frontend
npm install

Configuration

# .env configuration
AZURE_TENANT_ID=your-tenant-id
AZURE_CLIENT_ID=your-app-registration-id
AZURE_CLIENT_SECRET=your-client-secret

# Splunk Configuration (optional)
SPLUNK_ENABLED=true
SPLUNK_HEC_URL=https://splunk.company.com:8088
SPLUNK_HEC_TOKEN=your-hec-token
SPLUNK_MOCK_MODE=false  # Set true for demo

Run the Platform

# Start Backend
python -m src.api.main

# Start Frontend (new terminal)
cd frontend && npm run dev

Access Points

API Docs: http://localhost:8000/docs
Frontend: http://localhost:3000

API Endpoints

Governance Analysis

Method	Endpoint	Description
GET	`/api/v1/ca/policies`	List CA policies
GET	`/api/v1/ca/analysis`	Policy analysis report
GET	`/api/v1/pim/assignments`	PIM role assignments
GET	`/api/v1/pim/violations`	Standing access violations
GET	`/api/v1/reviews/pending`	Pending access reviews
POST	`/api/v1/reviews/bulk-approve`	Bulk approval

Splunk Integration (v1.1)

Method	Endpoint	Description
GET	`/api/v1/splunk/health`	Connection status
GET	`/api/v1/splunk/statistics`	Forwarding stats
POST	`/api/v1/splunk/events/forward`	Manual event forward
POST	`/api/v1/splunk/alerts/webhook`	Receive Splunk alerts

v1.1 Splunk Integration Example

from src.integrations import SplunkHECConnector, EventForwarder

# Initialize connector
splunk = SplunkHECConnector(
    hec_url="https://splunk.company.com:8088",
    hec_token="your-token",
    index="identity_governance"
)

# Forward PIM activation event
forwarder = EventForwarder(splunk)
forwarder.forward_pim_activation(
    user_id="user@company.com",
    role_name="Global Administrator",
    activation_duration=8,
    justification="Emergency change request CR-12345"
)

# Statistics
stats = forwarder.get_statistics()
print(f"Events forwarded: {stats['events_sent']}")
print(f"Failed: {stats['events_failed']}")

Use Cases

1. CA Policy Audit

Scenario: 150 CA policies accumulated over 3 years.

Analysis:

Score each policy (0-100)
Identify MFA gaps
Find conflicting conditions
Detect legacy auth exposure

Outcome: Consolidated to 45 policies, gaps closed.

2. PIM Compliance

Scenario: SOX audit requires JIT access evidence.

Analysis:

Identify standing admin access
Track activation history
Measure average activation duration
Export compliance evidence

Outcome: Zero standing access findings.

3. Access Review Automation

Scenario: 500 pending reviews, 30% completion rate.

Automation:

Auto-remind reviewers
Escalate overdue reviews
Bulk approve low-risk items
Dashboard tracking

Outcome: 95% completion rate achieved.

4. SOC Identity Correlation

Scenario: Security incident requires identity context.

Integration:

Real-time PIM events to Splunk
CA policy change alerts
Access review decisions
Correlation with other security events

Outcome: MTTR reduced by 60%.

Project Structure

entra-id-governance/
├── src/
│   ├── api/                 # FastAPI application
│   │   ├── main.py          # Entry point
│   │   └── routes/          # API routes
│   ├── analyzers/           # Governance analyzers
│   │   ├── conditional_access.py
│   │   ├── pim_analyzer.py
│   │   ├── access_reviews.py
│   │   └── entitlements.py
│   ├── automation/          # Automation tools
│   │   ├── pim_activator.py
│   │   ├── policy_enforcer.py
│   │   └── review_processor.py
│   ├── integrations/        # v1.1: SIEM integration
│   │   ├── splunk_connector.py
│   │   ├── event_forwarder.py
│   │   └── alert_receiver.py
│   └── graph_client.py      # Microsoft Graph client
├── powershell/              # PowerShell scripts
├── frontend/                # React dashboard
└── docs/                    # Documentation

Skills Demonstrated

Category	Technologies
Identity	Microsoft Entra ID, Graph API, MSAL
Governance	Conditional Access, PIM, Access Reviews
SIEM	Splunk HEC, CIM Data Model, Correlation
Backend	Python, FastAPI, Pydantic
Frontend	React, TypeScript, Material-UI
Automation	PowerShell, Microsoft Graph SDK

Roadmap

v1.0: CA, PIM, Access Review analysis
v1.1: Splunk SIEM integration
v1.2: Microsoft Sentinel integration
v1.3: Teams notifications
v2.0: Multi-tenant support

Author

Mike Dominic

GitHub: @MikeDominic92
Focus: IAM Governance, Compliance Automation, Zero Trust Architecture

Chainguard IT Engineer (Identity/IAM) Alignment

This project demonstrates key competencies for senior IAM engineering roles:

Requirement	Evidence
Zero Trust architecture	Conditional Access policies with device compliance
IAM governance and RBAC	PIM role management and entitlement controls
SOC 2/ISO 27001/NIST compliance	Control mappings in `docs/compliance/`
Audit evidence preparation	Evidence generator documentation
Access review automation	Access review completion tracking

Enterprise Entra ID Governance with Compliance Automation
_{Demonstrates Conditional Access, PIM, Access Reviews, and SOC 2/ISO 27001 Compliance}

Name		Name	Last commit message	Last commit date
Latest commit History 20 Commits
.github		.github
docs		docs
frontend		frontend
powershell		powershell
src		src
tests		tests
.env.example		.env.example
.gitignore		.gitignore
CHANGELOG.md		CHANGELOG.md
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
README.md		README.md
requirements.txt		requirements.txt

License

MikeDominic92/entra-id-governance

Folders and files

Latest commit

History

Repository files navigation

Entra ID Governance Toolkit

Microsoft Identity Governance Automation with SIEM Integration

The Problem

Microsoft Entra ID Governance is Complex

What Organizations Need

The Solution: Entra ID Governance Toolkit

Screenshots

Dashboard Views

Additional Views

Why Splunk SIEM Integration? (v1.1)

The Integration Rationale

Skills Demonstrated

Before vs After

Event Types Forwarded

Architecture

Features

Conditional Access Analysis

PIM Monitoring

Access Review Automation

Splunk SIEM Integration

Quick Start

Prerequisites

Installation

Configuration

Run the Platform

Access Points

API Endpoints

Governance Analysis

Splunk Integration (v1.1)

v1.1 Splunk Integration Example

Use Cases

1. CA Policy Audit

2. PIM Compliance

3. Access Review Automation

4. SOC Identity Correlation

Project Structure

Skills Demonstrated

Roadmap

Author

Chainguard IT Engineer (Identity/IAM) Alignment

About

Topics

Resources

License

Contributing

Security policy

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages