Governance and identity how-to guides
Use these guides to turn cached governance and access data into verified review outcomes. The pages distinguish read-only analysis from local writes and Azure-side remediation.
| Goal | Guide |
|---|---|
| Scan and inventory policy | Inventory and assignments |
| Analyze policy ownership, scope, trends, and pivots | Policy pivots and history |
| Resolve effective policy and governance risks | Effective policy and advisors |
| Plan a staged policy change | Rollout Planner and AI tools |
| Reconcile observed policy with IaC | Policy drift and IaC |
| Triage identity, PIM, and applications | Identity reviews and handoffs |
| Review and export effective access | RBAC access reviews |
Common operating pattern
- Select the intended tenant connection and the narrowest useful workload or scope.
- Check generated time, cache age, collector status, and truncation or partial-result warnings.
- Refresh only the collector needed for the decision.
- Filter before interpreting totals or exporting.
- Validate a candidate against Azure, Entra, Policy Insights, or the authoritative IaC repository.
- Use an approved external change process, then refresh the affected data and preserve verification evidence.
Never put client secrets, access tokens, share tokens, real tenant IDs, object IDs, or user identifiers in prompts, exports used as examples, tickets, or documentation.