Separation of Duties in Microsoft Entra
The alert fired at 3:07 a.m. Something in the access graph was wrong. One account had both create-user and approve-access permissions. In Microsoft Entra, that is a violation of Separation of Duties.
Separation of Duties (SoD) is a rule that no single identity should control all steps of a critical process. In Entra, this means dividing permissions so no one account or role can bypass checks. Without SoD, a bad actor—or a simple mistake—can provision and approve themselves for sensitive systems before anyone notices.
Microsoft Entra provides built-in features to enforce SoD at scale. Role-based access control (RBAC) defines which identities can perform which actions. Privileged Identity Management (PIM) provides just-in-time activation of privileged roles together with approval workflows. Access reviews let you audit assignments on a regular cadence. Conditional Access policies add another layer of enforcement. Together, these tools let you design the access boundaries that keep critical systems secure.
To implement SoD in Entra:
- Identify processes in which more than one step carries risk.
- Map roles so that no single role spans the entire process.
- Use PIM to require a separate approval for each sensitive step.
- Schedule access reviews to catch drift or violations.
- Monitor audit logs for changes to role assignments.
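The two checks that can be automated, the role-mapping check (step 2) and the audit-log monitor (step 5), look like this in practice. The following is an added example, not code from the original post or from hoop.dev. It runs on constructed in-memory records shaped like Microsoft Graph's `roleAssignment` and `directoryAudit` objects so it works offline; in a real tenant the two input lists would be fetched from Graph. The role names are real built-in Entra roles, but which pairs count as "toxic" (`TOXIC_PAIRS`) is an assumed example policy, and `_audit` is a helper that only builds sample records.

```python
"""Separation of Duties (SoD) checks over Microsoft Entra role data.

Added example; not code from the original page or from hoop.dev. Everything
below runs on constructed records so it works offline.
"""
import json
from collections import defaultdict

# Assumed SoD policy: role pairs that let one identity both provision access
# and approve or elevate it. A real policy is an organisational decision.
TOXIC_PAIRS = {
    frozenset({"User Administrator", "Privileged Role Administrator"}),
    frozenset({"User Administrator", "Global Administrator"}),
    frozenset({"Application Administrator", "Privileged Role Administrator"}),
}


def active_roles(assignments):
    """Map principalId -> set of tenant-wide, active role names.

    PIM-eligible assignments are skipped: activation still passes through the
    approval step, so on their own they do not break SoD. Assignments scoped
    below the tenant root ('/') are skipped as well.
    """
    held = defaultdict(set)
    for a in assignments:
        if a.get("assignmentType", "active") != "active":
            continue
        if a.get("directoryScopeId", "/") != "/":
            continue
        held[a["principalId"]].add(a["roleDisplayName"])
    return held


def find_sod_conflicts(assignments):
    """Step 2: {principalId: [(roleA, roleB), ...]} for every principal whose
    active roles contain a toxic pair."""
    conflicts = {}
    for pid, roles in active_roles(assignments).items():
        hits = sorted(tuple(sorted(p)) for p in TOXIC_PAIRS if p <= roles)
        if hits:
            conflicts[pid] = hits
    return conflicts


def _role_from_audit(record):
    """Extract the role name from a directoryAudit record; Graph stores the
    Role.DisplayName value as a JSON-encoded string, hence json.loads."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return json.loads(prop.get("newValue") or prop.get("oldValue"))
    return None


def replay_role_changes(audit_records, assignments):
    """Step 5: replay role add/remove audit events on top of the current
    assignments; return one alert per event that completes a toxic pair."""
    held = active_roles(assignments)
    alerts = []
    for rec in sorted(audit_records, key=lambda r: r["activityDateTime"]):
        activity = rec["activityDisplayName"]
        if activity not in ("Add member to role", "Remove member from role"):
            continue
        role = _role_from_audit(rec)
        user = rec["targetResources"][0]["id"]
        if activity == "Remove member from role":
            held[user].discard(role)
            continue
        for pair in TOXIC_PAIRS:
            if role in pair and pair <= held[user] | {role}:
                alerts.append({
                    "when": rec["activityDateTime"],
                    "user": user,
                    "roleAdded": role,
                    "conflictsWith": next(iter(pair - {role})),
                    "initiatedBy": rec["initiatedBy"]["user"]["userPrincipalName"],
                })
        held[user].add(role)
    return alerts


# Constructed sample data (not from any real tenant).
ASSIGNMENTS = [
    {"principalId": "u-alice", "roleDisplayName": "User Administrator"},
    {"principalId": "u-alice", "roleDisplayName": "Privileged Role Administrator",
     "assignmentType": "eligible"},                     # PIM-eligible only
    {"principalId": "u-bob", "roleDisplayName": "User Administrator"},
    {"principalId": "u-bob", "roleDisplayName": "Global Administrator"},
    {"principalId": "u-carol", "roleDisplayName": "Application Administrator",
     "directoryScopeId": "/administrativeUnits/au-1"},  # scoped, not tenant-wide
]


def _audit(when, activity, user, role, by="ops-admin@example.com"):
    """Build a minimal directoryAudit-shaped record (constructed helper)."""
    key = "newValue" if activity.startswith("Add") else "oldValue"
    return {
        "activityDateTime": when,
        "activityDisplayName": activity,
        "initiatedBy": {"user": {"userPrincipalName": by}},
        "targetResources": [{"id": user, "type": "User", "modifiedProperties": [
            {"displayName": "Role.DisplayName", key: json.dumps(role)}]}],
    }


AUDIT_LOG = [
    _audit("2024-05-01T03:06:00Z", "Add member to role", "u-dave", "Security Administrator"),
    _audit("2024-05-01T03:05:00Z", "Add member to role", "u-alice", "Privileged Role Administrator"),
    _audit("2024-05-01T03:01:00Z", "Remove member from role", "u-bob", "Global Administrator"),
]

if __name__ == "__main__":
    print("Standing conflicts:", find_sod_conflicts(ASSIGNMENTS))
    for alert in replay_role_changes(AUDIT_LOG, ASSIGNMENTS):
        print("ALERT", alert)
```

Run stand-alone, the standing check reports only `u-bob` (Alice's Privileged Role Administrator assignment is PIM-eligible, so it still has to pass an activation approval), and the replay raises exactly one alert: the 03:05 event that gives Alice an active Privileged Role Administrator role on top of User Administrator, which is the create-and-approve combination the post opens with. The design choice worth noting is that the monitor evaluates each change against the roles the principal already holds rather than against a static list of "dangerous roles", which is what makes it an SoD check instead of a plain privileged-role alert.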
Strong SoD in Microsoft Entra reduces human risk, stops privilege escalation, and meets compliance requirements. It is not optional in regulated environments. It is a control that must be planned, implemented, and maintained.
You can see this live with automated detection and enforcement in minutes. Visit hoop.dev and start building Separation of Duties policies that actually hold.