When someone leaves, can you prove every one of their accounts is actually closed? Most teams can't, because offboarding runs on manual steps across Active Directory, Entra ID, and SaaS apps. This deep-dive shows security architects and the leaders who fund them how to build lifecycle workflows in Microsoft Entra ID Governance: the joiner-mover-leaver architecture, the deployment order that works, and the ROI case for automating it.

App owners can't always answer who has access to their app right now. Mid-market enterprises run about 200 SaaS apps; large enterprises closer to 350. Account Discovery (preview) in Microsoft Entra ID Governance reads each connected app and classifies every account as Local, Unassigned, or Assigned. This post covers the business case, the three categories, and a three-phase rollout worked through SAP.