
How do you ensure Compliance and Auditability when managing Service Principals and Web Applications in Microsoft Entra ID?
Here’s a proven architecture that combines developer self-service with strong governance:
The Flow:
- Developers request identities via Backstage
- Backstage generates Terraform configs as Pull Requests
- Identity Operations team reviews and approves
- GitHub Actions provisions resources in Entra ID via Terraform
- Maester continuously audits all non-human identities against Entra as Code (Terraform)
- Compliance issues are automatically detected and reported
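As an added illustration of the "Backstage generates Terraform configs" step (example code, not from the original post or any of the linked projects): one requested identity declared with the HashiCorp azuread provider, so that the PR diff itself becomes the approval and audit record. The display name, team tag, repository and branch are constructed placeholders, and the federated credential is an assumption about how the requesting workload authenticates, not something the post specifies.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 3.0"
    }
  }
}

provider "azuread" {}

# Object ID of the identity running the plan (here: the GitHub Actions pipeline identity).
data "azuread_client_config" "current" {}

# App registration. Every attribute lives in Git, so a portal change shows up as drift.
resource "azuread_application" "payments_api" {
  display_name     = "payments-api"   # constructed example name
  sign_in_audience = "AzureADMyOrg"   # single-tenant: no accounts from other tenants
  owners           = [data.azuread_client_config.current.object_id]
  notes            = "Managed by Terraform; requested via Backstage. Do not edit in the portal."
}

# The service principal is the object that actually receives permissions in the tenant.
resource "azuread_service_principal" "payments_api" {
  client_id                    = azuread_application.payments_api.client_id
  owners                       = [data.azuread_client_config.current.object_id]
  app_role_assignment_required = true   # nothing signs in to this app unless explicitly assigned
  notes                        = "Managed by Terraform; see repo payments-api (constructed)."
  tags = [
    "managed-by:terraform",   # marker an audit check can key on to spot unmanaged principals
    "owner-team:payments",    # constructed team label
  ]
}

# Workload identity federation instead of a client secret: the workflow exchanges a
# GitHub OIDC token for an Entra token, so there is no long-lived credential to leak.
resource "azuread_application_federated_identity_credential" "github_main" {
  application_id = azuread_application.payments_api.id
  display_name   = "github-actions-main"
  description    = "GitHub Actions, main branch only (constructed subject)"
  audiences      = ["api://AzureADTokenExchange"]
  issuer         = "https://token.actions.githubusercontent.com"
  subject        = "repo:example-org/payments-api:ref:refs/heads/main"
}

output "payments_api_client_id" {
  value = azuread_application.payments_api.client_id
}
```

A continuous audit (such as a custom Maester test) could then treat the `managed-by:terraform` tag as the line between declared principals and drift, flagging any service principal in the tenant that lacks it.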
Key Benefits:
- Everything-as-Code: Portal, Security, and Identity configurations versioned in Git
- Zero manual changes in Entra ID
- Full audit trail with PR-based approval workflow
- Automated compliance validation via Maester
- Developer self-service without sacrificing security
This approach eliminates identity drift and ensures every Service Principal is tracked, approved, and compliant.
💡 Side note: The proposed solution will also work with the Entra External ID (CIAM) tenant.
Links and connected resources:
- Backstage: https://backstage.io
- My Post about Backstage for Entra: https://mjendza.net/post/backstage-for-entra-operations/
- Maester: https://maester.io
- Maester Diff PR: https://github.com/maester365/maester/pull/995