{
  "@context": [
    "https://www.w3.org/ns/credentials/v2"
  ],
  "type": [
    "VerifiableCredential",
    "BlogPostCredential"
  ],
  "id": "urn:uuid:166189e5-3b1a-4a2a-939c-7c7b0126f147",
  "issuer": "did:webvh:QmTVQnV3qGxWzWmnmWJAy1zkYswgbUmE95K5qodmAizVfr:mjendza.net",
  "validFrom": "2026-03-15T13:35:32Z",
  "credentialSubject": {
    "title": "Governance Entra ID with Backstage and Maester",
    "author": "Mateusz Jendza",
    "body": "![enum](/images/gov/big.jpg)\r\n\r\n𝐇𝐨𝐰 𝐝𝐨 𝐲𝐨𝐮 𝐞𝐧𝐬𝐮𝐫𝐞 𝐜𝐨𝐦𝐩𝐥𝐢𝐚𝐧𝐜𝐞 𝐚𝐧𝐝 𝐚𝐮𝐝𝐢𝐭𝐚𝐛𝐢𝐥𝐢𝐭𝐲 𝐰𝐡𝐞𝐧 𝐦𝐚𝐧𝐚𝐠𝐢𝐧𝐠 𝐒𝐞𝐫𝐯𝐢𝐜𝐞 𝐏𝐫𝐢𝐧𝐜𝐢𝐩𝐚𝐥𝐬 𝐚𝐧𝐝 𝐒𝐒𝐎 𝐚𝐩𝐩𝐥𝐢𝐜𝐚𝐭𝐢𝐨𝐧𝐬 𝐢𝐧 𝐌𝐢𝐜𝐫𝐨𝐬𝐨𝐟𝐭 𝐄𝐧𝐭𝐫𝐚 𝐈𝐃?\r\n\r\nHere's a proven architecture that combines developer self-service with strong governance:\r\n\r\nThe Flow:\r\n1. Developers request identities via Backstage\r\n2. Backstage generates Terraform configs as Pull Requests\r\n3. Identity Operations team reviews and approves\r\n4. GitHub Actions provisions resources in Entra ID via Terraform\r\n5. Maester continuously audits all non-human identities against Entra as Code (Terraform)\r\n6. Compliance issues are automatically detected and reported\r\n\r\nKey Benefits:\r\n- Everything-as-Code: Portal, Security, and Identity configurations versioned in Git\r\n- Zero manual changes in Entra ID\r\n- Full audit trail with PR-based approval workflow\r\n- Automated compliance validation via Maester\r\n- Developer self-service without sacrificing security\r\n\r\nThis approach eliminates identity drift and ensures every Service Principal is tracked, approved, and compliant.\r\n\r\n> 💡Side note:\r\n> The proposed solution will also work with the Entra External ID (CIAM) tenant.\r\n\r\n\r\nLinks and connected resources:\r\n- Backstage: https://backstage.io\r\n- My Post about Backstage for Entra: https://mjendza.net/post/backstage-for-entra-operations/\r\n- Maester: https://maester.io \r\n- Maester Diff PR: https://github.com/maester365/maester/pull/995",
    "datePublished": "2025-10-17",
    "url": "/post/governance-entra-id-backstage-maester",
    "tags": [
      "Entra-Id",
      "Backstage",
      "Developer Portal"
    ]
  },
  "proof": {
    "type": "DataIntegrityProof",
    "cryptosuite": "eddsa-jcs-2022",
    "verificationMethod": "did:key:z6MksoqpqENZmzzA4nhCPkfcbWtRHVegGV38Yqu2arRc5Er2#z6MksoqpqENZmzzA4nhCPkfcbWtRHVegGV38Yqu2arRc5Er2",
    "created": "2026-03-15T13:35:32Z",
    "proofPurpose": "assertionMethod",
    "proofValue": "z3RPP3GMyQ6XGvgiwYFqzVwRHWBXfmEcY2esN1a5STUWEiST15rvckH8PQ7pMTL1U8i6QpjgCcTA5f2v6GZCuEXPf"
  }
}