Entra ID groups are a key part of the Programme and the long-term Identity Service under development. In response to access control issues identified by IT Support Staff (ITSS), a pilot got underway last term to introduce more owner-maintained groups and consistent naming to reduce duplication and strengthen oversight. The pilot model enables access decisions to be managed locally through simple, reusable group structures that support a wide range of access scenarios, with three case studies highlighted below.
Supporting a move to SharePoint file storage in Humanities
The Humanities Division has been an early participant in the Entra ID security groups pilot, as part of its ongoing migration of faculty administration data and divisional shared services files for Finance, HR and IT, from legacy file-shares into SharePoint sites. The Division needed a robust solution for managing permissions and access to this data.
In the pilot model, access levels are defined within a system such as SharePoint and each one is assigned an Entra ID security group. Access to files and data is then controlled through group membership, so adding someone to a group grants them access to everything they should have access to, and removing them withdraws it. This approach avoids fragmented, directly assigned permissions at site or page level, making access easier to manage, review and secure.
In Humanities, this approach now supports SharePoint permissions as well as printing and scan-to-SharePoint functionality.
The challenge
Access to shared data was previously managed through a combination of local file permissions and SharePoint-only groups, with changes requiring a service request to the IT team. This was cumbersome to manage.
Service requests to add or revoke access were required whenever staff joined, moved roles, covered absences or left, for example. While IT implemented the changes, the relevant decisions sat with service owners such as finance or HR leads. This increased turnaround time, added administrative overhead and often drew IT into routine changes that required no technical judgement.
Fine-grained permissions managed directly in SharePoint were also difficult to review and easy to misconfigure. As access requirements evolved, SharePoint file access models became harder to understand and maintain, increasing the risk of incorrect access or unintended restrictions.
The approach
Use of Entra ID security groups has enabled Humanities to separate access decisions from the systems that enforce them. Group membership is managed centrally in Entra ID, while SharePoint permissions are aligned to those wider groups and kept deliberately simple.
Ownership of the groups is delegated to those closest to the decisions. Divisional finance leads, for example, can routinely add or remove finance staff members directly in response to joiners, leavers or short-term cover, without raising service requests or involving the IT team. Access reflects operational reality, and changes can be made immediately when needed.
The same groups can be reused across multiple services, including printing and scan-to-SharePoint, which reduces duplication and inconsistency.
Humanities is deliberately limiting the number of groups per service and using broader access tiers rather than large numbers of highly specific groups, while retaining SharePoint-level permissions where genuinely required.
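The pilot model described above (one security group per access tier, group membership rather than per-person grants, ownership delegated to the service lead) can be illustrated with a small access-review script. The following is an added example with constructed sample data; it is not the pilot's or the Humanities Division's own tooling, and the group names, site names and user names are invented. It shows why a single membership change withdraws access across every service that reuses the group, and it flags the two patterns the pilot is designed to remove: direct per-user grants at site level and groups with no business owner.

```python
from copy import deepcopy

# Constructed sample directory: Entra ID-style security groups, one per access
# tier, each with a named business owner (e.g. the divisional finance lead).
GROUPS = {
    "hum-finance-edit": {"owners": {"finance.lead"}, "members": {"alice", "bob"}},
    "hum-finance-read": {"owners": {"finance.lead"}, "members": {"carol"}},
    "hum-hr-edit":      {"owners": set(),            "members": {"erin"}},
}

# Constructed sample SharePoint-style role assignments: (principal, role) per
# site. Principals should be group names; a bare user name is a direct grant.
SITES = {
    "Finance":  [("hum-finance-edit", "Edit"), ("hum-finance-read", "Read"),
                 ("dave", "Edit")],
    "HR":       [("hum-hr-edit", "Edit"), ("hum-finance-edit", "Read")],
    "Printing": [("hum-finance-edit", "Use"), ("hum-finance-read", "Use")],
}


def effective_access(user, groups=GROUPS, sites=SITES):
    """Roles a user holds on each site, via group membership or direct grant."""
    memberships = {name for name, spec in groups.items() if user in spec["members"]}
    access = {}
    for site, assignments in sites.items():
        roles = {role for principal, role in assignments
                 if principal == user or principal in memberships}
        if roles:
            access[site] = roles
    return access


def review(groups=GROUPS, sites=SITES):
    """Flag fragmented direct grants and groups nobody outside IT can maintain."""
    findings = []
    for site, assignments in sites.items():
        for principal, role in assignments:
            if principal not in groups:
                findings.append(
                    f"{site}: direct {role} grant to '{principal}' (not a group)")
    for name, spec in groups.items():
        if not spec["owners"]:
            findings.append(f"{name}: no owner, membership changes fall back to IT")
        if not spec["members"]:
            findings.append(f"{name}: empty group")
    return findings


def remove_member(user, group, groups=GROUPS):
    """Leaver or role change: one membership edit by the group owner withdraws
    access on every site and service that reuses the group."""
    updated = deepcopy(groups)
    updated[group]["members"].discard(user)
    return updated


if __name__ == "__main__":
    print("alice before:", effective_access("alice"))
    after = remove_member("alice", "hum-finance-edit")
    print("alice after: ", effective_access("alice", after))
    for finding in review():
        print("review:", finding)
```

Running it shows that alice holds Edit on Finance, Read on HR and Use on Printing through one group, and holds nothing once the finance lead removes her from that group; the review output lists dave's direct Edit grant on the Finance site and the ownerless HR group as the items to fix.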
Supporting secure administration in Microsoft Fabric
The Microsoft Fabric data platform now has 6 Entra ID security groups to manage access for different administrative roles in non-production and production environments. These groups separate University and external users effectively, and assign role-based access consistently.
Rather than configuring permissions for each staff member directly within the platform, access is assigned to centrally managed groups. Staff members are added or removed from these groups as required. This strengthens oversight, simplifies role changes, and supports secure collaboration across institutional boundaries.
Enabling controlled access for colleges
Merton College requested an Entra ID group to manage access to web content for Fellows. Instead of using IP address restrictions or password protection, membership of a single, clearly owned Entra ID security group now allows controlled access to the Fellows site.
This provides a straightforward way to restrict access to defined communities, reduces the risk of misconfiguration, and makes ongoing review of site permissions simpler.
Pilot impact
Across these examples, group-based access has helped to:
- reduce dependency on IT teams for routine access changes
- strengthen governance and clarity of ownership
- enable reuse of groups across different services
- simplify complex or evolving access models
These early results demonstrate how the Programme is enabling data owners in departments, divisions and colleges to work closely with specialists in IT Services to simplify access, reduce friction, and build more sustainable and easier-to-manage digital services for staff, students and external partners to use.
New opportunities sought for pilot expansion
As the pilot continues to roll out across the collegiate University, ITSS are invited to suggest practical scenarios where groups could support access management or eligibility checks.
To explore an idea, ITSS colleagues are invited to complete this Group Request Form or contact the Identity Improvement Programme team to find out more.