EP365 IDENTITY MANAGER
Group and access governance in Microsoft 365 · v 1.0

Hundreds of groups in Entra ID.
Do you even know what they're for?

Identity Manager gives IT and security administrators a central overview of groups, access and their classification, using delegated permissions inside your Microsoft 365. No PowerShell scripts, no expensive IGA tool.

Delegated
The app calls Microsoft Graph on your behalf. It does nothing you couldn't do yourself in Entra ID.
No IGA cost
Group governance without an expensive tool, without PowerShell scripts, without another cloud.
Under your control
Administrator and regular user, read-only gating, everything inside your Microsoft 365 tenant.
DELEGATED MODEL · DEPLOYED IN DAYS
A glimpse of how it looks
Governance · Groups
Directory status, 190 groups, Thursday 14 May 2026
  • Groups total: 190
  • Without an owner: 38
  • Due for review: 7
  • Access risks: 12
Access risks · Top 3
  • HR-Payroll-All · Sensitive + guest · guest unreviewed
  • Project-Alfa · No owner · orphan
  • All-Company · Public M365 · public
Directory health score · 72 % · v 1.0 · delegated Graph
  • 2 types: Security and Microsoft 365 groups managed
  • 100 % of data in your M365 tenant
  • 0 extra privileges: the app acts as you
  • NIS2 / ISO: audit trail over access and groups
What companies with hundreds of groups deal with · 3 / 3

Three pains every IT and security administrator knows.

01 · OWNERSHIP

Groups with no owner

After years of growth, half the groups in Entra ID have an empty owner field. With no one accountable for the contents, membership balloons and no one reviews it.

02 · CLASSIFICATION

No one knows what a group is for

“HR-2019”, “Project-Alfa”, “Test-Marek” — names all over the place. No classification, no sensitivity, no label. At audit time you're guessing what's actually sensitive.

03 · REVIEW

Access is never reviewed

Ex-employees, guests from long-finished projects, dead distribution groups. Least privilege falls apart and the NIS2 audit is knocking at the door.

What it solves · who it's for

For companies that want access governance without costly IGA or scripts.

EP365 Identity Manager is for you if…
  • You have tens to hundreds of groups in Entra ID (Security and Microsoft 365 / Teams) and you're losing track of them.
  • You want access governance without an expensive IGA tool and without PowerShell scripts.
  • A security or IT administrator needs one view — group health, risks, recertification and cleanup.
  • You're addressing NIS2 or ISO 27001 and need a verifiable audit trail over access.
  • You want the app to act with delegated permissions, doing nothing an administrator couldn't do themselves in Entra ID.
  • You already have Microsoft 365 and Entra ID — and don't want another SaaS or a service account with elevated privileges.
We're not the right fit if…
  • You're after full IGA — automated joiner-mover-leaver identity provisioning from an HR system. That's Entra ID Governance or SailPoint, a different league.
  • You need entitlement management with access packages and a catalogue of permissions across apps (Entra ID P2).
  • You want privileged access management for directory roles — that's Entra PIM, not this app.
  • You don't have Entra ID / Microsoft 365. Identity Manager is a SharePoint webpart — strictly Microsoft 365 only.
  • You want to manage local on-premises Active Directory. The app works with Entra ID in the cloud; synchronised groups are read-only.
Key features

Eight things that finally make your directory make sense.

01

Group overview and search

One list of every group — Security and Microsoft 365 — live from Microsoft Graph. Each group shows a health score and member, owner and guest counts. Filters by type, state and management, full-text search, saved views and a ⌘K command palette to jump to any group or screen.

Security + M365 · Health score · Saved views · ⌘K palette
02

Classification and taxonomy

Custom classification schemes and trees — sensitivity, labels, categories. You finally know what each group is for and how sensitive it is. Bulk-classify several groups at once and record EP365 administrators next to native Entra owners.

Schemes and trees · Sensitivity and labels · Bulk classification · EP365 administrators
03

Members, owners and dynamic rules

Manage members and Entra owners straight from the app, create new groups and define dynamic membership rules by user attribute — including ready-made rule templates. Add or remove members in bulk in one go.

Members + owners · Group creation · Dynamic rules · Rule templates
04

Access recertification

Periodic review as a workflow: an administrator starts a round, a reviewer certifies or revokes access for each group. Deadlines, a decision history and a “to review” queue for each reviewer. No Entra ID P2 required.

Review rounds · Certify / revoke · Deadlines + history · No Entra P2
05

Access risks

Detect least-privilege violations: groups with no owner, guests in sensitive groups, public Microsoft 365 groups, sensitive yet exposed permissions. A severity score and filter; a click opens the group detail to fix it.

No owner · Guests in sensitive · Public M365 · Severity score
06

Directory cleanup

Finds orphans (no owner), empty and long-unused (stale) groups, and duplicates — similar names are surfaced by diacritics-insensitive comparison and matching mail prefixes. Inline remediation and merge suggestions; the decision is always yours.

Orphans + empty · Stale groups · Duplicate detection · Inline remediation
07

Teams and lifecycle

Provision Microsoft Teams over a Microsoft 365 group in one click. A governed lifecycle: archive as an EP365 flag (nothing is deleted in Entra ID) and controlled group deletion with confirmation — synchronised groups stay protected.

Teams provisioning · Group archiving · Controlled deletion · Synced protection
08

Change audit and reports

Each group's history merges the real Entra audit (directory audits) with derived EP365 events. Export membership and owners to CSV, a usage overview and the recertification decision trail — a direct basis for NIS2 and ISO 27001.

Entra audit · CSV export · Usage overview · NIS2 / ISO basis
Use cases

What people do with it every day.

Real situations from day-to-day operations — from an administrator at the group overview, through a security access review, to IT directory cleanup and a compliance audit.

ADMIN

Find ownerless groups in a minute

Scenario
“Access risks → 38 groups with no owner, three of them sensitive. I'm assigning owners and putting the rest into recertification.”
  • Severity filter on access risks
  • Click a group = detail to fix
  • Bulk-add to a review
SECURITY · REVIEW

Quarterly access review

Scenario
“I started a recertification round over 24 sensitive groups. Reviewers have 30 days to certify or revoke. The history is saved.”
  • Review-round workflow
  • Reviewer certify / revoke
  • Deadlines and audit history
IT · CLEANUP

Tidy the directory before an audit

Scenario
“Cleanup: 17 empty groups, 4 orphans, 3 suspected duplicates. I merge the duplicates, archive the empties — the directory is a third lighter.”
  • Orphans, empty and stale
  • Duplicate-name detection
  • Archive or delete
COMPLIANCE

Who added a guest to payroll?

Scenario
“History of the HR-Payroll group → real Entra audit: guest added on 12 May, by whom and when. I have the NIS2 evidence in CSV in five minutes.”
  • Entra directory audit in the detail
  • EP365 decision trail
  • CSV export for the auditor
How it's built

Four layers. All inside your M365.

No server of ours holds your data. Identity Manager is a webpart running in your SharePoint that calls Microsoft Graph with delegated permissions, on behalf of the signed-in administrator.

01
INTERFACE
Identity Manager webpart on a SharePoint page
Add it to any page in your SharePoint. Two roles: Administrator (full governance) and regular user (overview). The licence controls who may make changes.
02
LIVE DATA — GRAPH
Groups, members, owners, audit
We read and write everything through Microsoft Graph with delegated permissions, on behalf of the signed-in administrator. The app does nothing they couldn't do in Entra ID. Data never leaves the tenant.
03
METADATA — SP LISTS
Classification, recertification, lifecycle
Classification schemes, EP365 administrators, access reviews and lifecycle flags live in SharePoint Lists in your Microsoft 365. No copy of your data leaves it.
04
AUDIT
Entra audit + decision trail
Group history reads the real directory audit from Entra and merges it with EP365 events. No separate log, no external log management system.
Comparison

Where EP365 Identity Manager has a clear edge.

| Area | EP365 Identity Manager | Entra ID portal (manual) | Enterprise IGA |
|---|---|---|---|
| Group overview + health | one view | ! fragmented | comprehensive |
| Classification and taxonomy | custom schemes | none | yes |
| Access recertification | workflow | manual | reviews (P2) |
| Access risks | least privilege | manual | yes |
| Duplicate & empty cleanup | detection | manual | ! partial |
| Audit for NIS2 / ISO | Entra + trail | ! Entra log only | yes |
| Delegated model | as you | as you | ! service account |
| Price | from 3,000 CZK / mo. | included in M365 | P2 + tool |
| Deployment | in days | ! manual work | weeks — months |
For IT and GDPR

Security and compliance — arguments that land.

When your security team says “nothing ships until it passes review” — here's the review material.

Delegated model

The app calls Microsoft Graph as the signed-in administrator (delegated permissions), not via application permissions or a service account with elevated rights. What you can't do, the app can't do either.

Data in your M365

Groups stay in Entra ID, classification and reviews in SharePoint Lists, the audit in Entra. No server of ours holds your data; nothing leaves the tenant.

Least privilege in practice

The app itself helps enforce minimal permissions — access risks, recertification and cleanup reveal where someone has access they no longer need.

Audit trail for NIS2 / ISO

The real directory audit from Entra plus a verifiable decision trail: who certified or revoked access, and when. A basis for NIS2 and ISO 27001 access governance.

Role and licence gating

Administrator versus regular user. With an inactive licence the app runs read-only — no group mutations. Deletion is additionally protected by confirmation.

No IGA overhead

No god-mode application permissions, no service account, no extra cloud. Governance runs on the delegated Graph you already have in your Microsoft 365.

Bonus integration with EP365 Hub: groups past their recertification deadline surface as alerts in the global My operations view. The administrator sees an attention panel across all EP365 apps in one place.
Pricing

A monthly licence by company size + support as needed.

The monthly subscription depends on the size of your organisation — the total number of users in your Microsoft 365 environment. Unlimited managed groups and administrators — you pay for the size of the environment, not the number of groups.

Licence

How we set the licence price

  • 1 · Up to 25 users: 3,000 CZK / month
  • 2 · 26–70 users: 4,500 CZK / month
  • 3 · 71–150 users: 6,000 CZK / month
  • 4 · More than 150 users: Contact us
Extended support

Support pricing

2,200 CZK / hour

Consultations, setting up classification, custom reports or preparing recertification rounds.

How we calculate support pricing

Support is billed for every started 15 minutes of work. The customer is informed in advance about the expected scope of work.

Prices exclude VAT
Case study

What it looks like in real operation.

Manufacturing company · 280 employees · 190 groups

“This year the access audit was an export, not a three-day panic.”

  • Deployment: 5 days
  • Groups in Entra ID: 190 → 142
  • Groups with an owner: 100 %
  • Groups classified: 100 %
  • First recertification: 24 groups
PROBLEM
A manufacturing company, 280 employees, 190 groups in Entra ID accumulated over eight years. 38 with no owner, guests in sensitive groups, dozens empty or duplicated. A NIS2 audit at the door and no overview of who has access to what.
DELIVERED
Identity Manager on the company intranet. Every group classified into three sensitivity levels, owners assigned, empties and duplicates cleaned up. A first recertification round over 24 sensitive groups. 5 days from kickoff.
RESULT
190 groups trimmed to 142. 100 % of groups have an owner and a classification. Out-of-date guests removed during recertification. The NIS2 auditor got a CSV with a full decision trail — without a single PowerShell script.
“For the first time in years we know what every group is for and who's accountable for it. This year the audit was a matter of an export, not panic.”
— IT manager, manufacturing company
FAQ

What IT and security administrators ask.

Do we need Entra ID P1 or P2?
For most features, standard Entra ID is enough. Dynamic membership rules require Entra ID P1 — that's a Microsoft licensing condition, not ours. We do recertification, access risks and cleanup even without Entra ID P2, so you don't have to buy a pricier plan for access reviews.
Does the app do anything I, as an administrator, can't do myself?
No. Identity Manager uses delegated permissions: it calls Microsoft Graph on your behalf. If you can't make a change in Entra ID, neither can the app. No application permissions with elevated rights, no service account.
Does any of our data leave the tenant?
No. Groups stay in Entra ID, classification and reviews in SharePoint Lists in your tenant, the audit in Entra. No server of ours holds your data. Everything runs inside your Microsoft 365.
Isn't deleting groups dangerous?
Deletion is protected: only an administrator may do it, it's confirmed with a checkbox, and synchronised (synced from on-premises AD) groups can't be deleted. If you only want to take a group out of service, use archiving — it's merely an EP365 flag and deletes nothing in Entra ID.
Does it work on Security and Microsoft 365 groups?
Yes, on both types. Overview, classification, risks and recertification all cover Security and Microsoft 365 groups. Provisioning Microsoft Teams applies only to Microsoft 365 (cloud) groups.
Does recertification replace Entra Access Reviews?
It's a lighter alternative. Instead of Entra ID P2 and access reviews you get a review-round workflow in a SharePoint list — a reviewer certifies or revokes access, all with deadlines and history. For organisations that don't have or don't want P2.
How do you spot duplicate groups?
By comparing names without diacritics, token similarity and matching mail prefixes — from data we've already loaded, with no extra Graph calls. We offer suspicious pairs for merging; the decision is always yours.
Do we need PowerShell or an IT specialist?
No. Everything happens through the user interface in SharePoint — overview, classification, reviews and cleanup. No scripts, no modules, no service accounts.
Is it ready for NIS2 and ISO 27001?
The audit trail over access — the real Entra directory audit merged with the recertification decision trail — is a direct basis for access governance under NIS2 and ISO 27001. Exporting to CSV for an auditor is one click.
Can it handle hundreds of groups?
Yes. Lists are paginated, with full-text search, filters and a ⌘K command palette to jump to any group. The health score and risks point you to where to start, even with hundreds of groups.
Does it integrate with the other EP365 apps?
Yes. Groups past their recertification deadline surface as alerts in EP365 Hub — in the global My operations overview. The administrator sees governance tasks alongside tasks from the other EP365 apps.
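The FAQ answer on duplicate groups names three signals: names compared without diacritics, token similarity, and matching mail prefixes. The JavaScript below is an added example, not EP365 code, that applies those signals to a constructed in-memory group list; the Jaccard measure, the 0.6 threshold, the function names and the sample data are assumptions.

```javascript
// Added example, not EP365 code. Assumed: Jaccard similarity, 0.6 threshold, Graph-style displayName/mail.

// Lowercase and strip diacritics: NFD splits "č" into "c" plus a combining mark, which is dropped.
const fold = (s) => s.normalize("NFD").replace(/\p{M}/gu, "").toLowerCase();

// Token set of a folded name; separators are anything other than a-z and 0-9.
function tokens(name) {
  return new Set(fold(name).split(/[^a-z0-9]+/).filter(Boolean));
}

// Jaccard similarity |A ∩ B| / |A ∪ B| of two token sets.
function jaccard(a, b) {
  const shared = [...a].filter((t) => b.has(t)).length;
  const union = new Set([...a, ...b]).size;
  return union === 0 ? 0 : shared / union;
}

// Local part of the mail address, or null for groups that have none.
const mailPrefix = (g) => (g.mail ? fold(g.mail.split("@")[0]) : null);

// Compare each pair once; return suspicious pairs with the reasons they matched.
function findDuplicatePairs(groups, threshold = 0.6) {
  const pairs = [];
  for (let i = 0; i < groups.length; i++) {
    for (let j = i + 1; j < groups.length; j++) {
      const a = groups[i], b = groups[j], reasons = [];
      const similarity = jaccard(tokens(a.displayName), tokens(b.displayName));
      if (fold(a.displayName) === fold(b.displayName)) reasons.push("name");
      else if (similarity >= threshold) reasons.push("tokens");
      const prefix = mailPrefix(a);
      if (prefix !== null && prefix === mailPrefix(b)) reasons.push("mail");
      if (reasons.length > 0) pairs.push({ a: a.id, b: b.id, reasons, similarity });
    }
  }
  return pairs;
}

// Constructed sample directory (ids, names and addresses are made up).
const sampleGroups = [
  { id: "g1", displayName: "Účetní oddělení", mail: "ucetni@contoso.example" },
  { id: "g2", displayName: "Ucetni oddeleni", mail: null },
  { id: "g3", displayName: "Project Alfa Team", mail: "project-alfa@contoso.example" },
  { id: "g4", displayName: "Team-Project-Alfa", mail: "alfa-team@contoso.example" },
  { id: "g5", displayName: "Sales EMEA", mail: "sales@contoso.example" },
  { id: "g6", displayName: "Obchod", mail: "sales@contoso.onmicrosoft.example" },
  { id: "g7", displayName: "HR-Payroll-All", mail: "hr-payroll-all@contoso.example" },
];

console.log(findDuplicatePairs(sampleGroups));
```

The pairwise loop is quadratic in the number of groups, which is acceptable for a directory of a few hundred groups; the output is a list of candidates for a human to confirm, not an automatic merge.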