ARM already exposes Microsoft cloud technologies such as Entra ID, Teams, SharePoint, SharePoint Online and OneDrive within the recertification framework.
According to the API endpoint:
GET /api/v1/Recertification/RecertificationTechnologyDisplayNames
the following technologies are available:
{
"18896": "Teams",
"18891": "Entra ID", //18898 according to the ARM manual
"18892": "OneDrive",
"18894": "SharePoint",
"18895": "SharePoint Online",
"1": "Active Directory",
"2": "File server"
}
In ARM Configuration it is already possible to mark Teams and Entra ID resources as recertifiable resources. The ARM Web Portal also allows administrators and resource owners to start recertification campaigns for these resources.
However, unlike Active Directory and File Server resources, no actual access changes are executed when a recertification decision is processed.
Current Behavior
- Teams, Entra ID and other cloud resources can be configured for recertification.
- Recertification campaigns can be started successfully from the ARM Web Portal.
- ARM reports the recertification process as completed successfully.
- The Recertification History suggests that the process finished without issues.
- Users may therefore assume that access removals were executed.
In reality, no permissions or memberships are changed.
Only log entries can be found in armserver.log, for example:
|pn.connectors.serve…ChangeContextHandler|260619| 7:49:01.820|Info ]
RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor):
the check of the technology constraints for the change context failed with {
"$type": "pn.fasels.aidMan.activeDirectory.ActiveDirectoryChangeResponse, libInterfaces",
"AdWriteCredentials": null,
"Erroneous": [
{
"$type": "pn.fasels.aidMan.fileSystem.ChangeResultEntry, libInterfaces",
Why This Matters
The user interface already exposes these technologies as recertifiable resources. As a result, administrators naturally assume that the functionality is supported.
This is especially problematic during customer demonstrations, proof-of-concepts and production evaluations, where the workflow appears to work correctly while no actual changes are performed.
The frontend and configuration options already exist. Implementing the backend execution of recertification actions for Entra ID, Teams and the other listed cloud technologies would significantly improve ARM's cloud governance capabilities and avoid confusion for customers.
Many organizations are moving access governance processes from on-premises environments to Microsoft cloud services. Being able to perform automated recertification actions for Entra ID groups, Teams and related resources would make ARM considerably more valuable in hybrid and cloud-first environments.