In the previous article, we discussed the first piece of AAD Identity Governance, Access Reviews. In this article I will go over the second primary component, Entitlement Management. As previously mentioned, Entitlement management allows administrators to create, automate, and categorically group together necessary resources into what is called an access package. Entitlement management is an Azure AD Premium P2 feature.
An access package bundles several components into a single grouping, a one-stop shop for giving users the access they need. Several other components of Entitlement management must also be configured before access packages can be fully set up.
This article will show the components of Entitlement management and help you get started in creating access packages for your users.
Here are a few key terms to understand some of the components of Entitlement management.
- Access package: A collection of resources, such as groups, apps, or sites, that can be grouped together and assigned to users using a single request or assignment. Provides additional governance via policies to control access.
- Catalog: A digital depot that holds a collection of associated resources and access packages.
- Connected organization: An external Azure AD directory configured to allow outside users to request access to resources in your directory.
- Policy: A set of rules defining who can request access, who approves it, and when access expires.
- Resource: These include Microsoft 365 Groups, Azure AD Security Groups, Azure AD Enterprise Applications, or SharePoint Online sites.
- Resource role: The level of permissions to assign on a resource that is part of an access package. Roles differ based on resource type.
The first task you will probably undertake in creating access packages is defining catalogs. An access package requires a catalog. In addition, an access package can only be assigned resources that were added to the selected catalog. You can create a new catalog, which allows you to specify whether to enable external users, or start with the default General catalog.
When configuring a catalog, there are three sections:
- Resources
- Access Packages
- Roles and Administrators
On the Resources page, you can review the resources that have already been added to the catalog as well as select + Add resources to add additional resources. You can add Groups and Teams, Applications, and SharePoint Sites.
On the Access packages page, you can view all access packages created using this catalog. You can see the details of each access package or start the creation of a new access package directly from this screen.
On the Roles and administrators page, you can delegate rights to non-administrators, such as managers, team leads, or project managers. The available roles are:
- Owner – Can perform all tasks on the catalog
- Reader – Provides read only rights to the catalog
- Access Package Manager – Provides user(s) the ability to create access packages and assign them to users. Cannot add resources to catalogs
- Access Package Assignment Manager – Can assign access packages. Cannot create access packages.
As mentioned above, connected organizations allow access packages to be assigned to any user who is part of the specified external Azure AD tenant. You must configure a connected organization by entire domain (you cannot granularly specify a single user yet); otherwise you will not be able to add external/guest users to your access packages.
When creating a connected organization, you need to configure the name, description, domain name, and sponsors. Sponsors are contacts, either internal users or external users who already exist in your tenant.
When adding a domain, be aware that this will allow any user from any domain in the external Azure AD tenant to request access.
The reporting aspect of entitlement management provides information related to what access packages and assignments are assigned to a specific user.
Settings available to entitlement management include external user lifecycle management and delegated catalog owners.
Now we are ready to create an access package.
On the Basics page, enter Name, description, and select which catalog to use for this access package. If you still need to create a catalog, you can do so from this screen.
On the Resource roles page, add the resources available from the catalog to be part of your access package. Each resource can be configured to assign a specific role to the assigned users. For example, you can have some groups set to Owner, where others are set to Member. The available roles depend on the resource type.
On the Requests page, you can configure which users can request access and any approval settings. There are three choices for who can request access:
- For users in your directory: Internal and existing guest users only
- For users not in your directory: Any user from a designated connected organization
- None: Direct assignment only, users cannot request access.
The first two options allow you to further narrow down the specific users who can request access. With approvals enabled, you can configure one or two stages, as well as whether the requestor and approver are required to specify a reason when requesting or granting access. Finally, on the Lifecycle page, you can configure expiration settings as well as require access reviews. Once finished, click Review + Create and then Create to finish the creation of your access package.
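The request, approval, expiration and review settings configured above are what an auditor later wants to check across every access package, especially the external-user warning noted for connected organizations. The following PowerShell script is an added example and is not from the original article: it reads every assignment policy through Microsoft Graph v1.0 using the Microsoft.Graph.Authentication module (Connect-MgGraph and Invoke-MgGraphRequest) and flags policies that allow any external user, skip approval, never expire, or have no access review. It assumes the signed-in account holds the EntitlementManagement.Read.All permission and that the property names match the Graph v1.0 accessPackageAssignmentPolicy resource.

```powershell
# Added example (not the article's own code): audit entitlement management
# assignment policies for the settings the article describes.
# Assumption: Microsoft.Graph.Authentication module installed and the account
# consented to EntitlementManagement.Read.All.
Connect-MgGraph -Scopes 'EntitlementManagement.Read.All'

# One policy per row; $expand=accessPackage gives us the package name.
$uri = 'https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies?$expand=accessPackage'
$policies = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $policies += $page.value
    $uri = $page.'@odata.nextLink'   # follow paging until the last page
}

$report = foreach ($p in $policies) {
    $findings = @()

    # allowedTargetScope maps to the portal's "who can request" choice:
    # allMemberUsers / allDirectoryUsers   -> users in your directory
    # allConfiguredConnectedOrganizationUsers -> connected organizations
    # allExternalUsers                     -> any external user (widest)
    # notSpecified                         -> None (direct assignment only)
    switch ($p.allowedTargetScope) {
        'allExternalUsers'  { $findings += 'any external user may request' }
        'allDirectoryUsers' { $findings += 'members and guests may request' }
    }
    if (-not $p.requestApprovalSettings.isApprovalRequiredForAdd) {
        $findings += 'no approval required'
    }
    if ($p.expiration.type -eq 'noExpiration') {
        $findings += 'assignments never expire'
    }
    if (-not $p.reviewSettings.isEnabled) {
        $findings += 'no access review attached'
    }

    [pscustomobject]@{
        AccessPackage = $p.accessPackage.displayName
        Policy        = $p.displayName
        RequestScope  = $p.allowedTargetScope
        Findings      = ($findings -join '; ')
    }
}

$report | Sort-Object AccessPackage, Policy | Format-Table -AutoSize
```

Rows with an empty Findings column already require approval, expire, and carry a review; everything else is a candidate for a policy change or a direct-assignment-only (None) scope.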
You can now provide instructions to your users or managers on how to assign or request access without the need to go through your IT department.
End user experience
Administrators can directly assign access packages to users, including options to bypass approvals. Alternatively, authorized users can request access themselves. Users can go to the My Access page to see the access packages available to them. When requesting access, a user may be required to enter a reason and can specify when access is needed. If multiple policies exist on an access package, the user will also be required to select a policy.
You can select Request history to view your requests. If approvals were needed, notices will be sent to one or both approvers, depending on the configuration. Once approved, your status will change to Delivered and access is granted.
You will also receive an email notification upon receiving access, as well as when access is about to expire and when it has ended.
Entitlement management not only provides a great way to stay organized and diligent regarding access needs for your users, but also allows administrators to offload the responsibility of managing and maintaining access to non-IT employees. Our next article in this series goes deeper into access management specifically for administrators, Privileged Identity Management.
Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment. You can check out more in the Security section of our website.