Mark Brezicky / / Categories: Cloud Security, Azure, Security, Azure Active Directory

Azure AD Identity Governance - Overview

As organization start to move faster and faster into the cloud, adoption service after service, they can sometimes find themselves asking whether they are secure and compliant.  Identity is a main pillar of the Zero Trust model and a foundation of any cloud infrastructure.  With cloud-based accounts, synchronized accounts, B2B, and B2C, access to resources within your environment can quickly become out of control.    

Identity Governance is a component of an Identity and Access Management solution (IAM).  It provides the means of centrally managing and maintaining user identity entitlementsrole-based access, and privileges across an organization by linking people, data, and applications to determine who requires access to resources.  It provides policy-based controls to enforce and review your IAM solution to evaluate and govern identity and access lifecycle as well as privileged access for administration.  

Azure Active Directory (Azure AD) Identity Governance allows you balance productivity with security.  When certain access is granted, it is not necessarily meant to be permanent, but only for as long as your job dictates it necessary.  In addition, as time goes on and your job evolves, IT admins need to assure that they not only remove permissions, but also make available the necessary resources to users to perform new tasks that may be required from them.  Finally, with a wide variety of administrative controls and Role Based Access Control groups, IT admins also need some checks and balances when it comes to privileged access.  

Azure AD Identity Governance provides the tools to manage three life cycles within the IAM solution: Identity, Access, and Privileged Access. 

Azure Active Directory Governance

To maintain these lifecycles, Azure AD has four primary features: 

  • Access Reviews 
  • Entitlement management 
  • Privileged Identity Management 
  • Terms of use  

Azure AD Identity Governance Features 

Azure Active Directory (Azure AD) Identity Governance Requires Azure AD Premium P2 license (except for Terms of Use, which requires P1).  It contains the following four features: 

 

Mark graph 1

Azure Active Directory Identity Governance

Access Reviews 

Access Reviews are the first component of Azure AD Identity Governance.  They allow for organizations to efficiently review access to applications and group membership within Azure AD.  Access Reviews can be configured to run on a reoccurring basis to constantly check and verify access is still required.    

Access Reviews can help organizations ensure new and former employees have access needs processed accordingly and prevent too many rights from being granted that can lead to compromises or audit failures. When proactively reviewing resource access, you can ensure you meet your security and compliance regulations.  Use cases for Access reviews include:  

  • Screening privileged roles like Global Administrator 
  • Group membership review such as groups for Conditional Access Exclusions 
  • Verifying Application access is still necessary 
  • Business critical asset access 
  • Guest user access reviews 
  • Automated and Recurring reviews for compliance needs.  

Who can create and manage Access reviews depends on the Resource type.  The chart below defines who can create, manage, and review Access reviews. 

Mark graph 2

Entitlement Management 

Entitlement Management is an Azure AD Identity Governance feature that provides administrators the ability to create, automate, and categorically group together necessary resources into what is called an access package.  Entitlement management managed both Identity and Access lifecycles by providing access workflows, assignments, reviews, and expirations.  

Entitlement management helps users get the access they need even when they did not know they need certain access to resources.  This access can be time limited and B2B accounts automatically removed.    

Global and User administrators have rights to create and manage entitlement management.  Creation of access packages can be delegated to non-administrators, such as a project lead or managers.  Users can also request access to a package.  

Entitlement management can manage of the following resources: 

 

  • Azure AD security group membership 
  • Microsoft 365 Group membership (including Teams) 
  • Azure AD application assignments 
  • SharePoint Online site membership  

This allows organizations to manage and assign several core features of Azure AD, including licenses via group-based licensing, other resources already having group assignmentsor conditional access requirements, but also productivity platforms in Microsoft Teams and SharePoint.  

Privileged Identity Management 

Azure AD Privileged Identity Management (PIM) provides an approval-based activation system for certain Azure AD roles to grant limited, or “Just-in-time” access to resources.  With PIM, you can not only control and limit the length of access, but you can also:  

  • Enforce the use of Azure MFA for privileged roles 
  • Require approvals before activation 
  • Enforce written justifications, 
  • Get notified when roles are activated 
  • Integrate with Entitlement Management and Access Reviews 
  • Provide audit history  

 Only Global and Privileged Role Administrators can manage PIM.  However, you can delegate control for PIM approvals to any Azure AD user or group.  Each user assignment grants the role to users in an eligible state where they can request to activate that specific role at any time.  All requests are audited, and PIM can be incorporated into Access reviews to configure recurring evaluation of access needs.  

The latest feature of PIM, Privileged Access Groups, also allows the use of Azure AD role-assignable groups.  This allows administrators to use group-based assignments to have privileged roles rather than direct user assignments.  When a user request access, they are essentially being added to a group that indirectly grants the appropriate rights.  When time is up, they are removed from the group.  This allows for application of different policies for different groups of users, rather than on a single role.  

Terms of Use 

Azure AD Terms of User provides administrators the ability to provide information to end users.  This can be for informational purposes, but most commonly, this is to provide some for of legal or compliant acceptable use policy prior to providing access to the requested resource.  

Terms of Use are uploaded and stored in Azure AD in PDF format.  They are enforced via Azure AD Conditional Access policies.  Because of that, you can create a great variety of different Terms of Use based on the criticality or type of resource, different languages (currently 100+ supported), or even different user groups.  

Terms of Use only requires Azure AD Premium P1 licenses.  All activities are automatically logged in Azure AD for 30 days, although the list of users’ acceptance and denials are stored for the life of the policy.  Currently, direct updates to a Terms of Use PDF file are not supported and a new instance will need to be created.  However, you can set a Terms of Use policy to use a recurring schedule to enforce acceptance of the policy again.  

Each of these features will be discussed further in the next parts of this series providing insights and best practices on how to deploy each feature within your environment.   

Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment.  You can check out more in the Security section of our website. 

 

Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.

Subscribe to Email Updates

Refine by

To expand the list, please click on the double arrows.

 

Search by Category or Author:

ref:_00D80KtFf._5000y1WwWQD:ref