I’d like to walk you through the new series of articles regarding Azure AD Identity Governance (AIG).
This is the first article (out of 4), where I would like to show you AIG, how to configure it, and its use cases.
So let’s start with the topic introduction.
According to the Microsoft documentation:
“Azure AD Identity Governance allows you to balance your organization’s need for security and employee productivity with the right processes and visibility.”
Source: https://docs.microsoft.com/en-us/azure/active-directory/governance/identity-governance-overview
In other words, using AIG you can govern three pillars:
- Identity Lifecycle
- Access Lifecycle
- Privileged access for admins
Like every tool, AIG is built from components that, used together, can do magic 🙂
The picture below describes the components of AIG (described in more detail later in this article).
As you can see, there are four components:
- Entitlement Management – this helps you manage external and internal user access to groups, teams, applications, and SharePoint sites.
- Access Reviews – this helps you run time-boxed, repeatable reviews (manual and automatic) of your users’ group memberships.
- Privileged Identity Management – Just-In-Time access for your highly privileged directory roles and resources (yes, PIM is not only for Azure AD roles but also for resource roles!).
But from my point of view, there are two more features that are somehow related to AIG:
- Azure AD B2B – if you want to invite external users, you have to use Azure AD B2B. Remember there is a licensing limitation: 5 guests per user from your tenant (if you have 100 users, you can invite up to 500 external users).
Azure AD Identity governance is a part of the Azure AD Premium P2 license level.
I assume that you have accepted some ToU at some point in your life, so I will focus on why we have to do this and how it works.
Why enable ToU?
It’s simple – we want to make sure that all guests/external users who access our environment know the rules that apply within the tenant.
How does it work?
The magic starts when we connect it with Azure AD Conditional Access.
We all know that there are settings to target CA policy for guest/external users.
The diagram above describes the steps required to create the ToU and the CA policy.
- You need to log in with an account that has access to Identity Governance and Conditional Access (let’s assume Global Admin).
- Switch to Conditional Access and create a policy that will be enforced for all guest/external users trying to access your environment. This policy will require them to accept the ToU file when accessing the environment for the first time.
The diagram below describes the situation when a guest/external user is trying to access our environment.
- A guest/external user tries to access an application hosted under our Azure AD tenant.
- The CA policy is triggered and the user is redirected to the Company ToU, which they have to read and accept.
- When done, access to the environment is granted, and the guest/external user can access every application they have access to.
Let’s log in to the Azure Portal / Azure AD using the following link:
By default, there is no template/draft/sample file created, so you need to receive it from your Legal department as a PDF file.
Leave the rest on default settings with one exception – Enforce with conditional access policy templates: change it to the Create conditional access policy later.
We are almost done. The ToU has been created, but let’s check what we can see from the portal’s point of view.
Click on our freshly made Terms of Use to see the document details.
You may notice that there is information like Users accepted, Users declined, additionally, if you have enabled Azure AD diagnostics, you will be able to see audit logs as well.
Conditional Access configuration
Now we can switch to the Conditional Access configuration using the following link:
You might have some CA policies already configured, so click New policy.
On the New screen, we need to provide:
- Name: Require ToU for all guests/external users
- Assignments\Users and groups: Select users and groups\All guest and external users
- Assignments\Cloud apps or actions: All cloud apps
- Access controls\Grant: Grant Access\Require multi-factor authentication
- Access controls\Grant: Require all selected controls
- Enable policy: ON (normally, I would suggest putting this into the Report-only mode first, but this policy will not harm anything)
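The two portal steps above (creating the ToU and the CA policy that enforces it) can also be scripted through Microsoft Graph. The PowerShell below is an added example, not code from the article; it assumes the Microsoft.Graph PowerShell SDK is installed and uses a placeholder path for the PDF received from Legal.

```powershell
# Added example: create a Terms of Use agreement and the Conditional Access policy
# that enforces it for all guests/external users, using Microsoft Graph.
Connect-MgGraph -Scopes "Agreement.ReadWrite.All", "AgreementAcceptance.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Upload the PDF as a ToU agreement. Graph expects the file content base64-encoded.
$pdfBytes = [System.IO.File]::ReadAllBytes("C:\ToU\ToU.pdf")   # placeholder path
$agreement = @{
    displayName                       = "Company Terms of Use"
    isViewingBeforeAcceptanceRequired = $true   # user must open the PDF before accepting
    files = @(
        @{
            fileName  = "ToU.pdf"
            language  = "en-US"
            isDefault = $true
            fileData  = @{ data = [Convert]::ToBase64String($pdfBytes) }
        }
    )
}
$tou = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements" `
    -Body ($agreement | ConvertTo-Json -Depth 5) -ContentType "application/json"

# 2. CA policy matching the portal settings in the article:
#    all guest/external users, all cloud apps, MFA AND the ToU, all controls required.
$policy = @{
    displayName = "Require ToU for all guests/external users"
    state       = "enabled"   # use "enabledForReportingButNotEnforced" for Report-only mode
    conditions  = @{
        users        = @{ includeUsers = @("GuestsOrExternalUsers") }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "AND"          # "Require all the selected controls"
        builtInControls = @("mfa")
        termsOfUse      = @($tou.id)     # the agreement created in step 1
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"

# 3. Check who has accepted or declined (the "Users accepted" view in the portal).
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements/$($tou.id)/acceptances" |
    Select-Object -ExpandProperty value
```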
The required configuration is in place, so now it is time for the test.
In order to do that, we need to invite an external user to our tenant (I will skip this) and then access the environment for the first time.
I will access the test environment using my private account (In fact, already a guest user of the test environment).
The first configuration setting that I will be affected by is the MFA requirement.
After reading the full ToU we can accept or decline it. I will accept it.
As you can see in the picture below Users accepted value changed to one.
This was just a small part of the huge tool, which is Identity Governance.
Stay tuned for the next article in the series related to Entitlement Management.