New week new article!

This will be the second article from the Azure AD Identity Governance series.
And today I would like to show you the Entitlement Management

The previous article is available here:

Entitlement Management overview

From my previous article, you may know that Entitlement Management (EM) is a part of the Azure AD Identity Governance (AIG).
According to the Microsoft documentation:

Azure Active Directory (Azure AD) entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration.

https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview

In other words, this is a set of tools that will help us to govern identity in our Azure AD tenant.
Entitlement Management is build based on the 5 components:

  • Catalog – Catalog of the resources (Groups/Teams, Applications, and SharePoint Sites) that could be used for Access Packages. For non-Global Administrator / User Administrator users, there is no possibility to add to the access package resources that are not part of the catalog.
    Additionally, there is an option to configure RBAC within the catalog.
  • Access Package – Package that could be requested by internal or guest/external users that has specific resources and roles assignment already configured.
  • Connected Organizations – Organizations that could be targeted by access packages.
  • Reports – self-explanatory 🙂
  • Settings – self-explanatory :).

As you may know, I like to show diagrams and describe them, so this is a time for a diagram 🙂 describing EM

Entitlement Management overview

In the picture above, we have two directories: Resource Directory and External Directory.

Inside the Resource Directory, we have Catalog1 configured that has Group1, Group2 App1, and Site2.
Those resources will be available for the access packages.

Speaking about them – in the Resource Directory, we have two access packages: Access Package 1 (for internal use) and Access Package 2 (for internal and external use). There is also an Access Package Manager role assigned (part of the EM RBAC).

And there are also users – Requestor1, Requestor2, Requestor 3 are the internal users, Requestor A and Requestor B are the external users who would like to have request Access Package 2

Does it sound interesting to you? I bet yes, so let’s switch to the portal and do some configuration.

Configuration

To configure Entitlement Management go to the following link: https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/GettingStarted

Settings

From the left side, menu click on the Settings placed under the Entitlement Management section

Entitlement Management Settings

Under the Identity Governance | Settings screen, click Edit to change configuration settings

Entitlement Management Settings

We have two sections, and both of them are important:

  • Manage the lifecycle of external users – affecting our model of cooperation with external users.
  • Delegate Entitlement management – allowing to delegate EM configuration for the group of users (in my case Catalog Creators group members). This is a part of the EM RBAC

Let’s focus on the Manage the lifecycle of external users section:

  • Block external users from signing in to this directory – If you switch it to Yes, all guest/external users will be blocked automatically after access package expiration.
  • Remove external user – If you switch it to Yes, all guest/external users will be removed automatically after a defined number of days.
  • Number of days before removing the external user from this directory – Here, you can put the number of days after which the user account will be removed (o means immediately)

The first two settings are easy ones, but I can tell you the administrators have a problem after how many days we should remove the user. Zero is an easy one, but we need to remember that we could have the situation when one package will expire, but after two days, the same user will receive another one. If we remove the user automatically, he will need to go through the process again.

Connected Organizations

The next step on the list before going deeper with Catalogs and Access Packages is Connected organizations

Simply saying this will allow us to target access package for a specific organization.

To configure Connected Organization go to the following link: https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/elmOrganizations

Click Add connected organization on the top menu.

Under the Add connected organization | Basics, fill required fields

Adding Connected Organization

Under the Add connected organization | Directory + domain, click on the Add directory + domain and, using the search box find the organization name that you want to add (in my case Azureblog.pl).
Accept by clicking add and select.

Adding Connected Organization

Under the Add connected organization | Sponsors, click on the Add/Remove link from Add internal sponsors section. Search the account that should be marked as an internal sponsor and click select.

Review the configuration and click Create

Adding Connected Organization

When the configuration is finished, you should be able to see a new connected organization on the list.

Catalogs

Now we can start the real Entitlement Management configuration.

Go to the following link to open Identity Governance | Catalogs and click New Catalog: https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/elmCatalog

Provide the following information:

  • Name: self-explanatory 🙂
  • Description: self-explanatory 🙂
  • Enabled: Yes
  • Enabled for external users: Yes
Adding new catalog

When you click create after a couple of seconds, you should see a new catalog on the list. Click on it.

Catalog overview

At this moment, we can start configuring the catalog.
The first is to add resources. We can do this by clicking Resources from the Manage section on the left side menu.

Adding resources to catalog

On the Add resources to catalog screen, you will see three buttons:

  • Groups and Teams – This will allow you to add groups from Azure AD and Teams configured in MS Teams,
  • Applications – This will allow you to add applications that are configured within your Azure AD tenant,
  • SharePoint sites – This will allow you to add SharePoint Online sites.

Note!

Entitlement Management is not supporting OneDrive.
Adding resources to catalog

As for now, we have configured catalog and resources, and now we can move to the Roles and Administrators tab to do the RBAC

There are four roles that we can assign within the catalog.

Role Description
OwnerAdditional owner (by design creator becomesowner)
ReaderA person who will be able to check the configuration
Access Package ManagerA person who will be able to create new access packages under this Catalog (based on the resources that are configured in the catalog)
Access Package Assignment ManagerA person who will be able to view requests, view, add and remove assignments
Catalog RBAC overview

If you want, you can use the RBAC, for this exercise, I will skip it (this is homework for you :))

Access Packages

Everything that we have configured so far is not yet visible to our internal or external users.
Access Package will be the first thing that will change it – User will need to use myaccess.microsoft.com portal to request a package. It doesn’t matter if it is an internal or external user, every time, he will need to use the same portal.

We need to stop here for a while. We need to describe access packages.

This is a package with a group/application/site membership configuration for a specific time. After that time, based on the package configuration, we could extend the package assignment. We can also have multiple active access packages assignments. Administrators could, at any time decide to revoke the access package from the user.

We can create three types of access packages:

  • Internal – only for users from our directory,
  • External – for external users only,
  • All in One – for both internal and external users

Today we will focus on Internal and External.

Internal

So what are the possible use cases to create an Internal access package?

  1. Temporary workers (working for three months)
  2. Providing access to the optional resources (information groups, test-sites etc.)
  3. Group/Applications/Sites assignment automation (there is a beta API for EM)

To configure the Access Package, please go to the following link and click Access Packages placed under the Entitlement Section on the left menu: 
https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/elmEntitlement

Access package configuration

Click New access package

On the New access package | Basics screen, fill in the followings:

  • Name: Access package name e.g. Internal_AccesPackage1
  • Description: Internal_AccesPackage1
  • Catalog: External (yes, we can use one catalog to create internal and external access packages)

Go to the next screen by clicking Next

Access package configuration

On the New access package | Resource roles screen, click on the Group and Teams and chose the group that you want to add to the package (from the existing catalog), and configure Role

Go to the next screen by clicking Next

Access package configuration

On the New access package | Requests screen fill the followings:

  • From Users who can request access, chose for users in your directory (this will lock this access package to internal users).
  • From the list chose All members (excluding guests) – you can decide if you want to target access package to a specific group of users or all members, all users
  • Require approval: No (if you want, you can enable approvals but for internal users, I’m not recommending that)
  • Enable new requests and assignments: Yes (this will enable access package)

Go to the next screen by clicking Next, skip the Requestor information (Preview) screen.

Access package configuration

On the New access package | Lifecycle screen, we will configure Access Review for this particular package. We will talk about the Access reviews in the dedicated article in this series.

Configure the lifecycle using the following configuration:

  • Access package assignments expire Number of days (up to you if you want to finish on a date, after a number of dates, or never) when the user will see this access package and be able to request it.
  • Assignments expire after 365
  • Allow users to extend the access: Yes (up to your preferences)
  • Require access reviews: Yes
  • Review frequency: Monthly (from my point of view it is better to do this on a monthly basis)
  • Duration (in days): 14 (how long the review will be active)
  • Reviewers: Specific reviewers (we can also involve users to do the access review by choosing self-review)
  • Select Reviewers: I’m recommending to assign here Access package Manager or Catalog Owner.
Access package configuration

On the New access package | Review + create screen do the final check, and click Create

And that is all that we need to do to have the Access package targeted for internal users. The next step is to create an Access package for external users.

External

Creating an access package for external users is very similar to the one that we did already.
The difference is on the New access package | Requests screen where we need to choose For users not in your directory under the Users who can request access

Access package configuration

When we chose For users not in your directory option, there will be three more settings to chose from:

  • Specific connected organizations – It will allow us to target access package to a specific organization
  • All configured connected organizations – It will configure a generic access package for all contacted organizations (basic one)
  • All users (All connected organizations + any new external users) – this is self-explanatory

In our case, we are going to use the first option and chose Azureblog from the list of connected organizations.

Other settings will be the same as for the Internal access package. Of course, if you want to change them, you are more than welcome to do this. Even I’m recommending to disallow users to extend access to the package.

So we have both access packages configured, let’s move on and test it.

Test in a LAB

For the test, I will use the following accounts

  • Adele – Access Package Manager from the tenant called Internal LAB, this user will accept all the requests
  • Allan – Internal LAB user who will request Internal_AccessPackage
  • Alex – External LAB user who will request External_AccessPackage

Internal LAB Test

The first test will be for the internal access package.

I’m logged on to the myaccess.microsoft.com using Allan account, and I can see the access package that we have created previously. To request it, click the plus “+” next to the access package name.

Requesting Access Package

Provide the business justification for your request and click Submit.

Requesting Access Package

From this moment, your request will be visible under the request history on the following link: https://myaccess.microsoft.com/@YOURTENANTNAME.onmicrosoft.com#/request-history 

Please rename YOURTENANTNAME with your tenant name.

Because we have configured Internal Access Package without approvals after some time Allan should be able to access group configured within the package.

Requesting Access Package

From the MS Teams perspective, Allan can see under the activity area that the bot added him to the External_Collaboration team.

MS Teams group assigned by Access Package
MS Teams group assigned by Access Package

When users with Global Administrator, User Administrator, Owner, Access Package Manager, or Access Package Assignment Manager roles will decide to revoke access, they can do this from the Azure AD by going to the Access Package configuration and clicking Requests. Then from the list, select the user, and click Cancel.

Access Package Requests

External LAB Test

Let’s switch to the Alex account. This is our external contractor who needs to have access to the Extenral_Collaboration team.

The process will look the same as for the internal users, Ok almost we need to send the Allex link to our access package.

In order to do this, we need to go to the External_AccessPackage configuration and copy the My access portal link. In our case the link looks like this:
https://myaccess.microsoft.com/@TENANTNAME.onmicrosoft.com#/access-packages/4699f517-891e-4466-8f84-5258f50067fd

Ok so now we just need to send the link to the AlexW. It doesn’t matter if we will do this by e-mail or teams. We just need to share it with AllexW.

Before we will switch to the AllexW account let me share one side information with you. For this purpose I will use the link mentioned above.

https://myaccess.microsoft.com/@TENANTNAME.onmicrosoft.com#/access-packages/4699f517-891e-4466-8f84-5258f50067fd

If you want to share with AlexW link to this one particular access package you need to send the whole link.

But if you want to share with AlexW link to all the access packages you just need to send the part of this link: https://myaccess.microsoft.com/@TENANTNAME.onmicrosoft.com#

AlexW will see only the access packages that are configured for him or his organization. So in fact you can share this link with all your external users 🙂

Ok let’s o back to the original topic and test it using AlexW account.

I’m logged in to the office 365 with Alex account and opening the link received from my colleagues from Internal LAB.

And because this is the first time for Alex that he is accessing Internal LAB tenant he need to review permissions and accept them

Reviewing permissions

Do you remember the Terms of Use that we have configured last time? It’s still working so we need to configure MFA and accept ToU.

Same like for the Allan Alex have to request the access packages and provide required information.

Requesting Access Package

Now this request will go to the Requestor – in our case Adele.

Adele will open myaccess.microsoft.com and from the left-side menu choose Approvals

MyAccess portal menu

Adele could accept or reject the approval, also she could view the approval details.

Approving request

When Adele chose Approve she will need to provide reason for the decision.

Approving request

As soon as the request will be approved access package will be delivered to the Alex account, and same like with internal access package Alex will be added to the External_collaboration team.

Team from the external directory

Summary

Today we have described Entitlement Management part from the Identity Governance bundle.

Key takeaways are:

  • You can decide if the user without the access package will be blocked and removed or removed immediately
  • You can configure RBAC for the Entitlement Management
  • You can create a Catalog – list of the resources that will be available for the access packages
  • You can configure Access Packages for internal users and external users
  • You can monitor Entitlement Management using Azure AD and Log analytics workspace workbooks.

12 Comments

  1. deloris_bloom Reply

    Hello! This is my 1st comment here so I just wanted to give
    a quick shout out and say I truly enjoy reading your articles.
    Can you suggest any other blogs/websites/forums that cover the same subjects?

    Many thanks!

  2. To share the access package link via teams means your teams tenant config as well as guests one need to be set to allow inviting / talking to external people. Right? There is no info about that in the blog article.

  3. I like the helpful information you provide to your articles.

    I will bookmark your weblog and test once more right here frequently.
    I’m somewhat sure I’ll be informed many new stuff right here!
    Best of luck for the next!

  4. I know this site offers quality depending articles and other information, is there any other web page which
    gives such things in quality?

  5. Undeniably believe that which you stated. Your favourite
    reason seemed to be at the internet the easiest
    factor to take note of. I say to you, I definitely get irked whilst other folks
    consider concerns that they just do not recognize about.
    You managed to hit the nail upon the highest and defined out the whole thing with no need side effect , other people could
    take a signal. Will likely be back to get more. Thank you

Write A Comment