New week, new article!
This will be the second article in the Azure AD Identity Governance series.
And today I would like to show you Entitlement Management.
The previous article is available here:
Entitlement Management overview
From my previous article, you may know that Entitlement Management (EM) is a part of the Azure AD Identity Governance (AIG).
According to the Microsoft documentation:
Azure Active Directory (Azure AD) entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration.
Source: https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview
In other words, this is a set of tools that will help us to govern identity in our Azure AD tenant.
Entitlement Management is built from five components:
- Catalog – A catalog of resources (Groups/Teams, Applications, and SharePoint sites) that can be used in Access Packages. Users who are not Global Administrators or User Administrators cannot add resources to an access package unless those resources are already part of the catalog. Additionally, there is an option to configure RBAC within the catalog.
- Access Package – A package with specific resources and role assignments already configured, which can be requested by internal or guest/external users.
- Connected Organizations – Organizations that access packages can be targeted at.
- Reports – self-explanatory 🙂
- Settings – self-explanatory 🙂
As you may know, I like to show diagrams and describe them, so it is time for a diagram 🙂 describing EM.
In the picture above, we have two directories: Resource Directory and External Directory.
Inside the Resource Directory, we have Catalog1 configured, which contains Group1, Group2, App1, and Site2.
Those resources will be available for the access packages.
Speaking of them – in the Resource Directory, we have two access packages: Access Package 1 (for internal use) and Access Package 2 (for internal and external use). There is also an Access Package Manager role assigned (part of the EM RBAC).
And there are also users – Requestor1, Requestor2, and Requestor3 are internal users; RequestorA and RequestorB are external users who would like to request Access Package 2.
Does it sound interesting to you? I bet yes, so let’s switch to the portal and do some configuration.
To configure Entitlement Management go to the following link: https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/GettingStarted
From the left-side menu, click Settings under the Entitlement Management section.
On the Identity Governance | Settings screen, click Edit to change the configuration settings.
We have two sections, and both of them are important:
- Manage the lifecycle of external users – affects how we cooperate with external users.
- Delegate Entitlement management – allows delegating EM configuration to a group of users (in my case, members of the Catalog Creators group). This is part of the EM RBAC.
Let’s focus on the Manage the lifecycle of external users section:
- Block external users from signing in to this directory – If you switch it to Yes, all guest/external users will be blocked automatically after their access package expires.
- Remove external user – If you switch it to Yes, all guest/external users will be removed automatically after a defined number of days.
- Number of days before removing the external user from this directory – Here, you put the number of days after which the user account will be removed (0 means immediately).
The first two settings are easy, but I can tell you that administrators struggle with how many days to wait before removing the user. Zero is the easy answer, but we need to remember that one package may expire and, two days later, the same user may receive another one. If we have already removed the user automatically, they will need to go through the whole onboarding process again.
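To show what these three switches correspond to outside the portal, here is an added PowerShell example (my code, not from the original post) that reads the current external user lifecycle settings through Microsoft Graph and then sets them to block-and-delete with a 30-day grace period, which avoids the re-onboarding problem just described. It assumes the Microsoft.Graph PowerShell SDK; the settings endpoint and the property names externalUserLifecycleAction and durationUntilExternalUserDeletedAfterBlocked are my reading of the Graph v1.0 reference, so verify them against the current documentation before running this in a tenant.

```powershell
# Added example, not from the original post: manage the "lifecycle of external users" switches via Graph.
# Assumptions: Microsoft.Graph PowerShell SDK; endpoint and property names (externalUserLifecycleAction,
# durationUntilExternalUserDeletedAfterBlocked) are my reading of the Graph v1.0 reference, verify before use.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

$settingsUri = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/settings"

function Get-EmExternalUserLifecycle {
    $s = Invoke-MgGraphRequest -Method GET -Uri $settingsUri
    [pscustomobject]@{
        # none = leave guests alone; blockSignIn = "Block external users" only;
        # blockSignInAndDelete = block and then "Remove external user"
        Action             = $s.externalUserLifecycleAction
        # ISO 8601 duration before a blocked guest is deleted, e.g. P30D; P0D means immediately
        DeleteAfterBlocked = $s.durationUntilExternalUserDeletedAfterBlocked
    }
}

function Set-EmExternalUserLifecycle {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('none', 'blockSignIn', 'blockSignInAndDelete')]
        [string] $Action,
        # Days to keep the blocked guest account. 0 deletes it right away, which is the trap from the
        # post: a guest whose next package is granted two days later has to be re-invited from scratch.
        [ValidateRange(0, 365)]
        [int] $DaysUntilDelete = 30
    )
    $body = @{
        externalUserLifecycleAction                  = $Action
        durationUntilExternalUserDeletedAfterBlocked = "P${DaysUntilDelete}D"
    }
    Invoke-MgGraphRequest -Method PATCH -Uri $settingsUri -Body $body | Out-Null
    Get-EmExternalUserLifecycle   # read back so the reported value is what the tenant actually holds
}

"Before:"; Get-EmExternalUserLifecycle
# Block as soon as the last package expires, but keep the account for 30 days so a follow-up
# package can be assigned without a new invitation.
"After:";  Set-EmExternalUserLifecycle -Action blockSignInAndDelete -DaysUntilDelete 30
```

The read-back after the PATCH is deliberate: the Graph call returns no body, so reading the settings again is the only way to confirm the grace period that will actually apply to guests.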
The next step on the list, before going deeper into Catalogs and Access Packages, is Connected organizations.
Simply put, this allows us to target an access package at a specific organization.
To configure Connected Organization go to the following link: https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/elmOrganizations
Click Add connected organization on the top menu.
Under Add connected organization | Basics, fill in the required fields.
Under Add connected organization | Directory + domain, click Add directory + domain and, using the search box, find the organization name that you want to add (in my case, Azureblog.pl).
Accept by clicking Add and then Select.
Under Add connected organization | Sponsors, click the Add/Remove link in the Add internal sponsors section. Search for the account that should be marked as an internal sponsor and click Select.
Review the configuration and click Create.
When the configuration is finished, you should be able to see a new connected organization on the list.
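The same four portal steps (basics, directory + domain, sponsor, create) as an added PowerShell example; this is my code, not the post's. It assumes the Microsoft.Graph PowerShell SDK, and the display name, partner domain and sponsor UPN are placeholders. The identitySources body and the internalSponsors/$ref call follow my reading of the Graph v1.0 connectedOrganizations reference; check them against the current docs before use.

```powershell
# Added example, not from the original post: create a connected organization and add its internal
# sponsor through Microsoft Graph. Assumptions: Microsoft.Graph PowerShell SDK; the domain, display
# name and sponsor UPN are placeholders; the identitySources and internalSponsors/$ref request shapes
# are my reading of the Graph v1.0 connectedOrganizations reference, so verify them before use.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "User.Read.All"

$em = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

function New-EmConnectedOrganization {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $DomainName,   # the partner domain you would search for in the portal
        [Parameter(Mandatory)] [string] $SponsorUpn    # internal user who vouches for this organization
    )
    $body = @{
        displayName     = $DisplayName
        description     = "Partner organization added by script"
        # "configured" = reviewed by an admin. EM creates "proposed" organizations on its own when
        # a request arrives from an unknown tenant, so set the state explicitly here.
        state           = "configured"
        identitySources = @(
            @{
                "@odata.type" = "#microsoft.graph.domainIdentitySource"
                domainName    = $DomainName
                displayName   = $DisplayName
            }
        )
    }
    $org = Invoke-MgGraphRequest -Method POST -Uri "$em/connectedOrganizations" -Body $body

    # internalSponsors is a navigation property, so the sponsor is linked with a $ref POST.
    $sponsor = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$SponsorUpn"
    $link = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($sponsor.id)" }
    Invoke-MgGraphRequest -Method POST -Uri "$em/connectedOrganizations/$($org.id)/internalSponsors/`$ref" -Body $link | Out-Null
    return $org
}

# Placeholders: replace with the real partner domain and an internal account from your tenant.
$org = New-EmConnectedOrganization -DisplayName "Partner Org (placeholder)" -DomainName "partner.example" -SponsorUpn "sponsor@yourtenant.onmicrosoft.com"
"Connected organization '{0}' created with id {1}" -f $org.displayName, $org.id
```

Keep the returned id: the external access package policy later needs it to restrict requests to this organization only.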
Now we can start the real Entitlement Management configuration.
Go to the following link to open Identity Governance | Catalogs and click New Catalog: https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/elmCatalog
Provide the following information:
- Name: self-explanatory 🙂
- Description: self-explanatory 🙂
- Enabled: Yes
- Enabled for external users: Yes
When you click Create, after a couple of seconds you should see the new catalog on the list. Click on it.
At this moment, we can start configuring the catalog.
The first step is to add resources. We can do this by clicking Resources in the Manage section of the left-side menu.
On the Add resources to catalog screen, you will see three buttons:
- Groups and Teams – This will allow you to add groups from Azure AD and Teams configured in MS Teams,
- Applications – This will allow you to add applications that are configured within your Azure AD tenant,
- SharePoint sites – This will allow you to add SharePoint Online sites.
Entitlement Management does not support OneDrive.
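The catalog creation and the Groups and Teams button, done through Microsoft Graph, as an added PowerShell example (my code, not from the original post). It assumes the Microsoft.Graph PowerShell SDK and uses a placeholder group name; the catalog body and the accessPackageResourceRequests shape (requestType adminAdd, resource.originSystem AadGroup) are my reading of the Graph v1.0 reference and should be verified against the current docs.

```powershell
# Added example, not from the original post: create a catalog enabled for external users and add
# an Azure AD group to it, the API equivalent of the portal clicks above.
# Assumptions: Microsoft.Graph PowerShell SDK; the group name is a placeholder; the request shapes
# are my reading of the Graph v1.0 catalogs/accessPackageResourceRequests reference, verify before use.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "Group.Read.All"

$em = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

function New-EmCatalog {
    param([Parameter(Mandatory)] [string] $Name, [string] $Description = "", [bool] $ExternallyVisible = $true)
    $body = @{
        displayName         = $Name
        description         = $Description
        state               = "published"          # "Enabled: Yes" in the portal
        isExternallyVisible = $ExternallyVisible    # "Enabled for external users: Yes"
    }
    Invoke-MgGraphRequest -Method POST -Uri "$em/catalogs" -Body $body
}

function Add-EmCatalogGroup {
    param([Parameter(Mandatory)] [string] $CatalogId, [Parameter(Mandatory)] [string] $GroupDisplayName)
    # Resolve the group by name; only groups/Teams of this tenant can be added (no OneDrive, as noted above).
    $filter = [uri]::EscapeDataString("displayName eq '$GroupDisplayName'")
    $groups = @((Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=$filter").value)
    if ($groups.Count -ne 1) { throw "Expected exactly one group named '$GroupDisplayName', found $($groups.Count)" }

    # Adding a resource is itself a request object; an admin "adminAdd" is fulfilled immediately.
    $body = @{
        requestType = "adminAdd"
        catalog     = @{ id = $CatalogId }
        resource    = @{
            originId     = $groups[0].id
            originSystem = "AadGroup"   # AadApplication / SharePointOnline for the other two buttons
        }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$em/accessPackageResourceRequests" -Body $body
}

$catalog = New-EmCatalog -Name "External" -Description "Resources shared with partners"
Add-EmCatalogGroup -CatalogId $catalog.id -GroupDisplayName "External_Collaboration" | Out-Null
"Catalog '$($catalog.displayName)' ($($catalog.id)) created and group added"
```

The exact-match check on the group name matters: a `displayName eq` filter can return several groups with the same name, and silently picking the first one would expose the wrong group through the catalog.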
So far, we have configured the catalog and its resources; now we can move to the Roles and administrators tab to configure RBAC.
There are four roles that we can assign within the catalog.
| Role | Description |
| --- | --- |
| Owner | Additional owner (by design, the creator becomes an owner) |
| Reader | A person who will be able to check the configuration |
| Access Package Manager | A person who will be able to create new access packages under this catalog (based on the resources configured in the catalog) |
| Access Package Assignment Manager | A person who will be able to view requests, and view, add, and remove assignments |
If you want, you can use the RBAC; for this exercise, I will skip it (this is homework for you :)).
Everything that we have configured so far is not yet visible to our internal or external users.
The Access Package is the first thing that changes this: the user will need to use the myaccess.microsoft.com portal to request a package. It doesn't matter whether it is an internal or external user; every time, they will need to use the same portal.
We need to stop here for a while and describe access packages.
An access package is a package with a group/application/site membership configuration for a specific time. After that time, based on the package configuration, the package assignment could be extended. A user can also have multiple active access package assignments. Administrators can, at any time, decide to revoke the access package from the user.
We can create three types of access packages:
- Internal – only for users from our directory,
- External – for external users only,
- All in One – for both internal and external users
Today we will focus on Internal and External.
So what are the possible use cases to create an Internal access package?
- Temporary workers (working for three months)
- Providing access to optional resources (information groups, test sites, etc.)
- Group/Application/Site assignment automation (there is a beta API for EM)
To configure the Access Package, please go to the following link and click Access packages under the Entitlement Management section on the left menu:
Click New access package
On the New access package | Basics screen, fill in the following:
- Name: Access package name e.g. Internal_AccesPackage1
- Description: Internal_AccesPackage1
- Catalog: External (yes, we can use one catalog to create internal and external access packages)
Go to the next screen by clicking Next
On the New access package | Resource roles screen, click Groups and Teams, choose the group that you want to add to the package (from the existing catalog), and configure the Role.
Go to the next screen by clicking Next.
On the New access package | Requests screen, fill in the following:
- Under Users who can request access, choose For users in your directory (this will lock this access package to internal users).
- From the list, choose All members (excluding guests). You can decide whether to target the access package at a specific group of users, all members, or all users.
- Require approval: No (if you want, you can enable approvals, but for internal users I don't recommend it).
- Enable new requests and assignments: Yes (this will enable access package)
Go to the next screen by clicking Next, skip the Requestor information (Preview) screen.
On the New access package | Lifecycle screen, we will configure Access Review for this particular package. We will talk about the Access reviews in the dedicated article in this series.
Configure the lifecycle using the following configuration:
- Access package assignments expire: Number of days (it is up to you whether the assignment should end on a date, after a number of days, or never).
- Assignments expire after: 365
- Allow users to extend the access: Yes (up to your preferences)
- Require access reviews: Yes
- Review frequency: Monthly (from my point of view, it is better to do this on a monthly basis)
- Duration (in days): 14 (how long the review will be active)
- Reviewers: Specific reviewers (we can also involve users in the access review by choosing self-review)
- Select reviewers: I recommend assigning the Access Package Manager or Catalog Owner here.
On the New access package | Review + create screen, do the final check and click Create.
And that is all we need to do to have an access package targeted at internal users. The next step is to create an access package for external users.
Creating an access package for external users is very similar to the one that we did already.
The difference is on the New access package | Requests screen, where we need to choose For users not in your directory under Users who can request access.
When we choose the For users not in your directory option, there are three more settings to choose from:
- Specific connected organizations – allows us to target the access package at a specific organization
- All configured connected organizations – configures a generic access package for all connected organizations (the basic one)
- All users (All connected organizations + any new external users) – this is self-explanatory
In our case, we are going to use the first option and choose Azureblog from the list of connected organizations.
Other settings will be the same as for the internal access package. Of course, if you want to change them, you are more than welcome to do so. I would even recommend not allowing users to extend access to the package.
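Both wizards, the internal package (all members, no approval, 365-day assignments, monthly 14-day access review) and the external one (one connected organization, approval required, no self-extension), boil down to an access package plus one assignment policy. The added PowerShell example below (my code, not the post's) creates both through Microsoft Graph with a single policy function; the Resource roles step is left to the portal. It assumes the Microsoft.Graph PowerShell SDK, all IDs are placeholders for objects created earlier, and the property names follow my reading of the Graph v1.0 accessPackages/assignmentPolicies reference, so verify them before use.

```powershell
# Added example, not from the original post: create an access package and its assignment policy via
# Microsoft Graph, for both the internal package (all members, no approval) and the external one
# (one connected organization, approval required). Assumptions: Microsoft.Graph PowerShell SDK;
# all IDs below are placeholders for objects created in the earlier steps; property names follow my
# reading of the Graph v1.0 accessPackages/assignmentPolicies reference and must be verified before use.
# The "Resource roles" step (adding the group role to the package) is left to the portal here.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

$em = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

function New-EmAccessPackage {
    param([Parameter(Mandatory)] [string] $CatalogId, [Parameter(Mandatory)] [string] $Name, [string] $Description = "")
    Invoke-MgGraphRequest -Method POST -Uri "$em/accessPackages" -Body @{
        displayName = $Name; description = $Description; catalog = @{ id = $CatalogId }
    }
}

function New-EmAssignmentPolicy {
    param(
        [Parameter(Mandatory)] [string] $AccessPackageId,
        [Parameter(Mandatory)] [string] $ReviewerUserId,   # Access Package Manager or Catalog Owner
        [string] $ConnectedOrganizationId = "",            # set for the external package
        [string] $ApproverUserId = "",                     # set to require approval (Adele in the lab)
        [int]    $ExpireAfterDays = 365,
        [bool]   $AllowExtension = $true
    )
    $external = $ConnectedOrganizationId -ne ""
    # Requests screen: "All members (excluding guests)" vs "Specific connected organizations"
    $scope = $(if ($external) { "specificConnectedOrganizationUsers" } else { "allMemberUsers" })
    $policy = @{
        displayName        = $(if ($external) { "External requests" } else { "Internal requests" })
        accessPackage      = @{ id = $AccessPackageId }
        allowedTargetScope = $scope
        # Lifecycle screen: assignments expire after N days; extension is the user's self-update right
        expiration        = @{ type = "afterDuration"; duration = "P${ExpireAfterDays}D" }
        requestorSettings = @{
            enableTargetsToSelfAddAccess    = $true            # "Enable new requests and assignments: Yes"
            enableTargetsToSelfUpdateAccess = $AllowExtension  # "Allow users to extend the access"
            enableTargetsToSelfRemoveAccess = $true
        }
        requestApprovalSettings = @{
            isApprovalRequiredForAdd    = ($ApproverUserId -ne "")
            isApprovalRequiredForUpdate = $false
            stages                      = @()
        }
        # Lifecycle screen: monthly access review, open for 14 days, done by a specific reviewer.
        reviewSettings = @{
            isEnabled                       = $true
            expirationBehavior              = "removeAccess"   # my choice: fail closed if nobody reviews
            isSelfReview                    = $false
            isReviewerJustificationRequired = $true
            schedule = @{
                startDateTime = (Get-Date).ToUniversalTime().ToString("o")
                expiration    = @{ type = "afterDuration"; duration = "P14D" }
                recurrence    = @{
                    pattern = @{ type = "absoluteMonthly"; interval = 1 }
                    range   = @{ type = "noEnd" }
                }
            }
            primaryReviewers = @(@{ "@odata.type" = "#microsoft.graph.singleUserSubject"; userId = $ReviewerUserId })
        }
    }
    if ($external) {
        $policy.specificAllowedTargets = @(@{
            "@odata.type"           = "#microsoft.graph.connectedOrganizationMembers"
            connectedOrganizationId = $ConnectedOrganizationId
        })
    }
    if ($ApproverUserId -ne "") {
        $policy.requestApprovalSettings.stages = @(@{
            durationBeforeAutomaticDenial   = "P14D"   # unanswered requests are denied, not left open
            isApproverJustificationRequired = $true    # the reason the approver has to type
            primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUserSubject"; userId = $ApproverUserId })
        })
    }
    Invoke-MgGraphRequest -Method POST -Uri "$em/assignmentPolicies" -Body $policy
}

# Placeholders: use the real IDs of the catalog, connected organization and users from the earlier steps.
$catalogId = "<catalog-id>"; $reviewerId = "<access-package-manager-user-id>"
$internal = New-EmAccessPackage -CatalogId $catalogId -Name "Internal_AccessPackage" -Description "Internal users"
New-EmAssignmentPolicy -AccessPackageId $internal.id -ReviewerUserId $reviewerId | Out-Null

$external = New-EmAccessPackage -CatalogId $catalogId -Name "External_AccessPackage" -Description "Partner users"
New-EmAssignmentPolicy -AccessPackageId $external.id -ReviewerUserId $reviewerId `
    -ConnectedOrganizationId "<connected-organization-id>" -ApproverUserId $reviewerId -AllowExtension $false | Out-Null
```

The two differences the post calls out are the only two branches in the function: the target scope plus the connected organization list, and the approval stage. Everything else (expiry, review cadence, reviewer) is shared, which is also the easiest way to keep the internal and external policies from drifting apart over time.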
So we have both access packages configured; let's move on and test them.
Test in a LAB
For the test, I will use the following accounts:
- Adele – Access Package Manager from the tenant called Internal LAB, this user will accept all the requests
- Allan – Internal LAB user who will request Internal_AccessPackage
- Alex – External LAB user who will request External_AccessPackage
Internal LAB Test
The first test will be for the internal access package.
I'm logged on to myaccess.microsoft.com using the Allan account, and I can see the access package that we created previously. To request it, click the plus "+" next to the access package name.
Provide the business justification for your request and click Submit.
From this moment, your request will be visible under the request history at the following link: https://myaccess.microsoft.com/@YOURTENANTNAME.onmicrosoft.com#/request-history
Please replace YOURTENANTNAME with your tenant name.
Because we configured the internal access package without approvals, after some time Allan should be able to access the group configured within the package.
From the MS Teams perspective, Allan can see in the activity area that the bot added him to the External_Collaboration team.
When users with the Global Administrator, User Administrator, Owner, Access Package Manager, or Access Package Assignment Manager roles decide to revoke access, they can do so from Azure AD by going to the Access Package configuration and clicking Requests. Then select the user from the list and click Cancel.
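The revoke path from the portal (Requests, select the user, Cancel) as an added PowerShell example, my code rather than the post's: list the delivered assignments of a package and remove one of them through Microsoft Graph. It assumes the Microsoft.Graph PowerShell SDK, the package name and user e-mail are placeholders, and the assignments $filter/$expand and the adminRemove request shape are my reading of the Graph v1.0 reference, to be checked before use.

```powershell
# Added example, not from the original post: the API equivalent of Requests > select user > Cancel.
# Assumptions: Microsoft.Graph PowerShell SDK; package name and user e-mail are placeholders; the
# assignments $filter/$expand and the adminRemove shape are my reading of the Graph v1.0 reference.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

$em = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

function Get-EmDeliveredAssignments {
    param([Parameter(Mandatory)] [string] $AccessPackageName)
    $f   = [uri]::EscapeDataString("displayName eq '$AccessPackageName'")
    $pkg = @((Invoke-MgGraphRequest -Method GET -Uri "$em/accessPackages?`$filter=$f").value)
    if ($pkg.Count -ne 1) { throw "Expected one access package named '$AccessPackageName', found $($pkg.Count)" }

    # Only "delivered" assignments grant access right now; expired/pending ones are not worth revoking.
    $f = [uri]::EscapeDataString("accessPackage/id eq '$($pkg[0].id)' and state eq 'delivered'")
    @((Invoke-MgGraphRequest -Method GET -Uri "$em/assignments?`$filter=$f&`$expand=target").value) |
        ForEach-Object {
            [pscustomobject]@{
                AssignmentId = $_.id
                User         = $_.target.email
                Expires      = $_.schedule.expiration.endDateTime
            }
        }
}

function Remove-EmAssignment {
    param([Parameter(Mandatory)] [string] $AssignmentId, [Parameter(Mandatory)] [string] $Reason)
    # A removal is itself a request, so it lands in the package's request history together with the reason.
    Invoke-MgGraphRequest -Method POST -Uri "$em/assignmentRequests" -Body @{
        requestType   = "adminRemove"
        justification = $Reason
        assignment    = @{ id = $AssignmentId }
    }
}

$current = Get-EmDeliveredAssignments -AccessPackageName "External_AccessPackage"
$current | Format-Table

# Revoke a single contractor, e.g. when the engagement ends before the 365-day expiry.
$toRemove = $current | Where-Object User -eq "alex@partner.example"   # placeholder address
if ($toRemove) { Remove-EmAssignment -AssignmentId $toRemove.AssignmentId -Reason "Engagement ended early" | Out-Null }
```

Because the removal goes through the same request pipeline as a grant, it shows up in the request history with the justification, which is what an auditor will ask for later.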
External LAB Test
Let's switch to the Alex account. This is our external contractor who needs access to the External_Collaboration team.
The process will look the same as for internal users. OK, almost: we need to send Alex the link to our access package.
In order to do this, we need to go to the External_AccessPackage configuration and copy the My access portal link. In our case, the link looks like this:
OK, so now we just need to send the link to AlexW. It doesn't matter whether we do this by e-mail or Teams; we just need to share it with AlexW.
Before we switch to the AlexW account, let me share one side note with you. For this purpose, I will use the link mentioned above.
If you want to share a link to this one particular access package with AlexW, you need to send the whole link.
But if you want to share a link to all the access packages with AlexW, you just need to send this part of the link: https://myaccess.microsoft.com/@TENANTNAME.onmicrosoft.com#
AlexW will see only the access packages that are configured for him or his organization, so in fact you can share this link with all your external users 🙂
OK, let's go back to the original topic and test it using the AlexW account.
I'm logged in to Office 365 with the Alex account and opening the link received from my colleagues in Internal LAB.
And because this is the first time Alex is accessing the Internal LAB tenant, he needs to review the permissions and accept them.
Just like Allan, Alex has to request the access package and provide the required information.
Now this request will go to the approver – in our case, Adele.
Adele opens myaccess.microsoft.com and, from the left-side menu, chooses Approvals.
Adele can accept or reject the request, and she can also view the approval details.
When Adele chooses Approve, she will need to provide a reason for the decision.
As soon as the request is approved, the access package will be delivered to the Alex account, and just like with the internal access package, Alex will be added to the External_Collaboration team.
Today we have described the Entitlement Management part of the Identity Governance bundle.
Key takeaways are:
- You can decide whether a user without an access package will be blocked and then removed, or removed immediately
- You can configure RBAC for Entitlement Management
- You can create a Catalog – a list of the resources that will be available for access packages
- You can configure Access Packages for internal users and external users
- You can monitor Entitlement Management using Azure AD and Log Analytics workspace workbooks.
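For the last takeaway, here is an added PowerShell example (my code, not from the original post) that pulls the Entitlement Management events from the Azure AD audit log in a Log Analytics workspace, so requests, approvals, assignments and removals such as the ones in the lab above can be reviewed in one query. It assumes the Az.Accounts and Az.OperationalInsights modules, that the tenant's AuditLogs are routed to the workspace by a diagnostic setting, and a placeholder workspace id. The column names are the standard AuditLogs schema and "EntitlementManagement" is the category those events carry there, but check the operation names in your own tenant before building alerts on them.

```powershell
# Added example, not from the original post: review Entitlement Management audit events from Log Analytics.
# Assumptions: Az.Accounts + Az.OperationalInsights; AuditLogs are exported to the workspace via
# diagnostic settings; the workspace id is a placeholder; Category "EntitlementManagement" is how EM
# events are labelled in AuditLogs, operation names should be checked against your own data.
Connect-AzAccount | Out-Null
$workspaceId = "<log-analytics-workspace-id>"

# KQL: one row per EM operation, with who did it (user, or the EM service itself) and on what.
$kql = @'
AuditLogs
| where TimeGenerated > ago(7d)
| where Category == "EntitlementManagement"
| extend Actor  = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName)),
         Target = tostring(TargetResources[0].displayName)
| project TimeGenerated, OperationName, Result, Actor, Target
| order by TimeGenerated desc
'@

function Get-EmAuditEvents {
    param([Parameter(Mandatory)] [string] $WorkspaceId, [Parameter(Mandatory)] [string] $Query)
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query).Results
}

$events = Get-EmAuditEvents -WorkspaceId $workspaceId -Query $kql
$events | Format-Table TimeGenerated, OperationName, Result, Actor, Target

# Quick triage views: what happened how often, and which operations failed.
$events | Group-Object OperationName | Sort-Object Count -Descending | Select-Object Count, Name
$events | Where-Object Result -ne "success" | Format-Table TimeGenerated, OperationName, Actor, Target
```

The failed-operation view is the one worth scheduling: a burst of failed assignment or approval operations usually means a broken policy or a resource that was removed from the catalog while packages still referenced it.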