Microsoft Entra Blog

Manage Microsoft Entra ID role assignments with Microsoft Entra ID Governance

Joseph Dadzie
Microsoft
Oct 28, 2024

I’m excited to announce that we now support Microsoft Entra role assignments in Microsoft Entra ID Governance's Entitlement Management feature! 


To ensure least privilege, many of you are using Privileged Identity Management to give IT administrators just-in-time (JIT) access to the least-privileged role they are assigned. This approach minimizes the attack surface in your organization by reducing the number of permissions IT administrators hold at any time. However, some admins in your organization may require long-standing permissions coupled with other resources, like specific applications.


Now, you can use Microsoft Entra ID Governance to assign Microsoft Entra roles to users and groups through Entitlement Management access packages. This helps you: 


  1. Minimize impact of security breaches by setting eligibility for privileged roles in Privileged Identity Management and reducing unnecessary access. 
  2. Ensure that the right people have access to the right resources and roles with periodic access reviews. 
  3. Scale role assignments as your organization grows using self-service access request processes. 
  4. Enable business functions by combining assignment of tools or applications with the Microsoft Entra roles required to use them for increased visibility and ease of management. 


We’ve seen customers use this capability in scenarios such as: 


  • IT helpdesk: Reduce administrator fatigue by delegating IT support tasks to helpdesk employees. 
  • Application administration: Ensure regulatory compliance by managing access to sensitive applications. 
  • Operations: Empower security operations center analysts with monitoring tools and the ability to read logs. 


Managing assignment of Microsoft Entra ID roles through access package policies enables control of the full role assignment lifecycle from request, to approval, to provisioning of that role.  


Let’s explore how you can leverage Microsoft Entra ID Governance to manage the role assignment lifecycle. 


Scenario: Automate Microsoft Entra role assignments with self-service processes


Imagine your organization's Support department is expanding by hiring 50 new IT helpdesk staff. Manually assigning Microsoft Entra roles to each user is neither efficient nor repeatable for the Identity and Access Management (IAM) team, and it makes compliance and audit requirements harder to meet.


Tenant administrators can streamline this by creating an access package with the necessary roles, allowing IT staff to request access via the My Access portal and delegating approvals to the Helpdesk department managers. This frees up the IAM team to focus on security by utilizing Microsoft Entra ID Governance policies and user self-service capabilities. 


To limit standing access for the Helpdesk Administrator role, you can set eligibility in the access package, requiring users to just-in-time activate the role through Privileged Identity Management (PIM) when needed. 


Here’s how you can do it in three easy steps: 


1. Create an access package and add the Helpdesk Administrator Microsoft Entra role as “Eligible member” and Service Support Administrator as “Active member”. 


Figure 1: How to add Microsoft Entra roles as resources of an access package.


2. Allow members of the IT Helpdesk group to request access and configure approval settings.


Figure 2: Policy configuration targeting the IT Helpdesk group as users who can request access.


Figure 3: Approval settings.

You can set up periodic access reviews to remove role assignments when access is no longer required.


3. In the Lifecycle tab, configure expiration and require access reviews. You can select the review frequency and specify who will conduct the reviews. 


Figure 4: Access review configuration for the access package.
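To confirm that the pattern above is actually in effect, here is an added PowerShell example (not from the post) that uses the Microsoft Graph PowerShell SDK to report standing (never-expiring active) assignments versus eligible assignments for the Helpdesk Administrator role. It assumes the Microsoft.Graph.Identity.Governance module is installed and the signed-in account has consented to RoleManagement.Read.Directory.

```powershell
# Added audit example, not part of the original post.
# Assumes: Microsoft.Graph.Identity.Governance module installed,
# and RoleManagement.Read.Directory consent for the signed-in account.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

$roleName = "Helpdesk Administrator"

# Resolve the role definition by display name rather than hard-coding an ID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq '$roleName'"
if (-not $roleDef) { throw "Role '$roleName' not found in this tenant." }

# Active assignment schedules for the role. AssignmentType is "Assigned"
# (a direct active assignment) or "Activated" (a PIM activation).
$active = Get-MgRoleManagementDirectoryRoleAssignmentSchedule `
    -Filter "roleDefinitionId eq '$($roleDef.Id)'"

# Standing access = a direct assignment with no expiration. For a JIT role
# managed via an access package, this list should be empty (or only
# contain deliberately approved exceptions).
$standing = $active | Where-Object {
    $_.AssignmentType -eq "Assigned" -and
    $_.ScheduleInfo.Expiration.Type -eq "noExpiration"
}

# Eligible schedules are what the "Eligible member" resource in the
# access package should be creating for helpdesk staff.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "roleDefinitionId eq '$($roleDef.Id)'"

"Standing active assignments for ${roleName}: $(@($standing).Count)"
$standing | Select-Object PrincipalId, MemberType, DirectoryScopeId | Format-Table

"Eligible (JIT) assignments for ${roleName}: $(@($eligible).Count)"
$eligible | Select-Object PrincipalId, MemberType, DirectoryScopeId | Format-Table
```

Run it before and after rolling out the access package: the standing list should shrink to approved exceptions while the eligible list grows with the IT Helpdesk members.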


By applying these governance processes, you can ensure least-privileged access for all your IT administrators, reducing the risk of unnecessary access and potential misuse. Combining this new feature with other governance features like Lifecycle workflows ensures that role assignments are removed automatically when those IT administrators leave the organization or change roles. This enables your organization to operate more smoothly and securely.


Give it a try 


We’re excited about this new capability, and we'd love for you to try it out! If you’ve already got Microsoft Entra ID Governance, you’re ready to go! If you don’t, but already have Microsoft Entra ID Premium, you have two ways to enable this feature:  


  • You can set up a trial of Microsoft Entra ID Governance, or upgrade to Microsoft Entra ID Governance by purchasing licenses online via our licensing partners or directly from Microsoft if you work with a Microsoft account team.
  • You can also set up a trial of Microsoft Entra Suite, which includes Microsoft Entra ID Governance.


Joseph Dadzie


Updated Oct 24, 2024
Version 1.0