Access Governance Toolset - Feature Request

%3CLINGO-SUB%20id%3D%22lingo-sub-2658086%22%20slang%3D%22en-US%22%3EAccess%20Governance%20Toolset%20-%20Feature%20Request%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2658086%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20Azure%20or%20Azure%20AD%20provide%20a%20single%20pane%20of%20view%20(dashboard%2C%20report%2C%20etc.)%20from%20the%20portal%20or%20by%20other%20mean%2C%20allowing%20administrators%20with%20correct%20roles%20to%20pull%20resource%20assignment%20data%20across%20the%20full%20Azure%20landscape%3F%20For%20example%2C%20as%20an%20IAM%20professional%20and%20administrator%2C%20if%20I%20need%20to%20know%20what%20all%20does%20an%20internal%20user%2C%20e.g.%2C%20sballmer%40corporate.com%20or%20an%20external%20user%20(invited%20guest)%2C%20e.g.%2C%20someone%40gmail.com%2C%20have%20access%20to%20in%20my%20tenant%2Fspace%2C%20across%20Azure%20AD%20and%20Azure%20features%2Fofferings%20(applications%2C%20APIs%2C%20Azur%20Functions%2C%20SharePoint%20site%2C%20VMs%2C%20databases%2C%20AKVs%2C%20and%20such)%2C%20for%20defining%20and%20implementing%20access%20governance%20processes%20with%20better%20IP%20protection%20and%20zero-trust%20implementation%2C%20is%20there%20something%20prebuilt%20I%20can%20use%20and%20possibly%20augment%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBased%20on%20the%20documentation%20and%20previous%20discussions%20with%20Microsoft%20(premier%20partner%20engagement)%2C%20it%20sounds%20like%20the%20best%20that%20is%20available%20today%20is%20Access%20Reviews.%20The%20way%20Access%20Review%20features%20has%20been%20implemented%20and%20stands%20today%2C%20it%20only%20allows%20me%20to%20establish%20review%20process%2Fautomation%20for%20applications%20and%20user%2Fgroups.%20It%20suggests%20me%20to%20limit%20my%20concerns%20about%20applications%20(that%20I%20still%20need%20to%20handpick)%2C%20individuals%2Fgroups%20assignment%20only%20so%20that%20I%20can%20do%20periodic%20reviews%2C%20and%20any%20subsequent%20changes%20to%20the%20application%E2%80%99s%20access%20permissions%2C%20etc.%20are%20totally%20opaque%20to%20me.%20It's%20neither%20complete%20nor%20a%20holistic%20solution%20and%20misses%20a%20lot%20of%20pieces%20that%20I%20have%20highlighted%20in%20the%20previous%20para.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESounds%20like%20a%20custom%20automation%20can%20be%20built%20using%20the%20existing%20technologies%2C%20e.g.%2C%20Graph%20API%2C%20KQL%20(Kusto%20Query%20Language)%20on%20internal%20Audit%20tables%2C%20etc.%20but%20I%20don't%20fully%20understand%20why%20does%20this%20have%20to%20be%20an%20organization%20specific%20need%20and%20why%20does%20everyone%20need%20to%20reinvent%20the%20wheel%20for%20this%20feature.%20IMO%2C%20the%20best%20would%20be%20to%20have%20some%20sort%20of%20mature%20and%20consistent%20toolset%20from%20Microsoft%20that%20provide%20the%20overarching%20tenancy%20access%20view%20for%20an%20identity%20(internal%20or%20external%20-%20federated%20or%20non-federated)%20or%20a%20group%20(on-prem%20synced%20or%20just%20the%20AAD%20group)%20that%20the%20IAM%20team%20can%20use%20the%20output%2Fdata%20from%2C%20to%20build%20the%20governance%20processes%20and%20strengthen%20their%20organization's%20identity%20and%20access%20security%20posture.%20It%20can%20further%20be%20extended%20for%20B2B%20accounts%20lifecycle%20management%2C%20which%20for%20the%20most%20part%2C%20is%20ungoverned%20with%20the%20default%20offerings%2Fsettings.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20would%20like%20to%20request%20the%20product%20team%20to%20consider%20this%20feature%20request%20and%20help%20prioritize%20this%20for%20the%20Microsoft%20Azure%20customers.%20Thank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2658086%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Visitor

Does Azure or Azure AD provide a single pane of view (dashboard, report, etc.) from the portal or by other mean, allowing administrators with correct roles to pull resource assignment data across the full Azure landscape? For example, as an IAM professional and administrator, if I need to know what all does an internal user, e.g., sballmer@corporate.com or an external user (invited guest), e.g., someone@gmail.com, have access to in my tenant/space, across Azure AD and Azure features/offerings (applications, APIs, Azur Functions, SharePoint site, VMs, databases, AKVs, and such), for defining and implementing access governance processes with better IP protection and zero-trust implementation, is there something prebuilt I can use and possibly augment?

 

Based on the documentation and previous discussions with Microsoft (premier partner engagement), it sounds like the best that is available today is Access Reviews. The way Access Review features has been implemented and stands today, it only allows me to establish review process/automation for applications and user/groups. It suggests me to limit my concerns about applications (that I still need to handpick), individuals/groups assignment only so that I can do periodic reviews, and any subsequent changes to the application’s access permissions, etc. are totally opaque to me. It's neither complete nor a holistic solution and misses a lot of pieces that I have highlighted in the previous para.

 

Sounds like a custom automation can be built using the existing technologies, e.g., Graph API, KQL (Kusto Query Language) on internal Audit tables, etc. but I don't fully understand why does this have to be an organization specific need and why does everyone need to reinvent the wheel for this feature. IMO, the best would be to have some sort of mature and consistent toolset from Microsoft that provide the overarching tenancy access view for an identity (internal or external - federated or non-federated) or a group (on-prem synced or just the AAD group) that the IAM team can use the output/data from, to build the governance processes and strengthen their organization's identity and access security posture. It can further be extended for B2B accounts lifecycle management, which for the most part, is ungoverned with the default offerings/settings.

 

We would like to request the product team to consider this feature request and help prioritize this for the Microsoft Azure customers. Thank you.

0 Replies