Announcing a new Azure AD identity governance preview—entitlement management
Published Apr 30 2019 08:00 AM 26.3K Views

Howdy folks,


Today I’ve got more exciting news to share. We’ve just turned on the public preview of Azure AD entitlement management!


Now Azure AD enables you to govern employee and business partner access to resources at enterprise scale with strong compliance and auditing controls. Azure AD entitlement management removes barriers to internal and external collaboration by automating employee and partner access requests, approvals, auditing, and review for Office 365, for thousands of popular SaaS apps such as ServiceNow, Workday, Google Apps, and Salesforce.com, and for any line-of-business app integrated with Azure AD.


Last year at Ignite, we outlined our vision for how to govern access to your resources with Azure Active Directory. The public preview of entitlement management is the fourth module of Azure AD identity governance. (The other three modules, Privileged Identity Management (PIM), Terms of use, and Access reviews, are already generally available.)


With the rapid adoption of SaaS apps and cloud services by business units, many central IT teams don’t have the knowledge to decide which access rights each user should have. They have to delegate management of access approvals and reviews, for example by letting someone in the sales department determine what access rights a member of the sales team needs, while still maintaining strong compliance and security policies.


For example, if the Contoso sales division needs to enable more employees to work on sales support, they can create a “Sales Support” access package which includes the relevant memberships in Office 365 and Azure AD security groups, Microsoft Teams, role assignments in SaaS apps such as Salesforce, roles in their own apps, and access to SharePoint Online sites.

[Figure: Azure AD identity governance preview]

They can configure policies to include who can request this access package, who must approve, and how long the users who request will have access to these specific resources.

[Figure: Azure AD identity governance preview, access package policy]

When an employee requests an access package, and their request is approved, the employee is automatically provisioned access to the groups, apps, and other resources in the access package.


Azure AD entitlement management works with Azure AD B2B to enable collaboration across business partners. Employees from a business partner can request access to resources using the same access packages and our policy engine, including provisioning their accounts upon approval by a business sponsor. This makes it simple to grant access to a specified set of resources for your business partners while knowing your processes are compliant and secure.


Regardless of how they got access, when a user’s access package assignment expires, their access rights are automatically removed, so you don’t need to remember to remove them manually when a project is done.


With this preview, Azure AD now has:

  • Access package request policies, so you can configure different approval workflows for different groups of employees or guests who might request access.
  • Time-limited access for groups, apps, and sites, so users who are approved don’t retain access indefinitely—their access can be set to automatically expire.
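The request, approval, provisioning and expiry flow described above, written out as an added illustrative model. This is not Microsoft's code and not the product's API; the class names, the rule that a policy is scoped by the requestor's source directory, the resource labels, and the Contoso, Fabrikam and Adatum tenants with their sponsor address are all constructed for the example. It goes slightly beyond the post in one respect: when an assignment expires, a resource the user still holds through another active assignment is kept rather than removed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class User:
    upn: str
    source_directory: str  # employees: your own tenant; guests: the partner's tenant


@dataclass(frozen=True)
class Policy:
    name: str
    allowed_directories: Set[str]  # who can request (assumed scoping rule for this model)
    requires_approval: bool
    approver: Optional[str]        # UPN of the business sponsor when approval is required
    duration: timedelta            # how long a delivered assignment lasts


@dataclass(frozen=True)
class AccessPackage:
    name: str
    resources: Set[str]            # group memberships, app roles, SharePoint sites
    policies: List[Policy]


@dataclass
class Assignment:
    user: User
    package: AccessPackage
    policy: Policy
    status: str = "pending"        # pending -> delivered -> expired
    expires_at: Optional[datetime] = None


class Tenant:
    """Tracks assignments and the resources each user currently holds."""

    def __init__(self) -> None:
        self.assignments: List[Assignment] = []
        self.grants: Dict[str, Set[str]] = {}

    def request(self, user: User, package: AccessPackage, now: datetime) -> Optional[Assignment]:
        # The first policy whose scope covers the requestor decides the workflow.
        policy = next((p for p in package.policies
                       if user.source_directory in p.allowed_directories), None)
        if policy is None:
            return None  # nobody outside a policy's scope can self-request
        a = Assignment(user, package, policy)
        self.assignments.append(a)
        if not policy.requires_approval:
            self._deliver(a, now)
        return a

    def approve(self, a: Assignment, approver: str, now: datetime) -> bool:
        # Only the designated approver may approve, and only a pending request.
        if a.status != "pending" or approver != a.policy.approver:
            return False
        self._deliver(a, now)
        return True

    def _deliver(self, a: Assignment, now: datetime) -> None:
        # Provisioning: grant every resource in the package and stamp the expiry.
        self.grants.setdefault(a.user.upn, set()).update(a.package.resources)
        a.status = "delivered"
        a.expires_at = now + a.policy.duration

    def expire(self, now: datetime) -> List[Assignment]:
        # Remove resources of lapsed assignments, keeping any resource the user
        # still holds through another assignment that is still active.
        expired = [a for a in self.assignments
                   if a.status == "delivered" and a.expires_at <= now]
        for a in expired:
            a.status = "expired"
        for a in expired:
            still_held: Set[str] = set()
            for other in self.assignments:
                if other.user == a.user and other.status == "delivered":
                    still_held |= other.package.resources
            self.grants[a.user.upn] -= a.package.resources - still_held
        return expired


# Constructed sample data: Contoso's "Sales Support" package with three policies.
SALES_SUPPORT = AccessPackage(
    name="Sales Support",
    resources={"group:SalesSupport", "app:Salesforce/Support", "site:SalesSupportHub"},
    policies=[
        Policy("employees", {"contoso.com"}, False, None, timedelta(days=365)),
        Policy("trusted partner", {"fabrikam.com"}, False, None, timedelta(days=90)),
        Policy("other partners", {"adatum.com"}, True, "sponsor@contoso.com", timedelta(days=30)),
    ],
)


def run_scenario() -> Tenant:
    """Employee auto-approved, partner approved by sponsor, partner access expires."""
    t = Tenant()
    t0 = datetime(2019, 5, 1)
    alice = User("alice@contoso.com", "contoso.com")
    bob = User("bob@adatum.com", "adatum.com")
    t.request(alice, SALES_SUPPORT, t0)                    # delivered immediately
    pending = t.request(bob, SALES_SUPPORT, t0)            # waits for the sponsor
    t.approve(pending, "someone-else@contoso.com", t0)     # refused: wrong approver
    t.approve(pending, "sponsor@contoso.com", t0)
    t.expire(t0 + timedelta(days=31))                      # bob's 30-day access lapses
    return t
```

Running `run_scenario()` leaves the employee with all three resources and the partner with none, without anyone having to remember to remove the partner's access.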

We’ve been working with Avanade, which chose Azure AD to simplify the collaboration experience with their clients. Here’s what they had to say about entitlement management:


Learn more with the case study and video at Digital innovator Avanade chooses Azure AD Identity Governance for streamlined, highly secure collaboration.


Entitlement management, along with the other Azure AD features (including Azure AD B2B, provisioning, Access reviews, Terms of use, and PIM), enables you to better protect, monitor, and audit access to critical assets while ensuring employee and guest productivity.


To try these features in your own directory, sign in to the Azure portal as an administrator, and go to the Azure Active Directory > Identity governance section.


Note: Entitlement management is an Azure AD Premium P2 feature as part of Enterprise Mobility + Security (EMS) E5.


To learn more, look at the entitlement management overview and scenario guides, try it out, and let us know your feedback in the comments below.


Best regards,
Alex Simons (@Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division

8 Comments
This is a great release and provides a nice option to shift some of the administrative burden off of IT to the business user with the appropriate knowledge of the project/access requirement. I've not had long to dig into this yet, but am testing it now and look forward to finding out the capabilities. One that I'll be testing, and that will probably be brought up by others, is whether it's possible to auto-approve the request based on the domain of the user requesting. I'm working with clients that want to provide access to resources during mergers and acquisitions, and being able to auto-approve based on the domain portion of the requesting identity would help address these initial scenarios immediately post-merger before the identity platforms have been merged. Paul.
Microsoft

Hello @Paul Hunt - Cimares, thanks for your feedback. Yes, it's possible to configure in an entitlement management access package whether to require approval or to auto-approve a request from a user outside your directory, based on the source directory of that user. You could have one policy for requests from users in directories that require approval, and another policy for requests from users in directories that do not require approval. You can also configure different expiration schedules for each, if you wish.

Thanks Mark, that's great. I've since tested it and that meets the needs of my client for sure! I have noticed that in a multi-geo scenario, the Policy creation scheme only seems to offer sites from the Primary SharePoint site and not from any of the secondary Geos.
Copper Contributor

First of all, this is great stuff and PERFECT timing for us, as we were in the process of building our own process for user entitlements to groups, and then this came along. Our workflow is similar where users are granted group membership to a target group, say Group.ScopeA.Readers, where that group is assigned RBAC role READER in a subscription somewhere.

Depending on whether they're pre-approved, the users can be automatically granted membership (via a JIT request) if they are members of Group.ScopeA.Readers.Eligible; if they aren't in the eligible "list", then anybody in Group.ScopeA.Approvers can either temporarily add them to the target group, OR if they are permanently eligible, add them to the Eligible group so users can auto-join at any time.

Given that "schema", we'd need to create an access package for many Scopes. Is there a more programmatic method available (either azure cli/graph api/powershell module/ARM, etc) to create these packages?

Iron Contributor

Specifying "for users in your directory" under "Who Can Request Access" still requires an explicit declaration of users and groups. If that is left blank, the policy switches to "none (administrator direct assignments only)." Is that to force the admin to recognize the difference between internal users and guests already in your directory? Would you consider a fourth option - "internal users only" - or does that unnecessarily complicate the set up?

Microsoft

Thanks for the feedback. Yes, we'll be adding entitlement management APIs to Microsoft Graph in future, and are also investigating options to further simplify policy configuration.

Copper Contributor

I've been trying this as a possible mechanism to delegate security group ownership, negating the need for assigning the User Administrator role. Unfortunately, it doesn't seem to work: no new group owners are assigned. @Mark Wahl any ideas? Thanks.


I miss the opportunity to assign default access packages to groups via an access package policy.

This is for the scenario where you want to define default access for an organizational unit, let's say a department.

A user's account has an attribute populated with a department ID, and is assigned membership in a dynamic department group based on this.

You want members of this dynamic group to get the default access package for this department auto-assigned.

If this was supported, you could easily set up default access to data and apps for levels like:

* Company
* Departments
* Sections

etc.
