Blog Post

Microsoft Mechanics Blog
9 MIN READ

Microsoft Entra user and admin access controls to prepare for Copilot

Zachary-Cavanell's avatar
Zachary-Cavanell
Bronze Contributor
Jan 20, 2024

Prevent over-permissioning of your data and resources using a Zero Trust “Just enough access” approach with proactive role-based Conditional Access controls with Microsoft Entra. Privileged identities, like admins, are your highest value targets. Use identity governance controls to scope their access to just what they need to perform their specific job roles within specified time limits. For everyday users, ensure “just enough access” so users can only access what they need to get their jobs done. This is done using Entitlement Management to select the right resources and apps to prevent over-permissioning. With Conditional Access adaptive controls, you can ensure users and devices meet predefined conditions prior to granting access to any resource.

 

 

 

Jeremy Chapman, Microsoft 365 Director, shares the controls you can put in place to help ensure access to your resources is protected.

 

Activate Just-In-Time access for a privileged role.

 

Prevent data loss and espionage via over-permissioned generative AI. Protect administrator accounts and resource entitlement using Microsoft Entra ID Governance. Check it out.

 

 

Help everyday users get “Just enough access” needed to do their jobs.

 

Choose who can request access, and require justification, proof of activity and quarterly access reviews. Get started with Microsoft Entra.

 

 

Put Conditional Access controls in place.

 

Control who can access resources, under what conditions, and with what level of access. Take a look at new Conditional Access controls and pre-built templates in Microsoft Entra.

 

 

Watch our video here:

 

 


QUICK LINKS:

00:00 — Microsoft Entra Conditional Access and ID Governance
01:35 — Privileged Identities
02:51 — How to activate Just-in-Time access
04:32 — Just Enough Access and entitlement management
06:08 — Create access packages
07:47 — Conditional Access
09:16 — Pre-built templates
10:20 — Wrap up

 

 

Link References:

Get started, go to https://entra.microsoft.com

For more information, check out https://learn.microsoft.com/entra

Watch our show and demo on lifecycle workflow automation at https://aka.ms/ILMMechanics

 

 

Unfamiliar with Microsoft Mechanics?

As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

 

 

Keep getting this insider knowledge, join us on social:


Video Transcript:

-Today, access management to your data is more important than ever. Security breaches are one thing, but so is the rapid adoption of Copilots or generative AI solutions that can be configured to retrieve private data to generate responses and can risk inadvertently surfacing information that you may or may not want accessible to everyone. 

 

-Now, the good news is, with Microsoft Entra, proactive role-based Conditional Access controls exist today to prevent over-permissioning of your data and resources using a Zero Trust, “Just enough access” approach. And this works in a few ways. 

 

-First, privileged identities, like the multitude of different admin roles, are your highest value targets for adversaries. And here you can use identity governance controls to scope admin access to just what they need to perform their specific job roles. 

 

-Then, as a role scoped admin within specified time limits, they can activate elevated privilege specific to their job role. Next, for everyday users you can ensure “just enough access” so that users can only access what they need and nothing more to get their jobs done. 

 

-And for Microsoft Entra admins, this is configured using entitlement management to select the right resources and apps to prevent over-permissioning. And with Conditional Access adaptive controls, you can ensure that users and devices meet predefined conditions prior to granting access to any resource. 

 

-Today we’ll go deeper into the controls that you can put in place to help ensure that access to your resources is protected. Let’s start with how you’d use Microsoft Entra ID Governance to limit access to only the people or processes who need it. 

 

-A great place to start is with your privileged identities. Now, these are often, but not always, administrative roles. And this lets you determine who can carry out privileged operations in places spanning Microsoft Entra, Azure, Microsoft 365 and more. 

 

-So I’m going to click into Manage Access, and you’ll see a detailed list of all the roles available, everything here from Application Developer on top, down to Global Administrator, and even workload-specific roles like SharePoint Administrators. Now, once you’ve defined privileged identities, it’s also important to protect these accounts. 

 

-And if we keep to our example of generative AI using Copilot for Microsoft 365, for example, administrative access to SharePoint, which includes OneDrive administration and also Microsoft Teams files, means that these services and locations will be used in Microsoft 365 to provide information that Copilot retrieves based on the access privileges of the user in order to augment the prompts used to generate an informed response. So protection of these accounts really helps to prevent espionage attempts via generative AI. 

 

-Additionally, if a privileged account is compromised by an attacker with elevated account permissions, they can access resources and even sometimes grant access to other accounts in order to move laterally and remain undetected. 

 

-Now this is where, as mentioned, privileged identity management with just-in-time approval-based role activation really comes in to offset the risks of excessive access permissions. And I’ll click into the SharePoint Administrator role. From here, I can add assignments, and I’m going to choose Mario Rogers. I want to make sure that Mario uses just-in-time approval to elevate his permission. 

 

-So I’ll leave the default of Eligible and then keep the duration defaults. Then I’ll hit Assign. Now if I click into Settings, I can see the details to activate his privileged role, like a maximum duration, if MFA is required, if approval is required by another individual, and whether other people will be sent email notifications when just-in-time elevation is activated. 

 

-So now let me show you the experience to activate just-in-time access for a privileged role. So from the Microsoft Entra Admin Center, under ID Governance, and Privileged Identity Management, I’m going to click into My Roles. And you’ll see that I have a few here. 

 

-Now, for SharePoint Administrator, I’ll hit Activate. And a reason’s required in this case, so I’ll paste in site administration and then hit Activate. And that runs the steps in my case to enable time-limited role access as a SharePoint admin. It’s also going to notify my team, and everything will be logged. And now I can administer SharePoint and OneDrive for the next eight hours, until my permission expires. 

 

-Next, we’ll move from high-privileged roles to everyday users in your organization to help them get to just enough access as well using entitlement management. Not only can this limit over-permissioning, but it also helps internal and external users quickly get access to what they need to do their jobs without even knowing who to ask. So let’s say you want to create a good starting point for newly hired sellers. 

 

-Now you’ll start by creating a catalog with different resources to choose from. To save time, I’ve already updated my general catalog with quite a few resources, and this includes things like applications, SharePoint sites, groups and teams, and we’re going to use those in the next step. 

 

-Now we’ll head over to Access Packages. Think of these as bundles of resources that a team needs, which is governed using policies. So I’ll create one, I’ll paste in the name Sales, then add a description, and in my case, I’ll leave the catalog as General, because I only have one here, but I can also add additional catalogs as I need them. 

 

-Next, in Resource Roles, I can assign this package to groups and teams. So I’m going to add a few here that are related to my sales staff and a couple more. And then I could add the applications that my sellers will need. So I’ll choose these three apps that our sellers use almost every day. 

 

-Now, for SharePoint sites, I’ll add a couple that all employees would be able to access. Then I’m going to search for sales and choose the corresponding sites. Then in the column on the right hand side for role, I can choose from owner or member. And by the way, you’ll do this for each of these resources based on the role type that each offers. 

 

-So now you can see that member and equivalent roles for all of them have been selected. Next, I can choose who can request access, and I’ll choose users in my directory, than all members in my case. But I could lock this down to sales roles using Group Assignment. In approval, I’ll require it. 

 

-Then I’m going to choose Require Justification where a manager needs to sign off on the request along with associated decision criteria, and I’m going to select a fallback approver, in this case, Adele. Then I’ll enable new requests. And for high risk actions, you can also require proof of activity to verify the user with Microsoft Entra Verified ID. 

 

-So now I’m going to skip to Lifecycle where I can set up access package expiration, which is great for time limited projects or events. But in my case, I’m going to choose Never. And in the spirit of keeping just enough access in check from now on, I’ll require quarterly access reviews using defaults. From there, I can review and create my access package. 

 

-And now with the configurations I’ve just set, sales personnel and related staff can be assigned with this access package. Where users can either request access directly themselves via the My Access portal, or I can assign users and manage identities to the access package as an admin. 

 

-And an even more powerful way of assigning access packages is by using Lifecycle Workflow Automation, and you can find an entire show and demo on that topic at aka.ms/ILMMechanics. So now with our privileged and everyday user accounts protected, let’s put controls in place to grant or block access at the moment when resources are requested. 

 

-And for that, we can use Conditional Access to control who can access your resources, under what conditions, and with what level of access using policies. Now, you might be using Conditional Access as a mechanism for enforcing multi-factor authentication now. 

 

-It also lets you scope specific identities and apps using conditions spanning user risk, sign-in risk, device platform, locations which now even include internet and private access apps, client apps and other filters, and recently we’ve added more controls related to Conditional Access, and I’ll highlight a few. 

 

-First, we’ve added locations for all compliant locations, which is a Microsoft managed list of geographical locations, as well as IP addresses set as a named location. And there are conditions to filter for devices, for example, whether the device is managed and compliant with your MDM policies. 

 

-And as resources are accessed, it assesses each sign-in attempt in real time at machine speed to grant or block access based on the rules you set, and what you’re seeing here also reflects the authentication strengths you’ve configured. So in authentication strengths, you have access to everything, from phishing resistant MFA strength to passwordless MFA strength and more. So here I’m going to set it to grant with passwordless MFA. 

 

-So far, I’ve shown the underpinnings of how to manually configure Conditional Access policies and what each setting does, and new prebuilt templates make this process even easier. So we’ve added over a dozen templates for Secure Foundation, Zero Trust, Remote Work, Protect Administrator, and Emerging Threats. 

 

-And from this page, you can view the details under each template. Now, we recommend that you start with Require Multifactor Auth for admins, then Block Legacy Auth, then Require MFA for all users. Now, the JSON files you’re seeing here are helpful as documentation, and you can also modify and directly upload them to create new policies as part of your change management process. Using these templates, this is as little as two clicks to enable them. 

 

-And we do recommend initially setting the policy state to report only in order to gauge the impact of the policy. Then from there, you’ll be able to edit the policy properties from the Conditional Access policy itself. 

 

-And when you’re ready, you can configure the policy state to on. And everything I’ve highlighted today will help you prevent over-permissioning and maintain just enough access, whether you want to implement copilot for Microsoft 365 or just take your access management to the next level. 

 

-To get started, go to entra.microsoft.com, and to find out more, check out learn.microsoft.com/entra. And also keep watching Microsoft Mechanics for the latest tech updates. Thanks for watching, we’ll see you next time.

 

 

Updated Jan 19, 2024
Version 1.0
No CommentsBe the first to comment