Jul 23 2021
- last edited on
Jan 14 2022
Hi Azure / Microsoft365 friends,
Before we start with the example, let's first clarify the license issue. In order to work with an Access Package in Azure Active Directory (Azure AD) Identity Governance you need Azure AD Premium P2.
The following situation from a customer project:
In my example, I am working with a group in Azure AD. You can also work with Apps or SharePoint Sites. Imagine that a group named "Bitcoin Traders" needs to be managed. It is about managing the members. Who can decide which users can be a member of this group or not? The IT administrator or the owner of the group? In my example, the manager of the Bitcoin Trader team. This person can best decide who can be a member and who cannot. This is where our Access Package comes into play!
Let's get started.
We start in the Azure Active Directory!
I navigate to the groups.
Under Members we now see the current members.
We go back to Azure AD and click on Identity Governance.
Click on Access packages.
Click on New Access packages.
Specify a name and description (Ich arbeite mit dem Standard Katalog mit dem Namen "General").
I now select Groups (as explained at the beginning). Check the box so you can see all the groups. Select the appropriate group.
Now we determine whether the role of the new members. In my case, I select member.
Which users can perform a request and needs an approval.
I select a specific person as Approver. Since the Azure AD users do not have a manager configured in the profile. The approver must also provide a reason for the approval.
I now select the person (Ed Jones).
One more additional question that the applicant must answer (but it is optional).
How long should this Access Package be valid (should be discussed for each company). I do not want an Access Review at this point (I will explain another time ;-).
Overview and click create.
Now we have the Access Packet.
Unfortunately the following printscreens are in German, I could not change the language to English. Sorry.
Now a user can visit the website https://myaccess.microsoft.com after that he sees the following. Then click on Request access (highlighted in yellow)
The following window appears.
The person who can give the permission logs on the website http://myaccess.microsoft.com. and click Approve (also in yellow).
The following window appears and at the bottom you can decide whether to grant or deny access. In my case approve (in yellow).
Back to Azure Active Directory and again to the "Bitcoin Traders" group and see, now "Jon Prime" is a member of this group. BINGO!
This is a possible example of using an Access Package in Azure Active Directory (Azure AD) Identity Governance. I absolutely aware that this was now not the absolute ultimate! But I really wanted to share my experience with you.
I hope this article was useful. Best regards, Tom Wechsler