Ensure compliance using separation of duties checks in access requests
Published Jul 26 2021 09:00 AM 14.1K Views

With Azure Active Directory (Azure AD) identity governance, you can balance your organization's need for security and employee productivity with consistent processes and visibility. The new separation of duties checks feature now in preview in Azure AD entitlement management helps you prevent users from acquiring excessive or incompatible access rights.


Today, many organizations, such as those featured in our customer stories, use Azure AD identity governance entitlement management and access reviews features to set time limits for access, so users do not retain access to business-critical apps longer than necessary.


In entitlement management, you can bundle all project resources – groups, Teams, app roles, and site roles – into a single access package. If users need the Sales Executive role in a sales app, for instance, they can request an access package that includes that role. If approved, they’re also given access to a Team for discussion or a relevant SharePoint Online site for document storage. Once their assignment ends, their access is automatically removed.


Separation of duties configuration in the Azure portal.png


Separation of duties checks is one of the top-requested additions to Azure AD for identity governance because it reduces risk exposure, preventing users from receiving combinations of permissions that could lead to misuse.


How the separation of duties checks feature works

Imagine that in addition to a sales application, you have an accounting application. Your auditors are concerned that no one person should be able to change both sales and accounting data. They insist that all approval processes check that users requesting accounting access don’t already have sales access, and vice versa.


The separation of duties preview lets you prevent users from requesting an access package if they’re already assigned to other access packages or are a member of other groups. Configuring the access packages for sales and accounting so they’re incompatible — either through the Azure Portal or Graph API — simplifies the process. since approvers don’t need to manually check which assignments a user has. 


An attempt to request an access package is prevented by a separation of duties check because the user already was assigned to another access package.jpg



Set up separation of duties checks in two steps

If someone with the Accounting Specialist access package visits the MyAccess page and requests the Sales Executive access package, they’ll be informed that their current access is incompatible.  They can either give up their existing access, or request using a different access package with a different role.


Getting started takes just two steps. 


We’d love to hear your feedback, whether you’ve just tried this preview or have already been using entitlement management or other Azure AD identity governance features. Share comments and suggestions below or on Twitter.




Learn more about Microsoft identity:

Version history
Last update:
‎Nov 02 2021 02:47 PM
Updated by: