
Microsoft Entra Blog

Onboard partners more easily with new Azure AD entitlement management features

Joseph Dadzie
Microsoft
Sep 02, 2021

Onboarding partners cleanly and efficiently is now easier because of two recently introduced entitlement management features in Azure Active Directory – custom questions and attribute collection. Today, we’re highlighting how these features work and sharing how they help with processes like partner onboarding. These additions enhance Azure AD identity governance, which helps organizations balance the need for security and productivity with consistent processes and visibility.

 

Partner onboarding processes often involve collecting information about a partner, both to guide decisions about whether to grant access and to set up their account properly for the apps and resources they’ll use. Before granting a partner access to a particular team in Teams, for instance, you might want them to share their role in their organization, so the approver knows whether the team is right for them. Or you may need to set the location attribute for partner guests, the same way you do with employees, because they’ll be using an inventory app.

 

Previously, companies may have built custom forms to gather this information before setting up partner guests and granting access, but those forms were expensive to build and hard to maintain. Entitlement management’s new built-in capabilities automatically provide your approvers and apps with the information they need.

 

Let’s explore these two new features.

 

Configure custom questions

The custom questions feature in entitlement management access packages allows the access package creator to configure questions that the requestor will answer as part of the request process. This feature, now generally available, supports different types of questions, including free-form text or multiple choice, which you can localize for partners in different locales.

 

 

When a partner requests an access package that has custom questions configured, they’ll answer those questions as part of the request process. The approver can then evaluate those answers as they decide whether to approve the request.

 

Specify built-in attributes

If you need to save partner information from requests for later use, you can now specify built-in or custom attributes that will be persisted on the requestor’s user object itself. The attribute collection feature, just released to public preview, can be especially useful if an app requires the information to function properly, such as with an inventory app that needs the user’s region.

Configuring attributes is a similar experience to that of configuring questions, but it’s surfaced on the resources in the catalog – in this case, on the inventory app – rather than on individual access packages.

 

 

When an access package includes a resource configured for attribute collection, the partner is automatically asked for those values in addition to any custom questions specified for the access package itself. The information supplied for these attributes is also presented to the approver and is written into the requestor’s user object if the request is approved.

 

 

While the scenario of needing more information about requestors is more common when supporting external users who request access to your resources, such as partners or vendors, both of these features can also be used for employees.

 

Give it a try

If you’re already using entitlement management, you can easily add questions or required attributes onto any of your existing access packages, or you can quickly set up a new access package to take advantage of them. We’d love to hear your feedback. Share your thoughts in the comments or reach out to us on Twitter!

 

 

 


Updated Sep 03, 2021
Version 3.0
  • magichappens
    Copper Contributor

    Nice feature but in the real world who is accepting an NDA which is not able to be linked? I doubt this would have any legal ground. It seems links are not even supported which makes the feature quite limited. Is it planned to improve this any time soon?