As a security consultant I have been working for several companies over the years and have dealt with numerous issues surrounding Identity Management.
One of the recurring challenges has always been granting the right amount of access for the right amount of time. The latter in particular has been a challenge, for example removing users from groups after they leave the company or change position within it.
Since the beginning of Azure AD, Microsoft has been adding more and more self-service and automation to Identity Management. I for one am a big fan of this, considering the risks when Identity Management isn't done properly.
Entitlement Management covers granting access to SharePoint sites and company apps and adding users to groups. Each of these is already possible individually, but with Entitlement Management you create Catalogs of resources and group them into Access Packages that users can request access to.
Using Entitlement Management starts with creating a catalog of resources.
Go to the service tab – Identity Governance and select Catalogs under Entitlement Management.
In the right pane select New Catalog.
Figure 1 – Catalog creation
This opens the catalog creation pane, where a Name and Description for the catalog must be entered, and where you choose whether the catalog is Enabled and whether External Users can be added to it.
Figure 2 – Catalog settings
After the catalog has been created Resources should be added. Choose Resources in the left pane and press Add resources in the right pane.
Figure 3 – Adding resources to catalog
As mentioned, it is possible to add 3 types of resources: Groups, Applications and SharePoint Sites.
Figure 4 – Resource types
At this point, resources are added to the catalog; these are the resources that will be available when creating Access Packages.
Figure 5 – Adding groups
Figure 6 – Adding groups
Figure 7 – Adding Sharepoint sites
Since we have no applications in our test tenant, it is not possible to add these, but I hope you get the point.
Adding 2 groups and 1 SharePoint site leaves us with a catalog that looks like this. In production and for companies of a medium size, expect the catalog to contain a lot more resources.
Figure 8 – Resources selected to be added to the catalog
After selecting the resources for the catalog, press Add at the bottom of the screen.
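The catalog steps above can also be scripted. The following is an added example, not code from the original article, using the Microsoft.Graph PowerShell SDK and the Microsoft Graph v1.0 entitlementManagement endpoints. The catalog name, the group object id and the SharePoint site URL are placeholders, and the request bodies follow the Graph `accessPackageCatalog` and `accessPackageResourceRequest` shapes as I understand them.

```powershell
# Added example (not from the original article): Figures 1-8 via Microsoft Graph v1.0.
# Placeholders: catalog name, $groupId (group object id), the SharePoint site URL.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
$graph = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

# Figure 2: name, description, enabled (state) and whether external users may be added
$catalog = Invoke-MgGraphRequest -Method POST -Uri "$graph/catalogs" -Body @{
    displayName         = "Project Catalog (example)"
    description         = "Resources for the example project"
    state               = "published"      # "unpublished" keeps the catalog disabled
    isExternallyVisible = $false           # only $true if guests should be able to request
}

# Figures 5/6: add a group. originSystem tells Graph which resource type this is.
$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder object id
Invoke-MgGraphRequest -Method POST -Uri "$graph/resourceRequests" -Body @{
    requestType = "adminAdd"
    catalog     = @{ id = $catalog.id }
    resource    = @{ originId = $groupId; originSystem = "AadGroup" }
}

# Figure 7: add a SharePoint site; for sites the originId is the site URL.
Invoke-MgGraphRequest -Method POST -Uri "$graph/resourceRequests" -Body @{
    requestType = "adminAdd"
    catalog     = @{ id = $catalog.id }
    resource    = @{ originId     = "https://contoso.sharepoint.com/sites/example"   # placeholder
                     originSystem = "SharePointOnline" }
}

# Figure 8: list what the catalog now contains
(Invoke-MgGraphRequest -Method GET -Uri "$graph/catalogs/$($catalog.id)/resources").value |
    Select-Object displayName, originSystem, originId
```

The resource requests are processed asynchronously by the service, so the final listing may take a moment to show both resources; re-run the last statement if it comes back short.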
Access Package creation
When the catalog has been created, we have a foundation to build our Access Packages from. To create an Access Package choose Access Packages in the left pane and press New access package.
Figure 9 – Access package creation
Access package creation consists of 3 parts – Basics such as name and description, Resource roles, which define what role users get on the chosen resources, and Policy, which defines how users can request the access package.
Note: The Name and Description entered here will be displayed to the users.
Figure 10 – Access package creation – basics
By pressing the Groups, Applications or SharePoint sites button at the top, resources can be added.
Figure 11 – Access package creation – resource roles
When selecting resources, it is possible to tick the Only see Group(s)… option to list only the resources that are already in the catalog. Resources that are not in the catalog can also be added, but only if the user has privileges that allow them to be added to the catalog.
Figure 12 – Adding resources to access package – groups
After a resource has been added the Role needs to be set using the drop-down to the right of the resource.
Figure 13 – Choose the role the users should have when approved.
Policies define which users can request access, whether the request requires approval, and whether access should expire on a certain date or after a certain amount of time.
A single policy can only target users from either your own directory or from external directories. Alternatively, you can choose that no users can request access, and that access is instead assigned directly by an administrator.
This is not a real limitation, because every access package can have multiple policies.
Figure 14 – Policy creation
Figure 15 – Directory selection when selecting users from external tenants.
Figure 16 – Approver selection.
Figure 17 – Expiration selection
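For the access package, resource role and policy steps (Figures 9 to 17), here is an added example, again not code from the original article, that does the same through Microsoft Graph v1.0. `$catalogId`, `$groupId` and `$approverId` are placeholders. The role `originId` of the form `Member_<groupId>` for a group's Member role and the property names of the assignment policy are my reading of the Graph `accessPackageResourceRoleScope` and `accessPackageAssignmentPolicy` schemas.

```powershell
# Added example (not from the original article): Figures 9-17 via Microsoft Graph v1.0.
# Placeholders: $catalogId, $groupId, $approverId.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
$graph      = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"
$catalogId  = "<catalog id>"                                # placeholder
$groupId    = "00000000-0000-0000-0000-000000000000"        # placeholder group object id
$approverId = "11111111-1111-1111-1111-111111111111"        # placeholder approver user id

# Figure 10: basics. Name and description are what requesters see in the portal.
$package = Invoke-MgGraphRequest -Method POST -Uri "$graph/accessPackages" -Body @{
    displayName = "Example project access"
    description = "Membership of the project group and site"
    catalog     = @{ id = $catalogId }
}

# Figures 11-13: pick the group from the catalog (client-side filter) and set the role to Member.
$resource = (Invoke-MgGraphRequest -Method GET -Uri "$graph/catalogs/$catalogId/resources").value |
    Where-Object originId -eq $groupId | Select-Object -First 1

Invoke-MgGraphRequest -Method POST -Uri "$graph/accessPackages/$($package.id)/resourceRoleScopes" -Body @{
    role  = @{
        originId     = "Member_$groupId"        # assumed form of the Member role id for groups
        displayName  = "Member"
        originSystem = "AadGroup"
        resource     = @{ id = $resource.id }
    }
    scope = @{ originId = $groupId; originSystem = "AadGroup" }
}

# Figures 14-17: who may request, who approves, and when access expires.
Invoke-MgGraphRequest -Method POST -Uri "$graph/assignmentPolicies" -Body @{
    displayName        = "Internal users, approval, 90 days"
    description        = "Members of this directory may request; one approver; expires after 90 days"
    accessPackage      = @{ id = $package.id }
    allowedTargetScope = "allMemberUsers"      # use "allExternalUsers" for a guest policy (Figure 15)
    expiration         = @{ type = "afterDuration"; duration = "P90D" }
    requestorSettings  = @{ enableTargetsToSelfAddAccess = $true }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd = $true
        stages = @(
            @{
                durationBeforeAutomaticDenial = "P7D"     # unanswered requests are denied after a week
                primaryApprovers = @(
                    @{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approverId }
                )
            }
        )
    }
}
```

The external-user policy from Figure 15 is a second `assignmentPolicies` POST against the same access package with `allowedTargetScope` set accordingly, which is exactly the "multiple policies per package" point made above.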
When the access package has been created, the link should be sent to the external users that need to request access.
Figure 18 – Review page
So, the Access Package we created ended up with these resources – which means that users who request access and are approved by the approvers will be added to the 2 groups and will become members of the SharePoint site.
Figure 19 – Resource overview
When users access the link, they will be accessing the “myportal” site. After a successful login they will be able to select the access package and request access. See below.
Figure 20 – The initial page after logging in.
Figure 21 – To request access – select the package and press Request access.
Figure 22 – Fill out the required fields.
Figure 23 – After the request has been added it can be viewed in the request history.
Figure 24 – And the approver will get a notification that there is a request waiting.
Using services like Entitlement Management can greatly reduce the work needed to grant resources to users and to remove that access again afterwards. This might not seem like a big security enhancement, but in fact the right access at the right time is a big security improvement. It also reduces the time administrative staff spend helping users with access, and allows the administration to be delegated to the people who actually own the resources. All in all we are very happy about Microsoft's new features.
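The "right access at the right time" benefit only holds if every policy actually carries an expiry and an approval. As an added example, not from the original article, the read-only check below lists the assignment policies in a tenant via Microsoft Graph v1.0 and reports the ones that grant access without expiry, without approval, or to all external users. The property names are those of the Graph `accessPackageAssignmentPolicy` resource as I know them; the three checks themselves are my own choice of what to flag.

```powershell
# Added example (not from the original article): audit assignment policies for
# missing expiry, missing approval, or an all-external-users scope.
Connect-MgGraph -Scopes "EntitlementManagement.Read.All"
$uri = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies?`$expand=accessPackage"

# Follow @odata.nextLink so tenants with many policies are fully covered
$policies = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $policies += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

$findings = foreach ($p in $policies) {
    $issues = @()
    if ($p.expiration.type -eq "noExpiration")                    { $issues += "no expiration" }
    if (-not $p.requestApprovalSettings.isApprovalRequiredForAdd) { $issues += "no approval on request" }
    if ($p.allowedTargetScope -eq "allExternalUsers")             { $issues += "open to all external users" }
    if ($issues) {
        [pscustomobject]@{
            AccessPackage = $p.accessPackage.displayName
            Policy        = $p.displayName
            Issues        = ($issues -join "; ")
        }
    }
}

$findings | Format-Table -AutoSize
```

A policy reserved for direct assignment by administrators (no requesters, as described above) will show up as "no approval on request"; that is expected for such policies and is worth recognising rather than suppressing, since it also tells you which packages bypass the approval flow entirely.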
If you have any questions about this article or would like a demo in your own environment, as always just reach out to us.
Have a great summer all!