Next section to my SC-300 study guide will cover the following:
- define catalogs
- define access packages
- plan, implement and manage entitlements
- manage the lifecycle of external users in Azure AD Identity Governance settings
Table of Contents
What is Entitlement management?
Azure AD entitlement management is an identity governance function that automates access request workflows, access assignments, reviews, and expiration, allowing companies to manage identity and access lifecycles at scale.
To do their jobs, employees in companies require access to a variety of groups, applications, and websites. Managing this access is difficult as requirements change, such as the installation of new applications or the need for increased access rights for users. When you collaborate with other organizations, this scenario becomes more problematic since you may not know who in the other organization needs access to your resources, and they may not know what applications, groups, or sites your organization uses.
Azure AD entitlement management can help you manage access to groups, applications, and SharePoint Online sites for internal users as well as external users who require access to those resources.
When should I use access packages?
Access packages do not replace other mechanisms for access assignment. They are most appropriate in situations such as:
- Employees need time-limited access for a particular task. For example, you might use group-based licensing and a dynamic group to ensure all employees have an Exchange Online mailbox, and then use access packages for situations in which employees need additional access, such as to read departmental resources from another department.
- Access that requires the approval of an employee’s manager or other designated individuals.
- Departments wish to manage their own access policies for their resources without IT involvement.
- Two or more organizations are collaborating on a project, and as a result, multiple users from one organization will need to be brought in via Azure AD B2B to access another organization’s resources.
How many licenses must you have?
Ensure that your directory has at least as many Azure AD Premium P2 licenses as you have:
- Member users who can request an access package.
- Member users who request an access package.
- Member users who approve requests for an access package.
- Member users who review assignments for an access package.
- Member users who have a direct assignment to an access package.
For guest users, licensing needs will depend on the licensing model you’re using. However, the below guest users’ activities are considered Azure AD Premium P2 usage:
- Guest users who request an access package.
- Guest users who approve requests for an access package.
- Guest users who review assignments for an access package.
- Guest users who have a direct assignment to an access package.
Azure AD Premium P2 licenses are not required for the following tasks:
- No licenses are required for users with the Global Administrator role who set up the initial catalogs, access packages, and policies, and delegate administrative tasks to other users.
- No licenses are required for users who have been delegated administrative tasks, such as catalog creator, catalog owner, and access package manager.
- No licenses are required for guests who have a privilege to request access packages but they do not choose to request them.
Summary of terminology
To better understand entitlement management and its documentation, you can refer back to the following list of terms.
|access package||A bundle of resources that a team or project needs and is governed with policies. An access package is always contained in a catalog. You would create a new access package for a scenario in which users need to request access.|
|access request||A request to access the resources in an access package. A request typically goes through an approval workflow. If approved, the requesting user receives an access package assignment.|
|assignment||An assignment of an access package to a user ensures the user has all the resource roles of that access package. Access package assignments typically have a time limit before they expire.|
|catalog||A container of related resources and access packages. Catalogs are used for delegation, so that non-administrators can create their own access packages. Catalog owners can add resources they own to a catalog.|
|catalog creator||A collection of users who are authorized to create new catalogs. When a non-administrator user who is authorized to be a catalog creator creates a new catalog, they automatically become the owner of that catalog.|
|connected organization||An external Azure AD directory or domain that you have a relationship with. The users from a connected organization can be specified in a policy as being allowed to request access.|
|policy||A set of rules that defines the access lifecycle, such as how users get access, who can approve, and how long users have access through an assignment. A policy is linked to an access package. For example, an access package could have two policies – one for employees to request access and a second for external users to request access.|
|resource||An asset, such as an Office group, a security group, an application, or a SharePoint Online site, with a role that a user can be granted permissions to.|
|resource directory||A directory that has one or more resources to share.|
|resource role||A collection of permissions associated with and defined by a resource. A group has two roles – member and owner. SharePoint sites typically have 3 roles but may have additional custom roles. Applications can have custom roles.|
What it can do
- Delegate to non-administrators the ability to create access packages. These access packages contain resources that users can request, and the delegated access package managers can define policies with rules for which users can request, who must approve their access, and when access expires.
- Select connected organizations whose users can request access. When a user who is not yet in your directory requests access, and is approved, they are automatically invited into your directory and assigned access. When their access expires, if they have no other access package assignments, their B2B account in your directory can be automatically removed.
Creating a catalog
When you create a catalog, you can choose it be externally available or not.
But you can change the settings after it’s created.
The concept is that you will make Catalogs that contain the following.
Resources to be published
Access Packages for the resources
And the Catalog owner
With Access Packages you can give user permission for the following resources.
- Membership of Azure AD security groups
- Membership of Microsoft 365 Groups and Teams
- Assignment to Azure AD enterprise applications, including SaaS applications and custom-integrated applications that support federation/single sign-on and/or provisioning
- Membership of SharePoint Online sites
- You can give users licenses for Microsoft 365 by using an Azure AD security group in an access package and configuring group-based licensing for that group.
- You can give users access to manage Azure resources by using an Azure AD security group in an access package and creating an Azure role assignment for that group.
- You can give users access to manage Azure AD roles by using groups assignable to Azure AD roles in an access package and assigning an Azure AD role to that group.
So there is many possibilities with this product inside Microsoft environment and third-party products that rely on your Cloud Identity. For example you can use dynamics groups for your needs. I wrote a blog about Dynamic Groups and using them to automate user rights and policies Azure Dynamic Groups and how to use Extended attribute.
Resources can be Teams channel, SharePoint sites or regular application that you have inside your tenant.
There is a new a feature called require attributes.
The function for this is to get the info from the user when they request access. The below example with ask their Employee ID and pass it to users employeeID attribute.
You an also choose keep it after access is revoked and to make it editable.
When you create an access package. You can choose the resources that you defined to the catalog but also all resources available in the tenant by select “See all”
You have corresponding roles for the resources.
A Team Owner or member
Group or Team
With the application you have the roles defined in the App registration.
And result is this.
And with the SPO site you will the following.
So really straight forward and understandable structure.
When we chose not to allow external access to this catalog, this is what we find out.
But you can still enable new request.
Notice the difference with “For users in your directory” and “For users not in your directory”
The first one covers also Guest users, so if you want manage guests inside your tenant, this could be your option.
- Only one of the selected approvers or fallback approvers needs to approve a request for single-stage approval.
- Only one of the selected approvers from each stage needs to approve a request for multi-stage approval for the request to progress to the next stage.
- If one of the selected approved in a stage denies a request before another approver in that stage approves it, or if no one approves, the request terminates and the user does not receive access.
- The approver can be a specified user or member of a group, the requestor’s Manager, Internal sponsor, or External sponsor depending on who the policy is governing access.
You can request answer from users.
And the attributes are mandatory as we added them to one of application in the catalog as required.
Inside the lifecycle you can define expiration of the package, possible extension and Access reviews.
Custom extensions if still in preview but I will explain it anyway, shortly.
You can create a new custom extension under the catalog. It will use existing Logic apps triggers to run after some of the above conditions are true.
Guest user experience
Once you send the URL for your guest users, they will be asked the question that we defined.
Once they fill the info, the approval request will be sent to the Approver.
The approver can go to https://myaccess.microsoft.com/ and find the pending requests that they have.
And clicking details will give more info and because we required, they have to provide a justification.
From request details they will see the requester provided information.
And the end-user will see it as Active at their end.
If You don’t want or have guest users, you could use connected organizations. With this feature, You don’t need to add any users inside your own tenant.
When you start adding Connected Organizations, you will see two options.
Proposed and Configured, these are the differences between these.
Configured org has full federation to access packages that you have made. And these organizations will be available in all target.
Proposed means that you created it on your end, but other end didn’t yet approve or configure it at their end.
When you add a domain to the list that don’t have Azure AD, it will show that OTP is used, you can change this authentication type later.
But when you add an organization that has Azure AD (like mine), it will show Azure Ad in the authentication type.
Then you can add sponsors (It’s optional). Sponsors are user inside the org or external users that already have access to the environment.
You can give them permissions to accept new users request for resources inside your organization.
And then inside the access package there is more settings for policies and also for access reviews.
In the initial policy you can set options for access reviews and user the organizational connection that was made in the previous part.
Request can be approved from inside or externally. Here where the sponsors have their say (if you added them in the previous steps) or can be only assigned by the admin.
Sponsors can be reviewers for the assigned groups and keep it up-to-date.
So when you choose “in your directory”
When you choose “Require approval” you will be presented with another options for approval stages
And if that first approver didn’t react, you can flow the request to a second one.
And users NOT in your organization you will use the sponsors.
Internal or external, but again because it was optional you may not have them. You can also choose approvers from your directory.
And then in the life cycle, you can choose access package expiration and how often to require Access Reviews.
And finally on the reports page you can see reports based on access package and resources assigned for a user.
Creating new terms
You can choose multiple languages and PDF document localized for them.
You can also define expiration of the consent and enforcement with Conditional access.
By default users are not required to expand the Terms, which is funny as they should read it but most of us don’t read what we consent to.
Also you can require users to consent on every device.
You can create policy automatically or create Your own.
And how the finished terms look like.
When a user logins, they will see the following.
You also have Lifecycle Management for external users that had their access revoked.
You can select what happens when an external user, who was invited to your directory through making an access package request, no longer has any access package assignments. This can happen if the user relinquishes all their access package assignments, or their last access package assignment expires. By default, when an external user no longer has any access package assignments, they are blocked from signing in to your directory. After 30 days, their guest user account is removed from your directory..
Once an external user loses their last assignment to any access packages, if you want to block them from signing in to this directory, set the Block external user from signing in to this directory to Yes.
Note! If a user is blocked from signing in to this directory, then the user will be unable to re-request the access package or request additional access in this directory. Do not configure blocking them from signing in if they will subsequently need to request access to other access packages.
Once an external user loses their last assignment to any access packages, if you want to remove their guest user account in this directory, set Remove external user to Yes.
Note! Entitlement management only removes accounts that were invited through entitlement management. Also, note that a user will be blocked from signing in and removed from this directory even if that user was added to resources in this directory that were not access package assignments. If the guest was present in this directory prior to receiving access package assignments, they will remain. However, if the guest was invited through an access package assignment, and after being invited was also assigned to a OneDrive for Business or SharePoint Online site, they will still be removed.
If you want to remove the guest user account in this directory, you can set the number of days before it is removed. If you want to remove the guest user account as soon as they lose their last assignment to any access packages, set Number of days before removing external user from this directory to 0.
Things to remember
What is a connected organization and what is the differences compared to Guest users.
How many licenses you must have.
Terminology used in Entitlement management
When don’t have Azure AD in the connected organization, it will show that OTP is used.
What is the difference with internal and external sponsors.
You can localize terms and upload your own pdf files.
If you want to remove the guest user account as soon as they lose their last assignment to any access packages, set Number of days before removing external user from this directory to 0
If the guest was present in this directory prior to receiving access package assignments, they will remain. However, if the guest was invited through an access package assignment, and after being invited was also assigned to a OneDrive for Business or SharePoint Online site, they will still be removed.