If you are not familiar with Entitlement management, read this first.
Azure AD Entitlement Management
Hi all, Today’s post I will be discovering possibilities with Entitlement Management from Azure AD. First you have to understand that this solution isn’t a complete Identity and Access Management product (IAM) If you are looking for these, please see Identity Governance Solutions | One Identity or Lifecycle Management and App Provisioning Software | Okta […]
www.cloudpartner.fi
Microsoft keeps evolving Azure AD Entitlement management solution, here is a feature added previously.
Multi-stage access review (preview)
Microsoft introduced a feature to allow Multi-stage Access reviews. In this post I will cover what the feature is about. So why and what is needed? First You need a valid Azure AD Premium (P2) license for each person, other than Global administrators or User administrators, who will create or do access reviews. This feature […]
www.cloudpartner.fi
And there is again a new feature added, let us see what it is.
Automatic assignment policy
You can now create a Dynamic query for any attribute, the interface is identical to other Dynamic group interfaces.
If you want to learn more on Dynamic groups and the possible use cases, read this one.
Azure Dynamic Groups and how to use Extended attribute.
I wondered how to automagically add users to an Azure AD group with after their mailboxes have been migrated to the Cloud thru an Exchange Hybrid (Classic or Modern) And I figured out this one. Users get always populated with TargetAddress attribute when Mailbox migration has been finalized. Quick recap what is TargetAddress and how […]
www.cloudpartner.fi
Once you have added the rule, you can create an assignment.
And you can choose custom extensions to be used.
Custom extensions can be Logic apps that you have created and want to be initiated when policy kicks in.
Trigger custom Logic Apps with Azure AD entitlement management – Microsoft Entra
Learn how to configure and use custom Logic Apps in Azure Active Directory entitlement management.
Then you will give it a name and description. Once done hit create!
Now you have a Dynamic query based policy that will assign you defined assignments. Easy as that!
Microsoft Graph
You can also use Graph for the following actions.
| Method | Return type | Description |
|---|---|---|
| Get | entitlementManagementSettings | Read the properties of an entitlementManagementSettings object. |
| Update | entitlementManagementSettings | Update the properties of an entitlementManagementSettings object. |
| List accessPackages | accessPackage collection | Retrieve a list of accessPackage objects. |
| Create accessPackage | accessPackage | Create a new accessPackage object. |
| Get accessPackage | accessPackage | Read properties and relationships of an accessPackage object. |
| Update accessPackage | None | Update the properties of an accesspackage object. |
| Delete accessPackage | Delete accessPackage. | |
| FilterByCurrentUser | accessPackage collection | Retrieve a list of accessPackage objects filtered on the signed-in user. |
| List accessPackageAssignmentRequests | accessPackageAssignmentRequest collection | Retrieve a list of accessPackageAssignmentRequest objects. |
| Create accessPackageAssignmentRequest | accessPackageAssignmentRequest | Creates a new accessPackageAssignmentRequest object. |
| Get accessPackageAssignmentRequest | accessPackageAssignmentRequest | Read properties and relationships of an accessPackageAssignmentRequest object. |
| Delete accessPackageAssignmentRequest | None | Delete an accessPackageAssignmentRequest. |
| FilterByCurrentUser | accessPackageAssignmentRequest collection | Retrieve the list of accessPackageAssignmentRequest objects filtered on the signed-in user. |
| cancel | accessPackageAssignmentRequest collection | Cancel an accessPackageAssignmentRequest object that is in a cancellable state: accepted, pendingApproval, pendingNotBefore, pendingApprovalEscalated. |
| List accessPackageAssignments | accessPackageAssignment collection | Retrieve a list of accessPackageAssignment objects. |
| Get accessPackageAssignment | accessPackageAssignment | Retrieve a accessPackageAssignment object. |
| FilterByCurrentUser | accessPackageAssignment collection | Retrieve the list of accessPackageAssignment objects filtered on the signed-in user. |
| List accessPackageCatalogs | accessPackageCatalog collection | Retrieve a list of accessPackageCatalogs objects. |
| Create accessPackageCatalog | accessPackageCatalog | Create a new accessPackageCatalog object. |
| Get accessPackageCatalog | accessPackageCatalog | Read properties and relationships of an accessPackageCatalog object. |
| Update accessPackageCatalog | None | Update the properties of an accessPackageCatalog object. |
| Delete accessPackageCatalog | Delete an accessPackageCatalog. | |
| List accessPackageAssignmentPolicies | accessPackageAssignmentPolicy collection | Get a list of the accessPackageAssignmentPolicy objects and their properties. |
| Create accessPackageAssignmentPolicy | accessPackageAssignmentPolicy | Create a new accessPackageAssignmentPolicy object. |
| Get accessPackageAssignmentPolicy | accessPackageAssignmentPolicy | Read the properties and relationships of an accessPackageAssignmentPolicy object. |
| Update accessPackageAssignmentPolicy | accessPackageAssignmentPolicy | Update the properties of an accessPackageAssignmentPolicy object. |
| Delete accessPackageAssignmentPolicy | None | Deletes an accessPackageAssignmentPolicy object. |
| List connectedOrganizations | connectedOrganization collection | Retrieve a list of connectedOrganization objects. |
| Create connectedOrganization | connectedOrganization | Create a new connectedOrganization object. |
| Get connectedOrganization | connectedOrganization | Read properties and relationships of a connectedOrganization object. |
| Update connectedOrganization | None | Update a connectedOrganization. |
| Delete connectedOrganization | None | Delete a connectedOrganization. |
| List internalSponsors | directoryObject collection | Retrieve a list of a connectedOrganization's internal sponsors. |
| List externalSponsors | directoryObject collection | Retrieve a list of a connectedOrganization's external sponsors. |
| Add internalSponsors | None | Add a user or group to a connectedOrganization's internal sponsors. |
| Add externalSponsors | None | Add a user or group to a connectedOrganization's external sponsors. |
| Remove internalSponsors | None | Remove a user or group from a connectedOrganization's internal sponsors. |
| Remove externalSponsors | None | Remove a user or group from a connectedOrganization's external sponsors. |
| Get approval | approval | Retrieve the properties of an approval object. |
| filterByCurrentUser | approval collection | Retrieve the approval objects for an approver. |
| List approvalStages | approvalStage collection | List the approvalStage objects associated with an approval object. |
| Get approvalStage | approvalStage | Retrieve the properties of an approvalStage object. |
| Update approvalStage | None | Apply approve or deny decision on an approvalStage object. |
Why to use Entitlement Management?
Some of the scenarios could be the following:
- Access control for a variety of resources, such as software, SharePoint Online sites, already-existing Azure AD groups and Teams, and groups deployed to on-premises AD.
- Using a combination of policies to manage access so that both rules (such as granting access to everyone in a department) and exceptions (such as employees in other departments who require the same access) may be reviewed and deleted as necessary on a regular basis
- By using custom extensions for entitlement management, which launch workflows when users gain or lose assignments, duties across Microsoft and third-party applications are further automated.
RSS - Posts