Automatic assignment policy in Entitlement management

If you are not familiar with Entitlement management, read this first.

Microsoft keeps evolving Azure AD Entitlement management solution, here is a feature added previously.

And there is again a new feature added, let us see what it is.

Automatic assignment policy

You can now create a Dynamic query for any attribute, the interface is identical to other Dynamic group interfaces.

If you want to learn more on Dynamic groups and the possible use cases, read this one.

Once you have added the rule, you can create an assignment.

And you can choose custom extensions to be used.

Custom extensions can be Logic apps that you have created and want to be initiated when policy kicks in.

Then you will give it a name and description. Once done hit create!

Now you have a Dynamic query based policy that will assign you defined assignments. Easy as that!

Microsoft Graph

You can also use Graph for the following actions.

MethodReturn typeDescription
GetentitlementManagementSettingsRead the properties of an entitlementManagementSettings object.
UpdateentitlementManagementSettingsUpdate the properties of an entitlementManagementSettings object.
List accessPackagesaccessPackage collectionRetrieve a list of accessPackage objects.
Create accessPackageaccessPackageCreate a new accessPackage object.
Get accessPackageaccessPackageRead properties and relationships of an accessPackage object.
Update accessPackageNoneUpdate the properties of an accesspackage object.
Delete accessPackageDelete accessPackage.
FilterByCurrentUseraccessPackage collectionRetrieve a list of accessPackage objects filtered on the signed-in user.
List accessPackageAssignmentRequestsaccessPackageAssignmentRequest collectionRetrieve a list of accessPackageAssignmentRequest objects.
Create accessPackageAssignmentRequestaccessPackageAssignmentRequestCreates a new accessPackageAssignmentRequest object.
Get accessPackageAssignmentRequestaccessPackageAssignmentRequestRead properties and relationships of an accessPackageAssignmentRequest object.
Delete accessPackageAssignmentRequestNoneDelete an accessPackageAssignmentRequest.
FilterByCurrentUseraccessPackageAssignmentRequest collectionRetrieve the list of accessPackageAssignmentRequest objects filtered on the signed-in user.
cancelaccessPackageAssignmentRequest collectionCancel an accessPackageAssignmentRequest object that is in a cancellable state: accepted, pendingApproval, pendingNotBefore, pendingApprovalEscalated.
List accessPackageAssignmentsaccessPackageAssignment collectionRetrieve a list of accessPackageAssignment objects.
Get accessPackageAssignmentaccessPackageAssignmentRetrieve a accessPackageAssignment object.
FilterByCurrentUseraccessPackageAssignment collectionRetrieve the list of accessPackageAssignment objects filtered on the signed-in user.
List accessPackageCatalogsaccessPackageCatalog collectionRetrieve a list of accessPackageCatalogs objects.
Create accessPackageCatalogaccessPackageCatalogCreate a new accessPackageCatalog object.
Get accessPackageCatalogaccessPackageCatalogRead properties and relationships of an accessPackageCatalog object.
Update accessPackageCatalogNoneUpdate the properties of an accessPackageCatalog object.
Delete accessPackageCatalogDelete an accessPackageCatalog.
List accessPackageAssignmentPoliciesaccessPackageAssignmentPolicy collectionGet a list of the accessPackageAssignmentPolicy objects and their properties.
Create accessPackageAssignmentPolicyaccessPackageAssignmentPolicyCreate a new accessPackageAssignmentPolicy object.
Get accessPackageAssignmentPolicyaccessPackageAssignmentPolicyRead the properties and relationships of an accessPackageAssignmentPolicy object.
Update accessPackageAssignmentPolicyaccessPackageAssignmentPolicyUpdate the properties of an accessPackageAssignmentPolicy object.
Delete accessPackageAssignmentPolicyNoneDeletes an accessPackageAssignmentPolicy object.
List connectedOrganizationsconnectedOrganization collectionRetrieve a list of connectedOrganization objects.
Create connectedOrganizationconnectedOrganizationCreate a new connectedOrganization object.
Get connectedOrganizationconnectedOrganizationRead properties and relationships of a connectedOrganization object.
Update connectedOrganizationNoneUpdate a connectedOrganization.
Delete connectedOrganizationNoneDelete a connectedOrganization.
List internalSponsorsdirectoryObject collectionRetrieve a list of a connectedOrganization's internal sponsors.
List externalSponsorsdirectoryObject collectionRetrieve a list of a connectedOrganization's external sponsors.
Add internalSponsorsNoneAdd a user or group to a connectedOrganization's internal sponsors.
Add externalSponsorsNoneAdd a user or group to a connectedOrganization's external sponsors.
Remove internalSponsorsNoneRemove a user or group from a connectedOrganization's internal sponsors.
Remove externalSponsorsNoneRemove a user or group from a connectedOrganization's external sponsors.
Get approvalapprovalRetrieve the properties of an approval object.
filterByCurrentUserapproval collectionRetrieve the approval objects for an approver.
List approvalStagesapprovalStage collectionList the approvalStage objects associated with an approval object.
Get approvalStageapprovalStageRetrieve the properties of an approvalStage object.
Update approvalStageNoneApply approve or deny decision on an approvalStage object.

Why to use Entitlement Management?

Some of the scenarios could be the following:

  • Access control for a variety of resources, such as software, SharePoint Online sites, already-existing Azure AD groups and Teams, and groups deployed to on-premises AD.
  • Using a combination of policies to manage access so that both rules (such as granting access to everyone in a department) and exceptions (such as employees in other departments who require the same access) may be reviewed and deleted as necessary on a regular basis
  • By using custom extensions for entitlement management, which launch workflows when users gain or lose assignments, duties across Microsoft and third-party applications are further automated.
Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *