Azure Identity And Access Management Part 19 – Azure Active Directory – Entitlement Management 1 – Overview
Hope you all are doing good!!!
In our last post, we have discussed on, how to Bulk Invitation Of B2B Guest User Using Powershell . Today in this article, we will start with a new very important Azure AD preview feature Azure AD Entitlement Management. As this is very crucial and a big topic, I would like to take few more upcoming articles on this Azure feature. This article is fully theoretically, so please bear with me 🙂 as I am trying to collect the basic concepts of this feature. Unfortunately, my Azure portal has blocked my access, when working one POC of conditional access policy. So the following figures are from different articles. I will try to back with my own azure portal , in a practical session for this service.
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check it in following links.
Azure AD Entitlement Management :
Azure Active Directory (Azure AD) Entitlement Management is an identity governance feature that enables organizations to manage identity and access life-cycle at scale. On top of that, it offers a built-in approval workflow, expiration controls, and integrates with the Access Reviews feature, and more.
It is a policy-driven access management for Groups, Applications, and SharePoint online Sites. This feature should be considered by large enterprise tenants where automation becomes most important for access management.
Major Components Of Entitlement Management :
Catalog -A Catalog is a container of Resources and Access Packages. we create a catalog when we want to group related resources and access packages. Catalogs are also used for delegation, so that non-administrators can create their own access packages. Whoever creates the catalog becomes the first catalog owner. A catalog owner can add additional catalog owners. To create a Catalog, the user must have one of the following role,
By default, only Global Administrator and User Administrator can create and manage all catalog. Global Admin can delegate a group as Catalog creator so that all member of that group can create a Catalog.
Resources -We can include resources required for the team/project. The types of resources we can add are groups, applications, and SharePoint Online sites. The groups can be cloud-created Office 365 Groups or cloud-created Azure AD security groups. To include Resources in an Access Package, we can select predefined resources in a Catalog or we can include new resources. After creation of Catalog, Catalog Creator can include resource to the catalog.
Access Package -The building block of the Entitlement Management feature is an Access package, basically a set of permissions/roles on given resources and policies that control just how access will be granted. Access packages are used to govern access for both our internal and external users. As we discussed, All access packages must be put in a container called a catalog. A Catalog can defines what resources we can add to our Access Package or we can also include additional resource. If we don’t specify a catalog, our access package will be put into the General Catalog.
Resource Role -Resource Role are the resources we including in our Access Package . As we discussed, we can include those resource, which we have added to it’s parent Catalog .
Policy -Access packages also include one or more policies. A policy defines a set of rules that defines the access life-cycle, such as how users get access, who can approve, and how long users have access through an assignment. For example, an access package could have two policies – one for employees to request access and a second for external users to request access. Within each policy, an administrator or access package manager defines,
- Either the already-existing users (typically employees or already-invited guests), or the partner organizations of external users, that are eligible to request access.
- The approval process and the users that can approve or deny access.
- The duration of a user’s access assignment, once approved, before the assignment expires.
Issues Addressed With Azure AD Entitlement Management :
Now a days the demand of SaaS apps and cloud services by business units has increased in many fold but many central IT teams don’t have the knowledge to know which access rights which users should have. So they should delegate management of access, approvals and review, for example, having someone in the sales department determine what access rights employees in the sales team needs while maintaining strong compliance and security policies. Organizations often face following challenges when managing employee access to resources.
- Users may not know for what access they should request.
- Users may not know who is the right individual to approve their access request.
- Once users find and receive access to a resource, they may hold the access longer than is required.
- How to check if the user still need access after task done.
This is more difficult to manage if, access required from another organization because of following cause.
- One person may not know, who are those people from other organisation need to be invited.
- One person in that organization may not remember to manage all of the user’s access consistently.
Azure AD Entitlement Management service help organizations, to come out of the above types of challenges.
Azure AD Entitlement Management Roles:
Entitlement management has the following roles that are specific to entitlement management.
Administrator -A Global administrator can add or remove any group, application, or SharePoint Online site in a catalog. A User administrator can add or remove any group or application in a catalog.
Catalog Owner -Edit and manage existing catalogs. Typically an IT administrator or resource owners, or a user who the catalog owner has designated.
Access Package Manager -Edit and manage all existing access packages within a catalog.
Approver -Authorized by a policy to approve or deny requests to access packages, though they cannot change the access package definitions.
Requestor -Authorized by a policy of an access package to request that access package.
We will discuss in detail about the responsibility of each role in our next article.
View Assignments Of Access Package :
Global administrator, User administrator, Catalog owner, or Access package manager can review the assignments of a Access Package. We can click a specific assignment to see additional details. We can also directly assign specific users to an access package so that users don’t have to go through the process of requesting the access package by click on +New assignments.
License Requirements :
Using this feature requires an Azure AD Premium P2 license. We need to ensure that our directory has at least as many Azure AD Premium P2 licenses as the following numbers.
- Number of member users who can request an access package.
- Number of member and guest users who request an access package.
- Number of member and guest users who approve requests for an access package.
- Number of member and guest users who have a direct assignment to an access package.
Azure AD Premium P2 licenses are not required for the following tasks:
- No licenses are required for users with the Global Administrator role
- No licenses are required for users who have been delegated administrative tasks, such as catalog creator, catalog owner, and access package manager.
- No licenses are required for guests who can request access packages, but do not request an access package.
Working With The Azure AD Entitlement Management API :
If you want more information on how to proceed with Azure AD Entitlement Management with Graph API, following This Link.
I hope, this article helps you to get basic information and knowledge about Azure AD Entitlement Management. We will discuss in detail about the responsibility of each specific Role in our next article to have a better understanding of each actors in this feature.
As I am exploring the Azure Identity and Access Management (IAM) in a deep level. Please let me know if I missed anything important or if my understanding is not up to mark.
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂