Hope you all are doing well!
In our last post we discussed an overview of Azure AD Entitlement Management. Today we continue with the same feature and explore the roles specific to Azure AD Entitlement Management and what each of them is able to do.
If you missed our previous articles on Azure Identity and Access Management (IAM), please check them at the following links.
Azure AD Entitlement Management :
As discussed in our last article, it is policy-driven access management for groups, applications and SharePoint Online sites. Large enterprise tenants, where automating access management matters most, should consider this feature.
Azure AD Entitlement Management Roles :
In a large organisation there are different departments (HR, Finance, Production, Marketing), each doing its part to help the organisation reach its goal. Within each department there are different teams working on different projects. Sometimes one department or team works with another department or team towards a common goal, or works with other organisations, vendors and partners by sharing resources and data. In this process a great deal of resources and data is used and shared across organisations, which calls for a robust system with sound authentication and authorization methods to manage identities and access.
In a big organisation it is very hard to know who needs which access and for how long, and it is also difficult to manage. For this reason people are delegated different roles with different levels of permission so that this process can be handled swiftly and smartly. Azure provides the following roles specifically for Entitlement Management to help organisations.
Azure AD Entitlement Management Administrator Roles:
In our last article we discussed the Entitlement Management specific roles briefly. Here we will discuss each of the following roles in more detail. By default, global administrators and user administrators can create and manage all aspects of Azure AD Entitlement Management. In detail, global administrators and user administrators can also do the following.
Delegate access governance to catalog creators – An administrator can assign a user to the Catalog Creator role so that the user can create and manage catalogs. This reduces the workload of administrators, and the assigned user is usually more familiar with the working culture of the team for which the catalog is created. There are two steps to add or configure a Catalog Creator. The first is to log in to the Azure portal as an administrator, click Azure Active Directory and then Identity Governance > Settings > Edit. On this page we can also manage the life-cycle of external users.
As shown in the above figure, click the Add catalog creators link to delegate a user or group as a Catalog Creator, select the user or group and save the changes. Now that user, or every user in that group, has the right to create and manage catalogs. The second step is to allow the delegated users to reach the Azure AD administration portal: on the User settings page under Users, make sure that Restrict access to Azure AD administration portal is set to No, as shown in the following figure.
In the "life-cycle of external users" section of the same page we can configure what happens when an external user, who was added to our directory through an access package request, loses their last assignment to any access package, as shown in the following figure.
Add a connected organization – A connected organization is an external Azure AD directory or domain with which our organization has a relationship. If our organization collaborates with users in that domain or Azure AD directory, we can add it as a connected organization. To do so, go to Identity Governance > Connected organizations > +Add connected organization, provide a Name and Description on the Basics tab, and select the Directory + domain section as shown in the following figure.
On the Sponsors tab, select the people who will be the point of contact for the relationship with this connected organization, then review and create it. The following figure shows the new domain added as a connected organization.
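The same "add a connected organization" procedure can be scripted. The following is an added example written for this article with the Microsoft Graph PowerShell SDK; it is not code from the original post or from Microsoft. The domain name, display names and the sponsor's UPN are placeholders, and the internal-sponsor `$ref` cmdlet name and the `domainIdentitySource` shape are assumed from the Graph v1.0 schema.

```powershell
# Added example (not from the original post): create a connected organization,
# attach an internal sponsor and list what is configured.
# Assumed/placeholder values: domain name, display name, sponsor UPN.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "User.Read.All"

$domainName = "partner.example.com"   # placeholder external domain

# A connected organization is identified by one or more identity sources;
# for a plain domain that is a domainIdentitySource object.
$connectedOrg = New-MgEntitlementManagementConnectedOrganization `
    -DisplayName "Partner Example" `
    -Description "Vendor collaborating on the Knowledge Junction project" `
    -State "configured" `
    -IdentitySources @(
        @{
            "@odata.type" = "#microsoft.graph.domainIdentitySource"
            domainName    = $domainName
            displayName   = "Partner Example"
        }
    )

# Sponsors tab: an internal user who is the point of contact for this relationship.
# The cmdlet below posts to .../connectedOrganizations/{id}/internalSponsors/$ref (assumed name).
$sponsor = Get-MgUser -UserId "sponsor@contoso.example"   # placeholder UPN
New-MgEntitlementManagementConnectedOrganizationInternalSponsorByRef `
    -ConnectedOrganizationId $connectedOrg.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($sponsor.Id)" }

# Review: every connected organization and its state (configured vs. proposed)
Get-MgEntitlementManagementConnectedOrganization |
    Select-Object DisplayName, State, Id
```

The `State` value matters for governance: a connected organization that was created automatically because an external user requested a package is `proposed`, while one an administrator added deliberately is `configured`; listing them as above is a quick way to spot partners you never intended to onboard.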
Govern access for external users – Azure AD Entitlement Management uses Azure AD B2B to collaborate with people outside our organization who are in another directory. We can define policies that allow users from organizations we specify to self-request an access package, and we can specify whether approval is required and an expiration date for the access.
To let users outside our organization request access packages and the resources included in them, we should verify the following settings.
1) Verify that the catalog allows external users – Enable for external users is set to Yes when creating a new catalog, as shown in the following figure.
2) Verify the Azure AD B2B external collaboration settings – they should match the following configuration.
3) Review the Conditional Access policy settings, if any, as shown in the following figure.
4) Verify the Office 365 group and SharePoint Online external sharing settings – If we want external users to be able to access the SharePoint Online site and resources associated with an Office 365 group, we should verify the following configurations. Go to Microsoft 365 admin center > Org settings > Services.
i) Select Office 365 Groups and verify the following configuration.
ii) Select SharePoint Groups and verify the following configuration.
Click the Manage additional settings link and verify the following configuration.
iii) To include Office 365 groups in our access packages for external users, go to Microsoft 365 admin center > Org settings > Security and Privacy and make sure Let users add new guests to the organization is set to On to allow guest access.
5) Review your Teams sharing settings – Sign in to the Microsoft Teams admin center and, under Guest access, set Allow guest access in Microsoft Teams to On.
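Most of the settings in the checklist above can be read back from a script, which is handier than clicking through several admin centers each time a new catalog is opened to external users. The following is an added example written for this article with the Microsoft Graph PowerShell SDK, not code from the original post. The catalog name is a placeholder; the Group.Unified setting keys `AllowToAddGuests` and `AllowGuestsToAccessGroups` are the ones from that directory setting template; the Teams and SharePoint cmdlets at the end live in separate modules and are listed as assumptions rather than run.

```powershell
# Added example (not from the original post): read back the tenant settings
# that gate external access to an access package.
# Placeholder: catalog display name. Assumed: Group.Unified template keys.
Connect-MgGraph -Scopes "EntitlementManagement.Read.All", "Policy.Read.All", "Directory.Read.All"

$catalogName = "Knowledge Junction"   # placeholder catalog name
$report = [System.Collections.Generic.List[object]]::new()

# 1) Catalog: is it enabled for external users?
$catalog = Get-MgEntitlementManagementCatalog -Filter "displayName eq '$catalogName'"
if (-not $catalog) { throw "Catalog '$catalogName' not found" }
$report.Add([pscustomobject]@{ Check = "Catalog enabled for external users"; Value = $catalog.IsExternallyVisible })

# 2) Azure AD B2B external collaboration settings (tenant authorization policy)
$authPolicy = Get-MgPolicyAuthorizationPolicy
$report.Add([pscustomobject]@{ Check = "Who can invite guests";    Value = $authPolicy.AllowInvitesFrom })
$report.Add([pscustomobject]@{ Check = "Guest user role template"; Value = $authPolicy.GuestUserRoleId })

# 3) Conditional Access policies that explicitly target guests (review each one)
$guestPolicies = Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Conditions.Users.IncludeUsers -contains "GuestsOrExternalUsers" }
$report.Add([pscustomobject]@{ Check = "CA policies targeting guests"; Value = ($guestPolicies.DisplayName -join ", ") })

# 4) Office 365 group guest settings (Group.Unified directory setting)
$groupSetting = Get-MgGroupSetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
foreach ($key in "AllowToAddGuests", "AllowGuestsToAccessGroups") {
    $entry = $groupSetting.Values | Where-Object { $_.Name -eq $key }
    $report.Add([pscustomobject]@{ Check = "Group.Unified $key"; Value = $entry.Value })
}

$report | Format-Table -AutoSize

# 5) Teams and SharePoint are managed by other modules; assumed cmdlets, run separately:
#   Get-CsTeamsClientConfiguration | Select-Object AllowGuestUser   # MicrosoftTeams module
#   Get-SPOTenant | Select-Object SharingCapability                 # Microsoft.Online.SharePoint.PowerShell
```

Run it before and after enabling a catalog for external users and keep the output with the change record: if `AllowInvitesFrom` is `none` or `AllowToAddGuests` is `false`, external requests will fail at the B2B layer even though the catalog itself says "enabled for external users".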
View reports and logs – The Azure AD Entitlement Management reports and the Azure AD audit log provide the following additional details.
- Administrators can view all access packages
- Resource assignments for each user
- Administrators can view request logs for auditing and to determine a user's request status.
To check reports, click Azure Active Directory > Identity Governance > Reports. From this page we can search for a report on a specific user. There we can find two different reports, described here.
1) Access packages for a user – This page has two tabs: the Can request tab, which displays the list of access packages the user can request, and the Assigned tab, which shows all access packages assigned to the selected user.
2) Resource assignments for a user – This report displays the list of resources currently assigned to the user. The list also shows the access package and policy through which they got the resource role, along with the start and end date of the access.
Archive logs and reporting – Azure AD keeps audit data in the audit log for up to thirty days. By routing it to an Azure Storage account or to Azure Monitor we can keep the audit data for a longer period and then use workbooks, custom queries and reports on this data. We can do the following.
- Configure Azure AD to use Azure Monitor
- View events for an access package
- Create custom Azure Monitor queries using the Azure portal
Audit log – To get additional details on how a user requested and received access to an access package, we can use the Azure AD audit log. Go to Azure Active Directory > Identity Governance > Audit logs, and we will see the details of the events as in the following figure.
Troubleshoot – Administrators can troubleshoot issues related to Azure AD Entitlement Management. Microsoft provides a very good document, Troubleshoot Azure AD entitlement management.
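The per-user reports and the audit-log view described above can also be pulled from PowerShell, which is useful when you want to answer "what does this user hold, what did they ask for, and who approved it" for an incident or an access review. The following is an added example written for this article with the Microsoft Graph PowerShell SDK, not code from the original post. The UPN is a placeholder; the audit category value `EntitlementManagement` and the `target/objectId` filter path are assumed from the Graph v1.0 schema.

```powershell
# Added example (not from the original post): the "Assigned" report, the
# user's request history, and recent entitlement management audit events.
# Placeholder: user UPN. Assumed: audit category "EntitlementManagement".
Connect-MgGraph -Scopes "EntitlementManagement.Read.All", "AuditLog.Read.All", "User.Read.All"

$user = Get-MgUser -UserId "manas@contoso.example"   # placeholder user

# Report 1, "Assigned" tab: access packages currently delivered to this user
Get-MgEntitlementManagementAssignment `
    -Filter "target/objectId eq '$($user.Id)' and state eq 'delivered'" `
    -ExpandProperty "accessPackage" |
    Select-Object @{n='AccessPackage';e={ $_.AccessPackage.DisplayName }},
                  State,
                  @{n='Expires';e={ $_.Schedule.Expiration.EndDateTime }}

# Request history: requestType, state and status tell you where each request is.
# Filtering client-side on requestor keeps the example independent of server filter support.
Get-MgEntitlementManagementAssignmentRequest -All -ExpandProperty "requestor,accessPackage" |
    Where-Object { $_.Requestor.ObjectId -eq $user.Id } |
    Select-Object CreatedDateTime, RequestType, State, Status,
                  @{n='AccessPackage';e={ $_.AccessPackage.DisplayName }}

# Audit log: entitlement management events from the last 7 days
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -All `
    -Filter "category eq 'EntitlementManagement' and activityDateTime ge $since" |
    Sort-Object ActivityDateTime -Descending |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
                  @{n='InitiatedBy';e={ $_.InitiatedBy.User.UserPrincipalName }},
                  @{n='Target';e={ ($_.TargetResources | Select-Object -First 1).DisplayName }}
```

Because the directory audit log only holds thirty days, schedule this (or the equivalent Log Analytics query over the AuditLogs table once the logs are routed to Azure Monitor) rather than relying on it after the fact; the `InitiatedBy` column is the one to watch for approvals granted by accounts that should not be approvers.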
Azure AD Entitlement Management Catalog Creator Roles:
As discussed, a catalog is a container of resources and access packages. The Catalog Creator becomes the first Catalog Owner, and a Catalog Owner can add additional catalog owners. A Catalog Creator/Catalog Owner can perform the following actions for the organization.
Create and manage a catalog of resources – A user can create a catalog if he/she has any of the following roles.
- Global administrator
- User administrator
- Catalog creator role
So let's log in as a user who is a member of a group that has been delegated the Catalog Creator role. The group name is 'Knowledge Catalog Creator' and the user is 'Manas Moharana'.
Step 1 – Log in to the Azure portal as a Catalog Creator > Azure Active Directory > Identity Governance > Catalogs, and then on the Catalogs page click the +New catalog link to create a new catalog.
Step 2 – In the new catalog window, provide a Name and Description, select whether this catalog allows external users to request access, enable the catalog and then click the Create button to finish, as shown in the following figure.
Step 3 – To include resources in an access package, the resources must exist in a catalog. On the Catalogs page, select the catalog we want to work with. On the selected catalog's page click Resources in the left menu and then the +Add resources link. The following types of resources can be added to the catalog.
- Groups and Teams
- SharePoint Online sites
Step 4 – Select one or more resources of the chosen type to add to the catalog. If we don't see a resource we want to add, or we are unable to add it, we should check our access permission on that resource. As shown in the following figure, we have added different types of resources.
In addition to the above, a Catalog Owner can edit or delete an existing catalog.
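The catalog creation steps above, done from PowerShell as the same Catalog Creator user. This is an added example written for this article with the Microsoft Graph PowerShell SDK, not code from the original post; the catalog name, description and group name are placeholders, and adding a resource through a `resourceRequest` of type `adminAdd` with origin system `AadGroup` is assumed from the Graph v1.0 schema.

```powershell
# Added example (not from the original post): create a catalog, enable it for
# external users, and add a group as a resource.
# Placeholders: catalog name/description, group display name.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "Group.Read.All"

# Steps 1-2: the catalog itself. State "published" is the portal's "Enabled" toggle;
# IsExternallyVisible is "Enable for external users".
$catalog = New-MgEntitlementManagementCatalog `
    -DisplayName "Knowledge Junction" `
    -Description "Resources for the Knowledge Junction project" `
    -State "published" `
    -IsExternallyVisible:$true

# Steps 3-4: resources are added via a resource request of type adminAdd.
# If the group does not come back, you lack permission on it (the page's
# "check the access permission" advice), so fail loudly rather than silently.
$group = Get-MgGroup -Filter "displayName eq 'Knowledge Project Team'"   # placeholder group
if (-not $group) { throw "Group not found or not visible to this account" }

New-MgEntitlementManagementResourceRequest `
    -RequestType "adminAdd" `
    -Catalog  @{ Id = $catalog.Id } `
    -Resource @{ OriginId = $group.Id; OriginSystem = "AadGroup" }

# Verify what the catalog now contains
Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $catalog.Id |
    Select-Object DisplayName, OriginSystem, OriginId
```

Keeping `IsExternallyVisible` as an explicit parameter, rather than accepting a default, makes the intent visible in the script and in the audit log entry the creation generates; a catalog that is visible externally by accident is the kind of misconfiguration the checklist in the administrator section exists to catch.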
Delegate access governance to access package managers –
As discussed in our previous article, a Catalog Creator/Owner can add an additional Catalog Owner or an Access Package Manager. To add a new owner or Access Package Manager, select the catalog from the catalog list > Roles and administrators, and click the +Add owner(s) or +Add access package manager(s) link as required. In the following figure I have added 'Prasham' as a new Owner and 'Prasham1' as Access Package Manager for the Knowledge Junction catalog. In our next article we will see how an Access Package Manager manages an access package.
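Both delegations described in this article, the tenant-wide Catalog Creator assignment from the administrator section and the catalog-scoped Owner and Access Package Manager assignments just above, are role assignments in the entitlement management RBAC provider, so one script covers them. This is an added example written for this article with the Microsoft Graph PowerShell SDK, not code from the original post. The user UPNs are placeholders; the role definition display names are looked up client-side rather than hard-coded as IDs, the `/AccessPackageCatalog/{catalogId}` app scope format is assumed from the Graph documentation, and `"/"` as the tenant-wide scope for Catalog Creator is an assumption.

```powershell
# Added example (not from the original post): delegate Catalog creator
# tenant-wide and Catalog owner / Access package manager on one catalog.
# Placeholders: user UPNs. Assumed: app scope formats, role display names.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "Group.Read.All", "User.Read.All"

# Resolve an entitlement management role by display name (assumed names:
# "Catalog creator", "Catalog owner", "Access package manager").
function Get-EmRoleDefinitionId([string]$Name) {
    $def = Get-MgRoleManagementEntitlementManagementRoleDefinition -All |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $def) { throw "Entitlement management role '$Name' not found" }
    return $def.Id
}

# Tenant-wide: the group from this article may create catalogs
$creators = Get-MgGroup -Filter "displayName eq 'Knowledge Catalog Creator'"
New-MgRoleManagementEntitlementManagementRoleAssignment `
    -RoleDefinitionId (Get-EmRoleDefinitionId "Catalog creator") `
    -PrincipalId $creators.Id `
    -AppScopeId "/"                       # assumed: "/" = whole tenant

# Catalog-scoped: owner and access package manager for one catalog
$catalog = Get-MgEntitlementManagementCatalog -Filter "displayName eq 'Knowledge Junction'"
$scope   = "/AccessPackageCatalog/$($catalog.Id)"

$owner   = Get-MgUser -UserId "prasham@contoso.example"    # placeholder UPN
$manager = Get-MgUser -UserId "prasham1@contoso.example"   # placeholder UPN

New-MgRoleManagementEntitlementManagementRoleAssignment `
    -RoleDefinitionId (Get-EmRoleDefinitionId "Catalog owner") `
    -PrincipalId $owner.Id -AppScopeId $scope
New-MgRoleManagementEntitlementManagementRoleAssignment `
    -RoleDefinitionId (Get-EmRoleDefinitionId "Access package manager") `
    -PrincipalId $manager.Id -AppScopeId $scope

# Review: every principal holding a role on this catalog
Get-MgRoleManagementEntitlementManagementRoleAssignment -All |
    Where-Object { $_.AppScopeId -eq $scope } |
    Select-Object PrincipalId, RoleDefinitionId, AppScopeId
```

The final listing is the one to run periodically: catalog owners can add further owners, so the set of people who can change what an access package grants drifts unless someone reviews the catalog-scoped assignments alongside the directory roles.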
I hope this article gives you some additional information and base knowledge about the different roles in Azure AD Entitlement Management. We will continue our discussion on the responsibilities of the remaining roles in our upcoming articles.
I am exploring Azure Identity and Access Management (IAM) in depth, so please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading and share your thoughts and experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂