Azure Identity And Access Management Part 22 – Azure Active Directory – Entitlement Management 4 – Entitlement Management Roles 3 – Requestor And Approver
Hope you all are doing good!!!
In our last post, we continued our discussion of the different Entitlement Management roles, covered the Access Package Manager role, and showed how to create a new access package in a catalog. In this article, we continue with the remaining two roles: the Requestor role and the Approver role.
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check them at the following links.
Azure AD Entitlement Management Roles :
As we discussed in our previous articles, a big organisation delegates Entitlement Management tasks to users with different roles, so that a user with a specific role can perform their tasks without involving IT personnel. In our last articles we discussed the Administrator, Catalog Creator and Access Package Manager roles. Today we will discuss the Requestor and Approver roles and their responsibilities.
Azure AD Entitlement Management Requestor Role :
As the Microsoft documentation says, with Azure AD entitlement management, an access package enables a one-time setup of resources and policies that automatically administers access for the life of the access package.
An access package manager can configure policies that require approval before users get access to an access package. A user who needs access to an access package can submit a request to get access.
The access package manager also configures who can request access. In our last article, we created a new access package, and the access package manager configured the MSTechs group as the requestor group, so that all members of this group can request access to the MSTech Development access package.
Let’s go through the following steps to see how a member of the MSTechs group (Ganesh@knowledgejunction1.onmicrosoft.com) can send an access request. As we can see in the following figure, Ganesh is a member of the MSTechs group. The minimum role required to request an access package is the Requestor role.
Step 1 – Sign in to the My Access portal (https://myaccess.microsoft.com), where a requestor can see a list of his access packages and can also request access to an access package.
Step 2 – Ganesh has now logged in to the My Access portal as a requestor, and we can see that he has two access packages for which he can send a request. Select the access package (MSTech Development) and click the +Request access button.
Step 3 – As we can see in the following figure, Ganesh requests access by providing details such as the reason he wants the access, whether it is for a specific period of time and, if so, the start and end dates. If we request access to an access package to which multiple policies apply, we might be asked to select a policy. Click the Submit button to send the access request.
Step 4 – Once the access request is sent, let’s check the request history of the requestor, Ganesh. Select Request history from the left menu and click the View link of the request in the list of requests. This shows the current status of the request. As shown in the following figure, the request is pending approval.
Azure AD Entitlement Management Approver Role :
Step 5 – As per the initial policy configuration, when a requestor sends an access request, the request needs approval by the configured approver. In this case Manas (Manas@knowledgejunction1.onmicrosoft.com) is the approver. So let’s log in to the My Access portal (https://myaccess.microsoft.com) as the approver. In the following figure, we can see that Manas has logged in to his My Access portal and has one approval request pending in his list.
If we look carefully, he has only one access package for which he can send an access request, whereas Ganesh had two. It is therefore clear that users can see only those access packages for which they are allowed to send an access request. Let’s proceed with the approver role and select Approvals from the left menu, as shown in the following figure. This page shows the list of requests pending approval.
Step 6 – Select the pending request and click Approve to approve the request or Deny to reject it. When approving or denying the request, we should state the reason for approving or denying the user’s access request, as shown in the following figure.
Step 7 – In this case, click the Approve button to approve the access request sent by the requestor, Ganesh. As shown in the following figure, the approver gets a notification once the request is approved.
Step 8 – Now let’s go back to the Approvals page and click the View link of the approved request to check its status. We can see in the following figure that Manas Moharana has approved the access request as the approver.
Step 9 – Let’s go back to the My Access portal of the requestor (Ganesh) to check the request history. As shown in the following figure, it lists the events that happened during this access request and approval process.
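The request and approval flow from Steps 1 to 9, modelled as an added Python sketch (not part of the original article and not Microsoft's code), shows the checks the policy enforces at each step and the history that results. The class names, field names and justification strings are constructed for illustration; only the two accounts and the package name come from the walkthrough.

```python
from dataclasses import dataclass, field

# Constructed model; names are illustrative assumptions, not the Graph schema.
GANESH = "Ganesh@knowledgejunction1.onmicrosoft.com"
MANAS = "Manas@knowledgejunction1.onmicrosoft.com"

@dataclass
class Policy:
    package: str
    requestors: set   # expanded membership of the requestor group
    approvers: set

@dataclass
class Request:
    package: str
    requestor: str
    state: str = "PendingApproval"
    history: list = field(default_factory=list)

def submit(policy, user, justification):
    """Steps 1-3: only requestor-group members may submit, with a reason."""
    if user not in policy.requestors:
        raise PermissionError(f"{user} may not request {policy.package}")
    if not justification.strip():
        raise ValueError("a business justification is required")
    req = Request(policy.package, user)
    req.history.append(("Submitted", user, justification))
    return req

def decide(policy, req, approver, approve, reason):
    """Steps 5-7: a configured approver decides a pending request once."""
    if req.state != "PendingApproval":
        raise ValueError(f"request is already {req.state}")
    if approver not in policy.approvers:
        raise PermissionError(f"{approver} is not an approver")
    if not reason.strip():
        raise ValueError("a reason is required for the decision")
    req.state = "Approved" if approve else "Denied"
    req.history.append((req.state, approver, reason))
    return req

def demo():
    policy = Policy("MSTech Development", {GANESH}, {MANAS})
    req = submit(policy, GANESH, "Needed for the development project")
    return decide(policy, req, MANAS, True, "Confirmed project membership")

if __name__ == "__main__":
    for event in demo().history:
        print(event)
```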
Azure Active Directory (Azure AD) Identity Governance helps you to protect, monitor, and audit access to critical assets while ensuring employee productivity.
I hope these articles on Azure AD help you to configure your environment and to fulfill your organization’s requirements.
I am exploring Azure Identity and Access Management (IAM) at a deep level, so please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂