Azure, Office 365, Technology

14. Planning and Implementing Entitlement Management


Defining Catalogs for Entitlement Management

Microsoft provides a way for users to self-manage their access rights to resources through “self-service”: a user can sign in and request access to a particular resource, rather than waiting for an administrator to grant it.

A catalog is a container that groups related resources and the access packages built from them. For example, if the company is doing a big marketing push, you could create a catalog of everything relating to marketing.

  1. Go to Azure AD -> Identity Governance -> Catalogs
  2. Click New Catalog
  3. Give it a name and description
  4. Enable the catalog
  5. Choose whether or not you want to make it available to external users


Defining Access Packages

An Access Package is an object that users can request access to. You specify what the Access Package contains.

You can set whether the users have to justify why they need the Access Package and whether or not an admin needs to approve the request.

  1. Go to Azure AD -> Identity Governance -> Access Packages
  2. Click New Access Package
  3. Give it a name and description
  4. Choose which Catalog it will go in (the one we created in the previous section)
  5. Resource roles: this is where you choose what is in the Access Package. Here you can add:
    – Groups and Teams (you can choose whether to add users as member or owner)
    – Applications
    – SharePoint Sites
  6. Requests: who can request this access package?
    – Users in your directory (you can specify users & groups)
    – Users not in your directory
    – None – administrators assign users
  7. Approval: do requesters need to get approval?
    – who can approve it?
    – within how many days?
  8. Requestor information: here you can ask the user for extra information. EG: a mobile phone number so someone can call them
  9. Lifecycle: expiration date/days
    – you can set periodic access reviews

Once the Access Package is created you get a direct link to it, which you can share with users.
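The same catalog and access package can be created without the portal. The script below is an added example (not from the original post) that uses the Microsoft Graph PowerShell SDK's `Invoke-MgGraphRequest` against the v1.0 entitlement management endpoints to perform the catalog steps and access package steps 1–4 and 6–9 above. It assumes the SDK is installed, that the property names match the v1.0 schema (check them against the Graph reference for your tenant), and that the group ID and names are placeholders you replace; adding resource roles (step 5) needs further calls that are not shown.

```powershell
# Added example, not code from the original post. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
$em = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

# Catalog: enabled (published) and visible to external users (catalog steps 3-5).
$catalog = Invoke-MgGraphRequest -Method POST -Uri "$em/catalogs" -Body @{
    displayName         = "Marketing Push"                      # constructed sample name
    description         = "Everything the marketing campaign team needs"
    state               = "published"                           # "unpublished" keeps it hidden
    isExternallyVisible = $true                                 # make available to external users
}

# Access package placed in that catalog (access package steps 1-4).
$package = Invoke-MgGraphRequest -Method POST -Uri "$em/accessPackages" -Body @{
    displayName = "Marketing campaign access"
    description = "Teams, apps and SharePoint sites for the campaign"
    catalog     = @{ id = $catalog.id }
}

# Policy: who may request (step 6), approval (step 7), extra info (step 8), lifecycle (step 9).
$policy = Invoke-MgGraphRequest -Method POST -Uri "$em/assignmentPolicies" -Body @{
    displayName        = "Internal users, approval required, 90-day expiry"
    accessPackage      = @{ id = $package.id }
    allowedTargetScope = "allMemberUsers"                       # "Users in your directory"
    requestorSettings  = @{ enableTargetsToSelfAddAccess = $true }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd = $true
        stages = @(@{
            durationBeforeAutomaticDenial   = "P14D"            # "within how many days?"
            isApproverJustificationRequired = $false
            primaryApprovers = @(@{
                "@odata.type" = "#microsoft.graph.groupMembers"
                groupId       = "<APPROVERS-GROUP-ID>"          # placeholder, replace
            })
        })
    }
    questions = @(@{                                            # step 8: requestor information
        "@odata.type"        = "#microsoft.graph.accessPackageTextInputQuestion"
        text                 = @{ defaultText = "Mobile number we can call you on" }
        isRequired           = $true
        isSingleLineQuestion = $true
    })
    expiration = @{ type = "afterDuration"; duration = "P90D" } # step 9: assignments expire after 90 days
}

# The package's direct link uses the package id, so keep it for sharing.
"Access package id: $($package.id)"
```

Keeping the catalog in the `unpublished` state until its resources and policies are in place mirrors the portal's "Enable the catalog" step: nothing in it can be requested until you publish it.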

Exploring the user side of Entitlement with Azure AD

When a user opens this link, it shows them the Access Packages available to them.

From here, they can request access to the package and enter any required information (set in the package in the previous steps).

From this area the user can look at their request history, approvals, Access reviews etc…


Implementing and Managing Terms of Use

When someone signs in to their Microsoft 365 account you can have a terms of use prompt pop up.

To set this up:

  1. Go to Azure AD -> Identity Governance -> Terms of use
  2. Click New Terms
  3. Options:
    – Name
    – Display Name
    – Terms of use document: you can upload a PDF
    – Require users to expand the terms
    – Require consent on every device
    – Expire consent: so they have to do it again after a certain number of days
    – Duration before re-acceptance: eg: every 90 days they have to re-accept
    – Apply using Conditional Access policy: you can choose to apply this using an existing conditional access policy or create a new one

Create Conditional Access Policy for Terms of Use

  • Go to Azure AD -> Security -> Conditional Access -> New
  • Give it a name
  • Assignments: select the users and groups this will apply to
  • Go to Access controls: the “Terms of Use” you created in the previous step now appears here as an option when granting access. You can require users to go through the Terms of Use before access is granted.
  • It can take up to a few hours to apply
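Both halves of this procedure (the agreement and the Conditional Access policy that enforces it) map directly onto Microsoft Graph calls. The script below is an added example (not from the original post) using the Microsoft Graph PowerShell SDK; it assumes the SDK is installed, that a PDF exists at the path shown, and that the group and user IDs are placeholders you replace. The agreement property names follow the v1.0 `agreement` schema and the grant control is the `termsOfUse` list on a Conditional Access policy.

```powershell
# Added example, not code from the original post. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Agreement.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# The terms document is uploaded as base64 (path is a constructed sample).
$pdfBase64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\ToU\terms.pdf"))

# Each option below corresponds to one of the portal fields listed in the section above.
$agreement = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements" -Body @{
    displayName                       = "Acceptable Use Policy"     # Display Name
    isViewingBeforeAcceptanceRequired = $true                       # require users to expand the terms
    isPerDeviceAcceptanceRequired     = $true                       # require consent on every device
    userReacceptRequiredFrequency     = "P90D"                      # duration before re-acceptance: 90 days
    termsExpiration = @{                                            # expire consent from this date, every 90 days
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        frequency     = "P90D"
    }
    files = @(@{
        fileName  = "terms.pdf"
        language  = "en-GB"
        isDefault = $true
        fileData  = @{ data = $pdfBase64 }
    })
}

# Conditional Access policy: assigned to a group, exclude a break-glass account so a
# misconfigured policy cannot lock every admin out, and require the agreement as a grant control.
$caPolicy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" -Body @{
    displayName = "Require Terms of Use - pilot group"
    state       = "enabled"                                         # may take a few hours to take effect
    conditions  = @{
        users = @{
            includeGroups = @("<PILOT-GROUP-ID>")                   # placeholder, replace
            excludeUsers  = @("<BREAK-GLASS-USER-ID>")              # placeholder, replace
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator   = "OR"
        termsOfUse = @($agreement.id)                               # the agreement created above
    }
}

"Agreement $($agreement.id) enforced by policy $($caPolicy.id)"
```

Scoping the first version of the policy to a pilot group, and excluding an emergency-access account, is the usual way to verify the prompt appears as expected before widening the assignment to all users.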


Managing the lifecycle of external users (Guests) in Azure AD Governance Settings

Periodically you should review the external accounts in your organisation to check whether they are still active and, if so, whether they are still required.

Create New Access Review for external users

  1. Go to Azure AD -> Identity Governance -> Access Reviews -> New Access Review
  2. Review Type:
    – What to review: Teams and Groups -> Select “All M365 groups with guests”
    – Select review scope: “Guest users only”
  3. Reviews:
    – Select reviewers: group owners, specific users, managers of users
    – Review duration: number of days each review stays open
    – Review recurrence: quarterly, fortnightly etc…
    – Start date
    – End date
  4. Settings:
    – Auto apply results to resource: if enabled this will revoke users’ access automatically
    – If reviewers don’t respond: remove access, approve access, make no change
    – Send notification to
    – Review decision helpers: recommends removal if the user being reviewed hasn’t signed in for 30 days
  5. Advanced settings:
    – which info will you gather when running the access review
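The review above can also be defined through Microsoft Graph, which makes the settings explicit and repeatable across tenants. The script below is an added example (not from the original post) using the Microsoft Graph PowerShell SDK against the v1.0 access reviews endpoint; it assumes the SDK is installed and that the fallback group ID is a placeholder you replace. The two scope queries are the ones Graph uses for “all Microsoft 365 groups” and “guest members only”.

```powershell
# Added example, not code from the original post. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$definition = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions" -Body @{
    displayName          = "Quarterly guest review - all M365 groups"
    descriptionForAdmins = "Remove guests who no longer need access"

    # Step 2: review scope is guest members only, evaluated in every Microsoft 365 (Unified) group.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = './members/microsoft.graph.user/?$count=true&$filter=(userType eq ''Guest'')'
        queryType     = "MicrosoftGraph"
    }
    instanceEnumerationScope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = '/groups?$filter=(groupTypes/any(c:c eq ''Unified''))'
        queryType     = "MicrosoftGraph"
    }

    # Step 3: group owners review their own group; a named group reviews groups with no owner.
    reviewers         = @(@{ query = "./owners"; queryType = "MicrosoftGraph" })
    fallbackReviewers = @(@{
        query     = "/groups/<FALLBACK-GROUP-ID>/transitiveMembers"   # placeholder, replace
        queryType = "MicrosoftGraph"
    })

    # Step 4: apply results automatically, remove access when nobody responds, show decision helpers.
    settings = @{
        instanceDurationInDays          = 14          # each review stays open for 14 days
        autoApplyDecisionsEnabled       = $true       # auto apply results to resource
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"      # if reviewers don't respond: remove access
        recommendationsEnabled          = $true       # decision helper: 30 days without sign-in
        justificationRequiredOnApproval = $true
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }                   # quarterly
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

"Access review definition created: $($definition.id)"
```

Choosing `Deny` as the default decision together with auto-apply is the strict option: a guest whose reviewer ignores the review loses the group membership at the end of the instance. If the owners in your tenant are unreliable reviewers, set `defaultDecision` to `None` first and watch a cycle of results before letting the review revoke access on its own.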
