Defining Catalogs for Entitlement Management
Microsoft provides a way for users to self-manage their access rights to resources through self-service: a user signs in and requests access to a particular resource.
A catalog is a container that groups related resources and access packages. For example, if the company is running a big marketing push, you could create a catalog holding everything related to marketing.
- Go to Azure AD -> Identity Governance -> Catalogs
- Click New Catalog
- Give it a name and description
- Enable the catalog
- Choose whether to make it available to external users
Defining Access Packages
An Access Package is a bundle of resources that users can request access to; you specify what the package contains.
You can set whether users must justify why they need the Access Package and whether an admin must approve the request.
- Go to Azure AD -> Identity Governance -> Access Packages
- Click New Access Package
- Give it a name and description
- Choose which Catalog it will go in (the one created in the previous section)
- Resource roles: this is where you choose what is in the Access Package. Here you can add:
– Groups and Teams (you can choose whether to add users as member or owner)
– SharePoint Sites
- Requests: who can request this access package?
– Users in your directory (you can specify users and groups)
– Users not in your directory
– None – administrators assign users
- Approval: does the request need approval?
– Who can approve it?
– Within how many days?
- Requestor information: here you can request extra information from the user, e.g. a mobile phone number so someone can call them
- Lifecycle: expiration date or number of days
– You can set periodic access reviews
Once the Access Package is created you get a direct link to it which you can share with users.
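As an added example (not part of these notes), the Python below builds the Microsoft Graph v1.0 accessPackageAssignmentPolicy body that corresponds to the Requests, Approval, Requestor information and Lifecycle steps above, then audits it against least-privilege guardrails before it would be POSTed; the package and group IDs are constructed placeholders.

```python
GROUP = "#microsoft.graph.groupMembers"  # @odata.type for "members of a group"

def build_policy(package_id, approver_group, requestor_group=None, external=False,
                 approval_days=7, expiry_days=90, review_months=3,
                 question="Mobile phone number so we can call you"):
    """Body for POST /identityGovernance/entitlementManagement/assignmentPolicies.
    external=True targets all connected-organisation (guest) users; IDs are caller-supplied placeholders."""
    if external:
        scope, targets = "allExternalUsers", []
    else:
        scope = "specificDirectoryUsers"
        targets = [{"@odata.type": GROUP, "groupId": requestor_group}]
    approvers = [{"@odata.type": GROUP, "groupId": approver_group}]
    return {
        "displayName": "Self-service request policy",
        "accessPackage": {"id": package_id},
        "allowedTargetScope": scope, "specificAllowedTargets": targets,
        "requestorSettings": {"enableTargetsToSelfAddAccess": True, "enableTargetsToSelfRemoveAccess": True},
        # Approval: who approves, and within how many days (ISO-8601 duration)
        "requestApprovalSettings": {
            "isApprovalRequiredForAdd": True,
            "stages": [{"durationBeforeAutomaticDenial": f"P{approval_days}D",
                        "isApproverJustificationRequired": True,
                        "primaryApprovers": approvers}]},
        # Requestor information collected on the request form
        "questions": [{"@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",
                       "isRequired": True, "isSingleLineQuestion": True,
                       "text": {"defaultText": question}}],
        # Lifecycle: the assignment expires, and a periodic access review re-certifies it
        "expiration": {"type": "afterDuration", "duration": f"P{expiry_days}D"},
        "reviewSettings": {
            "isEnabled": True, "expirationBehavior": "removeAccess",
            "isRecommendationEnabled": True, "primaryReviewers": approvers,
            "schedule": {"expiration": {"type": "afterDuration", "duration": "P14D"},
                         "recurrence": {"pattern": {"type": "absoluteMonthly",
                                                    "interval": review_months},
                                        "range": {"type": "noEnd"}}}},
    }

def audit_policy(policy):
    """Guardrail check before submitting; an empty list means the policy passes."""
    findings = []
    approval = policy.get("requestApprovalSettings", {})
    if not (approval.get("isApprovalRequiredForAdd") and approval.get("stages")):
        findings.append("no approval stage: requests would be granted automatically")
    if policy.get("expiration", {}).get("type") != "afterDuration":
        findings.append("no expiry: access never lapses without manual removal")
    if not policy.get("reviewSettings", {}).get("isEnabled"):
        findings.append("no periodic access review: stale access is never re-certified")
    return findings
```

Submit the returned dict as the JSON body with an app or delegated token holding EntitlementManagement.ReadWrite.All; run audit_policy first and refuse to submit when it returns findings.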
Exploring the user side of Entitlement with Azure AD
When users go to this link, it shows them the Access Packages available to them.
From here, they can request access to the package and enter any required information (as configured in the package in the previous steps).
From this area the user can also look at their request history, approvals, access reviews, etc.
To set up a Terms of Use policy:
- Click New Terms
– Display Name
– Term of use document: you can upload a pdf
– Require users to expand the terms
– Require consent on every device
– Expire consents: users have to accept again after a certain number of days
– Duration before re-acceptance, e.g. every 90 days they have to re-accept
– Apply using Conditional Access policy: you can apply this using an existing conditional access policy or create a new one
- Go to Azure AD -> Security -> Conditional Access -> New
- Give it a name
- Assignments: select the users and groups this will apply to
- It can take up to a few hours to apply
Managing the lifecycle of external users (Guests) in Azure AD Governance Settings
Periodically you should review the external accounts in your organisation to see whether they are still active and, if so, whether they are still required.
Create a New Access Review for external users
- Go to Azure AD -> Identity Governance -> Access Reviews -> New Access Review
- Review Type:
– What to review: Teams and Groups -> select “All M365 groups with guests”
– Select review scope: “Guest users only”
– Select reviewers: group owners, specific users, or managers of users
– Review duration: number of days each review stays open
– Review recurrence: quarterly, fortnightly, etc.
– Start date
– End date
– Auto apply results to resource: if enabled, this automatically revokes users' access
– If reviewers don't respond: remove access, approve access, or make no change
– Send notifications to
– Review decision helpers: if the reviewer hasn’t signed in for 30 days
- Advanced settings:
– Which information to gather when running the access review