
SUNIL KUMAR


Azure AD Entitlement Management

What is Entitlement Management?
Azure Active Directory (Azure AD) entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration.

Why should you adopt this solution?
If you are using Azure AD, employees in your organization need access to various groups, applications, and sites to perform their job. Managing this access is challenging, as requirements change: new applications are added or users need additional access rights. The scenario gets more complicated when you collaborate with outside organizations; you may not know who in the other organization needs access to your organization's resources, and they won't know which applications, groups, or sites your organization is using. Azure AD entitlement management helps you manage access to groups, applications, and SharePoint Online sites more efficiently, both for internal users and for users outside your organization who need access to those resources.

Let's see how you can deploy Azure Active Directory entitlement management.

First, go to Azure AD > Identity Governance > Access packages.

Now let's explore all these features one by one.

Access packages-
Entitlement management introduces to Azure AD the concept of an access package. An access package is a bundle of all the resources with the access a user needs to work on a project or perform their task. Access packages are used to govern access for your internal employees, and also users outside your organization.

With entitlement management, you can manage access to Azure AD security groups, Microsoft 365 Groups and Teams, SaaS applications with SSO, and so on.

Now let's create the first access package.
First, click on "Create access package" and give it a name and description.


Now we need to assign the Sales group a contributor role. Click on the group resource type and select the Sales group; we will assign it a Member role once it is added.


Now we will create a policy that specifies who can request access. We will select all members of the directory as requesters and assign a sales manager as the approver.

Now we can ask the requester a question and select when the access package assignment will expire.

Remember that we selected the catalog "General" while creating the access package. A catalog is a container of related resources and access packages. Catalogs are used for delegation, so that non-administrators can create their own access packages. Catalog owners can add resources they own to a catalog.

Now let's suppose you want a freelancer to work on your sales campaign and want to give him access. You can do that by configuring his domain as a connected organization and then, in the policy created with the access package, specifying that users from that connected organization can also request access to the resources.

Now let's add a connected organization. To do that, go to Azure AD > Identity Governance > Connected organizations and click "Add connected organization".

Now search for the domain you want to add and click on "Add".

You can also add internal and external sponsors related to the project. Sponsors are internal or external users already in your directory who are the point of contact for the relationship with this connected organization. Internal sponsors are member users in your directory. Once you have configured the sponsors, you can click "Create".
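The same configuration can be scripted, which is useful when you want it reviewed and versioned rather than clicked through. The following is an added example, not code from the original post, written against the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance module, v1.0 endpoints). It reproduces the steps above: an access package in the General catalog, the Sales group granted through it with the Member role, a policy in which any directory member can request, the sales manager approves, the requester answers a question and the assignment expires, then a connected organization for the freelancer's domain with an internal sponsor and a second policy restricted to that organization. The tenant, group and user names and the partner.example domain are placeholders, and the cmdlet names are as I understand the module, so confirm them with Get-Command before running.

```powershell
# Added example (not from the original post): the portal steps as a Graph PowerShell script.
# Placeholders: contoso.example tenant, "Sales" group, sales.manager user, partner.example domain.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "Group.Read.All", "User.Read.All"

# Look up the General catalog, the Sales group and the approving sales manager
$catalog      = Get-MgEntitlementManagementCatalog -Filter "displayName eq 'General'"
$salesGroup   = Get-MgGroup -Filter "displayName eq 'Sales'"
$salesManager = Get-MgUser -UserId "sales.manager@contoso.example"

# 1. Create the access package inside the General catalog
$package = New-MgEntitlementManagementAccessPackage -BodyParameter @{
    displayName = "Sales campaign"
    description = "Groups and apps needed for the sales campaign"
    catalog     = @{ id = $catalog.Id }
}

# 2. Add the Sales group to the catalog as a resource (adminAdd: added directly by an admin)
New-MgEntitlementManagementResourceRequest -BodyParameter @{
    requestType = "adminAdd"
    catalog     = @{ id = $catalog.Id }
    resource    = @{ originId = $salesGroup.Id; originSystem = "AadGroup" }
} | Out-Null

# Resolve the catalog resource record that the request created
$resource = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $catalog.Id `
    -Filter "originId eq '$($salesGroup.Id)'"

# 3. Grant the group's Member role through the package (group roles are Member_<id> / Owner_<id>)
New-MgEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $package.Id -BodyParameter @{
    role = @{
        originId     = "Member_$($salesGroup.Id)"
        displayName  = "Member"
        originSystem = "AadGroup"
        resource     = @{ id = $resource.Id; originId = $salesGroup.Id; originSystem = "AadGroup" }
    }
    scope = @{ originId = $salesGroup.Id; originSystem = "AadGroup" }
} | Out-Null

# 4. Policy: any directory member may request, the sales manager approves,
#    the requester answers one question, and the assignment expires after 90 days
New-MgEntitlementManagementAssignmentPolicy -BodyParameter @{
    displayName        = "Internal sales staff"
    description        = "Employees request, sales manager approves"
    allowedTargetScope = "allMemberUsers"
    accessPackage      = @{ id = $package.Id }
    expiration         = @{ type = "afterDuration"; duration = "P90D" }
    requestorSettings  = @{ enableTargetsToSelfAddAccess = $true }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd = $true
        stages = @(@{
            durationBeforeAutomaticDenial   = "P14D"   # unanswered requests are denied, not left open
            isApproverJustificationRequired = $true
            primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $salesManager.Id })
        })
    }
    questions = @(@{
        "@odata.type" = "#microsoft.graph.accessPackageTextInputQuestion"
        isRequired    = $true
        text          = @{ defaultText = "Which campaign are you working on?" }
    })
} | Out-Null

# 5. Connected organization for the freelancer's domain, with the sales manager as internal sponsor
$partner = New-MgEntitlementManagementConnectedOrganization -BodyParameter @{
    displayName     = "Freelance sales partner"
    state           = "configured"
    identitySources = @(@{
        "@odata.type" = "#microsoft.graph.domainIdentitySource"
        domainName    = "partner.example"
        displayName   = "partner.example"
    })
}
New-MgEntitlementManagementConnectedOrganizationInternalSponsorByRef -ConnectedOrganizationId $partner.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($salesManager.Id)" }

# 6. Second policy: only users from that connected organization may request, shorter expiry
New-MgEntitlementManagementAssignmentPolicy -BodyParameter @{
    displayName            = "Freelancers from partner.example"
    allowedTargetScope     = "specificConnectedOrganizationUsers"
    specificAllowedTargets = @(@{ "@odata.type" = "#microsoft.graph.connectedOrganizationMembers"; id = $partner.Id })
    accessPackage          = @{ id = $package.Id }
    expiration             = @{ type = "afterDuration"; duration = "P30D" }
    requestorSettings      = @{ enableTargetsToSelfAddAccess = $true }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd = $true
        stages = @(@{
            durationBeforeAutomaticDenial = "P14D"
            primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $salesManager.Id })
        })
    }
} | Out-Null
```

Two settings carry the governance value of the walkthrough: `expiration` ensures the group membership is removed automatically instead of lingering after the campaign, and `allowedTargetScope = "specificConnectedOrganizationUsers"` limits external requests to the one domain you registered rather than any external account. Keeping the script in source control also gives you a reviewable record of who was allowed to request what, and of who the approver was, for each package.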

In the Reports section, you get an overview of users and their access packages, and an analysis of which resources are assigned to which users.


Hopefully, you now have an idea of what Azure AD Entitlement Management does. Follow for more such write-ups.
