Today we start with blog post 2 of 4. This post is about granting access to specific company resources with Azure AD access packages, which are part of Azure AD Identity Governance and Azure AD entitlement management. Access packages are useful in several use cases; read on to find out which.
Identity Governance lets us balance end-user productivity with security. With entitlement management, organizations manage the identity and access lifecycle at scale by automating access request workflows, access assignments, access reviews, and expiration.
In the first blog post we discussed why we would grant access to guest accounts in the tenant. In this demonstration we grant access to a specific team in Microsoft Teams by creating an access package. This works for both internal and external users.
Azure AD access packages let administrators govern access to applications, Azure AD and Microsoft 365 groups (including Teams), and SharePoint Online sites, for internal employees as well as users outside the organization. Working with access packages ensures that users (guests included) hold only the relevant permissions, and only for as long as required.
An access package bundles resources that users can request as needed. Delegated managers define policies that set which users can request, who must approve the request, and when the access expires.
Use cases for access packages
- Granting access to temporary workers (internal and external users).
- Granting access to specific applications (e.g. Microsoft Visio and Project).
- Combined with access reviews, ensuring that no permission is granted permanently.
In this demonstration I use a demo environment with a Global Administrator and a test user. The access package grants membership of the Sales and Marketing team in Microsoft Teams. Anyone who can see the access package and requests it becomes a member of that team for one month. Now let's start!
1. Browse to the Azure portal with an account that has the required privileges: Global Administrator, Identity Governance Administrator, User Administrator, or, within entitlement management, a Catalog owner or Access package manager.
2. In the left navigation menu, click Azure Active Directory.
3. Click Identity Governance.
4. Click Create an access package.
5. Specify the Name, Description, and Catalog for the access package. The catalog cannot be changed once the access package has been created, so decide on it first; I suggest creating a dedicated catalog. A catalog defines which resources can be added to the access packages it contains.
6. Under Resource roles, specify the company resources the access package grants. In my case that is the Microsoft 365 group behind the Sales and Marketing team, with the Member role; the Owner role can be chosen instead. For applications, application roles can be assigned in the same way.
7. Under Requests, select who can request the access package. In my demo I add my test user as the only requestor. Besides scoping the request to users or groups, it is also possible to require one or more approvals; the requestor then has no access until an approver has approved the request. Click Require approval to enable an approval process.
8. Now that we have specified which access the user gets, specify the Lifecycle: when the assignment expires. In my case, after 30 days. Access reviews, which the next blog post covers, are enabled in this section as well.
9. The last section shows a summary of the access package that will be created.
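The same nine steps as Microsoft Graph calls, as an added example that is not part of the original post. It assumes the v1.0 entitlement management endpoints (catalogs, resourceRequests, accessPackages, resourceRoleScopes, assignmentPolicies) and an app or user holding EntitlementManagement.ReadWrite.All; the `send` callable is a placeholder transport that you wire to an authenticated HTTP client, and every id (group, user, approver) is hypothetical. The assignment policy is built by a separate pure function so the 30-day expiry and the optional approval stage can be checked without a tenant.

```python
"""Create an access package via Microsoft Graph v1.0 entitlement management.

Mirrors steps 4-9 of the portal walkthrough: catalog -> add the team's group as a
catalog resource -> access package -> Member role on the group -> policy that lets
the listed users self-request, optionally with approval, expiring after N days.

`send` is a placeholder transport (method, url, json_body) -> json_response; replace
it with an authenticated client (bearer token with EntitlementManagement.ReadWrite.All).
"""
from __future__ import annotations

from typing import Any, Callable, Dict, List, Optional

Json = Dict[str, Any]
Transport = Callable[[str, str, Optional[Json]], Json]

GRAPH = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"


def build_assignment_policy(access_package_id: str, requestor_user_ids: List[str],
                            days: int = 30, approver_user_id: Optional[str] = None) -> Json:
    """Policy body: only the listed users may request; ISO 8601 duration sets the expiry."""
    policy: Json = {
        "displayName": f"Self-service, {days}-day access",
        "description": "Requestable by the listed users only",
        "allowedTargetScope": "specificDirectoryUsers",
        "specificAllowedTargets": [
            {"@odata.type": "#microsoft.graph.singleUser", "userId": uid}
            for uid in requestor_user_ids
        ],
        "expiration": {"type": "afterDuration", "duration": f"P{days}D"},
        "requestorSettings": {
            "enableTargetsToSelfAddAccess": True,
            "enableTargetsToSelfRemoveAccess": True,
            "allowCustomAssignmentSchedule": True,  # requester may pick a shorter period
        },
        "requestApprovalSettings": {"isApprovalRequiredForAdd": False, "stages": []},
        "accessPackage": {"id": access_package_id},
    }
    if approver_user_id:  # "Require approval": nothing is delivered until the approver acts
        policy["requestApprovalSettings"] = {
            "isApprovalRequiredForAdd": True,
            "stages": [{
                "durationBeforeAutomaticDenial": "P14D",
                "isApproverJustificationRequired": True,
                "primaryApprovers": [
                    {"@odata.type": "#microsoft.graph.singleUser", "userId": approver_user_id}
                ],
            }],
        }
    return policy


def create_access_package(send: Transport, *, group_id: str, requestor_user_ids: List[str],
                          catalog_name: str, package_name: str, days: int = 30,
                          approver_user_id: Optional[str] = None) -> Json:
    """Run the Graph calls in dependency order and return the created ids."""
    # Step 5 (catalog first): packages are bound to a catalog at creation and cannot be moved.
    catalog = send("POST", f"{GRAPH}/catalogs", {
        "displayName": catalog_name, "description": "Catalog for the demo access package",
        "state": "published",
        "isExternallyVisible": False})  # False: not offered to users outside the directory
    # Step 6, part 1: the team's Microsoft 365 group becomes a resource of the catalog.
    send("POST", f"{GRAPH}/resourceRequests", {
        "requestType": "adminAdd",
        "resource": {"originId": group_id, "originSystem": "AadGroup"},
        "catalog": {"id": catalog["id"]}})
    package = send("POST", f"{GRAPH}/accessPackages", {
        "displayName": package_name, "description": "Sales and Marketing team membership",
        "catalog": {"id": catalog["id"]}})
    # Step 6, part 2: look up the catalog resource id, then attach the group's Member role.
    resources = send("GET",
                     f"{GRAPH}/catalogs/{catalog['id']}/resources?$filter=originId eq '{group_id}'",
                     None)
    resource_id = resources["value"][0]["id"]
    send("POST", f"{GRAPH}/accessPackages/{package['id']}/resourceRoleScopes", {
        "role": {"originId": f"Member_{group_id}", "displayName": "Member",
                 "originSystem": "AadGroup", "resource": {"id": resource_id}},
        "scope": {"originId": group_id, "originSystem": "AadGroup"}})
    # Steps 7-8: requestors, approval and lifecycle live in the assignment policy.
    policy = send("POST", f"{GRAPH}/assignmentPolicies",
                  build_assignment_policy(package["id"], requestor_user_ids, days, approver_user_id))
    return {"catalog_id": catalog["id"], "access_package_id": package["id"], "policy_id": policy["id"]}


if __name__ == "__main__":
    # Offline demo with a constructed fake transport; real use replaces it with HTTP calls.
    def fake_send(method: str, url: str, body: Optional[Json]) -> Json:
        if method == "GET":
            return {"value": [{"id": "res-hypothetical", "originId": "grp-hypothetical"}]}
        return {"id": f"obj-{abs(hash(url)) % 10000}", **(body or {})}

    print(create_access_package(fake_send, group_id="grp-hypothetical",
                                requestor_user_ids=["user-hypothetical"],
                                catalog_name="Demo catalog", package_name="Sales and Marketing"))
```

The order matters: the group must be a catalog resource before a role on it can be added to the package, and the policy must reference an existing package. Set `approver_user_id` to reproduce the Require approval option from step 7; omit it for the no-approval flow used in the demo.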
Testing and simulation
First, ask the user to open the My Access portal (https://myaccess.microsoft.com). It lists the access packages the user can request; an access package appears here when the user is in scope of one of its request policies, directly or through a group.
Select the appropriate access package and click Request access.
After clicking Request access, the portal optionally asks for a business justification; in my case it is not mandatory for the request. We can also request access for a specific period, as long as it does not exceed the policy's maximum. Click Submit to send the request.
Because no approval workflow is configured, the user immediately gets access to the Sales and Marketing team and the assignment is delivered.
To verify, open the Active tab and check that the access package just requested is listed, together with the 30-day expiration date set in the policy.
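The request the user submits in My Access, and the check behind the Active tab, as Graph v1.0 calls. This is an added example, not code from the post: the assignmentRequests endpoint and the assignment's `state` and `schedule` fields are assumed from the v1.0 entitlement management API, `send` is again a placeholder transport, all ids are hypothetical, and the sample assignment is constructed to look like one element of a GET /assignments response.

```python
"""Submit an access package request for a user and verify the resulting assignment.

Graph v1.0 entitlement management; `send` is a placeholder (method, url, json) -> json
transport to be replaced with an authenticated HTTP client.
"""
from __future__ import annotations

from datetime import datetime, timedelta
from typing import Any, Callable, Dict, List, Optional

Json = Dict[str, Any]
Transport = Callable[[str, str, Optional[Json]], Json]

GRAPH = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"


def request_access(send: Transport, *, user_id: str, access_package_id: str,
                   policy_id: str, justification: str = "") -> Json:
    """Equivalent of clicking Request access -> Submit in My Access.

    The justification is optional here, matching a policy that does not require one.
    """
    body: Json = {
        "requestType": "userAdd",
        "assignment": {
            "targetId": user_id,
            "assignmentPolicyId": policy_id,
            "accessPackageId": access_package_id,
        },
    }
    if justification:
        body["justification"] = justification
    return send("POST", f"{GRAPH}/assignmentRequests", body)


def list_user_assignments(send: Transport, user_id: str) -> List[Json]:
    """What the Active tab shows: the user's current access package assignments."""
    url = f"{GRAPH}/assignments?$filter=target/objectId eq '{user_id}'&$expand=accessPackage"
    return send("GET", url, None)["value"]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_assignment(assignment: Json, expected_days: int, tolerance_hours: int = 1) -> bool:
    """True when the assignment is delivered and its end date is expected_days after its start.

    Confirms the lifecycle set in step 8 actually applied, instead of trusting the portal.
    """
    if assignment.get("state") != "delivered":
        return False
    schedule = assignment.get("schedule") or {}
    expiration = schedule.get("expiration") or {}
    if expiration.get("type") != "afterDateTime" or "endDateTime" not in expiration:
        return False  # an open-ended assignment is exactly what we do not want
    lifetime = _parse(expiration["endDateTime"]) - _parse(schedule["startDateTime"])
    return abs(lifetime - timedelta(days=expected_days)) <= timedelta(hours=tolerance_hours)


# Constructed sample of one element of a GET /assignments response (not real tenant data).
SAMPLE_ASSIGNMENT: Json = {
    "id": "assignment-hypothetical",
    "state": "delivered",
    "schedule": {
        "startDateTime": "2021-03-01T09:00:00Z",
        "expiration": {"type": "afterDateTime", "endDateTime": "2021-03-31T09:00:00Z"},
    },
}
```

Run `check_assignment` over `list_user_assignments(send, user_id)` for each package you expect to expire; a `False` for a delivered assignment means the policy's lifecycle was not applied (for example, an admin direct assignment made outside the policy), which is the kind of standing access the next post's access reviews are meant to catch.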
Result
The test user now has access to the team for which we created the access package.
Licensing
- Azure AD access packages require an active Azure AD Premium P2 license. At the time of writing, each P2 user license also covers up to five guest users in the tenant.
I hope this blog post helps you or your organization create these workflows and start using these tools to optimize your Identity Governance.