The previous chapter covered the advanced tools and capabilities of Microsoft Defender for Cloud Apps, formerly Microsoft Cloud App Security, to monitor and manage the use of cloud applications in your company. In this chapter, we will discuss the planning and implementation process for entitlement management as an important part of Identity Governance. This includes life cycle management for external users and managing the terms of use.
In this chapter, we're going to cover the following main topics:
In this chapter, we will continue to explore configuring a tenant to use Microsoft 365 and Azure. There will be exercises that will require access to Azure Active Directory (AD). If you have not yet created the trial licenses for Microsoft 365, please follow the directions provided within Chapter 1, Preparing for Your Microsoft Exam.
Up to this point, you have worked on planning and implementing various aspects of security identity and access throughout the company tenant. This has included providing access to the tenant for members and external users. When you add a member or external user, you need to govern what they are authorized to access as soon as they authenticate to the company tenant. The catalogs that you create define the resources that a user or group is authorized to use, which gives you clear governance over what a user or group can reach once they authenticate to the tenant. Entitlement management provides this governance through the creation of catalogs and access packages that you build for these groups of users. Entitlement management is a premium feature and requires Azure AD Premium P2 licenses to be assigned to the users and groups it governs. Entitlement management is found under Identity Governance within Azure AD. Figure 12.1 shows the Getting started tile of this service and where Entitlement management is found in the menu:
For additional information, please refer to this link: https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview. Let's discuss how catalogs and access packages work to provide this governance.
The first step in entitlement management is to create catalogs. If you do not create a catalog for your access packages, they are placed in the default General catalog. If you want a clearly defined catalog, create it first, because an access package cannot be moved to another catalog once it has been created. Additional information can be found at this link: https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-create#basics. These catalogs can be created within the Identity Governance services within Azure AD under the Entitlement management menu, as shown in Figure 12.2:
Catalogs are a collection of users and groups, SaaS applications (Salesforce, Workday, ServiceNow, and others), enterprise applications, and SharePoint sites. To create these catalogs, you must be assigned the Identity Governance Administrator role or Global Administrator role. Previously, the User Administrator role was authorized to create these catalogs, but that is currently being phased out. In the Planning, implementing, and managing entitlements section, we will go through the steps to create catalogs. Let's define each of the areas that make up this catalog. For additional information and examples, refer to this link: https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-create#overview.
Users and groups are assigned to catalogs in order to access the applications and sites that are within the catalog. These users and groups can include internal and external users. The ability to create catalogs with internal and external users allows us to use entitlements for project-based access or other applications, such as branch offices and departmental assignments.
Applications are the enterprise and cloud applications that are registered through the steps that were completed in Chapter 10, Planning and Implementing Enterprise Apps for Single Sign-On (SSO). The applications that are added to the catalog provide the users and groups assigned with the authorization to use these applications.
SharePoint sites can be added to a catalog. These sites can be a project-based internally created SharePoint site, a file share site on SharePoint, or any SharePoint URL that you determine should be assigned to the catalog. Multiple sites can be added to a single catalog.
Once these three areas are configured, we have our catalog prepared and ready to be assigned. You will go through the configuration process in the Implementing entitlements section of this chapter.
The next section will discuss the next step of entitlement management, which is the access package.
As discussed in the previous section, catalogs define the users and groups, applications, and SharePoint sites within Identity Governance. Creating a catalog does not by itself grant anyone access to its resources. You must create access packages to approve and allow access to the resources in these catalogs. As stated in the previous section, once an access package is created in a catalog, it cannot be moved to another catalog.
When creating an access package, at a minimum, you define the catalog that the access package governs, how requests are handled, and the life cycle of the access package, as shown in Figure 12.3:
The configuration and assignment of an access package will be shown in the Implementing entitlements section.
The next section will go through the process of planning, implementing, and managing entitlements.
In the previous sections, we discussed and defined how catalogs and access packages are used for Identity Governance within entitlement management. This section will discuss how to plan for these entitlements, how they are implemented, and how to manage access and review these entitlements.
Before creating catalogs and access packages, you should plan and determine how they are going to be used within your company. Entitlement management can be a helpful tool for companies that have projects that utilize internal and external users, departments that utilize different and specialized resources that other departments don't require access to, and branch and global offices that have their own users, groups, and partners.
As someone in charge of Identity Governance, you should work with stakeholders to plan these catalogs and access packages, as well as determine how often they will be reviewed for continued use and access. Proper planning with stakeholders based on the business model will allow the stakeholders to quickly provide users with access to the resources that are required for a given project or department once they are onboarded.
An important part of the meeting with stakeholders is determining which internal and external users will make up the group that is assigned to the catalog. Ask stakeholders what the job roles of the users who need access are and which applications those roles must be authorized to use; this group may need to be created before the entitlement is implemented. Stakeholders should also provide the list of applications and SharePoint sites that the entitlement will be required to access.
The next section will go through the process of creating a catalog and access package.
After planning with the necessary groups about what is needed for catalogs and access packages within your company, they are ready to be implemented. To better understand how catalogs and access packages are created, let's go through the steps to create a catalog that identifies the users and groups with access and the applications and SharePoint sites that they have access to. Then, you will step through how to assign that catalog through the creation of an access package:
This completes the process of creating a catalog. Next, you will implement the access package that will have this catalog as the assignment:
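The portal steps are not reproduced here, so as an added example that is not from the book, the following script creates the same kind of catalog, access package and request policy with the Microsoft Graph PowerShell SDK (v1.0 cmdlets from the Microsoft.Graph.Identity.Governance module, which is an assumption about your environment). The group, approver and catalog names are placeholders.

```powershell
# Added example (not from the book): catalog -> resource -> access package -> policy.
# Assumes the Microsoft.Graph.Identity.Governance module; all IDs are placeholders.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

$groupId    = "<objectId of the project group>"     # placeholder
$approverId = "<objectId of the internal approver>" # placeholder

# 1. A dedicated catalog. Packages cannot move between catalogs later,
#    so create it before any access package.
$catalog = New-MgEntitlementManagementCatalog -DisplayName "Project Atlas" `
    -Description "Resources for the Atlas project team" -IsExternallyVisible:$true

# 2. Add the project group to the catalog as a resource (processed asynchronously).
New-MgEntitlementManagementResourceRequest -BodyParameter @{
    requestType = "adminAdd"
    catalog     = @{ id = $catalog.Id }
    resource    = @{ originId = $groupId; originSystem = "AadGroup" }
} | Out-Null
Start-Sleep -Seconds 10
$resource = Get-MgEntitlementManagementCatalogResource `
    -AccessPackageCatalogId $catalog.Id -Filter "originId eq '$groupId'"

# 3. The access package that governs this catalog.
$package = New-MgEntitlementManagementAccessPackage -BodyParameter @{
    displayName = "Atlas team access"
    description = "Group membership for Atlas project members"
    catalog     = @{ id = $catalog.Id }
}

# 4. Grant the group's Member role through the package.
New-MgEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $package.Id -BodyParameter @{
    role  = @{ originId = "Member_$groupId"; displayName = "Member"
               originSystem = "AadGroup"; resource = @{ id = $resource.Id } }
    scope = @{ originId = $groupId; originSystem = "AadGroup" }
} | Out-Null

# 5. Policy: external users may request, an internal approver must approve with a
#    justification, and access expires after 90 days so the life cycle has an end.
New-MgEntitlementManagementAssignmentPolicy -BodyParameter @{
    displayName        = "Partner access with approval"
    allowedTargetScope = "allExternalUsers"
    expiration         = @{ type = "afterDuration"; duration = "P90D" }
    requestorSettings  = @{ enableTargetsToSelfAddAccess = $true }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd = $true
        stages = @(@{
            durationBeforeAutomaticDenial   = "P7D"
            isApproverJustificationRequired = $true
            primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approverId })
        })
    }
    accessPackage = @{ id = $package.Id }
}
```

Review the resulting policy under Policies in the access package's Manage menu before sharing the My Access URL with partners.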
Now that you have configured your catalog and access package, you will want to understand how to manage these entitlements; this includes how to request access and validate access. The next section will go through how you can manage access packages, catalogs, and entitlements.
In the previous section, you configured your catalog and access package. Once the access package has been created and enabled, you should understand how to manage these entitlements.
After creating an access package, you are taken to the management tile for that specific access package, as shown in Figure 12.24. For users who are in the group assigned to the access package, a URL is created for direct access to the applications and SharePoint sites in the catalog. This URL is pointed out in Figure 12.24. Administrators who need to manage the access package use the Manage menu shown in Figure 12.25:
In this menu, you can adjust the configuration of the resource roles, requests, and access reviews. There are also additional management areas to configure policies, separation of duties, and assignments for the access package. If you select Policies, you will see that an initial policy is assigned to the access package. This policy is created based on the access package configuration and can be selected to view, as shown in Figure 12.26:
If you require additional policies, assignments, and separation of duties, select those sections and add them as needed for additional access policy governance. For more information on managing Identity Governance and entitlement management, see the Microsoft Docs link here: https://docs.microsoft.com/en-us/azure/active-directory/governance/identity-governance-overview.
In the next section, we will discuss implementing and managing terms of use within Identity Governance.
If your company requires particular terms of use for the applications or sites that are being accessed by member and guest users, Azure AD Identity Governance allows companies to assign these terms of use and tie them to a Conditional Access policy to allow access to the application. Figure 12.27 shows where to find the terms of use within the Identity Governance menu. You can select + New terms to add new terms:
When you select + New terms, the configuration wizard tile will open for adding the terms of use. This document is a PDF that can be in multiple languages. This is shown in Figure 12.28. At the bottom of this tile is where you can create a Conditional Access policy to enforce acceptance of the terms of use before accessing an application:
More information on how to implement and manage the terms of use can be found at this link: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use.
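As an added example that is not from the book, this script attaches an existing terms-of-use agreement to a Conditional Access policy for one enterprise application using the Microsoft Graph PowerShell SDK (v1.0 cmdlets). It assumes the agreement was already created in the portal as in Figure 12.28; the agreement name and application ID are placeholders.

```powershell
# Added example (not from the book): enforce an existing terms-of-use agreement
# through Conditional Access. Agreement name and app ID are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Agreement.Read.All"

# Look up the agreement created in the Identity Governance portal.
$agreement = Get-MgIdentityGovernanceTermsOfUseAgreement |
    Where-Object DisplayName -eq "Partner Portal Terms"
$appId = "<application (client) ID of the enterprise app>"   # placeholder

New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require terms of use for Partner Portal"
    # Start in report-only mode; switch to "enabled" after checking the sign-in
    # logs show the expected users would be prompted and nothing else breaks.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @($appId) }
    }
    # The only grant control is acceptance of the agreement.
    grantControls = @{
        operator   = "OR"
        termsOfUse = @($agreement.Id)
    }
}
```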
The next section will discuss managing the life cycle of external users in the Identity Governance settings.
When discussing Azure AD Identity Governance, the key concepts in managing governance are how we manage privileged roles, access packages, and the life cycle of access. You configured access packages earlier in this chapter. This chapter will discuss managing privileged roles and access. In terms of the access life cycle, you should consider the access life cycle of both your member users and your guest users. These should be handled differently: a member user's life cycle is based on their employment with the company and the access required by the department or team they belong to.
Guest users are provided access based on a partnership and external collaboration trust relationship. This access can be due to a managed services contract, a particular project, or perhaps a merger/acquisition. In any case, these relationships have a life cycle that will eventually come to an end. Therefore, you should have governance in place to manage this life cycle. Within Identity Governance, this is managed through the creation of access reviews.
Access reviews can manage the access life cycle. Azure AD Identity Governance provides an Overview dashboard showing the status of access reviews, as shown in Figure 12.29:
Under the Access reviews menu, you can select Access reviews to configure an access review for guest users. You can select + New access review to create your guest user access review. The tile will open to configure the access review for guest users. Figure 12.30 shows this tile and how to configure an access review for guest users:
The next tile is where you configure who reviews and approves access, how often access will be reviewed, and when access will expire. Guest users should not review their access. An internal member user should be assigned to review guest access. This is shown in Figure 12.31:
Finally, you will configure the settings for how the review will take place and what happens when the guest user responds or does not respond. This is shown in Figure 12.32:
Once you review and create the access review, this will show as an access review in the list. It will also show within the access review overview dashboard as a guest member review.
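As an added example that is not from the book, the following script creates the guest-user access review described in Figures 12.30 to 12.32 with the Microsoft Graph PowerShell SDK (v1.0 cmdlets): only guests in the group are in scope, an internal member reviews, and unanswered reviews default to Deny. Group and reviewer IDs are placeholders.

```powershell
# Added example (not from the book): quarterly review of guest members of a group.
# Group and reviewer object IDs are placeholders.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId    = "<objectId of the group that contains guests>"  # placeholder
$reviewerId = "<objectId of the internal member who reviews>" # placeholder

New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter @{
    displayName             = "Quarterly guest review - Atlas project"
    descriptionForAdmins    = "Confirm partner users still need Atlas access"
    descriptionForReviewers = "Deny anyone who is no longer on the project"
    # Scope: guest users only; internal members of the group are not reviewed.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query     = "/groups/$groupId/transitiveMembers/microsoft.graph.user/?`$count=true&`$filter=(userType eq 'Guest')"
        queryType = "MicrosoftGraph"
    }
    # An internal member reviews; guests never review their own access.
    reviewers = @(@{ query = "/users/$reviewerId"; queryType = "MicrosoftGraph" })
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true
        instanceDurationInDays          = 14
        # If the reviewer does not respond, apply Deny so stale access is removed.
        defaultDecisionEnabled    = $true
        defaultDecision           = "Deny"
        autoApplyDecisionsEnabled = $true
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}
```

The review then appears in the Access reviews list and on the overview dashboard as a guest user review, and each instance's decisions can be checked there before they are auto-applied.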
Next, we will provide a summary of what was discussed in this chapter.
In this chapter, we covered the areas of entitlement management and guest access life cycle management within Azure AD Identity Governance. This included creating new catalogs and access packages for providing entitlement management of users, applications, and SharePoint site access. You went through an exercise on implementing a new catalog and an access package. We then discussed how to manage entitlements and the access life cycle for access packages and guest user access. In the next chapter, we will discuss privileged identity management (PIM) within Azure AD Identity Governance.