Identity Governance (part 6 of 6)

To read part 1, please click here
To read part 2, please click here
To read part 3, please click here
To read part 4, please click here
To read part 5, please click here

Entitlement Management

Entitlement management is an identity governance feature that helps organizations manage the identity and access lifecycle at scale by automating access request workflows, access assignments, reviews, and expiration.

Why use entitlement management?

The common challenges enterprise organizations face while managing employee access to resources are:
  1. Users may not know what access they should have, and even if they do, they may have difficulty locating the right individuals to approve their access.
  2. Once users find and receive access to a resource, they may hold on to that access longer than is required for business purposes.

These problems are compounded for users who need access from another organization, such as an external user from a supply chain partner or any other business partner. Azure AD entitlement management lets an organization make sure that everyone has access to the correct directories and that all user access is managed consistently.

What can I do with entitlement management?

Capabilities of entitlement management include the following:

Action: Delegate to non-administrators the ability to create access packages.
Outcome: These access packages consist of the resources that users can request. The delegated access package managers can define policies with rules for which users can request access, who must approve their access, and when the access expires.

Action: Select connected organizations whose users can request access.
Outcome: When a user who is not in your directory requests access and is approved, they are automatically invited into your directory and assigned access. When their access expires, if they have no other access package assignments, their B2B account in your directory can be automatically removed.

 

Access Packages

What are Access Packages?

Entitlement management introduces the concept of an access package, which is a bundle of all the resources, with the access levels, that a user needs to work on a project or perform a task. An access package can govern access for your internal employees as well as for users outside your organization.

What resources can I manage with access packages?

You can easily manage user access to the following resources with entitlement management:

  1. Membership of Azure AD security groups.
  2. Membership of Microsoft 365 Groups and Teams.
  3. Assignment to Azure AD enterprise applications, including SaaS applications and custom-integrated applications that support federation/single sign-on and/or provisioning.
  4. Membership of SharePoint Online sites.

Access to other resources that rely upon Azure AD security groups or Microsoft 365 Groups can also be controlled. For example, you can provide:

  • Licenses for Microsoft 365 by using an Azure AD security group in an access package and configuring group-based licensing for that group.
  • Access to manage Azure resources by using an Azure AD security group in an access package and creating an Azure role assignment for that group.
  • Access to manage Azure AD roles by using groups assignable to Azure AD roles in an access package and assigning an Azure AD role to that group.

When should I use access packages?

Access packages are well suited to situations in which:

  • Employees require time-limited access for a particular task. For example, you can use group-based licensing and a dynamic group to make sure that all employees have an Exchange Online mailbox, and then use an access package for situations in which employees need additional access, such as reading resources that belong to another department.

  • Access requires the approval of an employee's manager or other designated individuals.

  • Departments wish to manage their own access policies for their resources without IT involvement.

  • Two or more organizations are collaborating on a project, and as a result, multiple users from one organization will need to be brought in via Azure AD B2B to access another organization's resources.

Configure Entitlement Management

There are several ways to configure entitlement management for your organization. If you are just getting started, you should first understand the common scenarios for administrators, catalog owners, access package managers, approvers, and requestors.
  • Delegate

  1. Administrator: Delegate management of resources.
  2. Catalog creator: Delegate management of resources.
  3. Catalog owner: Delegate management of resources.
  4. Catalog owner: Delegate management of access packages.

  • Govern access for users in your organization

  1. Access package manager: Allow employees in your organization to request access to resources.
  2. Requestor: Requests access to resources.
  3. Approver: Approves requests to resources.
  4. Requestor: View the resources you already have access to.

  • Govern access for users outside your organization

  1. Administrator: Collaborate with an external partner organization.
  2. Access package manager: Collaborate with an external partner organization.
  3. Requestor: Requests access to resource as an external user.
  4. Approver: Approves requests to resources.
  5. Requestor: View the resources you already have access to.

  • Day-to-day management

  1. Access package manager: Update the resources for a project.
  2. Access package manager: Update the duration for a project.
  3. Access package manager: Update how access is approved for a project.
  4. Access package manager: Update the people for a project.
  5. Access package manager: Directly assign specific users to an access package.

  • Assignments and reports

  1. Administrator: View who has assignments to an access package.
  2. Administrator: View resources assigned to users.

Microsoft Graph can also be used to manage access packages, policies, catalogs, requests, and assignments. 
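The two governance problems the post opened with (access held longer than needed, and B2B accounts that linger after their last assignment expires) are the ones an administrator checks first in the "assignments and reports" scenario above. The script below is an added example, not code from the original post or from Microsoft: it audits a list of assignment records shaped after the Graph v1.0 accessPackageAssignment resource (the output of GET /identityGovernance/entitlementManagement/assignments with target and accessPackage expanded). The records are constructed sample data, and the external-user test is a simplification that compares the e-mail domain against a list of home domains; a real tenant would use the subject's connected organization instead.

```python
"""Audit entitlement-management assignments (added example, constructed data).

Assumptions: records follow the Graph v1.0 accessPackageAssignment shape
(state, schedule.expiration.endDateTime, accessPackage, target); a subject is
treated as external when its e-mail domain is not one of the home domains.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Reference time used by the report; fixed so the audit is reproducible.
AUDIT_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)


def _record(aid, state, end, package, email):
    """Build one constructed assignment record in the Graph-like shape."""
    return {
        "id": aid,
        "state": state,
        "schedule": {"expiration": {"endDateTime": end}},
        "accessPackage": {"displayName": package},
        "target": {"email": email, "subjectType": "user"},
    }


# Constructed sample: two access packages, two internal and two external users.
SAMPLE_ASSIGNMENTS = [
    _record("a1", "delivered", "2024-07-10T00:00:00Z", "Finance reports", "alice@contoso.example"),
    _record("a2", "delivered", "2024-07-03T00:00:00Z", "Finance reports", "bob@fabrikam.example"),
    _record("a3", "expired", "2024-05-01T00:00:00Z", "Engineering wiki", "bob@fabrikam.example"),
    _record("a4", "expired", "2024-06-01T00:00:00Z", "Engineering wiki", "carol@tailspin.example"),
    _record("a5", "delivered", None, "Engineering wiki", "dave@contoso.example"),
]


def parse_time(value):
    """Parse a Graph ISO-8601 timestamp ending in 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def end_of(assignment):
    """Return the scheduled end of an assignment, or None if it never expires."""
    expiration = (assignment.get("schedule") or {}).get("expiration") or {}
    return parse_time(expiration.get("endDateTime"))


def assignments_by_package(assignments):
    """Who currently holds each access package (the 'view assignments' report)."""
    holders = defaultdict(list)
    for a in assignments:
        if a["state"] == "delivered":
            holders[a["accessPackage"]["displayName"]].append(a["target"]["email"])
    return dict(holders)


def expiring_soon(assignments, now=AUDIT_NOW, within_days=7):
    """Delivered assignments whose end date is past or within the window.

    Entries sorted by end date; assignments with no end date are skipped.
    """
    deadline = now + timedelta(days=within_days)
    hits = []
    for a in assignments:
        end = end_of(a)
        if a["state"] == "delivered" and end is not None and end <= deadline:
            hits.append((a["target"]["email"], a["accessPackage"]["displayName"], end.isoformat()))
    return sorted(hits, key=lambda h: h[2])


def is_external(email, home_domains):
    """Simplified external check: domain not in the tenant's home domains."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in home_domains}


def removable_externals(assignments, home_domains):
    """External subjects whose every assignment has expired: B2B accounts that
    entitlement management would remove if automatic removal is enabled."""
    active = {a["target"]["email"] for a in assignments if a["state"] == "delivered"}
    seen = {a["target"]["email"] for a in assignments}
    return sorted(e for e in seen - active if is_external(e, home_domains))


if __name__ == "__main__":
    for package, users in assignments_by_package(SAMPLE_ASSIGNMENTS).items():
        print(f"{package}: {', '.join(users)}")
    for email, package, end in expiring_soon(SAMPLE_ASSIGNMENTS):
        print(f"expiring: {email} on {package} at {end}")
    for email in removable_externals(SAMPLE_ASSIGNMENTS, {"contoso.example"}):
        print(f"no remaining assignments, external: {email}")
```

Run against a real export, the same three functions answer the questions the post raises: which package each person holds, whose access is about to lapse (or already has while still in the delivered state), and which guest accounts no longer have a reason to exist in the directory.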
