Identity Governance (part 6 of 6)

By Ashwin Venugopal -

 



To read part 1, please click here
To read part 2, please click here
To read part 3, please click here
To read part 4, please click here
To read part 5, please click here








Entitlement Management

It's an identity governance feature which helps the organizations to manage identity as well as access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration.

Why use entitlement management?

The common challenges faced by the enterprise organizations while managing employee access to resources are:
  1. Users may not know what access they should have, and even if they do, they may have difficulty in locating the right individuals to approve their access.
  2. Once users find and receive access to a resource, they may hold on to the access longer than is required for business purposes.

The above stated problems are compounded for the users requiring access from another organization like an external user from supply chain organization or any other business partners. For example, Azure AD entitlement management allows the organizations to make sure that everyone has access to the correct directories as well as all the user access is managed consistently. 

What can I do with entitlement management?

Capabilities of entitlement management includes the following:

Action

Outcome

Delegate to non-administrators the ability to create access packages.

These access packages consists of the resources that users can request, and the delegated access package managers can define policies with rules for which the users can request who must approve their access, and when the access expires.

Select connected organizations whose users can request access.

When a user who is not in your directory requests access and is approved, they are automatically invited into your directory and assigned access. When their access expires, if they have no other access package assignments, their B2B account in your directory can be automatically removed.

 

Access Packages

What are Access Packages?

Entitlement Management introduces the concept of an access package which is a bundle of all the resources with the access a user needs to work on a project or perform their task. Access package can also govern access to your internal employees as well as the users outside your organization.

What resources can I manage with access packages?

You can easily manage user access to the following resources with entitlement management:

  1. Membership of Azure AD security groups.
  2. Membership of Microsoft 365 Groups and Teams.
  3. Assignment to Azure AD enterprise applications, including SaaS applications and custom-integrated applications that support federation/single sign-on and/or provisioning.
  4. Membership of SharePoint Online sites.  

The access to the other resources that rely upon Azure AD security groups or Microsoft 365 Groups can also be controlled, for example, you can provide:

  • Licenses for Microsoft 365 by using an Azure AD security group in an access packages and configuring group-based licensing for that group.
  • Access to manage Azure resources with the help of an Azure AD security group in an access package and creating an Azure role assignment for that group.
  • Access to manage Azure AD roles with the help of groups assignable to Azure AD roles in an access package and assigning an Azure AD role to that group.

When should I use access packages?

Access packages can be readily used in the situations when:

  • Employees require time-limited access for a particular task. For example, you can use group-based licensing as well as dynamic group to make sure that all the employees have an Exchange Online mailbox, and then use access package for the situations in which the employees need additional access like to read departmental resources from another department.

  • Access requires the approval of an employee's manager or the other designated individuals.

  • Departments wish to manage their own access policies for their resources without IT involvement.

  • Two or more organizations are collaborating on a project, and as a result, multiple users from one organization will need to be brought in via Azure AD B2B to access another organization's resources.      

Configure Entitlement Management

Although there are several ways to configure entitlement management for your organization, but, if you are just getting started, then, you should also understand the common scenarios for administrators, catalog owners, access package managers, approvers, and requestors. 
  • Delegate

  1. Administrator: Delegate management of resources.
  2. Catalog creator: Delegate management of resources.
  3. Catalog owner: Delegate management of resources.
  4. Catalog owner: Delegate management of access packages.

  • Govern access for users in your organization

  1. Access package manager: Allow employees in your organization to request access to resources.
  2. Requestor: Requests access to resources.
  3. Approver: Approves requests to resources.
  4. Requestor: View the resources you already have access to.

  • Govern access for users outside your organization

  1. Administrator: Collaborate with an external partner organization.
  2. Access package manager: Collaborate with an external partner organization.
  3. Requestor: Requests access to resource as an external user.
  4. Approver: Approves requests to resources.
  5. Requestor: View the resources you already have access to.

  • Day-to-day management

  1. Access package manager: Update the resources for a project.
  2. Access package manager: Update the duration for a project.
  3. Access package manager: Update how access is approved for a project.
  4. Access package manager: Update the people for a project.
  5. Access package manager: Directly assign specific users to an access package.

  • Assignments and reports

  1. Administrator: View who has assignments to an access package.
  2. Administrator: View resources assigned to users.

Microsoft Graph can also be used to manage access packages, policies, catalogs, requests, and assignments. 





To read part 1, please click here
To read part 2, please click here
To read part 3, please click here
To read part 4, please click here
To read part 5, please click here



Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning...
Read more