Managing user identities and access is a struggle for many organizations. One of the ways to ensure the security of your resources is to implement identity governance.
Today, I will share with you a few guides on the key mechanisms in Azure AD that will allow you to implement it. Note that these functionalities require Azure AD Premium P2 licenses.
We have several important features for Identity Governance in AAD. They are:
But from my point of view, there are two more features that are related to AIG:
But let’s dive into the key features today.
This is a simple but useful and often necessary feature that you can use when working with guests or external users. After all, you want all your users to be aware of the rules applicable to your environment.
Once the user has accepted the terms, access to the environment is granted, and the guest or external user can sign in to every application they have been given access to.
Entitlement Management in Azure AD allows you to automate IAM processes, so you can manage identities at scale. It has 5 key components:
Note: for users who are not Global Administrators or User Administrators, resources have to be part of a catalog before they can be added to an access package.
Here’s how it works:
Inside the Resource Directory, we have Catalog 1 meant for sharing. It contains Group 1, Group 2, App 1, and Site 2. These resources are available for access packages.
In the example, we have two access packages based on Catalog 1 resources:
There is also an Access Package Manager role assigned (using RBAC).
We can share Access Package 1 with internal requestors. Access Package 2 has defined access policies for internal and external users, which means we can share it with requestors from inside and outside the organization.
Using Entitlement Management, you can share the same set of resources in many different ways, with many different users. Do this by creating individual access packages that specify the resources you wish to share, and assign each package the policies appropriate for your selected users.
It is important to monitor access and permissions. Every request, approval and assignment is recorded in the Azure AD audit logs, and if you route those logs to a Log Analytics workspace you can review them in the Identity Governance workbooks.
See this guide with detailed instructions on how to configure a catalog like this and how to manage user lifecycles for it.
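The catalog, access package and policy structure described above, built with Microsoft Graph PowerShell against the v1.0 entitlement management API. This is an added example, not code from the original post or from Microsoft; the group ID, the approver's user ID and the names are placeholders you replace with your own, and the request bodies follow the Graph reference as of writing, so check them against the current documentation before running this in production.

```powershell
# Added example (not from the original post): Catalog 1 -> Access Package 1 -> internal policy.
# Assumes the Microsoft.Graph PowerShell module, an Azure AD Premium P2 tenant, and that the
# caller holds the Identity Governance Administrator role. IDs below are placeholders.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

$groupId    = "00000000-0000-0000-0000-000000000001"   # placeholder: Group 1
$approverId = "00000000-0000-0000-0000-000000000002"   # placeholder: approving manager
$base       = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

function Invoke-Graph($Method, $Uri, $Body) {
    if ($Body) { Invoke-MgGraphRequest -Method $Method -Uri $Uri -Body $Body -ContentType "application/json" }
    else       { Invoke-MgGraphRequest -Method $Method -Uri $Uri }
}

# 1. The catalog: resources must live in a catalog before they can be packaged.
$catalog = Invoke-Graph POST "$base/catalogs" @{
    displayName         = "Catalog 1"
    description         = "Resources shared with project teams"
    isExternallyVisible = $true   # required if external requestors will ever use packages from it
}

# 2. Add Group 1 to the catalog with an admin-initiated resource request.
Invoke-Graph POST "$base/resourceRequests" @{
    requestType = "adminAdd"
    resource    = @{ originId = $groupId; originSystem = "AadGroup" }
    catalog     = @{ id = $catalog.id }
} | Out-Null

# 3. The access package, bound to the catalog.
$package = Invoke-Graph POST "$base/accessPackages" @{
    displayName = "Access Package 1"
    description = "Project team membership"
    catalog     = @{ id = $catalog.id }
}

# 4. Look up the catalog resource for the group and its "Member" role, then add that role to the package.
$resource = (Invoke-Graph GET "$base/catalogs/$($catalog.id)/resources?`$filter=originId eq '$groupId'").value[0]
$roles    = (Invoke-Graph GET "$base/catalogs/$($catalog.id)/resourceRoles?`$filter=(originSystem eq 'AadGroup' and resource/id eq '$($resource.id)')&`$expand=resource").value
$member   = $roles | Where-Object { $_.displayName -eq "Member" } | Select-Object -First 1
Invoke-Graph POST "$base/accessPackages/$($package.id)/resourceRoleScopes" @{
    role  = @{ originId = $member.originId; displayName = "Member"; originSystem = "AadGroup"; resource = @{ id = $resource.id } }
    scope = @{ originId = $groupId; originSystem = "AadGroup" }
} | Out-Null

# 5. The policy: internal (member) users may request, one approval stage, access expires after
#    90 days, and a quarterly review that removes access when the reviewer does not respond.
$policy = Invoke-Graph POST "$base/assignmentPolicies" @{
    displayName        = "Internal requestors"
    description        = "All member users, manager approval, 90-day expiry"
    allowedTargetScope = "allMemberUsers"     # swap for allConfiguredConnectedOrganizationUsers to admit partners
    accessPackage      = @{ id = $package.id }
    expiration         = @{ type = "afterDuration"; duration = "P90D" }
    requestorSettings  = @{ enableTargetsToSelfAddAccess = $true; enableTargetsToSelfRemoveAccess = $true }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd = $true
        stages = @(@{
            durationBeforeAutomaticDenial   = "P7D"   # unanswered requests are denied, not left open
            isApproverJustificationRequired = $true
            primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approverId })
        })
    }
    reviewSettings = @{
        isEnabled          = $true
        expirationBehavior = "removeAccess"   # fail closed when nobody reviews
        primaryReviewers   = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approverId })
        schedule = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString("o")
            expiration    = @{ type = "afterDuration"; duration = "P14D" }
            recurrence    = @{ pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
                               range   = @{ type = "noEnd" } }
        }
    }
}
"Policy $($policy.id) attached to package $($package.id)"
```

A second policy on the same package with `allowedTargetScope = "allConfiguredConnectedOrganizationUsers"` gives the "Access Package 2" shape from the diagram, where internal and external requestors are admitted under different approval and expiry settings while the resources stay the same. The two fail-closed settings (automatic denial of stale requests and `removeAccess` on an unanswered review) are the ones most often left at their permissive defaults when packages are created in the portal.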
When you share multiple resources with users within and outside of your organization, it is good practice (and often a requirement) to conduct periodical access reviews. Their purpose is to determine whether the users still need access they have, and revoke it if not.
Enforcing access reviews on a regular basis helps keep your environment protected. It also reduces the risk of accumulating hundreds of users who hold admin privileges they no longer need.
Using the Access Reviews feature in Azure AD you can check active permissions for:
You can either enforce them at the access package level (using Entitlement Management) or set them up (as a recurring or one-off review) under Identity Governance in the Azure Portal.
The review process is cyclical, which means it doesn’t really end. Just as your environment changes with each new user or resource, so do the required permissions.
The access review cycle is a 5-step process.
The workflow is as follows:
Who can be a reviewer? This depends on the resource and your organization’s policy. There are, however, some predefined options that you can choose from:
To find out how to set up an Access Review, follow the step-by-step instructions featured in my earlier post.
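A standalone, recurring access review of a group's membership created through the Graph v1.0 access reviews API, with the group's owners as reviewers and decisions applied automatically. This is an added example rather than the post's own walkthrough; the group and fallback reviewer IDs are placeholders, and the follow-up query at the end shows how to pull the decisions that are still outstanding, which is the part of the cycle that usually needs chasing.

```powershell
# Added example (not from the original post): quarterly review of a group's members.
# Assumes the Microsoft.Graph module and Azure AD Premium P2. IDs are placeholders.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId    = "00000000-0000-0000-0000-000000000001"   # placeholder: reviewed group
$fallbackId = "00000000-0000-0000-0000-000000000003"   # placeholder: fallback reviewer (a user)
$base       = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews"

$definition = Invoke-MgGraphRequest -Method POST -Uri "$base/definitions" -ContentType "application/json" -Body @{
    displayName             = "Quarterly review: project team membership"
    descriptionForAdmins    = "Recurring review of transitive members of the project team group"
    descriptionForReviewers = "Confirm that each member still needs access to the project resources"
    # What is reviewed: every transitive member of the group.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    # Who reviews: the group owners, with a named fallback if the group has no owners.
    reviewers         = @(@{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" })
    fallbackReviewers = @(@{ query = "/users/$fallbackId";      queryType = "MicrosoftGraph" })
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true    # flag members with no recent sign-in
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"   # no response means access is removed
        autoApplyDecisionsEnabled       = $true    # apply results without a manual step
        instanceDurationInDays          = 14
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}
"Created review definition $($definition.id)"

# Later in the cycle: find the current instance and list decisions nobody has acted on yet.
$instances = (Invoke-MgGraphRequest -Method GET -Uri "$base/definitions/$($definition.id)/instances").value
$current   = $instances | Where-Object { $_.status -eq "InProgress" } | Select-Object -First 1
if ($current) {
    $pending = (Invoke-MgGraphRequest -Method GET `
        -Uri "$base/definitions/$($definition.id)/instances/$($current.id)/decisions?`$filter=decision eq 'NotReviewed'").value
    $pending | ForEach-Object { "{0}: not yet reviewed" -f $_.principal.displayName }
}
```

`defaultDecision = "Deny"` together with `autoApplyDecisionsEnabled` is what turns the review into an enforcement step rather than a report; without them an ignored review changes nothing.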
PIM is designed for managing access to critical assets. It can make your environment more secure by limiting how long highly privileged roles stay active and restricting who is allowed to activate them.
PIM is a great tool that you can use to enable the just-in-time (JIT) access model for:
Privileged Identity Management also protects your resources by enforcing additional requirements, such as:
All of these requirements can be set in the Azure Portal, under Identity Governance. As a Global Administrator (or Privileged Role Administrator), you can also specify which users are eligible to activate each role.
To use a privileged role, an eligible user has to activate it by submitting a request. The process looks as follows:
In this case, User1 was assigned an Exchange Administrator role.
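The activation request from the user's side, done through the Graph v1.0 PIM API instead of the portal. This is an added example, not the post's own procedure: it checks that the signed-in user is actually eligible for Exchange Administrator, then submits a self-activation with a justification, a ticket reference and a two-hour expiry. The ticket number is a placeholder.

```powershell
# Added example (not from the original post): JIT activation of an eligible role via PIM.
# Assumes the Microsoft.Graph module, Azure AD Premium P2, and that the signed-in user has an
# eligible assignment for the role. Ticket details are placeholders.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory","RoleEligibilitySchedule.Read.Directory","RoleManagement.Read.Directory","User.Read"

$graph = "https://graph.microsoft.com/v1.0"
$me    = Invoke-MgGraphRequest -Method GET -Uri "$graph/me"

# Resolve the role by name rather than hard-coding its template ID.
$role = (Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/roleManagement/directory/roleDefinitions?`$filter=displayName eq 'Exchange Administrator'").value[0]

# Only eligible assignments can be activated; fail early with a clear message otherwise.
$eligible = (Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='principal')").value |
    Where-Object { $_.roleDefinitionId -eq $role.id }
if (-not $eligible) { throw "$($me.userPrincipalName) is not eligible for $($role.displayName)" }

# Submit the activation: time-boxed, justified, tied to a ticket. PIM's role settings decide
# whether this also needs MFA or an approver before it is provisioned.
$request = Invoke-MgGraphRequest -Method POST -ContentType "application/json" `
    -Uri "$graph/roleManagement/directory/roleAssignmentScheduleRequests" -Body @{
        action           = "selfActivate"
        principalId      = $me.id
        roleDefinitionId = $role.id
        directoryScopeId = "/"
        justification    = "Investigate mailbox forwarding rules for a phishing report"
        ticketInfo       = @{ ticketNumber = "INC-0000"; ticketSystem = "ServiceNow" }   # placeholder
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString("o")
            expiration    = @{ type = "AfterDuration"; duration = "PT2H" }   # ISO 8601: two hours
        }
    }

# "Provisioned" means the role is active now; "PendingApproval" means an approver must act first.
"Request $($request.id): $($request.status)"

# When the work is done, hand the role back instead of waiting for the two hours to run out.
# Invoke-MgGraphRequest -Method POST -ContentType "application/json" `
#     -Uri "$graph/roleManagement/directory/roleAssignmentScheduleRequests" -Body @{
#         action = "selfDeactivate"; principalId = $me.id; roleDefinitionId = $role.id; directoryScopeId = "/" }
```

Every one of these requests shows up in the Azure AD audit log under the PIM category, so the justification and ticket fields are worth filling in properly: they are what an incident responder will read later.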
PIM is quite an elaborate – and important – feature, so it warrants its own article. The good news is, I’ve already written one. Click here to read about Privileged Identity Management in detail.
This was just a brief introduction to identity governance functionalities in Azure AD. Ensuring people can access what they need, when they need it, without compromising security, is key to employee productivity. It is also essential for collaboration with partners or subcontractors.
You can find more information on Azure AD identity governance in the articles linked in this post. If you have any questions, or if there’s anything else you’d like to read about, feel free to contact me.