In this post I will explain the purpose of Microsoft Entitlement Management and a step by step set up guide.
What is Entitlement Management?
An employee joins a company or a new team and has no idea which groups, applications, and SharePoint Online sites they need access to in order to perform their job. When the employee finally figures out what access is required, they face difficulty locating the right individuals to approve their access. Furthermore, the employee may not have been able to locate all the resources they require access to. But it gets worse, because once users find and receive access to a resource, they may hold on to it longer than is required. The end result is that a lot of time is wasted, and it causes frustration when an employee is not able to be productive in their role.
Entitlement management can help address these challenges. This service can control who can gain access to applications, groups, Teams and SharePoint sites, with multi-stage approval, and ensure users don’t retain access indefinitely through time-limited assignments and recurring access reviews. You can give users access automatically to those resources, based on the user’s properties like department or cost centre, and remove a user’s access when those properties change. You can delegate to non-administrators the ability to create access packages. These access packages contain resources that users can request.
When a user who isn’t yet in your directory requests access, and is approved, they’re automatically invited into your directory and assigned access. When their access expires, if they have no other access package assignments, their B2B account in your directory can be automatically removed. We need to ensure that we grant employees the right level of access they need to be productive and remove their access when it’s no longer needed.
Pre-requisites
To use entitlement management, you must have one of the following licenses:
- Microsoft Entra ID P2 or Microsoft Entra ID Governance licenses (Entra Governance provides additional capabilities compared to Entra ID P2; see the following link for a comparison: Entra ID Licenses Comparison)
- Enterprise Mobility + Security (EMS) E5 license
Prerequisite role:
- Global administrator or Identity Governance Administrator
Configuring Entitlement Management Step by Step
Now that we have a basic understanding of Entitlement Management, let’s go through and create an access package and allow a user to access the package.
1. Login to entra.microsoft.com or access portal.azure.com. For the purpose of this post, I will be using entra.microsoft.com
2. From the left pane, expand Identity > Identity Governance and click Entitlement Management
3. We first create a catalog. But what is the purpose of a catalog? Let’s find out.
A catalog serves as a container for resources and access packages. When you want to group related resources and access packages together, you create a catalog. The person who creates the catalog becomes its initial owner. The resources we will add later in this post must exist inside a catalog. Let’s create an empty catalog for now and cover the rest later.
Click Catalogs and Click +New Catalog
4. I’ll be creating a catalog for the Sales team
I will be enabling this catalog and enabling access for internal and external users so users from external directories can also request access. You could also disable this catalog until you are ready to publish. This will ensure that it’s not visible to users until you are ready.
5. Click Create and an empty catalog will be deployed in a few seconds. The catalog includes no access packages and resources for now.
6. Now we add resources to the catalog. The resources can include applications, SharePoint sites and groups. At the time of writing this post, a new addition is coming soon: the capability to add Microsoft Entra roles. Access the Sales Catalog created earlier.
7. From the left pane, click resources
8. Click + Add Resources
9. For the purpose of this demo, I’ll be adding a Group, Application and a SharePoint site.
Note: Groups synced from on-premises cannot be added as a resource.
10. When done, click the Add button found towards the left bottom corner.
11. Allow the resources to be added. This takes a few seconds
12. Now that I have added the resources to the catalog and because I was the one who created the catalog, I become the owner by default. I will now add another owner to the catalog so I can share the responsibility with a group of owners.
From the left pane, click Roles and Administrators
13. I have the option to add different admins to a number of roles, including catalog owner, catalog reader, access package manager and access package assignment manager.
I’ll be adding another catalog owner, click + Add catalog owner
14. For the purpose of this demo, I’ll be adding an existing group of users
15. If there is a need to disable or enable the Catalog so it is not visible to users, or if you wish to change the description, click the overview option available in the left pane.
Create Access Package
16. Now we need to advertise and make our catalog available to users. This is where we introduce an access package. From the left pane, click Access package and + New access package
17. Give your access package a name, for the purpose of this demo, I’ll be naming the access package Sales Access Package.
18. Give the access package a suitable description
19. Click Next: resource roles
20. Next, I click Groups and Teams and the one group I added to the catalog should be visible. At this point you can set the role for the group. For example, a user who requests access to this package will become an owner of the group or member. I’ll be selecting Member.
Note: if you only see the option of owner, you may have selected a dynamic group. The member option is not available by design.
We are also able to configure permissions for the other resources, SharePoint sites and Apps as shown in the image below.
21. Click Applications and the one app I added to the catalog earlier is visible. Finally, I add the SharePoint site from the catalog. As you can see, the catalog includes resources I can select, similar to shopping for clothes in a catalog. 🙂
Note: if you wish to add more resources at this point, you can enable the option to see all groups and Teams, or all apps, or all SharePoint sites. Below is an example where I can enable a check box to view all groups and Teams which were not originally added to the Sales Catalog.
21. When ready, click next to move onto the Request tab
22. This is where we configure who in our organisation can request this package, as in access to the SharePoint site, a group and one application. This is known as the policy.
- For users in your directory: this option only allows users in your Entra ID to request access.
- For users not in your directory: you add a connected organisation for the Microsoft Entra directory or domain you want to collaborate with. A connected organisation is another organisation that you have a relationship with. In order for the users in that organisation to be able to access your resources, such as your SharePoint Online sites or apps, you’ll need a representation of that organisation’s users in your directory. Because in most cases the users in that organisation aren’t already in your Microsoft Entra directory, you can use entitlement management to bring them into your Microsoft Entra directory as needed.
- None (administrator direct assignments only): administrators will need to verify that the users are eligible for that access package based on the existing policy requirements. Otherwise, the users won’t successfully be assigned to the access package.
23. I select For users in your directory
24. After enabling the option in step 23 above, a further option to select users or groups who can request this package becomes available, as shown in the image below.
25. Click the option + Add users and groups
26. Select a group of users who will be allowed to request access to this package. This could include groups created in Entra ID or synced from on-premises. You can also configure whether guests are allowed or excluded from requesting this package.
27. Next, I set Require approval to Yes, which makes further approval options visible. When users request this package, someone in the organisation can review and approve or deny access. I’ll be configuring approvals as follows:
- Require approval: Yes
- Require requester justification: Users must provide a justification to request an access package. Justification is visible to other approvers and the requestor.
- How many stages: How many people in your organisation need to approve before the package/resources are made available to the user requesting access. I could have one, two or three people approve access before the package is made available to the user.
28. For the purpose of this demo, I require one approver and that approver will be me. It is recommended to add a group instead of an individual user as an approver.
We could also select the user’s manager to approve access. A manager must be set on the user’s account for this to work.
29. The next option is Decision must be made in how many days? This is set to 14 days by default.
The approver must review and make a decision within 14 days. If a request is not approved within this period, it is automatically rejected. The minimum is one day and the maximum is 14 days. Feel free to lower the number of days as needed.
30. Next option: Require approver justification – The approver must provide a justification for their decision. Justification is visible to other approvers and the requestor.
31. Click Show advanced request setting
A further option: If no action taken, forward to alternative approver
This option allows the approval request to be forwarded to an alternative approver if the original approver does not respond on time.
32. Finally, we have the choice to enable or disable new requests. When disabled, no new requests can be made using this policy. Select Yes to enable this access package to be requested as soon as it’s created.
Required Verified IDs: this is a feature which requires a Microsoft Entra ID Governance license. Sometimes you may want users to present additional identity proofs during the request process such as a training certification, work authorisation, or citizenship status. As an access package manager, you can require that requestors present a verified ID containing those credentials from a trusted issuer. Approvers can then quickly view if a user’s verifiable credentials were validated at the time that the user presented their credentials and submitted the access package request. As an access package manager, you can include verified ID requirements for an access package at any time by editing an existing policy or adding a new policy for requesting access. I published a post about Verified ID at the following link, What is Microsoft Entra Verified ID? | Cloud Build
33. Next, we move onto the Requester information tab. If needed we can ask questions to collect more information from the requestor and specify whether the question is mandatory or optional.
34. Click next to move to the lifecycles tab.
On the Lifecycle tab, you specify when a user’s assignment to the access package expires. You can also specify whether users can extend their assignments and if further approval is required. In the Expiration section we have the following options.
- Access package assignments expire: we can set this to a number of days, a number of hours, a particular date, or never expires.
- Assignments expire after number of days: depending on the option set above, this field changes. I selected Number of days, therefore I need to specify the number of days before access expires for the user.
- Users can request specific timeline: if enabled, users requesting this access package will be able to submit a custom start or end date for their access. Their request cannot extend beyond the timeline defined in the policy for the access package.
- Allow users to extend access: when enabled, users will be able to request an extension of their access to this package before their access expires.
- Require approval to grant extension: if an extension is requested, the same approval settings used to approve initial access will apply.
- Require access reviews: when switched to Yes, further options are visible as shown in the image below. To reduce the risk of stale access, you should enable periodic reviews of users who have active assignments to an access package in entitlement management. You can enable reviews when you create a new access package or edit an existing access package assignment policy. Microsoft Entra ID P2 or Microsoft Entra ID Governance licenses are required for all approvers. Approvers can include Global administrator, Identity Governance administrator, Catalog owner, or Access package manager.
I have set access reviews to No for the purpose of this demo.
35. Finally, we move to the last tab, Custom Extensions
Custom extensions are part of the Entra ID Governance license.
Custom extensions allow the use of Logic Apps to automate certain tasks. For example, you could use custom extensibility and an Azure Logic App to automatically send notifications to end users on Microsoft Teams when they receive or are denied access to an access package. Or a user is sent a custom email; for example, a company wants to send an email to the sales team when a user is granted the sales team access package, so they are aware that a new sales member has joined the team. Or when a new user is approved for access to the Sales Access Package, a Logic App is automatically triggered which also assigns that person to the appropriate deals and contacts within Salesforce. Likewise, when someone is removed from the access package, a different Logic App is automatically triggered and reassigns the Salesforce artifacts they were responsible for. Automating these processes allows the team to focus more on getting actual work done rather than managing access. And more!
36. Click Review and Create.
Review your choices and click create.
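The same Request and Lifecycle settings chosen in steps 22 to 34 (requesters limited to one group, one approver, 14-day decision window, justification on both sides, time-limited assignment, access reviews off) can also be expressed as the Microsoft Graph v1.0 assignmentPolicy body. The following Python is an added example, not code from the post: the GUIDs are constructed placeholders, and the mapping of each portal toggle to a Graph property name is my reading of the v1.0 schema.

```python
"""Build the request body for
POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies
mirroring the portal choices in this walkthrough. No network calls are made."""

# Constructed placeholder object IDs (replace with real IDs from your tenant).
ACCESS_PACKAGE_ID = "00000000-0000-0000-0000-00000000aaaa"
REQUESTER_GROUP_ID = "00000000-0000-0000-0000-00000000bbbb"
APPROVER_USER_ID = "00000000-0000-0000-0000-00000000cccc"


def build_assignment_policy(access_package_id, requester_group_id, approver_user_id,
                            days_to_decide=14, assignment_days=90, allow_extension=True):
    """Return the assignmentPolicy JSON for one internal-requester policy."""
    # The portal allows a decision window of 1 to 14 days; enforce the same bounds here.
    if not 1 <= days_to_decide <= 14:
        raise ValueError("decision window must be between 1 and 14 days")
    if assignment_days < 1:
        raise ValueError("assignment must last at least one day")
    return {
        "displayName": "Sales Access Package - users in your directory",
        "description": "Requesters in one group, one approval stage, time-limited access",
        "allowedTargetScope": "specificDirectoryUsers",          # "For users in your directory"
        "specificAllowedTargets": [
            {"@odata.type": "#microsoft.graph.groupMembers", "groupId": requester_group_id}
        ],
        "expiration": {"type": "afterDuration", "duration": f"P{assignment_days}D"},
        "requestorSettings": {
            "enableTargetsToSelfAddAccess": True,                # "Enable new requests": Yes
            "enableTargetsToSelfUpdateAccess": allow_extension,  # "Allow users to extend access"
            "enableTargetsToSelfRemoveAccess": True,
            "allowCustomAssignmentSchedule": False,              # no user-chosen timeline
        },
        "requestApprovalSettings": {
            "isApprovalRequiredForAdd": True,                    # "Require approval": Yes
            "isApprovalRequiredForUpdate": allow_extension,      # "Require approval to grant extension"
            "isRequestorJustificationRequired": True,
            "stages": [{                                         # one stage, single approver
                "durationBeforeAutomaticDenial": f"P{days_to_decide}D",
                "isApproverJustificationRequired": True,
                "isEscalationEnabled": False,                    # no alternate approver
                "primaryApprovers": [
                    {"@odata.type": "#microsoft.graph.singleUser", "userId": approver_user_id}
                ],
            }],
        },
        "reviewSettings": {"isEnabled": False},                  # access reviews set to No
        "accessPackage": {"id": access_package_id},
    }
```

Post the returned dict as JSON with a token holding EntitlementManagement.ReadWrite.All; a group of approvers (the post's recommendation) swaps the singleUser entry for a groupMembers subject set.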
In the next post we will go through the process of requesting the access package as a user and go through the approval process. Click the following link to continue, Microsoft Entitlement Management – Request Access to an Access Package | Cloud Build.