Azure AD entitlement management and access reviews
In this tutorial, we will get an overview of Azure AD entitlement management and Azure AD access reviews.
What is Azure AD entitlement management?
Entitlement management in Azure Active Directory (Azure AD) is an identity governance capability that allows enterprises to manage the identity and access lifecycle at scale. This is accomplished by automating the procedures for access requests, access assignments, reviews, and expiration. Employees need access to a variety of groups, applications, and sites in order to do their jobs, and it is difficult to keep track of this access when regulations change.
Further, Azure AD entitlement management can help you more efficiently:
- Firstly, manage access to groups and applications
- Secondly, manage SharePoint Online sites for internal users
- Lastly, manage users outside your organization who need access to those resources.
Why use entitlement management?
Enterprise organizations often face challenges when managing employee access to resources such as:
- Firstly, users may not know what access they should have, and even if they do, they may have difficulty locating the right individuals to approve their access
- And after users find and receive access to a resource, they may hold on to access longer than is required for business purposes
These issues are exacerbated for external users that require access from another company, such as supply chain companies or other business partners. Consider the following scenario:
- Firstly, no one person may know all of the specific individuals in other organization’s directories to be able to invite them
- And, even if they were able to invite these users, no one in that organization may remember to manage all of the users’ access consistently
What can I do with entitlement management?
Here are some of the capabilities of entitlement management:
- Firstly, delegate to non-administrators the ability to create access packages. These access packages contain resources that users can request, and the delegated access package managers can define policies with rules for:
  - which users can request
  - who must approve their access
  - when access expires.
- Secondly, select connected organizations whose users can request access. When a user who is not yet in your directory requests access and is approved, they are automatically invited into your directory and assigned access. When their access expires, if they have no other access package assignments, their B2B account in your directory can be automatically removed.
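The expiry rule in the last bullet, as an added Python example (not code from Microsoft or this page): it models when an external user's B2B account becomes removable, namely once every access package assignment they hold has expired. The assignment records, package names and dates are constructed for the example.

```python
from datetime import date

# Constructed assignment records, modelled on entitlement management's access
# package assignments: each ties a user to a package with an expiry date.
# External (B2B) users are marked so the cleanup rule can apply to them only.
TODAY = date(2023, 6, 1)
ASSIGNMENTS = [
    {"user": "alice@contoso.example", "external": False,
     "package": "Finance apps", "expires": date(2023, 12, 31)},
    {"user": "guest_pat@supplier.example", "external": True,
     "package": "Supplier portal", "expires": date(2023, 5, 15)},
    {"user": "guest_pat@supplier.example", "external": True,
     "package": "Project Falcon", "expires": date(2023, 9, 30)},
    {"user": "guest_sam@supplier.example", "external": True,
     "package": "Supplier portal", "expires": date(2023, 5, 15)},
    {"user": "guest_sam@supplier.example", "external": True,
     "package": "Old audit", "expires": date(2022, 1, 1)},
]


def expired(assignment, today=TODAY):
    """An assignment is expired once its expiry date has passed."""
    return assignment["expires"] < today


def active_assignments(assignments, user, today=TODAY):
    """All assignments that still grant the user access as of today."""
    return [a for a in assignments if a["user"] == user and not expired(a, today)]


def b2b_accounts_to_remove(assignments, today=TODAY):
    """External users whose every access package assignment has expired.

    Mirrors the rule in the text: an expired assignment alone is not enough;
    the B2B account is only removable when no other package still grants access.
    """
    external_users = {a["user"] for a in assignments if a["external"]}
    return sorted(u for u in external_users
                  if not active_assignments(assignments, u, today))
```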
What are Azure AD access reviews?
Access reviews in Azure Active Directory (Azure AD) help enterprises manage group memberships, access to enterprise applications, and role assignments more efficiently. You can review user access on a regular basis to ensure that only the appropriate people have access.
Why are access reviews important?
Azure Active Directory allows you to collaborate with both internal and external users. Users may create groups, invite guests, connect to cloud apps, and work remotely from their office or home computers. The ease of self-service has made improved access management tools necessary.
- Firstly, as new employees join, how do you ensure they have the access they need to be productive?
- Secondly, as people move teams or leave the company, how do you make sure that their old access is removed?
- Then, excessive access rights can lead to compromises.
- After that, excessive access rights may also lead to audit findings, as they indicate a lack of control over access.
- Lastly, you have to proactively engage with resource owners to ensure they regularly review who has access to their resources.
When should you use access reviews?
- Firstly, too many users in privileged roles. It's a good idea to check how many users have administrative access, how many of them are Global Administrators, and whether there are any invited guests or partners that have not been removed after completing an administrative task. You can recertify the users assigned to Azure AD roles such as Global Administrator.
- Secondly, when automation is not possible. You can create rules for dynamic membership on security groups or Microsoft 365 Groups; where that is not possible, you can create a review on the group to ensure that only those who still need access keep it.
- Thirdly, when a group is used for a new purpose. If you have a group that is going to be synced to Azure AD, or if you plan to enable the application Salesforce for everyone in the Sales team group, it would be useful to ask the group owner to review the group membership before the group is used in a different risk context.
- Then, business-critical data access. It might be necessary to ask people outside of IT to regularly sign out and give a justification on why they need access, for auditing purposes.
- Lastly, have reviews recur periodically. You can set up recurring access reviews of users at set frequencies such as weekly, monthly, quarterly, or annually, and the reviewers will be notified at the start of each review.
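The review outcomes described in this list, as an added Python example (not code from Microsoft or this page): it models how an access review's settings turn reviewer responses into decisions. The default-decision options (None, Approve, Deny, Recommendation) and the 30-day inactivity rule behind review recommendations follow Azure AD's access review settings; the decision records, the sign-in dates and the justification check are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the decision items an access review instance
# returns: who was reviewed, what the reviewer decided, their justification,
# and the principal's last sign-in (None = never signed in). Values are made up.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
DECISIONS = [
    {"principal": "alice@contoso.example", "decision": "Approve",
     "justification": "Still on the project", "lastSignIn": NOW - timedelta(days=3)},
    {"principal": "bob@contoso.example", "decision": "Approve",
     "justification": "", "lastSignIn": NOW - timedelta(days=10)},
    {"principal": "carol@contoso.example", "decision": "NotReviewed",
     "justification": "", "lastSignIn": NOW - timedelta(days=45)},
    {"principal": "dave@contoso.example", "decision": "NotReviewed",
     "justification": "", "lastSignIn": NOW - timedelta(days=2)},
    {"principal": "erin@partner.example", "decision": "Deny",
     "justification": "Contract ended", "lastSignIn": None},
]

INACTIVE_DAYS = 30  # review recommendations flag principals with no sign-in in 30 days


def recommendation(item, now=NOW):
    """System recommendation: deny principals inactive for INACTIVE_DAYS or never signed in."""
    last = item["lastSignIn"]
    if last is None or (now - last).days >= INACTIVE_DAYS:
        return "Deny"
    return "Approve"


def resolve(item, default_decision="None", justification_required=True, now=NOW):
    """Return (final_decision, reason) for one decision item under the review's settings."""
    decision = item["decision"]
    if decision == "NotReviewed":
        # Reviewer never responded: the review's default decision setting applies.
        if default_decision == "Recommendation":
            return recommendation(item, now), "unreviewed; default follows recommendation"
        if default_decision in ("Approve", "Deny"):
            return default_decision, f"unreviewed; default decision {default_decision}"
        return "NotReviewed", "unreviewed; no default decision, access left unchanged"
    if decision == "Approve" and justification_required and not item["justification"].strip():
        # Local check for this example: an approval lacking the required
        # justification is flagged for follow-up rather than applied.
        return "NeedsJustification", "approved without the required justification"
    return decision, "reviewer decision"


def to_remove(items, **settings):
    """Principals whose access is removed when the review's decisions are applied."""
    return sorted(i["principal"] for i in items if resolve(i, **settings)[0] == "Deny")
```

With no default decision an unreviewed user keeps access, which is why a recurring review of privileged roles is usually paired with a Deny or Recommendation default.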
Reference: Microsoft Documentation, Doc 2