Surprisingly Simple - Identity Governance in Azure AD
One of my client had several requirements related to Identity and Access management for users belonging to their organization , users belonging to their partner organization and users synchronized from on-premises Active Directory Domain Services (aka Windows Active Directory.
In this post I will take each of the above requirement and explain the solutions offered by Azure AD as well as show you how to implement them.
Scenario-1 : Application and User access management for cloud identities (users belonging to client's own organization)
The client had several Enterprise Applications, User Groups, and SharePoint Online sites.
The client wanted to provide access to the above mentioned applications, user groups and SP Online site without the intervention of IT team and on-demand ( aka access request) .
For certain applications and SP Online sites client wanted to implement approval workflows for some of them automatic approval.
Client had 250 users who shall be managed using Entitlement Management via Identity Governance feature.
Prerequisites for Scenario-1
The client need to have Azure AD premium P2 or Enterprise Mobility + Security E5 license
License and registration of SaaS / Custom Applications in Azure AD
As many licenses as required for
Member users who can request an access package.
Member users who request an access package.
Member users who approve requests for an access package.
Member users who review assignments for an access package.
Member users who have a direct assignment or an automatic assignment to an access package.
What will you need to develop a Proof Of Concept (PoC) for scenario-1
Global Administrator privileges for Azure AD tenant
License as mention above ( You can use the trial version of Azure AD P2 license - watch the video below)
Applications you want to include in Access Package
Test User Account in Azure AD
Test Group in Azure AD
For this scenario we will see an example to register a SharePoint online site in the Access Package and then configure the access package so that it can be requested (in other words a user may request access through access package).
Create and Configure Catalog & Access Package using Azure AD Identity Governance
Watch the video below to know how to create and configure
Testing Identity Governance feature - Access Package
After we have configured the access package we want to test it to confirm that it works as expected.
Request Access via My Access Portal link
Access the application (in our case SharePoint Online Developer Site)
Conclusion - Scenario-1
We can create access package to automate identity governance and configure role assignment, group access, and application access.
We have granualr control over the several features of Access package .
Multiple Access Packages can be created for specific scenarios and put in a catalog