4 tools for Azure AD identity governance (with explanations)

Managing user identities and access is a struggle for many organisations. One of the ways to ensure the security of your resources is to implement identity governance. Today, we will share with you a few guides on the key mechanisms in Azure AD (now Microsoft Entra ID) that will allow you to execute it. Note that these functionalities are only available at the Azure AD Premium P2 license level. We have several important features for Identity Governance in AAD. They are:

• Entitlement Management – with it you can manage External and Internal user access to groups, teams, applications, and SharePoint sites.
• Access Reviews – this will help you with timeboxed repeatable reviews (manual and automatic) for your users' group membership.
• Terms of Use – it is a small tool but very useful when it comes to collaboration with external partners or contractors.
• Privileged Identity Management – you can use Just-In-Time access for your high privileged directory roles and resources (that's right, PIM is not only for Azure AD roles but also for resource roles).

There are also two more features that are related to AIG:

• Azure AD B2B– If you want to invite external users, you have to use Azure AD B2B. Remember there is a licensing limitation – 5 guests per one user from your tenant (if you have 100 users, you can invite up to 500 external users)
• Conditional Access – without a CA policy, you cannot use Terms of Use for external users.

But let's dive into the key features today.

How to enforce Terms of Use?

This is a simple but useful and often necessary feature that you can use when working with guests or external users. After all, you want all your users to be aware of the rules applicable to your environment. As a feature, it's quite simple and boils down to a PDF file uploaded to Azure. It will require all guests to review and accept terms of use when accessing the environment for the first time. The file can be uploaded by a user with Identity Governance and Conditional Access rights. All it takes is uploading the files under Terms of Use. Then you can configure a Conditional Access policy. The magic starts when we connect it with Azure AD Conditional Access. It's because CA allows us to configure a policy specifically for external users.

When a Guest/External user tries to access our application hosted in our Azure AD tenant, they trigger a Conditional Access policy. The user is redirected to the Terms of Use document which they need to read and accept to access your environment. When done, access to the environment is granted, and the Guest/External user can access every application where they have access. For step-by-step instructions on how to configure a policy for Terms of Use, visit this page.

How does Entitlement Management work?

Entitlement Management in Azure AD allows you to automate IAM processes, so you can manage identities at scale. It has 5 key components:

• Catalog – including Groups/Teams, Applications, and SharePoint Sites that can be used for Access Packages. It allows RBAC control.

Note: For non-Global Administrator / User Administrator users, resources have to be part of a Catalog.

• Access Package – a package that can be requested by internal or guest/external users that has specific resources and roles assignment already configured.
• Connected Organisations – organisations that can be issued with access packages.
• Reports
• Settings.

Inside the Resource Directory, we have Catalog 1 meant for sharing. It contains Group 1, Group 2, App 1, and Site 2. These resources are available for access packages.In the example, we have two access packages based on Catalog 1 resources:

• Access Package 1 (for internal use)
• Access Package 2 (for internal and external use).

There is also an Access Package Manager role assigned (using RBAC).We can share Access Package 1 with internal requestors. Access Package 2 has defined access policies for internal and external users, which means we can share it with requestors from inside and outside the organisation. Using Entitlement Management, you can share the same set of resources in many different ways, with many different users. Do this by creating individual Access Packages specifying resources you wish to share and assign them with the appropriate policies for your selected users. It is important to monitor access and permissions. You can view all actions in Azure AD and Log Analytics workspace workbooks. See this guide with detailed instructions on how to configure a catalog like this and how to manage user lifecycles for it.

How to set up Access Reviews?

When you share multiple resources with users within and outside of your organisation, it is good practice (and often a requirement) to conduct periodical access reviews. Their purpose is to determine whether the users still need access they have, and revoke it if not. Enforcing access reviews on a regular basis helps keep your environment protected. You'll also be removing the risk of having hundreds of people with unnecessary admin privileges. Using the Access Reviews feature in Azure AD you can check active permissions for:

• Access packages
• Teams and Groups
• Applications integrated with your Azure AD.

You can either enforce them at the access package level (using Entitlement Management) or set them up (as a recurrent or one-off event) in the Azure Portal by accessing the Identity Governance tab. The review process is cyclical, which means it doesn't really end. Just as your environment changes with each new user or resource, so do the required permissions. The access review cycle is a 5-step process.

The workflow is as follows:

1. Request notification– the reviewer receives an email with information that the review process started for a specific resource type (group, application, access package).
2. Membership review – based on the knowledge and recommendations, the reviewer decides for each user whether their access should be kept or revoked.
3. Membership confirmation – a double-check that the group of users that were reviewed should keep their access to a resource.
4. Stale membership removal – revoking access for users who no longer need it or haven't used a resource in X days (or based on another recommendation).
5. Status report – once the process round is complete, the system admin is informed of the results.

Who can be a reviewer? This depends on the resource and your organisation's policy. There are, however, some predefined options that you can choose from:

• Group Owners– as assigned in your Azure AD
• Selected users or groups– here you can add individuals who will perform the review, regardless of role
• Self-review– users can check and verify their own access permissions
• Managers of users (in Preview)– based on the Manager attribute from Azure AD.

To find out how to set up an Access Review, follow the step-by-step instructions featured in my earlier post.

What is Privileged Identity Management?

PIM is designed for managing access to critical assets. It can make your environment more secure by limiting the time when highly privileged roles are active and limiting them to a specific group of users. PIM is a great tool that you can use to enable Just-in-time (JIT) model for:

• Directory roles management– limit directory roles to a timeframe
• Resource roles management– limit resources roles to a timeframe
• Privilege access groups management (in Preview)– limit group membership to a timeframe.

Privileged Identity Management also protects your resources by enforcing additional requirements, such as:

• Approval requirement
• Multi-factor authentication usage
• Justification
• Notifications
• Audit history
• Access reviews.

All of these requirements can be set in the Azure Portal, in the Identity Governance tab. As a Global Administrator, you can also specify which users will be able to use this function. To assign a privileged role, a user needs to request it. The process looks as follows:

The Exchange Admin role is first assigned to a user. The user then requests this role and once it's approved by a Global Admin, they're assigned temporary privileged access.

1. To enable it, they need to open the PIM panel and request the role providing the required information.
2. The request is then moved to the Global Admin user for approval. As a part of the configuration, you can set other users than GAs to approve the roles.
3. The Global Admin decides if they want to accept the request or reject it.
4. If the decision was to accept the request, PIM starts the assignment process for User1.
5. User1 receives the requested role for a specific time (configured within the Exchange Administrator role).
6. When the assignment expires, User1 will be removed from the role.

PIM is quite an elaborate – and important – feature, so it warrants its own article. The good news is, we've already written one. Click here to read about Privileged Identity Management in detail.

More on Azure Active Directory identity governance

This was just a brief introduction to identity governance functionalities in Azure AD. Ensuring people can access what they need, when they need it, without compromising security, is key to employee productivity. It is also essential for collaboration with partners or subcontractors."