Azure AD identity governance — Part 5 — Govern access lifecycle

Alexander Filipin (AlexFilipin) · 4 min read · Apr 4, 2020

The blog series

  • Part 1 The basics
  • Part 2 Govern identity lifecycle
  • Part 3 Govern resource lifecycle
  • Part 4 Govern Azure AD B2B
  • Part 5 Govern access lifecycle
  • Part 6 Reach back to on-premises

If you are thinking about authorization management with Azure AD, it is important to understand which options are available. There has been a lot of hype lately about features like access reviews and entitlement management, but let’s not forget the basics.

Automation is king.

Would you rather that an employee has to request an access package on the first day of work or that based on Human Capital Management (HCM) information they already have enough permissions for their core tasks?

In this blog post I won’t go into detail about the implementation of the individual features, but I would like to show you which features are available so that you can choose the right feature for your use case.

Access lifecycle features

1. Dynamic groups

In Azure AD, you can use rules to determine group membership based on user or device properties [Source]. This is a very powerful function that should not be forgotten. As soon as Azure AD is filled with good data from an HCM system, dynamic groups can be used to build groups for the organizational units of the company as well as for functional roles in the company.

Certainly there are many other use cases in which dynamic groups can be helpful. The big advantage is that these groups are maintained automatically on the basis of the master data, so no additional end-user effort is required to maintain the groups. However, there may be some effort involved in maintaining the master data, which may not be accurate enough for the use cases or may not be updated in time. Furthermore, you may have to think about the automated creation of these groups, because the organizational structure of a company usually changes constantly. Once again, automation is king, so if the use case can be mapped with dynamic groups, it is usually the right choice.

Tip: You can also have Teams based on dynamic groups.

We must also be aware that it takes a great deal of organizational effort to initially model your permissions in organizational and functional roles, but there can also be simple use cases such as assigning licenses and company-wide permissions.

Marius Solbakken published a script for generating Azure AD dynamic groups; it’s a good starting point for automation. Thinking further, the script could regularly read the org / functional structure of the company and create the groups, e.g. via Azure Automation or an on-prem IAM system.
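To make the "one dynamic group per organizational unit" idea concrete, here is an added example (my own illustration for this post, not Marius Solbakken’s script and not Microsoft sample code). It takes a list of departments that stands in for an HCM export, checks whether the corresponding dynamic security group already exists, and creates it with a membership rule that also excludes disabled accounts. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and an account that holds the Group.ReadWrite.All permission; the group naming convention (DG-Dept-*) is my own.

```powershell
# Added example: create one dynamic security group per department from HCM-style master data.
# Assumes the Microsoft.Graph module and Group.ReadWrite.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All" -NoWelcome

# Constructed sample of the org structure; in practice this list comes from the HCM system
# (or the on-prem IAM system) on a schedule, e.g. from an Azure Automation runbook.
$departments = @("Finance", "Human Resources", "Legal")

foreach ($dept in $departments) {
    $displayName = "DG-Dept-$dept"                          # naming convention is an assumption
    $mailNickname = ($displayName -replace '[^A-Za-z0-9]', '') # mailNickname must be alphanumeric

    # Idempotency check: never create a second group with the same name on a re-run.
    $existing = Get-MgGroup -Filter "displayName eq '$displayName'"
    if ($existing) {
        Write-Output "Skipping $displayName (already exists, id $($existing.Id))"
        continue
    }

    # Dynamic membership rule: match on the HCM-sourced department attribute and drop
    # disabled accounts, so a leaver loses the permission as soon as the account is disabled.
    $rule = "(user.department -eq `"$dept`") and (user.accountEnabled -eq true)"

    $group = New-MgGroup -DisplayName $displayName `
        -Description "Dynamic group for department '$dept' (generated from HCM master data)" `
        -MailEnabled:$false -MailNickname $mailNickname -SecurityEnabled:$true `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $rule -MembershipRuleProcessingState "On"

    Write-Output "Created $displayName (id $($group.Id)) with rule: $rule"
}
```

Membership is evaluated asynchronously after the group is created, so members appear a few minutes later, and they move between groups whenever the department attribute changes in Azure AD. Because the rule is only as good as the master data, it is worth pairing such a script with a check on users whose department attribute is empty or not in the HCM list; those users land in no group and are the first sign of stale master data.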

2. Self-service / delegated group management

You can enable users to create and manage their own security groups or Office 365 groups in Azure AD. The owner of the group can approve or deny membership requests, and can delegate control of group membership [Source].

This is a simple solution for the assignment of permissions, with the following configuration options:

  • Group requires owner approval
  • Group is open to join for all users
  • Only the owners of the group can add members

Only an approval workflow by the group owners is possible here; should your use case require multi-step approval workflows, manager approval or expiration, Entitlement Management can help.

3. Self-service application assignment

Self-service application assignment is very similar to self-service group management, but it is focused on applications and is accessed via https://myapplications.microsoft.com instead of https://mygroups.microsoft.com / https://account.activedirectory.windowsazure.com/r#/groups.

4. Access reviews

Access reviews offer the possibility to carry out a re-certification of authorizations, often also called attestation. Our public documentation goes into detail about when to use them, but I want to at least show that access reviews can be used in many areas; understand them as a tool that can be helpful at various points:

  • Privileged roles
  • Exclusion groups, e.g. those used in your Conditional Access policies
  • Normal groups / teams
  • Access packages from entitlement management
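The exclusion-group case is the one I find most often neglected, so here is an added example (my own illustration, not code from the original post or from Microsoft) that schedules a recurring access review of a Conditional Access exclusion group. The group’s owners review its transitive members every three months, a justification is required for every approval, and members whose reviewer does not respond are denied and removed automatically. It assumes the Microsoft.Graph module and the AccessReview.ReadWrite.All permission; the group id is a placeholder.

```powershell
# Added example: quarterly access review of a Conditional Access exclusion group.
# Assumes the Microsoft.Graph module and AccessReview.ReadWrite.All.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All" -NoWelcome

$groupId = "<object-id-of-the-CA-exclusion-group>"   # placeholder: replace with your group's id

$definition = @{
    displayName             = "Quarterly review: Conditional Access exclusions"
    descriptionForAdmins    = "Members of this group bypass a Conditional Access policy; confirm each exclusion is still needed."
    descriptionForReviewers = "Approve only users who still need to bypass the policy. Everything else should be denied."
    # What is reviewed: everyone who is a member of the group, directly or via nested groups.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    # Who reviews: the owners of the group (they should know why each exclusion exists).
    reviewers = @(
        @{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true   # every kept exclusion needs a written reason
        recommendationsEnabled          = $true   # flag members with no recent sign-in
        autoApplyDecisionsEnabled       = $true   # remove denied members without a second manual step
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"  # silence from the reviewer means the exclusion is removed
        instanceDurationInDays          = 14
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$review = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions" `
    -Body ($definition | ConvertTo-Json -Depth 10) -ContentType "application/json"

Write-Output "Created access review definition $($review.id) (status: $($review.status))"
```

The important settings from a risk point of view are defaultDecision = "Deny" together with autoApplyDecisionsEnabled: an exclusion that nobody is willing to justify disappears on its own instead of lingering until someone remembers to look. Before enabling auto-apply on a production exclusion group, run one cycle without it to see which members the owners actually keep.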

5. Entitlement management

Entitlement management is the evolution of group self-service: it extends the capabilities of group self-service with functionalities like manager approval, multi-step approvals and time-dependent assignments with a start and end date.

Furthermore, access packages can be created in Entitlement Management, which bundle multiple permissions (groups, applications, SharePoint sites). The modeling of these access packages can be delegated directly to the business.

Currently, it is not yet possible to automatically assign access packages, e.g. based on dynamic groups. However, this would be very helpful for the permissions an employee needs on the first day of work (birthright permissions). Marius Solbakken published a solution that can help with this.

Finally, Entitlement Management can also take over the B2B user lifecycle; those who have followed this blog series already know this.

6. Service and custom solutions

Finally, there is also the possibility that services using the Azure AD identity stack provide their own functions for access management, e.g. direct permissions on SharePoint which are not based on a group, or complete in-house developments. I generally recommend using Azure AD groups in order to be able to use functions like Entitlement Management and Access Reviews in the long run.

The nuisance

As great as these Azure AD governance features may be, there is one big problem. Many customers are in a hybrid environment and need these governance features for their on-premises systems. Unfortunately, there is currently no out-of-the-box functionality to use these functions for on-premises systems or on-premises AD groups. In my next blog article I will show a way to use the governance functions mentioned here for on-premises.
