How to update Microsoft Entra Identity Governance Access Packages after renaming Azure Active Directory groups
What do we use Access Packages for?
At ClearBank, we use Microsoft Entra Identity Governance Access Packages to give our staff access to the Azure resources they need, following the principle of least privilege.
An access package is a bundle of all the resources with the access a user needs to work on a project or perform their task. — Microsoft
The principle of least privilege means giving a user account or process only those privileges which are essential to perform its intended function. — Wikipedia
They work really well for us and enable team members to have self-service access to the resources they need. We define what a package grants access to, the approval process, and how long the access is for.
All requests are logged for auditing purposes and can be linked back to work items. Being able to have different access packages and approvals for out-of-hours requests makes incident management smoother too.
The alternative would be a time-consuming and error-prone manual process, or giving more access than is required.
How do we set up our access packages?
We have Azure AD groups which have role-based access to specific Azure resources. Once granted, an access package provides a user temporary membership to one or more of these Azure AD groups, and therefore access to the configured resources.
A problem we faced when renaming AD groups
Sometimes the names of the AD groups underpinning the access packages change. For example, a team is renamed, or a group is renamed to better reflect its purpose.
When Azure AD groups are renamed, the old name continues to be shown in the Azure Portal when viewing the resource roles within an access package.
- Removing and re-adding the group to the access package doesn’t help. It will actually show the new name while you’re searching for the AD group, but once you click Select it will revert back to the old name.
- Leaving it for a while, e.g. 24 hours, also doesn’t help.
- This problem is not covered by the troubleshooting guide.
This makes it difficult to see which groups are really in an access package because the list you see won’t match the groups that are assigned.
The access package will give access to the correct groups, but when you’re administering them, you’ll see the old name.
The solution we found
We reached out to Microsoft Support and thankfully there is a workaround to this. Instead of looking at the access package, go to the Catalog, then Resources, and select the affected group: there’s a Refresh from origin (Preview) button!
A step-by-step walkthrough
We start with an access package containing the Azure AD group, “Example AD Group” …
Then we rename the AD group, perhaps because it belongs to a team that’s been renamed…
When we return to the access package, expecting to see the new name — the old one is still there…
The solution is to go to the Catalog for the access package…
The Catalog will also still show the old name. Select the AD group that needs updating. Unfortunately, you have to select each one individually…
Clicking Refresh won’t do anything, but Refresh from origin (Preview) will work…
In the Catalog we now see the correct name for the AD group we renamed…
And the access package has also been updated…
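Because the stale name is only cosmetic, the portal gives no hint about which catalog resources need the refresh. The script below is an added example (not code from the original post or from Microsoft): it compares the display name cached on each catalog resource with the group’s current name via Microsoft Graph, so you know which groups to select for Refresh from origin. It assumes the v1.0 `catalogs/{id}/resources` and `groups/{id}` endpoints, an `originSystem` value of `AadGroup` for groups, a bearer token in `GRAPH_TOKEN`, and the constructed sample data shown.

```python
"""Find access package catalog resources whose cached group name is stale."""
import json
import os
import urllib.error
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"  # assumed base URL and API version


def graph_get(path, token):
    """Minimal GET against Microsoft Graph; returns the decoded JSON body."""
    req = urllib.request.Request(GRAPH + path, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def find_stale_group_names(catalog_resources, live_group_name):
    """Return catalog resources whose cached displayName differs from the live group name.

    catalog_resources: list of accessPackageResource dicts (originSystem, originId, displayName).
    live_group_name: callable taking a group object ID and returning its current displayName
                     (None if the group cannot be read, in which case it is skipped).
    """
    stale = []
    for res in catalog_resources:
        if res.get("originSystem") != "AadGroup":  # assumed value for Entra groups
            continue
        current = live_group_name(res["originId"])
        if current is not None and current != res.get("displayName"):
            stale.append({"originId": res["originId"],
                          "cached": res.get("displayName"), "current": current})
    return stale


def report_stale_names(catalog_id, token):
    """Live version: list the catalog's resources and check each group's current name."""
    path = f"/identityGovernance/entitlementManagement/catalogs/{catalog_id}/resources"
    resources = graph_get(path, token)["value"]

    def live_name(group_id):
        try:
            return graph_get(f"/groups/{group_id}?$select=displayName", token)["displayName"]
        except urllib.error.HTTPError:
            return None  # group deleted or not readable with this token; skip it
    return find_stale_group_names(resources, live_name)


# Constructed sample: the catalog still caches the pre-rename name of one group.
SAMPLE_RESOURCES = [
    {"originSystem": "AadGroup", "originId": "00000000-0000-0000-0000-000000000001",
     "displayName": "Example AD Group"},
    {"originSystem": "AadGroup", "originId": "00000000-0000-0000-0000-000000000002",
     "displayName": "Unchanged Group"},
    {"originSystem": "AadApplication", "originId": "app-placeholder", "displayName": "Some App"},
]
SAMPLE_LIVE_NAMES = {"00000000-0000-0000-0000-000000000001": "Example Team Group",
                     "00000000-0000-0000-0000-000000000002": "Unchanged Group"}

if __name__ == "__main__":
    if os.environ.get("GRAPH_TOKEN") and os.environ.get("CATALOG_ID"):
        print(report_stale_names(os.environ["CATALOG_ID"], os.environ["GRAPH_TOKEN"]))
    else:
        print(find_stale_group_names(SAMPLE_RESOURCES, SAMPLE_LIVE_NAMES.get))
```

Each entry returned names the group to select in Catalog > Resources before clicking Refresh from origin (Preview); this only reports, it does not change anything in the tenant.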
How can we make this better?
Whilst the solution works, it’s not as smooth as it could be. So we’ve created a suggestion on the Microsoft Azure feedback site.
Please add your vote and comments on the link below if you have any ideas for how to further improve this preview feature.
Automatic refreshing of Azure AD group names for access packages
When Azure AD groups are renamed, the old name continues to be shown in the Azure Portal when viewing the resource roles within an access package. Removing and re-adding the group to the access package doesn’t help. And leaving it for a while, e.g. 24 hours, also doesn’t help. This makes it difficult to see which groups are in an access package.
There is a workaround to this, which is to go to the Catalog, then Resources, selecting the affected group, and then clicking “Refresh from origin (Preview)”.
It would be useful if this button was also available on the Resources view for the access package itself.
It would also be good if this could be done automatically, e.g. on a schedule, or when an access package is opened/modified.