How to update Microsoft Entra Identity Governance Access Packages after renaming Azure Active Directory groups

Tom Robinson, ClearBank. Published Mar 9, 2023.

What do we use Access Packages for?

At ClearBank, we use Microsoft Entra Identity Governance Access Packages to give our staff access to the Azure resources they need, following the principle of least privilege.

An access package is a bundle of all the resources with the access a user needs to work on a project or perform their task. — Microsoft

The principle of least privilege means giving a user account or process only those privileges which are essential to perform its intended function. — Wikipedia

They work really well for us and enable team members to have self-service access to the resources they need. We define what a package grants access to, the approval process, and how long the access is for.

All requests are logged for auditing purposes and can be linked back to work items. Being able to have different access packages and approvals for out-of-hours requests makes incident management smoother too.

The alternative would be a time-consuming and error-prone manual process, or granting more access than is required.

How do we set up our access packages?

We have Azure AD groups which have role-based access to specific Azure resources. Once granted, an access package provides a user temporary membership to one or more of these Azure AD groups, and therefore access to the configured resources.

A problem we faced when renaming AD groups

Sometimes the names of the AD groups underpinning the access packages change. For example, a team is renamed, or a group is renamed to better reflect its purpose.

When Azure AD groups are renamed, the old name continues to be shown in the Azure Portal when viewing the resource roles within an access package.

  • Removing and re-adding the group to the access package doesn’t help. The new name is shown while you’re searching for the AD group, but once you click Select it reverts to the old name.
  • Leaving it for a while, e.g. 24 hours, also doesn’t help.
  • This problem is not covered by the troubleshooting guide.

This makes it difficult to see which groups are really in an access package because the list you see won’t match the groups that are assigned.

The access package will give access to the correct groups, but when you’re administering them, you’ll see the old name.

The solution we found

We reached out to Microsoft Support and thankfully there is a workaround. Instead of looking at the access package, go to the Catalog, then Resources, and select the affected group: there’s a Refresh from origin (Preview) button!

A screenshot showing the “Refresh” and “Refresh from Origin” buttons

A step-by-step walkthrough

We start with an access package containing the Azure AD group, “Example AD Group” …

A screenshot of the Azure Portal showing an access package containing an Azure AD group named “Example AD Group”

Then we rename the AD group, perhaps because it belongs to a team that’s been renamed…

A screenshot of an Azure AD group called “Example AD Group WITH NEW NAME”

When we return to the access package, expecting to see the new name — the old one is still there…

A screenshot of the Catalog, showing the old Azure AD group name “Example AD Group”

The solution is to go to the Catalog for the access package…

A screenshot showing the link to the “Example Catalog” catalog

The Catalog will also still show the old name. Select the AD group that needs updating. Unfortunately, you have to select each one individually…

Clicking Refresh won’t do anything, but Refresh from origin (Preview) will work…

A screenshot showing the “Refresh” and “Refresh from Origin” buttons

In the Catalog we now see the correct name for the AD group we renamed…

A screenshot of the Catalog, showing the new Azure AD group name “Example AD Group WITH NEW NAME”

And the access package has also been updated…

A screenshot of the access package, now showing the new Azure AD group name “Example AD Group WITH NEW NAME”
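Because the stale name also appears in the Catalog, the cached display name on each catalog resource can be compared with the live group name to find which groups still need a Refresh from origin. The script below is an added example, not from the original post or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can read entitlement management and groups, and the catalog id is a placeholder you supply.

```powershell
# Added example (not from the original post): list Azure AD groups in an
# entitlement management catalog whose cached display name no longer matches
# the live group name, i.e. the candidates for "Refresh from origin (Preview)".
param(
    [Parameter(Mandatory = $true)]
    [string]$CatalogId   # placeholder: object id (GUID) of the catalog to check
)

Connect-MgGraph -Scopes 'EntitlementManagement.Read.All', 'Group.Read.All'

# Catalog resources hold the name captured when the group was added to the catalog.
$uri = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs/$CatalogId/resources"
$resources = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $resources += $page.value
    $uri = $page.'@odata.nextLink'   # follow paging until there is no next link
} while ($uri)

$stale = foreach ($r in $resources | Where-Object { $_.originSystem -eq 'AadGroup' }) {
    # originId is the object id of the underlying Azure AD group.
    try {
        $group = Invoke-MgGraphRequest -Method GET -ErrorAction Stop `
            -Uri "https://graph.microsoft.com/v1.0/groups/$($r.originId)?`$select=id,displayName"
        $currentName = $group.displayName
    } catch {
        # The group may have been deleted since it was added to the catalog.
        $currentName = '<group not found>'
    }
    if ($currentName -ne $r.displayName) {
        [pscustomobject]@{
            GroupId     = $r.originId
            CatalogName = $r.displayName   # the name the portal still shows
            CurrentName = $currentName
        }
    }
}

if ($stale) {
    $stale | Format-Table -AutoSize
} else {
    'All catalog group names match their Azure AD groups.'
}
```

Run it after a round of group renames, or on a schedule, to see which resources still need the manual refresh described above.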

How can we make this better?

Whilst the solution works, it’s not as smooth as it could be. So we’ve created a suggestion on the Microsoft Azure feedback site.

Please add your vote and comments on the link below if you have any ideas for how to further improve this preview feature.

Automatic refreshing of Azure AD group names for access packages

When Azure AD groups are renamed, the old name continues to be shown in the Azure Portal when viewing the resource roles within an access package. Removing and re-adding the group to the access package doesn’t help. And leaving it for a while, e.g. 24 hours, also doesn’t help. This makes it difficult to see which groups are in an access package.

There is a workaround to this, which is to go to the Catalog, then Resources, selecting the affected group, and then clicking “Refresh from origin (Preview)”.

It would be useful if this button was also available on the Resources view for the access package itself.

It would also be good if this could be done automatically, e.g. on a schedule, or when an access package is opened/modified.
