Implementing access packages – Planning and Implementing Secure Access


You can create access packages through the Identity Governance blade of the Azure portal. To configure a new access package, follow these steps:

  1. From the Identity Governance blade of the Azure portal, select Access packages under Entitlement management. Then, click New access package:

Figure 8.9 – Identity Governance – the Access packages page

  2. From the Basics tab, enter Name and Description details, and select which Catalog the access package will be created in (or select Create new catalog to create a new catalog that will contain this access package). Click Next:

Figure 8.10 – New access package – Basics

  3. From the Resource roles tab, click Groups and Teams to add Microsoft 365 Groups or Teams. Click Applications to add enterprise applications configured in your directory, and click SharePoint sites to add sites to be associated with this package. For each resource, select a Role. Click Next:

Figure 8.11 – New access package – Resource roles

  4. From the Requests tab, select who can request access to this access package. You can select For users in your directory, For users not in your directory, or None. Depending on your selection, you may have additional options for managing the scope (users, groups, and guests, as well as connected organizations).
  5. Also from the Requests tab, you can configure Approval options. You can choose to Require approval or Enable new requests, as well as choose whether you require Entra Verified IDs. Click Next:

Figure 8.12 – New access package – Requests

  6. From the Requestor information tab, you can enter additional questions for the requestor to answer, as shown in Figure 8.13:

Figure 8.13 – New access package – Requestor information

  7. Click Next to proceed.
  8. From the Lifecycle tab, you can configure an Expiration date for the assignment, as well as whether Access Reviews will be required (and their frequency). Click Next:

Figure 8.14 – New access package – Lifecycle

  9. From the Custom extensions (Preview) tab, if desired, choose a Stage option (such as Request is approved) and a workflow under Custom Extension. You must have configured a logic app as a custom extension ahead of time to use this feature:

Figure 8.15 – New access package – Custom extensions (Preview)

  10. Click Next.
  11. Review the settings and click Create.

Once an access package has been created, depending on your package settings, users may be able to request it (or it may be assigned by an administrator).

To manually add an assignment, follow these steps:

  1. From the Identity Governance blade, select Access packages and then choose the access package to assign.
  2. Under Manage, select Assignments.
  3. Click New assignment:

Figure 8.16 – Assigning an access package

  4. Select a policy, select a target (either User already in my directory or Any user), set start and end dates, and click Add.
  5. After the assignment is complete, the status will be Delivered. See Figure 8.17:

Figure 8.17 – Verifying access package assignment
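
The choices made on the Requests and Lifecycle tabs (who can request, approval, expiration, access reviews) are the ones worth checking after packages exist. The following is an added example, not part of the original text: it audits assignment policies exported as JSON against a simple baseline. The property names are assumed from the Microsoft Graph v1.0 accessPackageAssignmentPolicy resource, and the sample policies and the baseline rules are constructed for illustration.

```python
import json

# Constructed sample policies, shaped like Microsoft Graph v1.0
# accessPackageAssignmentPolicy objects (property names assumed from that API).
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Finance - employees", "allowedTargetScope": "allMemberUsers",
  "requestApprovalSettings": {"isApprovalRequiredForAdd": true},
  "expiration": {"type": "afterDuration", "duration": "P90D"},
  "reviewSettings": {"isEnabled": true}},
 {"displayName": "Finance - partners", "allowedTargetScope": "allExternalUsers",
  "requestApprovalSettings": {"isApprovalRequiredForAdd": false},
  "expiration": {"type": "noExpiration"},
  "reviewSettings": null},
 {"displayName": "Finance - admin assigned", "allowedTargetScope": "notSpecified",
  "requestApprovalSettings": {"isApprovalRequiredForAdd": false},
  "expiration": {"type": "afterDateTime", "endDateTime": "2030-01-01T00:00:00Z"},
  "reviewSettings": {"isEnabled": false}}
]""")

# Scopes that correspond to "For users not in your directory" on the Requests tab.
EXTERNAL_SCOPES = {"specificConnectedOrganizationUsers",
                   "allConfiguredConnectedOrganizationUsers", "allExternalUsers"}

def audit_policy(policy):
    """Return baseline findings for one policy; an empty list means none."""
    scope = policy.get("allowedTargetScope") or "notSpecified"
    approval = (policy.get("requestApprovalSettings") or {}).get("isApprovalRequiredForAdd", False)
    expires = (policy.get("expiration") or {}).get("type") in ("afterDuration", "afterDateTime")
    reviewed = (policy.get("reviewSettings") or {}).get("isEnabled", False)
    findings = []
    # Assumption: "notSpecified" is the Requests tab's "None" (admin-assigned only).
    if scope != "notSpecified" and not approval:
        who = "external users" if scope in EXTERNAL_SCOPES else "directory users"
        findings.append(f"{who} can self-request without approval")
    if not expires and not reviewed:
        findings.append("assignments never expire and are never reviewed")
    elif scope in EXTERNAL_SCOPES and not reviewed:
        findings.append("external assignments are not covered by access reviews")
    return findings

def audit_all(policies):
    """Map each policy's displayName to its findings."""
    return {p.get("displayName", "<unnamed>"): audit_policy(p) for p in policies}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_POLICIES).items():
        print(name, "->", findings or "meets baseline")
```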

FURTHER READING
You can learn more about common entitlement management scenarios and processes here: https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-scenarios.
