What is the access life cycle? – Planning and Implementing Secure Access
While the identity life cycle represents an identity as it moves throughout the organization, an access life cycle is used to manage how identities have permissions granted or revoked throughout their lifetime:
Figure 8.2 – Access life cycle overview
As users take on new roles, transfer to new departments, and shift responsibilities, the applications and resources they need to access change. The access life cycle is responsible for evaluating what users need to access to perform their duties.
What is the privileged access life cycle?
The privileged access life cycle is similar to the access life cycle, except that it is responsible for governing administrative access to resources such as Exchange or Azure Active Directory. Microsoft recommends a least privilege access model, where people only have access to perform their necessary duties – ideally, only during the time they need to perform those activities. This access model is commonly described as Just in Time (JIT) and Just Enough Administration (JEA) access.
Depending on the context, the privileged access life cycle can be implemented through a policy that tracks users’ standing (permanent) access roles as they move throughout an organization, or by managing access requests via JIT and JEA so that individuals can perform only the tasks they need to do. Azure AD’s Identity Governance features, such as Privileged Identity Management (PIM), allow organizations to manage how they grant and revoke administrative rights as individuals’ access needs change:
Figure 8.3 – Privileged access life cycle overview
Privileged identity management can be used for dedicated administrators, as well as normal users. The privileged access life cycle can help organizations ensure administrative functions are only accessed by those who need to perform administrative functions during specified times.
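The JIT pattern described above, as an added example that is not from the book or from Microsoft’s own documentation: a user who already holds an eligible PIM assignment activates a role for a bounded window and then confirms what is currently active. It uses the Microsoft Graph PowerShell SDK; the role name, justification and duration are assumptions, and the eligible assignment must already exist in PIM.

```powershell
# Added example: time-bound self-activation of an eligible Azure AD role via PIM.
# Assumes the Microsoft.Graph PowerShell module is installed and the signed-in
# user already has an *eligible* assignment for the role (JIT, not standing access).
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "User.Read"

# Resolve the caller's object ID and the role definition being requested.
$me   = Get-MgUser -UserId (Get-MgContext).Account
$role = Get-MgRoleManagementDirectoryRoleDefinition `
            -Filter "displayName eq 'Exchange Administrator'"   # assumed role

# Build the activation request: start now, expire automatically after 2 hours.
# The expiration is the "Just in Time" part; the narrow role is "Just Enough".
$request = @{
    Action           = "selfActivate"
    PrincipalId      = $me.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"                     # tenant-wide scope for this role
    Justification    = "Mailbox migration window, change CHG-0000 (placeholder)"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type     = "AfterDuration"
            Duration = "PT2H"                  # ISO 8601: two hours, then revoked
        }
    }
}

$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request
Write-Host "Activation request status: $($result.Status)"

# Verify what is actually active for this principal right now. Anything listed
# here without an EndDateTime is standing access and worth an access review.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$($me.Id)'" |
    Select-Object RoleDefinitionId, AssignmentType, StartDateTime, EndDateTime
```

If the PIM role setting requires approval or MFA on activation, the request returns in a pending state until those conditions are met rather than granting the role immediately.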
Planning and implementing Identity Governance
Identity Governance can be thought of as a method that’s used to manage the identity, access, and privileged access life cycles of an organization. In the context of Azure AD, Identity Governance can include managing access to teams, groups, applications, and roles.
Note
Identity Governance features in Azure AD require Azure AD Premium P2, either as a standalone service or included in a bundled SKU such as Enterprise Mobility and Security E5.
Before we explore how to configure the features of Identity Governance, let’s review some of its terminology and components:
- Access reviews: An access review is a process used to validate that an entity’s access to a resource – whether a group, team, application, or other resource – is still needed and compliant.
- Entitlements: Entitlements represent resources or roles that an entity (such as a user or guest) can access. Common entitlements include membership in Azure AD security groups, membership of SharePoint Online sites, membership in Microsoft 365 Groups and Teams, or assignments to enterprise applications.
- Entitlement management: Entitlement management is the overall term that describes the process of assigning resources.
- Access packages: Access packages are bundles or groups of resources (entitlements) that are assigned to a user to complete a role or task.
- Life cycle workflows: These are automated workflows that can be configured and extended to automate user onboarding, moves, and offboarding (sometimes referred to as move/add/change or joiner/mover/leaver processes).
- Connected organization: An external organization or tenant with which your tenant has a close working relationship.
With that common understanding covered, let’s look at working with entitlement packages or access packages.