Working with access packages – Planning and Implementing Secure Access


In this section, we’ll cover how to plan and implement an access package in Azure AD.

An access package, as previously stated, is a collection of resources and policies that can be assigned to users as a whole. Resources (groups, teams, sites, roles, and applications) are stored in a catalog. Someone who has been granted the access package manager role can create and administer packages with resources that already exist in the catalog. See Figure 8.4 for details:

Figure 8.4 – Access package hierarchy

Before we begin the access package planning process, let’s look at some configuration settings around Identity Governance.

Configuring Identity Governance settings

Identity Governance exposes a number of settings and support options, grouped into a few areas, that an administrator can manage.

To launch Identity Governance, navigate to the Azure portal (https://portal.azure.com), select Azure Active Directory, and then choose Identity Governance under the Manage section.

  1. You’ll notice that Identity Governance has five nodes under Entitlement management:

Figure 8.5 – The Identity Governance blade

  • The main feature areas we’re going to look at are Catalogs, Connected organizations, and Settings.

Catalogs

The Catalogs page contains a list of available catalogs in your organization. By default, every organization has a built-in catalog called General. You can use this catalog to manage your resources and access packages or create others as needed:

Figure 8.6 – Identity Governance – the Catalogs page

By selecting an existing catalog, you can view what Resources, Access packages, and Custom extensions (Logic Apps) are associated with the catalog. You can also view and assign delegated administrative Roles for the catalog and view Reports that include information on who has requested or been assigned access packages.

Connected organizations

Connected organizations are the Microsoft 365 or Azure AD tenants with which your organization works closely. Similar in concept to an Active Directory trust relationship, a connected organization allows external users from that tenant to request access to resources located in your tenant:

Figure 8.7 – Identity Governance – the Connected organizations page

When configuring a connected organization, you simply enter the name of the organization and one of the verified domains. Once you have added a connected organization, users from all verified domains in the external directory are recognized as part of the relationship.
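The two rules described above (an access package may only bundle resources that already exist in its catalog, and every verified domain of a connected organization counts as part of the relationship) as an added, offline example that is not from the book and does not call Azure AD. The catalog name, resource ids, organization and domains are constructed sample data; the classes are a simplified model of the entitlement management objects, not the Microsoft Graph schema.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Catalog:
    """A catalog holds the resources (groups, teams, sites, apps, roles) a package can draw on."""
    name: str
    resources: set[str]                      # constructed originIds added by a catalog owner
    packages: dict[str, set[str]] = field(default_factory=dict)

    def create_package(self, package: str, wanted: set[str]) -> set[str]:
        """Create an access package from catalog resources only.

        Returns the requested resources that are NOT in the catalog. If any are
        missing the package is refused rather than silently trimmed, so the
        access package manager sees exactly what a catalog owner must add first."""
        missing = wanted - self.resources
        if not missing:
            self.packages[package] = set(wanted)
        return missing


@dataclass
class ConnectedOrganization:
    """An external tenant; all of its verified domains are part of the relationship."""
    name: str
    verified_domains: set[str]


def connected_org_for(upn: str, orgs: list[ConnectedOrganization]) -> Optional[str]:
    """Return the connected organization an external user's domain maps to, or None."""
    domain = upn.rsplit("@", 1)[-1].lower()
    return next((o.name for o in orgs if domain in o.verified_domains), None)


# Constructed sample data: not real tenants, groups or domains.
GENERAL = Catalog("General", {"grp-finance-readers", "site-finance", "app-expense-portal"})
PARTNERS = [ConnectedOrganization("Fabrikam", {"fabrikam.example", "fabrikam-mail.example"})]


if __name__ == "__main__":
    # "app-payroll" is not in the General catalog, so the first attempt is refused.
    print("missing:", GENERAL.create_package("Finance reviewer", {"grp-finance-readers", "app-payroll"}))
    print("missing:", GENERAL.create_package("Finance reviewer", {"grp-finance-readers", "site-finance"}))
    # The user entered only one domain when adding Fabrikam; the second verified domain still matches.
    print(connected_org_for("ann@fabrikam-mail.example", PARTNERS))
    print(connected_org_for("bob@unknown.example", PARTNERS))
```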
