Using the hidden gems in Entra ID Governance access packages, all you need to know! – Part 4

A warm welcome to my next blog in the Identity Governance series, which is the fourth and last one about the ‘Hidden gems’ in Entra ID Governance access packages. In the first, second and third blog we already looked at features for configuring, using and customizing your access packages for your end users and guests. In this last part we will look specifically at the delegation and reporting functionalities within Access Packages.

As you know by now, you can go nuts on access packages; that is why (as mentioned above) I wrote four blogs to walk you through the hidden gems in access packages with some great examples:

  • In the first blog we looked at the hidden gems of the Access Package catalogs – in which I showed you some great features which you need to enable on your catalog before you can use them within your Access Package.
  • In the second blog we looked at the hidden gems of assignments in Access Packages – in which I showed you how you can dynamically assign an Access Package to end users matching specific criteria, and, more importantly, how this works together with separation of duties.
  • In the third blog we looked at the hidden gem of using a custom extension in Access Packages – in which I showed how to create a single access package which, after approval by the manager, sends the user a temporary access pass to enroll for Multi-Factor Authentication or passwordless methods.
  • In this last blog we will look at the power of delegation and reporting for Access Packages – in which I will end the story around Access Packages with the options you have to delegate some of the management within the business to more experienced IT users.

As mentioned, this fourth part of the ‘hidden gems’ in Entra ID Governance Access Packages will look at how we can delegate some access package management from IT to the business or stakeholders, so IT can focus on what really matters: ‘Adding new features and empowering the business to do more themselves’. Finally, we will look at the different reports which are available for Access Packages and which you, as an IT administrator, can use to improve the process for the business and your end users.

Now, time to dive into the use of ‘Delegation and Reporting’ within Entra ID Governance Access Packages!


The power of delegation and reporting for Access Packages

Step 1 – Delegating your way through Access Packages

Within Microsoft Entra ID we have the following directory roles by default available which will allow you to manage everything related to access packages in your tenant:

  • Global Administrator
  • Identity Governance Administrator

These roles are great if you are an Identity & Access Administrator and need to configure the Microsoft Entra ID Governance product in general, build Access Packages from the ground up or add new catalogs to set up additional delegation. However, you should never give these kinds of permissions to people who aren’t part of the Identity & Access Management team in your organization.

NOTE: For least privilege always use the Identity Governance Administrator role and never the Global Administrator role.

There are, however, plenty of cases where we want to delegate some of the Identity Governance tasks, for example:

  • Combine all resources of a specific country within a catalog, so the responsible IT person for that country is able to create access packages on their own, without needing the Identity & Access Administrator.
  • Combine all resources of a project within a catalog, whereby the project lead is an access package manager for that catalog.
  • Allow project leads to create catalogs on their own, whereby they automatically become the catalog owner of the catalogs they create.
  • And much more…

Now let’s have a look at which five additional delegation options are available apart from the directory roles when we look at Access Packages in Microsoft Entra.

#1 Catalog Creators

The first role is ‘Catalog creators’, which can be assigned to users within your directory by going to the Microsoft Entra Admin portal, opening the Identity Governance section, going to Entitlement Management, opening the ‘Settings’ pane and hitting ‘Edit’.

Once you’ve hit the ‘Edit’ button, you’re able to hit ‘Add catalog creators’.

In here, make sure you add the user which you want to provide ‘Catalog creator’ permissions and hit ‘Select’.

Once you’re ready and have added all users which you want to provide the ‘Catalog creator’ role hit ‘Save’.

If we now look at the user behavior, we can see that the ‘Catalog creator’ user is able to add a ‘New Catalog’.

The user is also able to configure all the desired settings on the catalog.

And once the catalog is created the user automatically becomes the owner of the catalog.

#2 Catalog Owners

As the user which we have given the ‘Catalog creator’ role now suddenly becomes a ‘Catalog owner’, let’s have a look at what we can do with these permissions. First of all, once you’re a catalog owner, you’re able to create, manage or delete Access Packages yourself and add or remove resources from the catalog.

Important to know, however, is that to be able to add resources you need to be an ‘Owner’ of the resources themselves as well. So, for instance, if I want to add a security group I need to be set as the ‘Owner’ of the catalog AND the group.

Finally, the ‘Catalog owner’ can delegate control to other users within the business, so that other users can become a catalog owner, catalog reader, access package manager or access package assignment manager.

#3 Catalog Readers

Now let’s look at the options of the ‘Catalog reader’ role. So, let’s add my test user to another catalog and give the user the ‘Catalog reader’ role on the ‘IT’ catalog. This gives the user insight into what’s already available and prevents multiple access packages being created which provide the same functionality.

Now if we look at the user behavior, the user can see the catalog and all its contents, including the access packages which I created in my earlier blogs. The ‘Catalog reader’ only has read permissions on these catalogs, so the user won’t be able to change or create access packages or add / remove resources; the ‘Catalog reader’ just has insight and can look at the existing configuration.

#4 Access Package Managers

Now let’s look at the options of the ‘Access Package Manager’ role. For that I changed the role of Johny Bravo from ‘Catalog owner’ to ‘Access Package Manager’ on the ‘Project X’ catalog.

Now as you can see the user is able to create, change or delete access packages within the ‘Project X’ catalog. Including policies and separation of duty changes.

The user, however, can now only use the resources which are already available within the catalog. New resources cannot be added, even if the user is an owner of those resources.

Finally, the user which has the ‘Access Package Manager’ role assigned can manage the assignments and requests as well.

#5 Access Package Assignment Managers

The latter can also be managed via the ‘Access Package Assignment Manager’ role, which is the last role that needs to be explained when it comes to delegation of Access Packages. For that I changed the role of Johny Bravo from ‘Access Package Manager’ to ‘Access Package Assignment Manager’ on the ‘Project X’ catalog.

As you can see, the user is now only able to manage assignments and requests and cannot make any other configuration changes outside the assignments and requests tabs.

With that the ‘Access Package Assignment Manager’ can add users to the access package, which could even be users who don’t have a B2B guest account (yet) within your tenant.

With that we have walked through all the options for delegation when it comes to access packages. If, however, you configured ‘Restricted access to the Microsoft Entra ID administration center’ within the ‘User settings’ of Entra ID, as shown below, additional action is required.

In that case the five roles above must be combined with the ‘Directory Readers’ role; otherwise these users won’t be able to open the Entra ID administration portal and therefore won’t be able to make changes to catalogs or access packages.
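The delegation steps above are all done in the portal. As an added example (not code from the original post), the same catalog-scoped role assignment, an audit of who holds delegated roles on a catalog, and the Directory Readers check from the caveat above can be scripted with the Microsoft Graph PowerShell SDK. The catalog name and user principal name are placeholders, the five role display names are looked up rather than hard-coded, and the script assumes the signed-in account holds the Identity Governance Administrator role.

```powershell
# Added example, not code from the original post.
# Requires the Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users and
# Microsoft.Graph.Identity.DirectoryManagement modules, and an account with the
# Identity Governance Administrator role (assumption).
Import-Module Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'EntitlementManagement.ReadWrite.All', 'User.Read.All', 'RoleManagement.Read.Directory'

$catalogName = 'Project X'                      # placeholder: catalog used in the post
$delegateUpn = 'johny.bravo@contoso.example'    # placeholder: the delegate
$roleToGrant = 'Catalog reader'                 # one of the five delegation roles

$catalog = Get-MgEntitlementManagementCatalog -Filter "displayName eq '$catalogName'"
$user    = Get-MgUser -UserId $delegateUpn
if (-not $catalog -or -not $user) { throw 'Catalog or delegate not found' }

# The five delegation roles are role definitions of the entitlement management
# RBAC provider; resolve the one we want by display name instead of hard-coding a GUID.
$roleDef = Get-MgRoleManagementEntitlementManagementRoleDefinition -All |
    Where-Object { $_.DisplayName -eq $roleToGrant }
if (-not $roleDef) { throw "Role '$roleToGrant' not found" }

# Catalog-scoped roles use an appScopeId of /AccessPackageCatalog/<catalog id>.
# (Catalog creator is tenant-wide instead and uses the scope '/'.)
New-MgRoleManagementEntitlementManagementRoleAssignment -BodyParameter @{
    principalId      = $user.Id
    roleDefinitionId = $roleDef.Id
    appScopeId       = "/AccessPackageCatalog/$($catalog.Id)"
}

# Audit: who holds which delegated role on this catalog?
Get-MgRoleManagementEntitlementManagementRoleAssignment -All `
    -Filter "appScopeId eq '/AccessPackageCatalog/$($catalog.Id)'" `
    -ExpandProperty roleDefinition |
    ForEach-Object {
        # Principals may be groups; fall back to the raw id when it is not a user.
        $p = Get-MgUser -UserId $_.PrincipalId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Principal = if ($p) { $p.UserPrincipalName } else { $_.PrincipalId }
            Role      = $_.RoleDefinition.DisplayName
        }
    } | Format-Table -AutoSize

# The caveat from the post: when access to the Entra administration center is
# restricted, delegates also need the Directory Readers directory role.
$dirReaders = Get-MgDirectoryRole -Filter "displayName eq 'Directory Readers'"
$isReader = $dirReaders -and (Get-MgDirectoryRoleMember -DirectoryRoleId $dirReaders.Id -All |
    Where-Object { $_.Id -eq $user.Id })
if (-not $isReader) {
    Write-Warning "$delegateUpn is not a Directory Reader; the portal will be blocked if admin center access is restricted."
}
```

Running the audit part on its own, for every catalog, is a cheap periodic check: delegated catalog roles do not show up in the directory role assignments most reviewers look at, so a stale ‘Catalog owner’ of a project that ended is easy to miss.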

Now that we know which roles are available for delegation when looking at Access Packages in Microsoft Entra, let’s have a look at the reporting functionality for Access Packages.


Step 2 – Using the access package reporting functionality for troubleshooting or improvements

When going to the Microsoft Entra Admin portal, opening the Identity Governance section and navigating to Entitlement Management, we can see that default reports are available under the ‘Reports’ tab, as shown below.

NOTE: This tab only works for users with the Global Reader, Identity Governance Administrator role or the Global Administrator role.

Once we open the ‘Reports’ tab we can see that there are three different kinds of access package reports available, which are:

  • Access packages for a user
  • Resource assignments for a user
  • Insights and reporting (Preview)

If we look at the first report, ‘Access packages for a user’, we can check which access packages the end user can request and which access packages are already assigned to the end user. To get results, hit ‘Select user’ and select a user within your tenant; you then see which ‘Access Packages’ the user is able to request, and for each access package you can see which policy would be applied if the user requested access to it.

On the ‘Assigned’ tab we can also see which access packages the user is currently assigned to. This overview can be very helpful for troubleshooting, but also to verify the policy configuration of an Access Package.

If we look at the second report, ‘Resource assignments for a user’, we can check which resources a user was given access to via access packages. To get results, we again hit ‘Select user’, select a user within your tenant, and see which resources were granted via which access package.

In the example below you can see that the application ‘Slack’ and the security group ‘SG-IdentityMan-WindowsInsider-ReleasePreview-Channel’ are both added to my test account via two individual access packages.

In the third and last report available within this section, ‘Insights and Reporting (Preview)’, we can see all activities for a selected access package in your environment. So, if you need to know why a user was removed from or added to an access package, or who approved the request of an end user, the ‘Insights and Reporting (Preview)’ report can easily help you out.

As you can see below, one user has been removed from the access package ‘Request Temporary Access Pass’, because the assignment within the access package simply expired. Again, this report can be very helpful when troubleshooting access which got revoked.

With that we have looked at all three reports available around access packages, which is great if you have the Identity Governance Administrator role or Global Administrator role assigned. However, what if we applied delegation as described in step 1 of this blog?

In that case the users with the Catalog Creator, Catalog Owner, Catalog reader, Access Package Manager or Access Package Assignment Manager roles can go to the catalog which they got access to and are able to open the ‘Reports’ tab.

On the ‘Reports’ tab we can run a single report, ‘Access Packages for a user’. This provides the same overview as explained earlier, but limited to the access packages in the selected catalog.

Now that we’ve walked through all the reporting functionalities in Entitlement Management, is there anything more to add when it comes to reporting? Well, yes: Microsoft recently launched the Entra ID Governance dashboard, which is still ‘under construction’. This dashboard can be found by going to the Microsoft Entra Admin portal, opening the Identity Governance section and hitting ‘Dashboard’.

As you can see, the dashboard today provides an overview of what you’re using in your tenant which has, or could have, a relation to Entra ID Governance. For example, my environment contains the 11 access packages which I created.

The dashboard also reports on applications with direct user assignments, which you should rather put into an Access Package. However, hitting the ‘Create access package’ button today doesn’t have the intelligence to build one for the applications that, for instance, have a direct user assignment. Instead, it brings you to the Access Packages overview where you create a new access package yourself, without any predefined input.

Is this the case for all the knobs on the Entra Identity Governance dashboard? No, there is actually one very valuable report available here, called ‘View inactive guests’.

This report gives you real insight into the use of guest identities in your tenant, and reports which identities have been inactive for 90 days (i.e. had no sign-in).
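Both the ‘Resource assignments for a user’ report from earlier in this step and the ‘View inactive guests’ tile are point-and-click in the portal. The script below is an added example (not code from the original post) that reproduces both with the Microsoft Graph PowerShell SDK, so the output can be scheduled or kept as evidence. The user principal name is a placeholder; the script assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules are installed, that the signed-in account can read entitlement management data, and that the tenant has the Entra ID P1 licence and AuditLog.Read.All scope which the signInActivity property requires.

```powershell
# Added example, not code from the original post: script versions of the
# 'Resource assignments for a user' report and the 'View inactive guests' tile.
# Assumptions: Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users are
# installed; signInActivity needs AuditLog.Read.All and an Entra ID P1 licence.
Import-Module Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users
Connect-MgGraph -Scopes 'EntitlementManagement.Read.All', 'User.Read.All', 'AuditLog.Read.All'

$userUpn = 'test.user@contoso.example'   # placeholder: the user to report on
$user = Get-MgUser -UserId $userUpn

# 1. Resource assignments for a user: which access packages the user holds, through
#    which policy, until when, and which resources that package bundles. The state
#    column shows assignments that expired, which is the "why was I removed" answer.
$assignments = Get-MgEntitlementManagementAssignment -All `
    -Filter "target/objectId eq '$($user.Id)'" `
    -ExpandProperty 'accessPackage', 'assignmentPolicy'

$resourceReport = foreach ($a in $assignments) {
    # Nested $expand pulls the resource roles (group, app, site) behind the package.
    $pkg = Get-MgEntitlementManagementAccessPackage -AccessPackageId $a.AccessPackage.Id `
        -ExpandProperty 'resourceRoleScopes($expand=role,scope)'
    $resources = ($pkg.ResourceRoleScopes | ForEach-Object {
        "$($_.Scope.DisplayName) [$($_.Role.DisplayName)]" }) -join ', '
    [pscustomobject]@{
        AccessPackage = $a.AccessPackage.DisplayName
        Policy        = $a.AssignmentPolicy.DisplayName
        State         = $a.State                          # e.g. delivered, expired
        ExpiresOn     = $a.Schedule.Expiration.EndDateTime
        Resources     = $resources
    }
}
$resourceReport | Format-Table -AutoSize

# 2. Inactive guests: every guest, with the most recent of the interactive and
#    non-interactive sign-in timestamps. Guests with no signInActivity at all are
#    reported separately, because "never signed in" and "inactive for 90 days"
#    call for different follow-up (and signInActivity only covers the audit
#    retention window, so an old guest may look like it never signed in).
$cutoff = (Get-Date).ToUniversalTime().AddDays(-90)
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" -ConsistencyLevel eventual -CountVariable guestCount `
    -Property 'id,displayName,userPrincipalName,createdDateTime,signInActivity'

$guestReport = foreach ($g in $guests) {
    $last = @($g.SignInActivity.LastSignInDateTime, $g.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if (-not $last)            { $status = 'never signed in' }
    elseif ($last -lt $cutoff) { $status = 'inactive 90d+' }
    else                       { $status = 'active' }
    [pscustomobject]@{
        Guest      = $g.UserPrincipalName
        Created    = $g.CreatedDateTime
        LastSignIn = $last
        Status     = $status
    }
}
$guestReport | Where-Object { $_.Status -ne 'active' } | Sort-Object Status, LastSignIn | Format-Table -AutoSize
```

The guest part deliberately filters on `userType` server-side and on the sign-in date client-side: Graph lets you filter on `signInActivity/lastSignInDateTime`, but not combined with other properties, and a date filter silently drops guests that have no sign-in record at all, which are exactly the accounts you most want to see before deciding whether an access review or removal is due.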

Let’s hope that Microsoft will bring more and more reports to this dashboard as reporting, gaining, and providing insights is a crucial part in the Entra ID Governance process.

Now that we have walked through the reporting part as well, let’s wrap up with the conclusion of the final blog of the hidden gems in Azure AD Access Packages.


Conclusion

Now that we’ve walked through the above two steps, you know the power of delegation and reporting in Entra ID Governance Access Packages. You know how you can delegate at directory level, but also at access package catalog level with the five additional roles within Identity Governance. Besides that, you have seen all the reporting functionalities which are available within Microsoft Entra ID Governance, and you’re able to use these reports to either troubleshoot the access package process or verify the policy configuration.

With this we can conclude that delegating permissions on Access Package catalogs to the right users, like project leads, IT persons or other delegates, gives these delegates the ability to easily manage access packages themselves.

Furthermore, we can conclude that once you’re using Access Packages at scale, reporting is extremely handy. Especially when it comes to policy evaluation, to see whether the policy is configured correctly and whether the user matches the right policy. On the other hand, from a troubleshooting perspective the reporting part adds value to check whether permissions were given by an Access Package, and even if and when these permissions will expire.

With that being said, I hope you enjoyed reading this new blog within the Azure AD Identity Governance series! Stay tuned for my next blog, which will be all about the power of Access Reviews in your environment, where we will take a closer look at the possibilities of Access Reviews and how to manage them at scale.
