
Using Azure AD Entitlement Management for Automated Access

cubesys

Azure Active Directory (Azure AD) Entitlement Management now includes a preview feature: automatic assignment policies. With it, Azure AD dynamically changes a user's access to groups, Teams, SharePoint sites, and applications whenever the user's attributes change, for example when they switch departments, go on leave, or join or leave the company.

The benefit of such a policy is that it streamlines access management at scale: administrators no longer have to step in each time a user's access needs to change. It also removes the need for users to submit requests manually, so access is removed as soon as the user's attributes no longer justify it, and new access is granted without waiting for admin approval.

Automating access based on user attributes

Say you wanted to create an access package in Azure AD Entitlement Management for members of a specific department at your company. In this package, you may put two different policies in place:

  • Employees request access and, upon approval, have it reviewed every 60 days
  • External members request access and, upon approval, have it reviewed every 30 days

With automatic assignment policies, you can add a third policy to this package: employees of that department are assigned the package automatically, based on the value of the user's department attribute, and keep it only for as long as that attribute still matches the rule.

First, sign into your Azure Portal and select Azure Active Directory. Then, click on the Identity Governance blade followed by the Access packages blade.

Access Packages blade in Entitlement Management.

Then, open the access package you want to automate and click Add auto assignment policy.

Adding auto assignment policies in the Access Package blade.

You need to specify a rule that selects the users. The rule is a dynamic membership rule expression, the same syntax used for dynamic groups, written against user attributes such as department, and those attributes are typically populated from your company's HR system. Because the rule replaces the approval step, the attributes it reads must be as trustworthy as an approver: make sure only the HR provisioning flow (or a small set of administrators) can write them, since anyone who can change a user's department attribute can also grant that user the package.

Creating dynamic membership rules.

After the policy has been created, Azure AD evaluates the rule and automatically assigns the access package to users who match it, and removes the assignment once a user no longer matches. Users who need the department's resources gain access without submitting a request.
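The same policy can be created from a script, which is easier to review and repeat than the portal steps above. The following PowerShell is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest) and the Graph accessPackageAssignmentPolicy schema. It first lists the users whose department attribute currently matches the rule, so you can see who would be granted the package without approval, and only then creates the policy. The access package ID, the department value "Marketing" and the seven-day grace period are placeholders you would replace.

```powershell
# Added example (not from the original post): preview who a department rule
# matches today, then create the auto assignment policy via Microsoft Graph.
# Assumptions: the access package already exists and its object ID is passed
# in -AccessPackageId; the Microsoft.Graph.Authentication module is installed.
param(
    [Parameter(Mandatory)] [string] $AccessPackageId,   # placeholder: existing access package
    [string] $Department = 'Marketing',                 # placeholder department value
    [switch] $WhatIf                                    # preview only, create nothing
)

Connect-MgGraph -Scopes 'EntitlementManagement.ReadWrite.All', 'User.Read.All'

# 1. Preview: list users whose department attribute equals the rule value.
#    Every user listed here will receive the package with no approval step,
#    so review the list (and who can write the attribute) before continuing.
$escaped = $Department.Replace("'", "''")   # OData single-quote escaping
$uri = "https://graph.microsoft.com/v1.0/users?`$filter=department eq '$escaped'" +
       "&`$select=id,displayName,userPrincipalName,department"
$matched = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $matched += $page.value
    $uri = $page.'@odata.nextLink'        # follow paging until exhausted
} while ($uri)

Write-Host ("{0} user(s) currently have department = '{1}':" -f $matched.Count, $Department)
$matched | ForEach-Object { Write-Host ("  {0} <{1}>" -f $_.displayName, $_.userPrincipalName) }

if ($WhatIf) { return }

# 2. Create the policy. The membership rule uses the dynamic group rule syntax.
$rule = '(user.department -eq "{0}")' -f $Department

$policy = @{
    displayName            = "Auto-assign: $Department department"
    description            = "Automatic assignment for users whose department attribute is '$Department'"
    allowedTargetScope     = 'specificDirectoryUsers'
    specificAllowedTargets = @(
        @{
            '@odata.type'  = '#microsoft.graph.attributeRuleMembers'
            description    = "Users with department = $Department"
            membershipRule = $rule
        }
    )
    automaticRequestSettings = @{
        requestAccessForAllowedTargets             = $true   # assign as soon as the rule matches
        removeAccessWhenTargetLeavesAllowedTargets = $true   # revoke when the attribute stops matching
        gracePeriodBeforeAccessRemoval             = 'P7D'   # ISO 8601 duration (placeholder: 7 days)
    }
    accessPackage = @{ id = $AccessPackageId }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies' `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType 'application/json'

Write-Host "Created auto assignment policy $($created.id) on access package $AccessPackageId"
```

Run it with -WhatIf first to get only the preview list; the user filter approximates what the rule will match and is a useful sanity check that the department values coming from HR are spelled consistently. Keep the script under source control so changes to the rule are reviewed like any other access-control change.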

Some other uses for automatic assignment policies include:

  • Controlling access across multiple resources
  • Controlling access with multiple policies to contain both rules and exceptions, allowing exceptions to be automatically reviewed at a regular frequency
  • Running automated workflows upon users receiving or losing assignments
