Let's explore the identity governance tools enabling greater levels of security and control for Azure AD administrators.
Azure Active Directory (AAD) provides many opportunities for consolidating access around your users’ identities, provisioning your staff onto AAD-aware applications (and ultimately your organisation’s data), and granting access to external users (partners, suppliers, etc.) too.
At the same time, granting access to individuals comes with risks to that data – particularly where, for example:
Azure AD’s Identity Governance tools can help get all of this under control, giving you the control you need to liberate your users.
There are some key areas that make up the governance suite within Azure AD. Let’s look at how each of these enables greater control over your identities and their levels of access.
Entitlement management in Azure Active Directory gives you the ability to create ‘access packages’ that group together sets of resources you would normally provide to many users. Resources can be security or Office 365 groups, applications, or SharePoint sites.
Managers can define how the access packages are rolled out – for example:
This means that entitlements can be grouped into manageable sets, simplifying employee onboarding, but also reducing the number of ‘loose ends’ produced by mover and leaver processes.
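To make the ‘loose ends’ point concrete, here is a small added model of access packages. It is example code written for this article, not Azure AD’s entitlement management implementation: the package name, resource names, user names and the 365-day assignment lifetime are all constructed. Access is always derived from the current assignments, so revoking or expiring one assignment removes every bundled resource at once, which is the behaviour a leaver process relies on.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example: a minimal model of access packages, not Azure AD's own
# implementation. Resource kinds mirror the three kinds the article names.
@dataclass(frozen=True)
class Resource:
    kind: str   # "group", "application" or "sharepoint_site"
    name: str

@dataclass(frozen=True)
class AccessPackage:
    name: str
    resources: frozenset        # everything a member of the package receives
    max_assignment_days: int    # assignments lapse unless renewed

@dataclass
class Assignment:
    user: str
    package: str
    expires: date

class EntitlementStore:
    """Tracks packages and per-user assignments; access is derived, never stored."""

    def __init__(self):
        self.packages = {}
        self.assignments = []

    def define(self, package):
        self.packages[package.name] = package

    def assign(self, user, package_name, today):
        package = self.packages[package_name]   # KeyError for an unknown package
        expires = today + timedelta(days=package.max_assignment_days)
        self.assignments.append(Assignment(user, package_name, expires))
        return expires

    def revoke(self, user, package_name):
        """Leaver or mover: dropping the assignment drops every bundled resource."""
        before = len(self.assignments)
        self.assignments = [a for a in self.assignments
                            if not (a.user == user and a.package == package_name)]
        return before - len(self.assignments)

    def expire(self, today):
        """Remove assignments that have lapsed and return them for audit."""
        lapsed = [a for a in self.assignments if a.expires <= today]
        self.assignments = [a for a in self.assignments if a.expires > today]
        return lapsed

    def effective_resources(self, user, today):
        """Union of resources from the user's unexpired assignments."""
        granted = set()
        for a in self.assignments:
            if a.user == user and a.expires > today:
                granted |= self.packages[a.package].resources
        return granted

# Constructed sample package: one onboarding bundle for engineers.
ENGINEERING = AccessPackage(
    name="engineering-onboarding",
    resources=frozenset({
        Resource("group", "sg-engineering"),
        Resource("application", "Jira"),
        Resource("sharepoint_site", "Engineering Wiki"),
    }),
    max_assignment_days=365,
)
START_DATE = date(2024, 1, 15)   # constructed joining date

def demo():
    """Onboard a user, then offboard them; returns resource counts before/after."""
    store = EntitlementStore()
    store.define(ENGINEERING)
    user = "newhire@contoso.example"
    store.assign(user, ENGINEERING.name, START_DATE)
    on_day_one = store.effective_resources(user, START_DATE)
    store.revoke(user, ENGINEERING.name)
    after_leaving = store.effective_resources(user, START_DATE)
    return len(on_day_one), len(after_leaving)

if __name__ == "__main__":
    print(demo())
```

The point of the model is that nothing is granted directly to the user; a single revoke or expiry clears all three resources, whereas group, application and site memberships granted one by one would each need to be found and removed separately.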
Access reviews allow you to periodically review membership of a group or access to an application.
The process can provide automated access removal if users do not respond to the access review emails.
This mitigates against unchecked growth of security groups or access to other resources.
Over time, the membership of a group can become bloated or diffuse. An example of this could be a group based around a specific project. The original group is set up following a request to the service desk and is populated with the relevant users.
However, this type of group does not have a static membership. Over time, additional users will be added to the group as and when they join the project. It is very likely that users who leave the project remain in the group as there is not normally a request for people to be removed.
This type of growth leaves access in place for people who do not need it anymore.
An access review does exactly what you think it should do. The group owners – for example, the project or application manager – are asked to review the membership of the group and mark those who should no longer be members. These can then be automatically removed from the group.
Access reviews can be applied to groups or applications and can be set to repeat on a regular basis allowing for ongoing governance.
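The following added example models the review process described above for the project group scenario: owners mark each member, anyone the owner never responds about receives the policy’s default decision, and the results are applied automatically. It is illustrative code written for this article, not an Azure AD component; the group members and decisions are constructed, and Azure AD’s own options for unreviewed members are richer than the approve-or-deny default modelled here.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    APPROVE = "approve"            # reviewer confirmed the member still needs access
    DENY = "deny"                  # reviewer marked the member for removal
    NOT_REVIEWED = "not_reviewed"  # reviewer did not respond for this member

@dataclass(frozen=True)
class ReviewSettings:
    default_decision: Decision = Decision.DENY  # applied to unreviewed members
    auto_apply: bool = True                     # apply results without a manual step

@dataclass
class ReviewOutcome:
    kept: list
    removed: list
    unreviewed: list   # members the default decision was applied to

def evaluate_review(members, decisions, settings):
    """Evaluate one review instance; 'decisions' maps member -> Decision."""
    kept, removed, unreviewed = [], [], []
    for member in members:
        decision = decisions.get(member, Decision.NOT_REVIEWED)
        if decision is Decision.NOT_REVIEWED:
            unreviewed.append(member)
            decision = settings.default_decision
        (kept if decision is Decision.APPROVE else removed).append(member)
    return ReviewOutcome(kept, removed, unreviewed)

def apply_outcome(members, outcome, settings):
    """Return the post-review membership; unchanged when auto-apply is off."""
    if not settings.auto_apply:
        return list(members)
    return [m for m in members if m not in outcome.removed]

def run_recurring_reviews(members, review_rounds, settings):
    """Replay several periodic reviews; each round is a decisions dict."""
    history = []
    current = list(members)
    for decisions in review_rounds:
        outcome = evaluate_review(current, decisions, settings)
        current = apply_outcome(current, outcome, settings)
        history.append(outcome)
    return current, history

# Constructed sample data: a project group whose membership has drifted.
PROJECT_GROUP = [
    "alice@contoso.example",
    "bob@contoso.example",
    "carol@contoso.example",   # left the project months ago, never removed
    "dave@contoso.example",    # owner is unsure and never responds
]
OWNER_DECISIONS = {
    "alice@contoso.example": Decision.APPROVE,
    "bob@contoso.example": Decision.APPROVE,
    "carol@contoso.example": Decision.DENY,
}

def demo():
    """Run the review under a remove-on-no-response policy."""
    settings = ReviewSettings(default_decision=Decision.DENY, auto_apply=True)
    outcome = evaluate_review(PROJECT_GROUP, OWNER_DECISIONS, settings)
    return apply_outcome(PROJECT_GROUP, outcome, settings)

if __name__ == "__main__":
    print(demo())
```

With the default decision set to deny, both the explicitly rejected member and the one nobody reviewed are removed; with it set to approve, the unreviewed member silently keeps access, which is exactly the unchecked growth the review is meant to stop.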
When we look at the administration of cloud services, particularly Azure, many organisations create multiple accounts for their administrative users. These accounts are given the relevant roles in Azure to accomplish their job.
While this seems straightforward, the administrative account usually needs access to email (for alerts and information) and so requires a full licence. It also means that the user has another ID and password to remember, and it gives an attacker another account to target.
Rather than give a user access all the time, the relevant users should be allowed to use Privileged Identity Management (PIM). This allows a user to request elevation to a specific role from a list that is available to them. The request is then approved, and the user is granted the relevant permissions.
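The just-in-time pattern PIM provides can be illustrated with the following added simulation, written for this article rather than taken from Azure AD or PIM itself. The eligible user, approver, role name, ticket reference and the eight-hour activation limit are constructed. Eligibility is standing, but the user holds the role only between approval and the end of the time-boxed activation, a justification is mandatory, and nobody can approve their own request.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

def hours(n):
    return timedelta(hours=n)

MAX_ACTIVATION = hours(8)   # constructed policy: no activation outlives a working day

@dataclass(frozen=True)
class Eligibility:
    user: str
    role: str

@dataclass
class ActivationRequest:
    user: str
    role: str
    duration: timedelta
    justification: str

@dataclass
class ActiveAssignment:
    user: str
    role: str
    start: datetime
    end: datetime

class PimSimulator:
    """Just-in-time elevation: eligibility is standing, active rights are time-boxed."""

    def __init__(self, eligible, approvers):
        self.eligible = set(eligible)
        self.approvers = set(approvers)
        self.pending = {}    # request id -> ActivationRequest
        self.active = []
        self.audit = []      # (event, user, role), the trail an audit log would keep
        self._next_id = 1

    def request_activation(self, user, role, duration, justification):
        if Eligibility(user, role) not in self.eligible:
            raise PermissionError(f"{user} is not eligible for {role}")
        if not justification.strip():
            raise ValueError("a justification is required")
        duration = min(duration, MAX_ACTIVATION)   # clamp to the policy maximum
        request_id = self._next_id
        self._next_id += 1
        self.pending[request_id] = ActivationRequest(user, role, duration, justification)
        self.audit.append(("requested", user, role))
        return request_id

    def approve(self, request_id, approver, now):
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an approver")
        request = self.pending[request_id]
        if approver == request.user:
            raise PermissionError("self-approval is not allowed")   # request stays pending
        del self.pending[request_id]
        assignment = ActiveAssignment(request.user, request.role, now, now + request.duration)
        self.active.append(assignment)
        self.audit.append(("activated", request.user, request.role))
        return assignment

    def has_role(self, user, role, now):
        """True only while a time-boxed activation covers 'now'."""
        return any(a.user == user and a.role == role and a.start <= now < a.end
                   for a in self.active)

# Constructed sample data.
ADMIN = "ops.admin@contoso.example"
APPROVER = "secops.lead@contoso.example"
ROLE = "User Administrator"
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)

def build_pim():
    return PimSimulator(eligible=[Eligibility(ADMIN, ROLE)], approvers=[APPROVER])

def demo():
    """Returns whether ADMIN holds ROLE before, during and after a 4-hour activation."""
    pim = build_pim()
    before = pim.has_role(ADMIN, ROLE, NOW)
    rid = pim.request_activation(ADMIN, ROLE, hours(4),
                                 "Ticket INC-0001 (constructed): reset MFA for a locked-out user")
    pim.approve(rid, APPROVER, NOW)
    during = pim.has_role(ADMIN, ROLE, NOW + hours(1))
    after = pim.has_role(ADMIN, ROLE, NOW + hours(4))
    return before, during, after

if __name__ == "__main__":
    print(demo())
```

The contrast with a permanently privileged second account is in has_role: outside an approved window the answer is always false, so a compromised credential gains nothing until someone else approves an elevation, and every request and activation leaves an audit entry.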
Acceptance of the terms can then be set to expire on a regular basis (annually, bi-annually, quarterly or monthly).
This ensures that all users must accept the terms again before they can continue to use the Azure services.
Using the identity governance tools within Azure AD will enable you to automate more of your lifecycle processes whilst affording you a greater degree of control and security to ensure that only those users eligible for access have it.
If you have Azure AD, or are considering using it, it’s well worth factoring in and applying the governance options available to you, as this will ensure that you make the most of your investment while streamlining and consistently improving the health of your identities and IT infrastructure.
You can even take these controls a step further: watch our identity governance webinar on-demand to discover how you can take your Azure AD governance to the next level.
Marcus Idle is our Head of Customer Identity and Access Management and IP Development at ThirdSpace. He is responsible for projects involving external identities. Expert in Microsoft’s Azure AD B2B...