Entitlement Management

I’ve been working with Customer S lately, on an Operations document about their tenant configuration. We’ve been covering Azure AD Connect, Identity Protection (AADIP), B2B, Privileged Identity Management (PIM), Conditional Access, and Password Protection; but in this blog, I’m going to talk about Identity Governance, specifically Entitlement Management.

Microsoft defines Identity Governance as:

Azure Active Directory (Azure AD) Identity Governance allows administrators to balance your organization’s need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right people have the right access to the right resources. These and related Azure AD and Enterprise Mobility + Security features allow them to mitigate access risk by protecting, monitoring, and auditing access to critical assets — while ensuring employee and business partner productivity.

Identity Governance – Azure Active Directory | Microsoft Docs

Microsoft defines Entitlement Management as:

Azure Active Directory (Azure AD) entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration.

What is entitlement management? – Azure AD | Microsoft Docs

In a nutshell, administrators create a catalog that contains one or more access packages. An access package contains a list of resources (SharePoint sites, Azure AD roles, applications), policies, assignments, requests and access reviews. Users may request an access package, or an administrator may assign it to them directly. Customer S is using Entitlement Management to provide a standard set of permissions and access to all their staff.

So let's have a look at how this works.

I log onto my tenant as a Global Administrator.
I then browse to Azure Active Directory > Identity Governance.
I then select Catalogs. In this instance, I have created a catalog named "Gamilar Test".
I click on that catalog, then select Access Packages. Again, you can see my test package.
I'm going to edit the package to show the settings. To create a new package, you can click "New Access Package".
I give it the following details:
  • Name: Test Gamilar GA
  • Description: Test Gamilar GA
  • Resource Role: PMI-Global_Admin_Eligible (Azure Global Admin Role for group)
  • Requests: For users in your directory, All members (excluding guests), Require approval, Require requestor justification
    1 stage request, First Approver: Manager, Fallback: MOD Administrator
  • Lifecycle: Access package assignments expire 365 days, Require access reviews Quarterly, Reviewers Manager, MOD Administrator
Once completed, a user may request the access package through https://myaccess.microsoft.com
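The same package and policy can be created through the Microsoft Graph entitlement management API rather than the portal, and the exported policy can then be audited against the baseline the settings above imply (approval required, justification required, no guest scope, bounded lifetime, quarterly review). The script below is an added example, not code from the original post or from risual: the Graph request bodies follow the `accessPackage` and `accessPackageAssignmentPolicy` schemas as I understand them (assumed; verify property names against the current Graph reference before use), and the catalog, access package and fallback-approver ids are constructed placeholders.

```python
"""Build Graph request bodies for the access package described above and audit a
policy for the controls a privileged package should carry.  Added example;
Graph property names are assumed from the accessPackageAssignmentPolicy schema."""
import copy
import re

# Constructed placeholders; substitute object ids from your own tenant.
CATALOG_ID = "<catalog-id>"
FALLBACK_APPROVER_ID = "<mod-administrator-object-id>"
MAX_ASSIGNMENT_DAYS = 365        # lifecycle limit used by the package above
MAX_REVIEW_INTERVAL_MONTHS = 3   # "quarterly"

_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?$")


def build_access_package(name, description, catalog_id=CATALOG_ID):
    """Body for POST /identityGovernance/entitlementManagement/accessPackages."""
    return {"displayName": name, "description": description, "catalog": {"id": catalog_id}}


def build_policy(access_package_id, fallback_user_id=FALLBACK_APPROVER_ID):
    """Body for POST /identityGovernance/entitlementManagement/assignmentPolicies,
    encoding the request, approval and lifecycle settings listed in the post."""
    manager = {"@odata.type": "#microsoft.graph.targetManager", "managerLevel": 1}
    fallback = {"@odata.type": "#microsoft.graph.singleUser", "userId": fallback_user_id}
    return {
        "displayName": "Test Gamilar GA - members",
        "description": "All members (excluding guests), manager approval, quarterly review",
        "allowedTargetScope": "allMemberUsers",  # members only, guests excluded
        "accessPackage": {"id": access_package_id},
        "expiration": {"type": "afterDuration", "duration": "P365D"},
        "requestorSettings": {"enableTargetsToSelfAddAccess": True},
        "requestApprovalSettings": {
            "isApprovalRequiredForAdd": True,
            "isRequestorJustificationRequired": True,
            "stages": [{
                "durationBeforeAutomaticDenial": "P14D",
                "primaryApprovers": [manager],
                "fallbackPrimaryApprovers": [fallback],  # used when no manager is set
            }],
        },
        "reviewSettings": {
            "isEnabled": True,
            "expirationBehavior": "removeAccess",
            "schedule": {
                "expiration": {"type": "afterDuration", "duration": "P14D"},
                "recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 3},
                               "range": {"type": "noEnd"}},
            },
            "primaryReviewers": [manager, fallback],
        },
    }


def iso_duration_days(value):
    """Approximate an ISO 8601 duration such as P365D or P1Y as a number of days
    (months as 30 days, years as 365); None if the value is not a duration."""
    match = _DURATION.match(value or "")
    if not match or not any(match.groups()):
        return None
    years, months, weeks, days = (int(g or 0) for g in match.groups())
    return years * 365 + months * 30 + weeks * 7 + days


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy meets the baseline."""
    findings = []
    if policy.get("allowedTargetScope") not in ("allMemberUsers", "specificDirectoryUsers"):
        findings.append("scope: package is requestable by guests or external users")

    approval = policy.get("requestApprovalSettings") or {}
    if not approval.get("isApprovalRequiredForAdd"):
        findings.append("approval: no approval required for new assignments")
    if not approval.get("isRequestorJustificationRequired"):
        findings.append("approval: requestor justification not required")
    for number, stage in enumerate(approval.get("stages") or [], start=1):
        approvers = stage.get("primaryApprovers") or []
        if not approvers:
            findings.append(f"approval: stage {number} has no primary approver")
        routes_to_manager = any(a.get("@odata.type") == "#microsoft.graph.targetManager" for a in approvers)
        if routes_to_manager and not stage.get("fallbackPrimaryApprovers"):
            findings.append(f"approval: stage {number} routes to manager with no fallback approver")

    expiration = policy.get("expiration") or {}
    days = iso_duration_days(expiration.get("duration")) if expiration.get("type") == "afterDuration" else None
    if days is None or days > MAX_ASSIGNMENT_DAYS:
        findings.append(f"lifecycle: assignments do not expire within {MAX_ASSIGNMENT_DAYS} days")

    review = policy.get("reviewSettings") or {}
    pattern = ((review.get("schedule") or {}).get("recurrence") or {}).get("pattern") or {}
    if not review.get("isEnabled"):
        findings.append("review: access reviews are disabled")
    elif pattern.get("type") != "absoluteMonthly" or (pattern.get("interval") or 99) > MAX_REVIEW_INTERVAL_MONTHS:
        findings.append("review: reviews recur less often than quarterly")
    elif not review.get("primaryReviewers"):
        findings.append("review: no reviewers assigned")
    return findings


def weakened(policy):
    """Copy of a policy with the main controls stripped, to show what the audit reports."""
    weak = copy.deepcopy(policy)
    weak["allowedTargetScope"] = "allExternalUsers"
    weak["requestApprovalSettings"]["isApprovalRequiredForAdd"] = False
    weak["expiration"] = {"type": "noExpiration"}
    weak["reviewSettings"]["isEnabled"] = False
    return weak


if __name__ == "__main__":
    package = build_access_package("Test Gamilar GA", "Test Gamilar GA")
    policy = build_policy("<access-package-id>")
    print("baseline findings:", audit_policy(policy))
    print("weakened findings:", audit_policy(weakened(policy)))
```

The bodies are what you would send with an app-only or delegated token holding `EntitlementManagement.ReadWrite.All`; the audit function is equally useful run over the policies returned by a GET on the same endpoint, so that drift from the baseline shows up before the next access review rather than during it.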
As you can imagine, this is quite a powerful tool. We are developing a baseline configuration within risual, to be available to our customers as part of our portfolio of services.
