In a previous post, I explained how “Entitlement Management” works and how we can use it to streamline permissions and access for users. That said, it is just one part of Azure Active Directory Identity Governance.
Microsoft has a good explanation of Identity Governance (see here). It consists of tools and processes that allow administrators to manage user access in line with company processes for Joiners, Movers, and Leavers.
The processes are separated into three types:
- Identity Management
- Access Management
- Privileged Access for Admins
Identity Management
Every person in a business or organisation has an identity. In terms of Azure and IT, they each have a unique digital identity.
JOINER:
When a person joins an organisation, the IT team must create this digital identity for the new employee. It can be created manually through AD provisioning, or automatically through HR-driven provisioning from software such as SAP or Cloud HR.
MOVER:
As employees go from role to role, either through promotions or through changing departments, their digital identity changes as their accesses are modified or realigned.
LEAVER:
Eventually, an employee’s journey through a business will end, either through retirement or through moving to a new business. The IT team removes all access to keep the resources secure and removes the digital identity (unless there is a need for archiving).
Access Reviews are used to monitor the digital identity and to have the business confirm that it is still required.
Access Management
As we’ve seen, every person in an organisation has a digital identity, but without access rights, that identity is meaningless. Access rights are just a list of permissions and privileges that an employee needs to carry out their duties. The IT team would arrange them, but with Azure AD and Identity Governance, we can semi-automate the process through Access Packages.
Access Reviews are used to monitor the access or entitlement and to have the business confirm that it is still required. We can use a different life-cycle for this: for example, the Identity Review can require an annual review, whilst the Access Review can be every quarter.
Have a look at the blog post “Entitlement Management” for the details.
Privileged Access for Admins
Administrators need a separate layer of security, because their accounts can potentially cause a lot of damage. An administrator may have a separate account that they log into only for administrative work, or a single account with PIM configured so that the account can elevate itself when a task requires it.
Administrators can be given a specific Access Package that will grant them eligibility to elevate certain Azure AD roles.
Again, Access Reviews are used to monitor the eligibility. We can use a separate life-cycle to require that a PIM Review is completed every month.
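The separate life-cycles described above (an annual Identity Review, a quarterly Access Review and a monthly PIM Review) come down to three Access Review schedule definitions with different recurrence intervals. The script below is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK (`New-MgIdentityGovernanceAccessReviewDefinition`) to create the three definitions from one helper. The group, role-definition and reviewer GUIDs are placeholders, and the group memberships stand in for the identity and entitlement populations; confirm the scope shapes against the current Graph access review documentation before running this in a tenant.

```powershell
# Added example: three recurring Access Reviews with separate cadences.
# Assumes the Microsoft.Graph.Identity.Governance module; all GUIDs are placeholders.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All" -NoWelcome

$AllStaffGroupId   = "00000000-0000-0000-0000-000000000001"  # placeholder: group holding every digital identity
$FinanceAppGroupId = "00000000-0000-0000-0000-000000000002"  # placeholder: group granted by an Access Package
$RoleDefinitionId  = "00000000-0000-0000-0000-000000000003"  # placeholder: Azure AD role definition id
$ReviewerUserId    = "00000000-0000-0000-0000-000000000004"  # placeholder: business owner who reviews

function New-RecurringReviewDefinition {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][hashtable]$Scope,
        [Parameter(Mandatory)][int]$IntervalMonths,   # 12 = annual, 3 = quarterly, 1 = monthly
        [Parameter(Mandatory)][int]$DurationDays,     # how long reviewers have to record decisions
        [Parameter(Mandatory)][string]$ReviewerId
    )
    $body = @{
        displayName          = $DisplayName
        descriptionForAdmins = "Recurs every $IntervalMonths month(s); decisions due within $DurationDays days."
        scope                = $Scope
        reviewers            = @(@{ query = "/users/$ReviewerId"; queryType = "MicrosoftGraph" })
        settings             = @{
            mailNotificationsEnabled        = $true
            reminderNotificationsEnabled    = $true
            justificationRequiredOnApproval = $true
            recommendationsEnabled          = $true      # flags principals with no recent sign-in
            instanceDurationInDays          = $DurationDays
            autoApplyDecisionsEnabled       = $true      # apply the outcome when the instance closes
            defaultDecisionEnabled          = $true
            defaultDecision                 = "Deny"     # fail closed: unreviewed access is removed
            recurrence                      = @{
                pattern = @{ type = "absoluteMonthly"; interval = $IntervalMonths; dayOfMonth = 0 }
                range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
            }
        }
    }
    New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $body
}

# Scope helper for "everyone who is a member of this group".
function New-GroupMembershipScope([string]$GroupId) {
    @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$GroupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
}

# Scope for "every user holding this Azure AD role" (principal/resource form used for role reviews).
$roleScope = @{
    "@odata.type"   = "#microsoft.graph.principalResourceMembershipsScope"
    principalScopes = @(@{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"; query = "/users"; queryType = "MicrosoftGraph" })
    resourceScopes  = @(@{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
                           query = "/roleManagement/directory/roleDefinitions/$RoleDefinitionId"; queryType = "MicrosoftGraph" })
}

$reviews = @(
    New-RecurringReviewDefinition -DisplayName "Identity Review - all staff (annual)" `
        -Scope (New-GroupMembershipScope $AllStaffGroupId) -IntervalMonths 12 -DurationDays 30 -ReviewerId $ReviewerUserId
    New-RecurringReviewDefinition -DisplayName "Access Review - Finance app (quarterly)" `
        -Scope (New-GroupMembershipScope $FinanceAppGroupId) -IntervalMonths 3 -DurationDays 14 -ReviewerId $ReviewerUserId
    New-RecurringReviewDefinition -DisplayName "PIM Review - admin role holders (monthly)" `
        -Scope $roleScope -IntervalMonths 1 -DurationDays 7 -ReviewerId $ReviewerUserId
)

$reviews | Format-Table DisplayName, Id, Status
```

The three definitions differ only in scope, interval and review window, which is the point: one helper, three life-cycles. `defaultDecision = "Deny"` with auto-apply makes an unanswered review remove the access rather than silently keep it; for the admin role review some organisations prefer `"None"` so that an unanswered review cannot strip the last holder of a role, which is why reminder notifications are left on.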