In a previous Linkedin article, Khaled Laghrour has shared with you how you can combine Privileged Identity Management and Entitlement Management to manage Microsoft Entra administrative roles. But when you start using Entitlement Management, you will notice that you have to configure different components and settings, and sometimes you do repetitive tasks such as adding a user to an access package or a resource to an existing catalog and this is why admins often prefer not using Entitlement Management for them, it adds complexity to their daily work.
So, in this article, Khaled Laghrour will share with you how we can automate entitlement management using Azure AD entitlement management API and integration with businesses applications or your IAM solution.
Why do you need to automate Entitlement Management?
Manual actions lead to errors, such as adding the wrong user to an access package assignments or granting an unauthorized user access to a Microsoft 365 or group or business app. This why we recommend using automation, which can save you time and effort and avoiding management errors leading to data loss or security breach. Moreover, you will make the most of the solution because the implementation and management will be easier.
Understanding Licensing Requirements for Microsoft Entra Identity Governance
Before delving into the deployment of PIM with Identity Governance features, it’s essential to understand the licensing requirements for Identity Governance. For more detailed information, refer to the provided link.
What can you do with Azure AD entitlement management API?
After testing the Azure AD entitlement management API, we can say that you have all that you need to automate your entitlement management, here is a list of available resources types :
- accessPackage: Defines the collections of resource roles and the policies for how one or more users may obtain access to those resources.
- accessPackageAssignmentPolicy: Specifies the policy by which subjects may request or be assigned an access package via an access package assignment.
- accessPackageAssignmentRequest: Created by a user who wishes to obtain an access package assignment.
- accessPackageAssignment: An assignment of an access package to a particular subject, for a period of time.
- accessPackageCatalog: A container for access packages.
- accessPackageResource: A reference to a resource associated with an access package catalog.
- accessPackageResourceRequest: A request to add a resource to an access package catalog.
- accessPackageResourceEnvironment: A reference to the geolocation of the resource. Applicable to Multi-Geo SharePoint Online sites.
- connectedOrganization: A connected organization for external users who can request access.
- entitlementManagementSettings: Tenant-wide settings for Azure AD entitlement management.
- approval: represents the decisions associated with an access package request.
In addition to the list above, you can manage access reviews, lifecycle workflows, PIM, and terms of use.
Source of the list above : Working with the Azure AD entitlement management API.
What options do you have to design your automation solution?
Depending on your environment (cloud-based or Hybrid) and requirements, you can design your Entitlement Management automation solution. You must look for a solution that allows customization to adapt to your specific workflows and processes and can seamlessly integrate with existing systems, applications, and third-party tools. Additionally, make sure the solution can scale as your organization grows and automation needs change.
Khaled is currently in the process of crafting a sample design, and once it is completed, we will share it with you. He believe it will provide a tangible representation of the concepts and ideas under consideration. Upon completion, he look forward to presenting this sample design for your review and feedback.
Redaction by Khaled Laghrour – M Cloud – Cloud Services | Technology Manager – Modern Work