Identity Governance – People, Access, and Resources
What is Identity Governance? And Why is it important?
“Azure Active Directory (Azure AD) Identity Governance helps you to protect, monitor, and audit access to critical assets while ensuring employee productivity.”
As we know, cyber attackers seek to gain unauthorized access to your organization’s resources. Employees, vendors, and partners are their number one target because they already hold the permissions needed to reach and control those resources, and therefore your data.
A purely restrictive approach is not an option in this hyperconnected world; we have to find a balance.
“The goal is to govern access to your company resources in this hyperconnected world.” Joseph Dadzie, Principal Group PM, Azure AD at Microsoft.
Employees interact with business partners everywhere; it is impractical to cut off that access. However, the organization, its regulators, and its auditors all need to know who is accessing which resources. Identity Governance helps you verify a user’s identity and cross-reference it with that user’s authorization profile.
There are two concepts we need to learn as we set up Identity Governance in the Azure portal (portal.azure.com):
1) Entitlement Management
This feature lets your company automate the access lifecycle. Entitlement management reduces administrative overhead and lets your organization efficiently manage access to the groups and applications you define, for both internal and external users, for example:
- Office 365 Groups and Teams
- Azure AD Applications
- SharePoint Sites
One of the first steps is the creation of access packages. An access package is a bundle of resources plus a policy that governs who may request it, who approves the request, and when the resulting access expires and is revoked.
For example, imagine you work with a vendor that needs access to one of your SharePoint sites.
With Entitlement Management, you create a package that grants that specific vendor access to the site, with an approver and an expiry date of your choosing.
One of the most useful cases for access packages is giving users access to manage specific Azure resources, for example an Azure application. Entitlement management cannot assign Azure resource roles directly, so an Azure AD security group acts as the bridge: the package adds the user to the group, and the group carries the Azure role assignment. All you need to do:
- Create a catalog
- Create an Azure AD security group and add it to the catalog as a resource
- Create an Azure role assignment for that group on the target resource (your Azure application), scoped as narrowly as the task allows
- Create an access package that contains the group
- Create an assignment to a specific user or a connected organization
Ideally, use access packages for time-sensitive or temporary access to specific resources: the policy sets an expiry, so the access is removed automatically when it lapses instead of lingering until someone remembers to clean it up.
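The five steps above, automated with Microsoft Graph PowerShell (Invoke-MgGraphRequest) and the Az module. This is an added example, not code from the original post or from Microsoft. The subscription, resource group, group name, vendor user ID and approver ID are placeholders; the role is scoped to a resource group for illustration; and the request bodies follow the Microsoft Graph v1.0 entitlement management API shapes as I know them, so check them against the current reference before relying on them.

```powershell
# Added example (not from the original post): create the group, the Azure role
# assignment, the catalog, the access package, a time-boxed policy and one assignment.
# Every ID, name and scope below is a placeholder (assumption); replace before running.
# Request bodies follow the Graph v1.0 entitlement management API as I know it.

$SubscriptionId = "00000000-0000-0000-0000-000000000000"          # placeholder
$ResourceGroup  = "rg-vendor-app"                                  # placeholder
$Scope          = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"
$VendorUserId   = "11111111-1111-1111-1111-111111111111"          # placeholder: vendor user object id
$ApproverId     = "22222222-2222-2222-2222-222222222222"          # placeholder: approving manager object id

Connect-AzAccount -Subscription $SubscriptionId | Out-Null
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All" | Out-Null
$graph = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

# Step 2: the security group that will carry the Azure role. Entitlement management
# cannot hand out Azure RBAC roles itself, so membership of this group is what the
# access package actually grants.
$group = New-AzADGroup -DisplayName "vendor-app-contributors" `
                       -MailNickname "vendor-app-contributors" -SecurityEnabled
Start-Sleep -Seconds 20   # let the new group replicate before it is referenced

# Step 3: least privilege - scope the role to the resource group that holds the app,
# not to the whole subscription. Use a narrower built-in role if Contributor is too broad.
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName "Contributor" -Scope $Scope | Out-Null

# Step 1: a catalog visible to external users, holding what vendors may request.
$catalog = Invoke-MgGraphRequest -Method POST -Uri "$graph/catalogs" -Body @{
    displayName = "Vendor access"; description = "Resources delegated to vendors"
    state = "published"; isExternallyVisible = $true
}

# Step 2 (continued): register the group as a resource of that catalog.
Invoke-MgGraphRequest -Method POST -Uri "$graph/resourceRequests" -Body @{
    requestType = "adminAdd"
    catalog     = @{ id = $catalog.id }
    resource    = @{ originId = $group.Id; originSystem = "AadGroup" }
} | Out-Null
$res = (Invoke-MgGraphRequest -Method GET `
        -Uri "$graph/catalogs/$($catalog.id)/resources?`$filter=originId eq '$($group.Id)'").value[0]

# Step 4: the access package, whose only resource role is "Member" of the group.
$package = Invoke-MgGraphRequest -Method POST -Uri "$graph/accessPackages" -Body @{
    displayName = "Vendor: manage $ResourceGroup"
    description = "Contributor on the vendor app resource group, via group membership"
    catalog     = @{ id = $catalog.id }
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/accessPackages/$($package.id)/resourceRoleScopes" -Body @{
    role  = @{ displayName = "Member"; originSystem = "AadGroup"
               originId = "Member_$($group.Id)"; resource = @{ id = $res.id } }
    scope = @{ originId = $group.Id; originSystem = "AadGroup" }
} | Out-Null

# The policy is where governance lives: only the named vendor may request, a manager
# must approve, and access expires after 30 days (the time-boxed use the post recommends).
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/assignmentPolicies" -Body @{
    displayName        = "Vendor 30-day policy"
    description        = "Approval required; access expires 30 days after it is granted"
    accessPackage      = @{ id = $package.id }
    allowedTargetScope = "specificDirectoryUsers"
    specificAllowedTargets = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $VendorUserId })
    expiration         = @{ type = "afterDuration"; duration = "P30D" }
    requestorSettings  = @{ enableTargetsToSelfAddAccess = $true }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd = $true
        stages = @(@{
            durationBeforeAutomaticDenial = "P7D"   # unanswered requests are denied, not left open
            primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $ApproverId })
        })
    }
}

# Step 5: a direct (admin) assignment of the package to the vendor user under that policy.
# The user lands in the group, inherits Contributor on $Scope, and is removed after 30 days.
Invoke-MgGraphRequest -Method POST -Uri "$graph/assignmentRequests" -Body @{
    requestType = "adminAdd"
    assignment  = @{ targetId = $VendorUserId; accessPackageId = $package.id; assignmentPolicyId = $policy.id }
}
```

The order differs from the portal steps because the group must exist before it can be a catalog resource or a role assignee. The expiration and the automatic denial are the two settings worth checking in any package that grants Azure roles: without them the group, and with it the Contributor role, outlives the engagement.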
2) The second important concept is Access Reviews
Sometimes automation is not feasible, either because some users were added manually and then forgotten, or because we granted higher privileges than the task needed.
An access review is the process of periodically reviewing your users to confirm they still require the same permissions, and adjusting or removing those permissions where they do not.
To see the steps required to create an access review, please visit the following link
Note: Entitlement management and access reviews require an Azure AD Premium P2 license.
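As an added example (not the post’s own steps, which it defers to the linked page), a recurring access review over a security group that carries an Azure role, created with Microsoft Graph PowerShell. The group ID and reviewer ID are placeholders, and the body follows the Graph v1.0 accessReviewScheduleDefinition shape as I know it; verify it against the current reference before running.

```powershell
# Added example (not from the original post): a quarterly review of a group's members,
# decided by the group's business owner, with non-responses treated as "Deny".
# IDs are placeholders (assumptions); body shape follows Graph v1.0 as I know it.

$GroupId    = "33333333-3333-3333-3333-333333333333"   # placeholder: group whose members are reviewed
$ReviewerId = "22222222-2222-2222-2222-222222222222"   # placeholder: reviewer object id

Connect-MgGraph -Scopes "AccessReview.ReadWrite.All" | Out-Null

$review = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions" -Body @{
    displayName             = "Quarterly review: vendor-app-contributors"
    descriptionForAdmins    = "Confirm each member still needs Contributor on the vendor app resource group"
    descriptionForReviewers = "Deny anyone who no longer works on the vendor app"
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$GroupId/transitiveMembers"   # nested members are reviewed too
        queryType     = "MicrosoftGraph"
    }
    reviewers = @(@{ query = "/users/$ReviewerId"; queryType = "MicrosoftGraph" })
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true    # "Approve" must say why
        recommendationsEnabled          = $true    # highlights members with no recent sign-in
        instanceDurationInDays          = 14
        autoApplyDecisionsEnabled       = $true    # decisions are applied, not just recorded
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"   # a reviewer who never answers removes access
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}
"Created access review definition $($review.id)"
```

The two settings that make a review more than a report are autoApplyDecisionsEnabled and the default decision: with them, a review nobody completes still strips the forgotten or over-privileged members the post describes, rather than silently renewing them.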
Competitors’ products:
Note: I’m loyal to Microsoft, but I always add this section to understand the competitors’ offerings.
Google IAM – Cloud Identity and Access Management
AWS Identity and Access Management (IAM)