SC-300 Microsoft Identity and Access Administrator – Entitlement Management

  1. Introduction to Entitlement Management and Packages

So in this section of the course, and in the sections that follow, we’re going to talk about the last objective of the exam, which is to plan and implement an identity governance strategy. That objective is worth 25% to 30% of the exam score. In this section we’re going to talk about the concept of entitlement management, a really interesting way to manage permissions at scale. When you have so many users, it’s hard, if not impossible, to predetermine what the correct permissions are for each person, and entitlement management is a really neat solution to that. In the next section we’ll talk about access reviews, and then about privileged access and Privileged Identity Management.

And finally, the last section of this course will talk about monitoring and maintaining Azure AD itself. So let’s start with the concept of entitlement management. We’re going to go into our tenant on the home page, and you’ll see there’s this Identity Governance section under the Manage menu. Identity Governance has a number of things associated with it, and the first is Entitlement Management. So we’re going to talk about access packages, catalogs, and how you can work with connected organizations. The first concept is the access package. It’s really interesting, because what you can do is basically create a group of related permissions.

It could be access to a storage account, to Microsoft 365 Teams or a SharePoint application, some other type of access, or even licenses for software. All of that can be packaged together into an access package, and users can then request access to that package for themselves. The request goes through a workflow where somebody approves it, and the resulting access has a lifetime. Let’s say you’re given 30 days of access to this application: at the end of that period those privileges are revoked automatically. So nobody has to remember to take away access to a project once a team member is no longer on it.

And finally, if the user is an external user, a guest user, and they have no other privileges in your organization beyond the one thing they requested and were granted, then at the end of that period their account will be removed as well. So you don’t even have to clean up users from your Azure AD if they use entitlement management to request their permissions. Catalogs are basically collections of these access packages: you create the access packages first, and if you want to organize them, you can arrange them into catalogs. So, like I said, that’s what we’re going to be talking about in this section of the course.

  2. Create and Manage Access Packages

So why don’t we explore access packages a little more by creating one? Before we do that, let’s create a resource that we can grant people access to on request. I’m going to create a group: a security group called Team Assignment Number One, for the people who are going to complete the first team assignment. Let’s leave this as a regular group with no members, so it’s a completely empty security group. Now we’re going to allow people, primarily the students, to voluntarily join this group for the team assignment. So we go back to Azure AD, into Identity Governance, and we can either create the access package right from the overview page or go into Access packages and choose New access package.

All right, so this package is for students requesting access to the assignment, and you can give it whatever description you want. Now, we haven’t created any additional catalogs. There is one catalog that you’re given, called General, and we’ll leave it there for now. The next step is the resource we’re granting access to on request. It could be a group or team, an application, or a SharePoint site; in this case it’s the group we just created. I’m going to choose Groups and Teams, see all groups, and pick this team assignment group. So that’s what we’re granting access to: when a student requests access to this package, they’re added to this group as a member, in this particular case, not as an owner.

Now, who can request access? It could be external users or internal users. Maybe we want all users to be able to request access, even the teachers, or we want specific users, so we can go down to the students group. Actually, why not let the teachers have the fun as well, so both students and teachers can request access to that group. Then there is a workflow option. If we wanted people to request access and then have somebody approve them, there is this Require approval step; we’ll say no. We can also enable requests, and you can turn requests off later if the package is no longer available. Next, you can ask requestors questions.

So if you want to ask where they’re from and so on, we can collect that, maybe their email address, their country, or who their teacher is. We’ll skip that for now. The other part of the package is the expiry: how long do you get access to this assignment? Let’s say that once you’ve requested access, you’re given 60 days. We haven’t talked about access reviews yet; that’s coming up later in this section, and we’re not going to enable access reviews for now. We could also expire it at the end of the school year, or leave it so that it never expires. So this is a brand new access package that students and teachers can voluntarily join.

And if they do join, they’ll be added to the Team Assignment One security group for a period of 60 days. All right, so we have now created the package. We can see here that there’s actually a link to sign up for this package, so if we wanted to let people know, like, hey, you want to join this assignment? Here’s the link to do that. Now, in order to test this, we’re going to have to sign out of the portal, go to the link, and sign in as a student. All right, so I pasted the link from the portal into my browser, and I’m being asked to sign in. I’m going to sign in as one of the students, student one, and put in the password that I chose for them. We do have to update the password the first time signing in.

So here’s my updated password, and again multi-factor authentication is being required; I’m going to skip that for now. Skip the multi-factor authentication twice, and skipping multi-factor again. All right. Now I get to the point where I am requesting access to the assignment, and I do need to justify this access: I want to join the party. I could request access for a specific period if this were a manually reviewed request, but even if I don’t, it’s only going to be for those 60 days. So I’ve now submitted the access request. We can check this by logging out of this account, going back to the portal as my administrator, and seeing if this student has been added to the assignment group. So, sign out. Now I log in with my global administrator account.

I do have to switch to the correct directory, so that’s the MYDev tenant directory. I need MFA for this account too. I should be able to go under Groups, under Team Assignment, Members, and student one has now been added as a member of the team assignment, exactly as we wanted. And like I said, after 60 days they’ll be automatically removed. So this is a way of sharing access to Microsoft 365 resources, to security resources within Azure, to SharePoint sites and things like that, for a short period of time. Users can request that access, and you can either have a workflow around that where people have to approve it, or it can be automatic, as the case requires.
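The same access package policy the video clicks through in the portal (specific groups may self-request, no approval, 60-day lifetime) can be expressed as a Microsoft Graph v1.0 assignment policy. The script below is an added example, not code from the course; the group and package IDs are placeholders, and the field names follow the Graph `accessPackageAssignmentPolicy` resource as I understand it, so check them against the current Graph reference before relying on them.

```python
"""Added example (not from the course): build and sanity-check the Graph v1.0 payload
for a self-service access package assignment policy. All IDs below are placeholders."""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Constructed placeholder object IDs; replace with the real group IDs from your tenant.
STUDENTS_GROUP_ID = "00000000-0000-0000-0000-000000000001"
TEACHERS_GROUP_ID = "00000000-0000-0000-0000-000000000002"

def build_assignment_policy(access_package_id, requestor_group_ids, days, require_approval=False):
    """Mirror the portal choices: listed groups may self-request, fixed lifetime in days."""
    if days <= 0:
        raise ValueError("lifetime must be a positive number of days")
    return {
        "displayName": "Students and teachers - self service",
        "description": "Requestors are added to Team Assignment One for a limited time",
        "allowedTargetScope": "specificDirectoryUsers",
        "specificAllowedTargets": [
            {"@odata.type": "#microsoft.graph.groupMembers", "groupId": gid}
            for gid in requestor_group_ids
        ],
        "expiration": {"type": "afterDuration", "duration": f"P{days}D", "endDateTime": None},
        "requestorSettings": {
            "enableTargetsToSelfAddAccess": True,
            "enableTargetsToSelfRemoveAccess": True,
            "enableTargetsToSelfUpdateAccess": False,
            "allowCustomAssignmentSchedule": False,  # requestor cannot ask for a longer period
        },
        "requestApprovalSettings": {
            "isApprovalRequiredForAdd": require_approval,
            "isApprovalRequiredForUpdate": False,
            "stages": [],
        },
        "accessPackage": {"id": access_package_id},
    }

def policy_is_bounded(policy):
    """Review check: a self-service policy should expire on its own or require approval."""
    finite = policy["expiration"]["type"] in ("afterDuration", "afterDateTime")
    return finite or policy["requestApprovalSettings"]["isApprovalRequiredForAdd"]

def create_policy(policy, token):
    """POST the policy; the token needs the EntitlementManagement.ReadWrite.All permission."""
    req = urllib.request.Request(
        f"{GRAPH}/identityGovernance/entitlementManagement/assignmentPolicies",
        data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    p = build_assignment_policy("<access-package-id>", [STUDENTS_GROUP_ID, TEACHERS_GROUP_ID], 60)
    print(json.dumps(p, indent=2), "bounded:", policy_is_bounded(p))
    if os.environ.get("GRAPH_TOKEN"):  # only talks to Graph when a token is supplied
        create_policy(p, os.environ["GRAPH_TOKEN"])
```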

  3. Create and Require Terms of Use

So the next requirement of the exam talks about implementing and managing Terms of Use. Now, we all live in this world; lawyers seem to rule the world. Before you can actually do something online, often you have to accept the cookies and go through a process of accepting the site’s Terms of Use. This is no different. Maybe for your tenant, you want users to have to click through a Terms of Use, actually read it, and accept it. That’s a common requirement, and it’s done through Conditional Access. Now, I know we talked about Conditional Access in the last section, but Terms of Use is hidden under Conditional Access policies, and you do need a Premium P1 or higher license to use this. So we go in here, and there are two aspects to Terms of Use.

One is the actual terms. Under Conditional Access, we go into Terms of Use and create our standard terms. So these are our standard website or app Terms of Use. The lawyers are going to provide you with a document, so let’s assume you’ve got some type of content for the Terms of Use. I’ve chosen one of my study guides here, but obviously you’re going to want actual Terms of Use. You can have multiple versions of the Terms of Use in different languages, so if you have English and French and Spanish and Portuguese, you can have the Terms of Use in each of those languages. We’ve all seen sites where you have to scroll down through the terms in order to accept them, and we can turn that on here. Whether they’re using the web or an Android or iOS device, you can require the Terms of Use on all of them, and you can actually expire this.

So maybe every year; let’s call this 101 2021, and then you’re going to basically have a frequency of annually for people to re-accept those Terms of Use. Now, the Terms of Use are one thing that will be displayed, but how do you enforce your Terms of Use policy? You do that through Conditional Access, and that’s the second part of Terms of Use. We could create a policy for the Terms of Use now, or we can create it later. So we can basically go and create a Conditional Access policy that says accepting the Terms of Use is the condition, right? This suddenly becomes part of something that we can do. So here’s the Terms of Use, and I’m going to hit Create.

So now I’ve uploaded these terms, and I can see who’s accepted the terms, et cetera. Now, if we go back to Conditional Access and back to Policies, we can create a Terms of Use policy. We can say that this affects all users, and that it affects sign-ins to all apps, with no particular risk condition: it’s just all users, all apps. Then under the grant controls, we can say that we grant access, but with the requirement that they have accepted the standard terms. And like I said, we’ve defined it as a once-a-year thing. So we can basically set a Conditional Access policy that is going to enforce our Terms of Use on sign-in, and we can see this in action when we try to log in, in this case as the student.

Again, it’s going to want to sign us up for multi-factor authentication, which I will continue to skip. And now you can see the MYDev tenant Terms of Use. These are the standard Terms of Use, and again, this just happens to be a PDF study guide that I created. Actually, Jordy created it. When I’m ready, I can accept, confirming that I understand these are the Terms of Use. Now the student is recorded as having accepted the Terms of Use, and they won’t have to do it again for another year. That’s how you handle Terms of Use within your organization.
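The two halves of the Terms of Use setup above, the agreement itself (scroll-to-end, annual re-acceptance) and the all-users, all-apps Conditional Access policy that enforces it, can also be expressed as Microsoft Graph v1.0 payloads. This is an added example, not code from the course: the PDF bytes and IDs are constructed placeholders, the field names follow the Graph `agreement` and `conditionalAccessPolicy` resources as I understand them, and the safety check (start in report-only mode and exclude an emergency access account) is my own addition, since an all-users policy with a mistake in it can lock administrators out too.

```python
"""Added example (not from the course): Graph v1.0 payloads for a Terms of Use agreement
and the Conditional Access policy that requires it, plus a lock-out safety check."""
import base64
import json

# Constructed placeholders; replace with the lawyers' real PDF and a real break-glass user ID.
TERMS_PDF = b"%PDF-1.4 placeholder standard terms of use"
BREAK_GLASS_USER_ID = "00000000-0000-0000-0000-00000000beef"

def build_agreement(display_name, pdf_bytes, reaccept_days=365):
    """Agreement with scroll-to-end required and periodic re-acceptance, as in the portal."""
    return {
        "displayName": display_name,
        "isViewingBeforeAcceptanceRequired": True,   # user must scroll through the terms
        "isPerDeviceAcceptanceRequired": False,
        "userReacceptRequiredFrequency": f"P{reaccept_days}D",
        "files": [{
            "fileName": "terms.pdf",
            "language": "en",
            "isDefault": True,
            "fileData": {"data": base64.b64encode(pdf_bytes).decode()},
        }],
    }

def build_tou_policy(agreement_id, exclude_user_ids, report_only=True):
    """All users, all apps, grant = accepted terms. Report-only first so nothing is locked out."""
    return {
        "displayName": "Require standard terms of use",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": [], "termsOfUse": [agreement_id]},
    }

def policy_has_safety_net(policy):
    """Before enabling: a policy scoped to all users and all apps must exclude at least one
    emergency access account, otherwise a broken grant control blocks every sign-in."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]["includeApplications"]
    broad = users["includeUsers"] == ["All"] and apps == ["All"]
    return (not broad) or len(users["excludeUsers"]) > 0

if __name__ == "__main__":
    agreement = build_agreement("Standard terms", TERMS_PDF)
    policy = build_tou_policy("<agreement-id>", [BREAK_GLASS_USER_ID])
    print(json.dumps({"agreement": agreement, "policy": policy}, indent=2))
    print("safe to enable:", policy_has_safety_net(policy))
```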

  4. External User Lifecycle Management

Alright, the last requirement of this section talks about the lifecycle of external users. So we’re in the Identity Governance section of Azure AD. This is pretty simple, so the video will be a bit short, but if we go under Settings in Entitlement Management, we can see settings relating to external users: select what happens when an external user who was added to your directory through an access package request loses their last assignment to any access package. By default we can see it’s kind of grayed out, because you have to click Edit, but we can see that they’re going to block people from signing in after they’ve lost access to their last access package, and then remove them entirely from the directory after 30 days. Those are the default settings. You can, if you want, still allow people to sign in even if they have no access to anything, or you can choose not to delete those users, or extend that time. So that setting is up to you. And that’s how you basically manage the lifecycle of external users using access packages.
