Boost your identity governance lifecycle process using E-Visor Teams App + AADP.

Cristian Mora
CEO & Founder | Synergy Advisors

As I briefly mentioned in our previous June 2021 Sneak and peek post , we have introduced significant features into our E-Visor Teams App around Identity Governance. Let’s dig into the specifics about how you can get the most out of the identity governance capabilities provided in Microsoft Azure Active Directory Premium P2, right from our E-Visor Teams App.

Let me start by highlighting that since last January when our E-Visor Teams App was launched, we started introducing interactive capabilities for both security (like the ability to change MFA/SSPR authentication methods directly from our app) and productivity (like redirection to different Microsoft portals so users do not have to remember them or add them to their favorites). However, these new capabilities go beyond adding a new parameter or executing a short term action; we are providing the FULL identity lifecycle process provided by Microsoft Identity Governance inside of our app, as you will see in this blog post.

Introducing My App Packages inside E-Visor Teams App!​

In this new section, we added identity governance actions for all different roles and individuals inside your organization that they may be able to perform:

As you can see here, Microsoft AAD provides the whole workflow engine (behind the scenes) that will enable actions according to the conditions and policies that you have set for the different personas who will use the solution.  Also, this solution is not just applicable to internal employees; identity governance can help provide secure access to resources for externals, contractors, and partners that you may have using AAD B2B. The following diagram shows all the different use cases covered:

Identity governance using E-Visor Teams App and AADP

identitygovernance_step1
identitygovernance_step2
identitygovernance_step3
identitygovernance_step4
identitygovernance_step5
Previous
Next

Identity Governance – Policy Creation/Editing – Using the Azure Portal

Before showing you how our application can be used to manage user access to apps, Teams, and much more, let us briefly show you how an Identity Governance package is created:

Create a package
Pre-requisites

    • Catalog:
      •  Collection of associated resources and access packages
    • Permissions and Roles
      • Access Packages Manager: Edit and manage all existing access packages within a catalog
      • Access Packages Assignment Manager: Edit and manage all existing access package assignments
      • Approver: Authorized by a policy to approve or deny requests to access packages, though they cannot change the access package definitions
    • Licensing
      • Azure AD Premium P2

Steps

    • Name:
      • Access package name and description information
    • Resource Roles
      • Add resources and permissions associated with each resource
    • Requests
      • Define users who can request access [internal or external users] or assign directly to specific users
      • Define if approval and requestor justification is required
    • Lifecycle
      • Access package expiration information
      • Define if extended access is allowed
      • Access review settings and reviewers

 

Add Access Package
Add Access Package
Name and description
Name and description
Set Resources and associated permissions
Set Resources and associated permissions
Request
Request
requests-select-users-groups
requests-approval-enable
lifecycle
review-create
Previous
Next

Alright, once the package has been created or edited we are ready to show you how the E-Visor Teams App can help manage the remaining operational activities! 

NOTE: keep in mind we have not added the capability to create or edit access packages into the app, as we want IT admins and others to continue using the Microsoft management console for their tasks.  Our tool will optimize the next steps in a centralized experience for all different actors dealing with these access packages.

Identity Governance – Policy Assignment and Request

Once a package has been made available or assigned to users, our application presents those to the users and owners:

  • Users can see which packages have been automatically assigned and the applications and resources that the package provides access to
Avilable for request packages and assigned
Avilable for request packages and assigned
Resources Details
Resources Details
Request access
Request access
Request access details
Request access details
Expired Packages
Expired Packages
Active packages
Active packages
All Resources access
All Resources access
Previous
Next
  • Users also can interact with the packages owners or approvers, via Teams of course, for any further questions
My Request status
My Request status
Contact approver
Contact approver
Previous
Next
  • As many organizations can also enable users to request access to packages, we also provide the capability to request a package from our app. No redirects or web pages necessary; everything takes place directly from the app. Note that depending on the access package configuration, the user may have to:
          • Provide a justification
          • Get automatically approved the package
          • Respond to pre-populated questions about why they need access to this package

Once the action has taken place, our app will update users about the applications they have access to after the request is performed.

Identity Governance – Policy Approval

Individuals who have been assigned as approvers have the opportunity to approve requests made by users

Bonus capability! – Ribbon notifications
We have introduced a notification ribbon that prompts users if they have new activities that require their attention, such as packages to approve or new packages that have been approved.

Once the action has taken place, our app will update users about the applications they have access to after the request was performed.

  • In addition to the ability to approve or deny packages, the package owner has the capability to interact with the user
  • An approver can also collaborate directly with users to go beyond the potential justifications provided by the automated process.  In instances where an approver needs more information to make a decision, our goal is to accelerate the process by providing status information and a two-way communications channel, all through Microsoft Teams.
Accept Recommendations
Accept Recommendations
Approve
Approve
Deny
Deny
Don´t Know
Don´t Know
Reset decisions
Reset decisions
Teams Chat
Teams Chat
Teams Call
Teams Call
Schedule meeting
Schedule meeting
Send Email
Send Email
Previous
Next

NOTE: We are working to introduce the ability to request extensions to packages, including notifications, so you can see when access will expire and proactively request an extension.

Identity Governance – Access Reviews

Access Reviews is a capability that enables both users and approvers to, at any point in time, check that only the right people have continued access:

  • User
    Remove access to unnecessary app packages
  • Approver
    Make a decision to remove a user from app packages
Deny
Deny
Approve
Approve
My Request status
My Request status
Previous
Next

NOTE: Please consider that not all packages may be configured with these capabilities, so users or approvers may not have a way, once approved, to remove an approved package. Availability for this feature is based on your corporate policies and how you configured the access package in the first step described in this post.

In short, Microsoft provides a full 360-degree experience to see, request, remove, and approve access packages right from the E-Visor Teams App! Get your identity management and governance all under control with Identity Governance and the E-Visor Teams App.

Interested in a live demo or Production Pilot? Contact us at e-suite@synergyadvisors.biz We can show you these E-Visor and Microsoft Identity governance capabilities in a matter of minutes/hours!!!!!

Register for more here!

    Categories

    Recent Posts