Boost your identity governance lifecycle process using E-Visor Teams App + AADP.
As I briefly mentioned in our previous June 2021 Sneak and peek post, we have introduced significant features into our E-Visor Teams App around Identity Governance. Let’s dig into the specifics about how you can get the most out of the identity governance capabilities provided in Microsoft Azure Active Directory Premium P2, right from our E-Visor Teams App.
Let me start by highlighting that since last January when our E-Visor Teams App was launched, we started introducing interactive capabilities for both security (like the ability to change MFA/SSPR authentication methods directly from our app) and productivity (like redirection to different Microsoft portals so users do not have to remember them or add them to their favorites). However, these new capabilities go beyond adding a new parameter or executing a short-term action; we are providing the FULL identity lifecycle process provided by Microsoft Identity Governance inside of our app, as you will see in this blog post.
As you can see here, Microsoft AAD provides the whole workflow engine (behind the scenes) that will enable actions according to the conditions and policies that you have set for the different personas who will use the solution. Also, this solution is not just applicable to internal employees; identity governance can help provide secure access to resources for externals, contractors, and partners that you may have using AAD B2B. The following diagram shows all the different use cases covered:
Identity governance using E-Visor Teams App and AADP
Identity Governance – Policy Creation/Editing – Using the Azure Portal
Before showing you how our application can be used to manage user access to apps, Teams, and much more, let us briefly show you how an Identity Governance package is created:
Create a package
- Collection of associated resources and access packages
- Permissions and Roles
  - Access Packages Manager: Edit and manage all existing access packages within a catalog
  - Access Packages Assignment Manager: Edit and manage all existing access package assignments
  - Approver: Authorized by a policy to approve or deny requests to access packages, though they cannot change the access package definitions
- Azure AD Premium P2
- Access package name and description information
- Resource Roles
  - Add resources and permissions associated with each resource
- Define users who can request access [internal or external users] or assign directly to specific users
- Define if approval and requestor justification are required
- Access package expiration information
- Define if extended access is allowed
- Access review settings and reviewers
Alright, once the package has been created or edited, we are ready to show you how the E-Visor Teams App can help manage the remaining operational activities!
NOTE: Keep in mind we have not added the capability to create or edit access packages to the app, as we want IT admins and others to continue using the Microsoft management console for their tasks. Our tool will optimize the next steps in a centralized experience for all different actors dealing with these access packages.
Identity Governance – Policy Assignment and Request
Once a package has been made available or assigned to users, our application presents those to the users and owners:
- Users can see which packages have been automatically assigned and the applications and resources that the package provides access to
- Users can also interact with the package owners or approvers, via Teams of course, for any further questions
- As many organizations can also enable users to request access to packages, we also provide the capability to request a package from our app. No redirects or web pages necessary; everything takes place directly from the app. Note that depending on the access package configuration, the user may have to:
  - Provide a justification
  - Get the package automatically approved
  - Respond to pre-populated questions about why they need access to this package
Once the action has taken place, our app will update users about the applications they have access to after the request is performed.
Identity Governance – Policy Approval
Individuals who have been assigned as approvers have the opportunity to approve requests made by users.
Bonus capability! – Ribbon notifications
We have introduced a notification ribbon that prompts users if they have new activities that require their attention, such as packages to approve or new packages that have been approved.
Once the action has taken place, our app will update users about the applications they have access to after the request was performed.
- In addition to the ability to approve or deny packages, the package owner has the capability to interact with the user
- An approver can also collaborate directly with users to go beyond the potential justifications provided by the automated process. In instances where an approver needs more information to make a decision, our goal is to accelerate the process by providing status information and a two-way communications channel, all through Microsoft Teams.
NOTE: We are working to introduce the ability to request extensions to packages, including notifications, so you can see when access will expire and proactively request an extension.
Identity Governance – Access Reviews
Access Reviews is a capability that enables both users and approvers to, at any point in time, check that only the right people have continued access:
- Remove access to unnecessary app packages
- Make a decision to remove a user from app packages
NOTE: Please consider that not all packages may be configured with these capabilities, so users or approvers may not have a way, once approved, to remove an approved package. Availability for this feature is based on your corporate policies and how you configured the access package in the first step described in this post.
In short, Microsoft provides a full 360-degree experience to see, request, remove, and approve access packages right from the E-Visor Teams App! Get your identity management and governance all under control with Identity Governance and the E-Visor Teams App.