An Introduction To Access Package

Introduction

Access Package is a new feature provided by Azure AD Identity Governance. Using this feature, the admins can manage access to the following applications dynamically.

• SharePoint online site
• Azure AD Application
• Cloud services
• Teams

An access package allows to do a one-time setup and configuration of resources and policies that automatically manages the access to the resources.

All Access Package should be kept in a container called catalog. A catalog defines what resources can be added to Access Package.

In this article, we are going with a business use case. Here the ‘Contoso’ organization wants to manage access to the SharePoint online site by following guidelines

• Each access request should be done by end-user
• An Approval request must be sent to the owner
• On Approval, User should get time bound access
• The access to the site should be revoked after certain time period.

Pre-requisites

In order to use the Access Package, the tenant should be having one of the following subscriptions

• Azure AD Premium P2
• Users with M365 E5

Steps

As a first step, we will set up the M365 group with members who can request access to SPO site. For this demo, I will name it as ‘Team.App.SPO.Marketing.Users’.

Setting up Azure AD Group

Step 1

Login to azure AD portal https://aad.portal.azure.com as a global administrator.

Step 2

Go to Azure AD from the favorites. If you cannot find search for service ‘Azure AD’

Step 3

Click on Groups -> New Group

Step 4

Enter the details, select an owner for this group from the list of current users.

Add the members to this group. In this case, I have following test users for which I would like to add them to group.

Click on ‘No members selected’ and add the members.

Once the owners and members are added, click on ‘Create group’.

The above steps conclude the creation of Azure AD group.

Note: Access Package supports Office 365 Groups and Azure AD groups for managing the access to resources. It will not support the AD groups originated from on-premise.

Setting up Catalog

Step 1

Go to azure AD portal, https://aad.portal.azure.com and click on the ‘Azure Active Directory'.

Step 3

Click on ‘Identity Governance’ and then click on ‘Catalog’. You should see built-in catalog called ‘general’.

Step 4

Click on ‘New Catalog’, give some name and description and leave the rest as default. In this case, I have given as marketing.

The above steps complete creating the catalog.

Creating Access Package

The idea here is to configure access to a group of users using the latest features provided by Azure AD.

As shown in picture, the user group is given access to SharePoint online site using the ‘Access Package’ feature. Now we will see how to create ‘Access Pacakge’.

From the ‘Marketing Catalog’ section from previous steps click on ‘Access Package’ -- > New Access Package.

Step 2

In the ‘Basics section’ enter the name and description and now proceed to ‘Resource Roles’

Step 3

In the ‘Resource Roles’ select ‘SharePoint site’. Search for ‘Contoso’ as I want to give Contoso Marketing sites access to user group ‘Team.SPO.Marketing.Users’.

Step 4

Select the role ‘Members’ as I am planning to give the users contribute access.

Step 5

In the ‘Requests’ section, first select ‘Users in your directory’

Step 6

Now select for specific users and groups, and in the search option select the required group, In this case, I have chosen ‘Team.App.SPO.Marketing.Users’.

Now in the ‘Approval section’ toggle the required selection to ‘Yes’ and leave the rest as default.

Also, make sure that there is at least one fall back user. If the system is not able to find approver, then it will fall back to this user.

Step 7

Now under the ‘Enable’ select ‘Enable new requests’ option to ‘Yes’.

If you observed in the screenshot, the first approver shows, ‘Manager as approver’, which means when a user requested access to site, his manager will be sent a request for approval. Once the manager is approved, the user would be granted access. We will see this in next section.

Now go to ‘Requestor Information’. For simplicity, I am leaving the default options and moving to next ‘Lifecycle’ section.

Step 8

In the ‘Lifecycle’ section, I have updated the number of active days from 365 to 30. You can change it to your needs accordingly. I have selected ‘Access Requests’ to ‘No’. If selected yes, you will have more options like how frequently the active access needs to be reviewed and by whom, whether it is self-reviewed or Manager reviewed.

.

Step 9

Next go to ‘Rules’ and here I left as default, and finally click on ‘Review and create’.

Step 10

Validate the access package and make sure it is in correct catalog. Always check that the access package that is newly created is not going to ‘General’ catalog.

Requesting Access

Step 1

Now as an end user, in this case, sptestuser1, click on view account - My Access

Step 2

Check the access packages and you would see ‘Marketing Member Access’ access package.

Before requesting access, check whether this account has access to marketing site. In this case, it is https://cts229051.sharepoint.com/sites/ContosoMarketing

You would see access denied as the access is not set up.

Step 3

Under ‘Available’ access packages section, select access package and click on ‘Request’.

Step 4

Enter the justification and click on ‘Submit’.

Step 5

In this case, the user manager will be sent an email like below and has to do a series of steps for approving request.

Step 6

After Manager approval, then the requested user should be receiving following email.

Step 7

Now validate the access to site, by clicking on get started or directly going to URL,

Manager Steps to Approve Access Request

Step 1

Go to the outlook and look for email with subject line ‘Action Required: Approve or Deny request’

Step 2

Once clicked on the actionable button ‘Approve or deny request’ it will take to Approval Dashboard where you can see ‘Approve’ and ‘Reject’ options. On selection ‘Approve’ you will be asked for justification again.

Pros

• Managing the users in Azure AD will be easier at Tenant level rather than at site level.
• End users no need to remember the URL, they can access the URL from ‘My Access’ in Office Portal (https://portal.office.com)
• Users will be able to request and revoke access by themselves and no admin help is needed.
• Easy to automatically set and revoke access to group of users dynamically with the help of Access Package policies.
• Users will have option to request JIT (Just in time) / time bounded access to a specific sites.

Cons

• This feature is premium plan and requires Azure AD Premium P2 or all the users should be having M365 E5 subscription which adds a little subscription cost. But if you balance the features provided by premium plans, it is worth trying and implement.

Conclusion

Thus, in this article, we have seen how to set and configure Access Package feature in Azure AD Identity Governance, to manage access to SharePoint onlinesites.

References

• https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/where-object?view=powershell-7.2
• https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-create
• https://goodworkaround.com/2020/04/04/birth-right-permissions-using-azure-ad-entitlement-management-access-packages/