Azure servicesMicrosoft Entra ID

Entra ID Entitlement Management –3-stage approval process for access packages

In an organization, users are required access to many different groups, applications, and sites to do their day-to-day tasks. Sometimes there can be external organizations that also required access to these various resources. As access requirements change frequently, it is quite challenging for IT administrators to manage access. As a solution to this problem, we can use Entra ID access packages to govern access for internal users as well as external users. Each Access package can contain applications, and permissions required to perform specific tasks. In one of my previous blog posts, I explained how we can set up access packages. You can access it by using the following link https://www.rebeladmin.com/2020/02/step-step-guide-azure-ad-access-package/#more-4735

With the access package, we also can define the approval process. When the user request access to the package, the approver will get a notification, and then he/she can approve or deny the access request. This approver can be an internal or external user/group. So far, we were able to use a two-stage approval process but now access packages can have a three-stage approval process. This is quite important especially if you required a review from security personnel. In this blog post, I am going to demonstrate how to set up a three-stage approval process for the existing Entra ID Access package. To start the configuration process,

Update Entra ID Access Package

1) Log in to the Azure portal as a Global administrator, Identity Governance administrator, User administrator, Catalog owner, or Access package manager.

2) Then click on Entra ID | Identity Governance

Entra ID Identity Governance

3) Next, click on Entra ID Access packages and then the access package we need to edit.

Selecting already existing Entra ID access package

4) On new page click on Policies and then click on the existing policy

existing Entra ID access policy

5) Then in policy details, click on Edit

edit Entra ID access policy settings

6) It will open the policy settings, click on Requests, and then set the Require approval toggle to Yes

enable approval process for Entra ID access package

7) To enable three-stage approval process, Set the How many stages to the number three.

enable three-stage approval process for Entra ID access package

8) To set the First approver, go to First Approver section and from the drop-down select the relevant option. In this demo, I am going to use Choose specific approvers option. If the access policy is set to For users not in your directory option the list here will change. In there we can define external or internal sponsors.

9) After that click on + Add approvers to select the First approver.

add first approver

10) It will list down the users from the directory. Select the relevant approver from the list. In this demo, I also like to capture approver justification. To enable that set the Require approver justification toggle to Yes.

require approver justification setting

11) Repeat steps 8 to 10 to set the Second approver and Third approver.

add second and third approvers

12) After settings are in place click on Next and go to the Custom extension tab and then click on Update to apply policy changes.

update access policy for the access package

This completes the policy configuration and the next step is to see new settings in action.

Testing

To verify the three-stage approval process, I log in to https://myaccess.microsoft.com/ as an end-user and there I can see the relevant access package. I went ahead and click on Request.

request access to access package

completing access request process

After the request is submitted, First approver received notification.

notification to first approver

The First approver went ahead and approve the request via myaccess portal.

first approver's pending approval request

approver justification

As expected, second and Third approvers also got the relevant notification. They also follow the same steps and approved the access request.

In the end, the user receives a notification about approved access package access.

access granted to access package

Then the user logged in to myaccess portal and as expected now the access package status is set to active.

Active access package

As we can see the three-stage approval process is working as expected. I hope now you have a better understanding of how we can three-stage approval process with access packages. This marks the end of this blog post. If you have any further questions about this feel free to contact me at rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Related posts
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide : Process Entra ID Entitlement Management Access Package on-behalf of another user (preview)

Entra ID Entitlement Management access packages enable administrators to offer a self-service…
Read more
Cyber SecurityMicrosoft Entra ID

Step-by-Step Guide: Configure Entra ID lifecycle workflow to use Custom Security Attributes

In my previous blog post, I explained how to use Entra ID lifecycle workflow to trigger actions…
Read more
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: Configure Entra ID lifecycle workflow to trigger mover task on user profile changes

The Entra ID lifecycle workflow is a feature of Microsoft Entra ID identity governance and Microsoft…
Read more
Newsletter
Become a Trendsetter

Sign up and get the best of RebelAdmin, tailored for you.

Leave a Reply

Your email address will not be published. Required fields are marked *