
Step-by-Step Guide: Process Entra ID Entitlement Management Access Package on behalf of another user (preview)

Entra ID Entitlement Management access packages enable administrators to offer a self-service experience for users, granting access to groups, applications, and sites. With access packages, we can automate the processes of access assignment, reviews, and expiration for the aforementioned resources. I have previously written detailed blog posts explaining how to set up access packages. You can find them at the following link: https://www.rebeladmin.com/2020/02/step-step-guide-azure-ad-access-package/#more-4735

Access packages are typically assigned to individuals or groups of users. Users can then request access to the package, which grants access according to predefined targets and policies. It is crucial for end users to understand where to log in, how to request an access package, and what happens afterwards. Generally, this requires training to educate users about the technology and process. This can be particularly challenging for new employees, as arranging the necessary training takes time. To mitigate this, direct managers can now request access packages on behalf of users. This allows users to gain critical access without going through the access package request process themselves. However, behind the scenes, the general access package process still applies.

In this blog post, I will demonstrate how on-behalf requests work with access packages.

Prerequisites

To enable on-behalf requests, we can use either a new access package or an existing one. In this demo, I already have an access package set up. It is for the Sales and Marketing team and is used to manage access to a security group.

Configuration

  1. Log in to the Entra admin portal (https://entra.microsoft.com/) as an Identity Governance Administrator or higher.
  2. Navigate to Identity Governance > Entitlement Management > Access Packages.
  3. Select the relevant access package and go to Policies.
  4. You can either add a new policy or edit an existing one. In this example, we will edit an existing policy. Select the policy and click on Edit.
  5. Go to the Requests tab.
  6. Under the Enable section, select Yes for “Allow managers to request on behalf of employees (preview)”.
  7. There is an additional option to “Bypass approval stage if manager is the requester and approver (preview)”. This allows managers to skip the approval process if they are also the approver for the same access package. In this demonstration, we will not use this option.
  8. Click Next until you reach the Custom Extensions tab, then click on Update.
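
To review where this setting is turned on across the tenant, the following added example (not part of the original post) lists every assignment policy that allows on-behalf requests and shows whether a manager approver is also configured, which is the combination the bypass option applies to. It assumes the Microsoft.Graph.Identity.Governance PowerShell module and that the portal toggle is stored in the policy's requestorSettings (enableOnBehalfRequestorsToAddAccess and onBehalfRequestors); it does not read the bypass option itself.

```powershell
# Added example: audit on-behalf request settings on access package policies.
# Assumption: the portal toggle maps to requestorSettings.enableOnBehalfRequestorsToAddAccess.
Connect-MgGraph -Scopes 'EntitlementManagement.Read.All'

$policies = Get-MgEntitlementManagementAssignmentPolicy -All -ExpandProperty accessPackage

$report = foreach ($p in $policies) {
    $req = $p.RequestorSettings
    if (-not $req.EnableOnBehalfRequestorsToAddAccess) { continue }

    # Subject-set subtypes are exposed as '@odata.type' in AdditionalProperties.
    $onBehalf = @($req.OnBehalfRequestors | Where-Object { $_ } |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] })

    $approval  = $p.RequestApprovalSettings
    $approvers = @($approval.Stages |
        ForEach-Object { $_.PrimaryApprovers; $_.FallbackPrimaryApprovers } |
        Where-Object { $_ } |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] } |
        Sort-Object -Unique)

    [pscustomobject]@{
        AccessPackage      = $p.AccessPackage.DisplayName
        Policy             = $p.DisplayName
        OnBehalfRequestors = $onBehalf -join ', '
        ApprovalRequired   = [bool]$approval.IsApprovalRequiredForAdd
        ApproverTypes      = $approvers -join ', '
        # True when any approval stage uses the manager approver type.
        ManagerIsApprover  = $approvers -contains '#microsoft.graph.requestorManager'
    }
}

$report | Sort-Object AccessPackage, Policy | Format-Table -AutoSize
```

Policies that show ApprovalRequired as False, or ManagerIsApprover as True, are the ones to review first, because an on-behalf request there may be granted without a second person approving it.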

This completes the configuration of the access package. Next, let’s see how the access process works.

Testing

For testing, I have selected a user who is part of the Sales and Marketing team and already has a manager assigned.

  1. Log in as the Manager to https://myaccess.microsoft.com/.
  2. Go to Access Packages. You will see the access package allocated to the Sales and Marketing team, even if the manager is not part of the access package target group.
  3. Click to request access. You will see the option for “Someone else”. Using this, you can select the user you want to request access on behalf of.
  4. Select a test user from the list and click on Continue. Provide a business justification and submit the request.
  5. As expected, the approver receives the notification.
  6. The approver can review the request and grant access. The access request clearly indicates who is requesting it and who it is for.
  7. When you log in as the end user, you will see that they have the active access package.

As we can see, the on-behalf request process with Entra ID Entitlement Management access packages is working as expected. This marks the end of this blog post. If you have any further questions about this, feel free to contact me at rebeladm@live.com. You can also follow me on Twitter @rebeladm to get updates about new blog posts.
