
Step-by-Step Guide: Process Entra ID Entitlement Management Access Package on-behalf of another user (preview)

Entra ID Entitlement Management access packages enable administrators to offer a self-service experience for users, granting access to groups, applications, and sites. With access packages, we can automate the processes of access assignment, reviews, and expiration for these resources. Previously, I have written detailed blog posts explaining how to set up access packages. You can access them using the following link: https://www.rebeladmin.com/2020/02/step-step-guide-azure-ad-access-package/#more-4735

Access packages are typically assigned to individuals or groups of users. Users can then request access to the package, which grants access according to predefined targets and policies. It is crucial for end users to understand where to log in, how to request an access package, and what happens afterwards. Generally, this requires training to educate users about the technology and process. This can be particularly challenging for new employees, as arranging the necessary training takes time. To mitigate this, direct managers can now request access packages on behalf of users. This allows users to gain critical access without going through the access package request process themselves. However, behind the scenes, the general access package process still applies.

In this blog post, I will demonstrate how on-behalf requests work with access packages.

Prerequisites

To enable on-behalf requests, we can use a new access package or an existing one. In this demo, I already have an access package set up. This access package is for the Sales and Marketing team and is used to manage access to a security group.

[Screenshot: Entra ID Entitlement Management Access Package for sales team]
[Screenshot: Entra ID Entitlement Management Access Package target]

Configuration

  1. Log in to the Entra admin portal (https://entra.microsoft.com/) as an Identity Governance Administrator or higher.
  2. Navigate to Identity Governance > Entitlement Management > Access Packages.
     [Screenshot: Entra ID access package plane]
  3. Select the relevant access package and go to Policies.
     [Screenshot: Policies of existing access package]
  4. You can either add a new policy or edit an existing one. In this example, we will edit an existing policy. Select the policy and click on Edit.
     [Screenshot: Edit existing policy]
  5. Go to the Requests tab.
     [Screenshot: access package request tab]
  6. Under the Enable section, select Yes for “Allow managers to request on behalf of employees (preview)”.
     [Screenshot: allow on-behalf of access]
  7. There is an additional option to “Bypass approval stage if manager is the requester and approver (preview)”. This allows managers to skip the approval process if they are also the approver for the same access package. In this demonstration, we will not use this option.
  8. Click Next until you reach the Custom Extensions tab, then click on Update.
     [Screenshot: update access package]

This completes the configuration of the access package. Next, let’s see how the access process works.
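The following audit check is an added example, not part of the original post: it lists which assignment policies allow on-behalf requests and whether an independent approver still stands between the manager and the grant. It assumes policies exported as JSON in the shape of Microsoft Graph's accessPackageAssignmentPolicy resource and that the portal toggle is reflected in `requestorSettings.enableOnBehalfRequestorsToAddAccess`; the policy ids and sample data are constructed.

```python
# Added example: audit assignment policies that allow on-behalf requests.
# Field names follow Microsoft Graph's accessPackageAssignmentPolicy resource;
# that the portal toggle sets them is an assumption. Sample data is constructed.
MANAGER = "#microsoft.graph.requestorManager"
SINGLE_USER = "#microsoft.graph.singleUser"

def _policy(pid, on_behalf, approval_required, approver_types):
    """Build a constructed policy object in the Graph JSON shape."""
    stages = [{"primaryApprovers": [{"@odata.type": t} for t in approver_types]}]
    return {
        "id": pid,
        "requestorSettings": {
            "enableOnBehalfRequestorsToAddAccess": on_behalf,
            "onBehalfRequestors": [{"@odata.type": MANAGER, "managerLevel": 1}] if on_behalf else [],
        },
        "requestApprovalSettings": {
            "isApprovalRequiredForAdd": approval_required,
            "stages": stages if approver_types else [],
        },
    }

SAMPLE_POLICIES = [
    _policy("policy-a", True, True, [SINGLE_USER]),   # on-behalf, separate approver
    _policy("policy-b", True, False, []),             # on-behalf, no approval at all
    _policy("policy-c", True, True, [MANAGER]),       # on-behalf, manager approves
    _policy("policy-d", False, True, [SINGLE_USER]),  # on-behalf disabled
]

def audit_on_behalf(policies):
    """Return (policy id, finding) pairs for policies that allow on-behalf requests."""
    findings = []
    for p in policies:
        req = p.get("requestorSettings") or {}
        if not req.get("enableOnBehalfRequestorsToAddAccess"):
            continue  # on-behalf requests are not enabled on this policy
        appr = p.get("requestApprovalSettings") or {}
        stages = appr.get("stages") or []
        if not appr.get("isApprovalRequiredForAdd") or not stages:
            findings.append((p["id"], "on-behalf enabled with no approval stage"))
            continue
        types = {a.get("@odata.type") for s in stages for a in (s.get("primaryApprovers") or [])}
        if MANAGER in types:
            findings.append((p["id"], "manager can be both requester and approver"))
        else:
            findings.append((p["id"], "on-behalf enabled, independent approver"))
    return findings

if __name__ == "__main__":
    for pid, finding in audit_on_behalf(SAMPLE_POLICIES):
        print(f"{pid}: {finding}")
```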

Testing

For testing, I have selected a user who is part of the Sales and Marketing team and already has a manager assigned.

[Screenshot: test user manager properties]
[Screenshot: test user group membership]

  1. Log in as the Manager to https://myaccess.microsoft.com/.
  2. Go to Access Packages. You will see the access package allocated to the Sales and Marketing team, even if the manager is not part of the access package target group.
     [Screenshot: Access package allocation]
  3. Click to request access. You will see the option for “Someone else”. Using this, you can select the user you want to request access on behalf of.
     [Screenshot: on-behalf request]
  4. Select a test user from the list and click on Continue. Provide a business justification and submit the request.
     [Screenshot: access package business justification]
  5. As expected, the approver receives the notification.
     [Screenshot: approver notification]
  6. The approver can review the request and grant access. The access request clearly indicates who is requesting it and who it is for.
     [Screenshot: access request details]
  7. When you log in as the end user, you will see that they have the active access package.
     [Screenshot: active access package]

As we can see, the on-behalf request process with Entra ID Entitlement Management Access Package is working as expected. This marks the end of this blog post. If you have any further questions about this, feel free to contact me at rebeladm@live.com. Also, follow me on Twitter @rebeladm to get updates about new blog posts.
