Using Azure AD Entitlement Management for Automated Access

Azure Active Directory (Azure AD) Entitlement Management has been updated with a new preview feature: automatic assignment policies. With this feature, Azure AD dynamically changes users' access across groups, Teams, SharePoint sites, and apps whenever their user attributes change. This can include switching departments, going on leave, or joining or leaving the company.

The benefit of such a policy is that it streamlines access management at scale, removing the need for administrative involvement whenever a user's access has to change. Better yet, it removes the need for users to send in requests manually; access is not retained any longer than necessary, and users can reach new content without waiting for admin approval.

Automating access based on user attributes

Say you wanted to create an access package in Azure AD Entitlement Management for members of a specific department at your company. In this package, you may put two different policies in place:

  • Employees request access and, upon approval, have it reviewed every 60 days
  • External members request access and, upon approval, have it reviewed every 30 days

With automatic assignment policies, you can add a third policy to this package: employees of this department are granted access automatically, for as long as they remain in it, determined by looking at the user's "department" attribute.

First, sign in to the Azure Portal and select Azure Active Directory. Then click the Identity Governance blade, followed by the Access packages blade.

Access Packages blade in Entitlement Management.

Then, pick the group you’d like to use and click Add auto assignment policy.

Adding auto assignment policies in the Access Package blade.

You simply need to specify a rule for how these users will be selected; this rule is usually based on the user's attributes, which are typically sourced from your company's HR system.

Creating dynamic membership rules.

Once the policy has been created, Azure AD steps in and begins automatically assigning resources to users who match that rule. Users who need the department's access gain it automatically and won't need to submit any requests.
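To make the selection rule and the resulting access changes concrete, here is an added example that is not part of the original post and not Microsoft's code: a small evaluator for the attribute-rule syntax that auto-assignment policies share with dynamic group rules (for example `user.department -eq "Finance"`), followed by a reconciliation step that shows which users would gain or lose the package when HR attributes change (transfer in, transfer out, account disabled, new joiner). The users and attribute values are constructed sample data, and the evaluator is a simplified model: it supports only the `-eq`, `-ne`, `-in`, `-notIn`, `-contains` and `-startsWith` operators with `-and`, `-or`, `-not` and parentheses, and it assumes case-insensitive string comparison; verify the exact semantics of any operator you rely on against the Azure AD documentation.

```python
"""Simplified evaluator for Azure AD attribute rules (the dynamic-group rule syntax)
plus a reconciliation step showing what an auto-assignment policy would grant or revoke.
Example code, not the service's implementation; sample users below are constructed."""
import re

# One token per match: parentheses, -operators, "strings", [lists], user.attribute, literals.
_TOKEN = re.compile(r'\s*(\(|\)|-[A-Za-z]+|"[^"]*"|\[[^\]]*\]|user\.[A-Za-z0-9_]+|true|false|null)', re.I)
_OPS = {"-eq", "-ne", "-in", "-notin", "-contains", "-startswith"}


def tokenize(rule):
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected text at offset {pos}: {rule[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _literal(tok):
    """Convert a value token ("text", [list], true/false, null) into a Python value."""
    low = tok.lower()
    if tok.startswith('"'):
        return tok[1:-1]
    if tok.startswith("["):
        return [s.strip().strip('"') for s in tok[1:-1].split(",") if s.strip()]
    if low in ("true", "false"):
        return low == "true"
    if low == "null":
        return None
    raise ValueError(f"bad value token {tok!r}")


class RuleParser:
    """Recursive descent: -or binds loosest, then -and, then -not, then a comparison."""

    def __init__(self, rule):
        self.toks, self.i = tokenize(rule), 0

    def _peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None

    def _take(self, expected=None):
        tok = self._peek()
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'token'}, got {tok!r}")
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError(f"trailing token {self._peek()!r}")
        return node

    def _or(self):
        node = self._and()
        while self._peek() == "-or":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while self._peek() == "-and":
            self._take()
            node = ("and", node, self._not())
        return node

    def _not(self):
        if self._peek() == "-not":
            self._take()
            return ("not", self._not())
        if self._peek() == "(":
            self._take()
            node = self._or()
            self._take(")")
            return node
        return self._cmp()

    def _cmp(self):
        prop = self._take()
        if not prop.lower().startswith("user."):
            raise ValueError(f"expected user.<attribute>, got {prop!r}")
        op = self._take().lower()
        if op not in _OPS:
            raise ValueError(f"unsupported operator {op!r}")
        return ("cmp", prop[5:], op, _literal(self._take()))


def _eq(actual, expected):
    # Assumption of this model: string comparisons are case-insensitive.
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.lower() == expected.lower()
    return actual == expected


def evaluate(node, user):
    """Evaluate a parsed rule against one user's attribute dict; missing attributes act as null."""
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], user) or evaluate(node[2], user)
    if kind == "and":
        return evaluate(node[1], user) and evaluate(node[2], user)
    if kind == "not":
        return not evaluate(node[1], user)
    _, attr, op, val = node
    actual = user.get(attr)
    if op == "-eq":
        return _eq(actual, val)
    if op == "-ne":
        return not _eq(actual, val)
    if op in ("-in", "-notin"):
        hit = any(_eq(actual, v) for v in val)
        return hit if op == "-in" else not hit
    if actual is None:
        return False
    if op == "-contains":
        return val.lower() in str(actual).lower()
    return str(actual).lower().startswith(val.lower())  # -startswith


def reconcile(rule, users, current):
    """Return (grant, revoke): users who should gain or lose the package, given current holders."""
    ast = RuleParser(rule).parse()
    target = {uid for uid, attrs in users.items() if evaluate(ast, attrs)}
    return sorted(target - current), sorted(current - target)


# Constructed sample: the HR-sourced attributes before and after a round of changes.
RULE = '(user.department -eq "Finance") -and (user.accountEnabled -eq true)'
BEFORE = {
    "alice": {"department": "Finance", "accountEnabled": True},
    "bob":   {"department": "Finance", "accountEnabled": True},
    "carol": {"department": "Sales",   "accountEnabled": True},
}
AFTER = {
    "alice": {"department": "Sales",   "accountEnabled": True},   # transferred out
    "bob":   {"department": "Finance", "accountEnabled": False},  # account disabled (left)
    "carol": {"department": "finance", "accountEnabled": True},   # transferred in
    "dave":  {"department": "Finance", "accountEnabled": True},   # new joiner
}

if __name__ == "__main__":
    holders = set(reconcile(RULE, BEFORE, set())[0])
    print("initial holders:", sorted(holders))
    grant, revoke = reconcile(RULE, AFTER, holders)
    print("grant:", grant, "revoke:", revoke)
```

The reconciliation output is the point: after the attribute changes, carol and dave are granted the package while alice and bob lose it, with no request or approval step involved. It also illustrates a defender's check worth running before enabling such a policy in production: evaluate the rule offline against an export of your directory and confirm the grant and revoke lists are what you expect, since a rule that is too broad hands out access silently and a rule that is too narrow quietly revokes it.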

Some other uses for automatic assignment policies include:

  • Controlling access across multiple resources
  • Controlling access with multiple policies to contain both rules and exceptions, allowing exceptions to be automatically reviewed at a regular frequency
  • Running automated workflows upon users receiving or losing assignments