Using Entitlements to manage access to Web Apps
You have worked to plan and implement various aspects of identity and access security throughout the company tenant. This has included providing access to the tenant for members and external users. When adding a member or external user, you need to govern whether they are authorized to access resources immediately upon authenticating to the company tenant. Entitlement management provides this governance through catalogues and access packages that you build for these groups of users. Entitlement management is found under Identity Governance within Azure AD. Figure 1 shows the getting started tile of this service and where Entitlement management is found in the menu.
Let’s discuss how catalogues and access packages work to provide this governance.
Before creating catalogues and access packages, you should plan and determine how they are going to be used within your company. Entitlement management can be a helpful tool for companies that have projects which utilize internal and external users, departments that utilize different and specialized resources that other departments don’t require access to, and branch and global offices that have their own users, groups, and partners.
As someone in charge of Identity Governance, you should work with stakeholders to plan these catalogues and access packages, as well as determine how often they will be reviewed for continued use and access. Proper planning with these stakeholders will allow them to quickly provide user access to the resources that are required for a given project or department once they are onboarded.
An important aspect of the meeting with stakeholders will be to determine the member and external users that will make up the group that will be assigned to the catalogue. This group should be created before the entitlement is implemented. Stakeholders should also provide the list of applications and SharePoint sites that the entitlement will need to access.
The next section will go through the process of creating a catalogue and access package.
Once you have planned the catalogues and access packages with the necessary groups within your company, they are ready to be implemented. To better understand how catalogues and access packages are created, let’s go through the steps to create a catalogue that identifies the users and groups with access, and the applications and SharePoint sites that they have access to. Then you will step through how to assign that catalogue through the creation of an access package.
Select the enterprise and cloud applications that will be authorized for use within this catalogue. The applications allowed through the catalogue will be the enterprise and cloud applications that you select.
The applications that have been added to the entitlement catalogue can now be assigned to groups of users, either internal or external. Their access can be reviewed regularly by managers to verify that it is still needed, which protects the company. Additional information can be found on Microsoft Docs here: https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview.