Setting up access packages in Microsoft Entra entitlement management is straightforward once the licensing and role prerequisites are in place. You create an access package in the Microsoft Entra admin center under Identity governance > Entitlement management > Access packages (not under a "Security" section of the Azure portal).
Users receive an access package in one of two ways: they request it under a policy you define on the package, or an administrator assigns it to them directly. Either way, what they receive is a single assignment that can be reviewed, renewed or removed as a unit.
An access package bundles resource roles across groups, Microsoft Teams, applications and SharePoint Online sites. Assignments can be time-limited (expiring after a set duration or date) or open-ended, and the policy controls who can request, who must approve, and when access is reviewed. An access package only grants what it contains; removing the assignment removes exactly those roles and nothing a user holds through another path.
Getting Started
To get started, sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator. Other least-privileged roles that can complete this task are catalog owner and access package manager, scoped to the catalog in question.
Browse to Identity governance > Entitlement management > Access packages and select New access package to start the creation process.
Every access package lives in a catalog, and the catalog determines which resources you can add to the package. If you don't pick a catalog, the package goes into the General catalog.
As you create the access package, you also define an initial policy: who can request the package, whether requests need approval, and the lifecycle settings (expiration and access reviews) for the resulting assignments.
Resource Management
On the Resource roles tab you add the resource roles the package grants. A resource role is one role on one resource, for example Member of a group, Owner of a Team, User of an application, or a permission level on a SharePoint site.
Here's a step-by-step guide to adding resource roles:
- Select '+Groups and Teams', choose the desired groups and teams from the list, and select 'Select'.
- On the same tab you can also add 'Applications', 'SharePoint sites', and 'Microsoft Entra role (Preview)' resources.
- For each added resource, open the 'Select role' dropdown and choose the role users should receive.
Pick the least-privileged role that meets the need. Granting Owner on a group, or a privileged Microsoft Entra role, through a self-service package turns every approved request into a privilege grant, so those packages deserve stricter approval and shorter expiration than a plain Member role.
Structure Hierarchies
Catalogs are the container for both access packages and the resources those packages can draw on. The hierarchy is: a catalog holds resources (groups, teams, applications and SharePoint sites); access packages in that catalog select roles on those resources; a policy on each package defines who can request it. Delegation follows the same shape: catalog owners manage the catalog, and access package managers manage packages within it without being able to add new resources.
A catalog can include dynamic membership groups, but the only role you can select for a dynamic group in an access package is Owner, because membership is computed from the group's rule rather than assigned.
If you're creating an access package in an existing catalog, you can select any resource that's already in the catalog without needing to be an owner of that resource. If you're at least an Identity Governance Administrator or the catalog owner, you can also select resources you own or administer that aren't yet in the catalog; they're added to the catalog when the package is created.
Here are the steps to add resource roles to an access package:
- Select '+Groups and Teams' and choose the desired groups and teams from the list.
- Select the desired 'Applications', 'SharePoint sites', and 'Microsoft Entra role (Preview)' resources in the same way.
- Specify the role for each added resource by opening the 'Select role' dropdown and choosing the desired role.
- Select the 'Next: Requests' button.
By following these steps, you build a structured hierarchy of catalog, package, resource roles and policy that makes it clear who can grant what, and to whom.
License Requirements
To create access packages in entitlement management, you need a Microsoft Entra ID P2, Microsoft Entra ID Governance, or Microsoft Entra Suite license.
Some features go beyond the base requirement: Microsoft Entra roles (Preview) as package resources, Verified ID requirements on a policy, custom extensions, and sponsors as approvers are covered by the Microsoft Entra Suite license (which includes Microsoft Entra ID Governance).
Check which of these features your request and approval design will use before settling on a license.
Access Requests
To manage access requests for an access package, you specify who can request the package and who approves the requests. You can allow all users in your directory to request the package, or select specific users or groups.
To enable requests, move the Enable new requests and assignments toggle to Yes. This makes the access package immediately requestable by the users in the policy; leaving it at No lets you stage a package and review its resources before anyone can ask for it.
You can also configure approval settings: require approval, require a justification from the requestor, and define stages of approvers. You can choose up to three stages, and for each stage select the number of days within which the approver must act; if no decision is made in that window the request is automatically denied.
Start Creation
You can create an access package in the Microsoft Entra admin center, through Microsoft Graph, or with PowerShell.
In the Microsoft Entra admin center, sign in as at least an Identity Governance Administrator (the Catalog owner or Access Package manager roles can also complete this task) and follow these steps:
1. Browse to Identity governance > Entitlement management > Access package.
2. Select New access package.
3. Complete the Basics, Resource roles, Requests, Requestor information, Lifecycle and Review + Create tabs.
Note: By default, the 'General' catalog is selected in the dropdown. If you don't specify a catalog, the access package is placed in the 'General' catalog.
With Microsoft Graph, a user in an appropriate role, using an application granted the delegated EntitlementManagement.ReadWrite.All permission, can call the entitlement management API. The sequence is: list the resources in the catalog, create an accessPackageResourceRequest for any resource that isn't yet in the catalog, retrieve the roles and scopes of each resource in the catalog, create the access package, add the resource role scopes to it, and create its policies.
With PowerShell, the Microsoft Graph PowerShell cmdlets for Identity Governance (the Microsoft.Graph.Identity.Governance module) wrap the same API. The script retrieves the ID of the catalog and of the resource in that catalog, together with its scopes and roles, then creates the access package, assigns the resource roles to it, and creates the policies.
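The Graph and PowerShell procedure above, carried through as an added example; this is not the Microsoft documentation's sample script or any code from the original page. It assumes a catalog named "Marketing" and a security group named "Marketing resources" already exist (placeholder names), that the signed-in user can manage that catalog, and it uses the cmdlets of the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Groups modules against the v1.0 API. It stops after attaching the resource role; policies are created in a separate step.

```powershell
# Added example: create an access package and attach a group Member role to it.
# Assumptions (placeholders): catalog "Marketing" and group "Marketing resources" exist.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Groups

# Request only the scopes this script needs (least-privilege consent).
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "Group.Read.All"

$catalogName = "Marketing"              # assumed to exist
$groupName   = "Marketing resources"    # assumed to exist
$packageName = "Marketing campaign tools"

# 1. Catalog. Fail closed rather than silently falling back to the General catalog.
$catalog = @(Get-MgEntitlementManagementCatalog -Filter "displayName eq '$catalogName'" -All)
if ($catalog.Count -ne 1) { throw "Expected one catalog named '$catalogName', found $($catalog.Count)" }
$catalog = $catalog[0]

# 2. Resource. Ensure the group is in the catalog; an adminAdd resource request is what
#    the admin center issues when you pick a resource you own that isn't in the catalog yet.
$group = @(Get-MgGroup -Filter "displayName eq '$groupName'")
if ($group.Count -ne 1) { throw "Expected one group named '$groupName', found $($group.Count)" }
$group = $group[0]

function Find-CatalogResource {
    $all = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $catalog.Id -ExpandProperty "scopes" -All
    return $all | Where-Object { $_.OriginId -eq $group.Id -and $_.OriginSystem -eq "AadGroup" }
}
$resource = Find-CatalogResource
if (-not $resource) {
    $rq = @{
        requestType = "adminAdd"
        resource    = @{ originId = $group.Id; originSystem = "AadGroup" }
        catalog     = @{ id = $catalog.Id }
    }
    New-MgEntitlementManagementResourceRequest -BodyParameter $rq | Out-Null
    # The catalog is updated asynchronously; poll briefly until the resource appears.
    for ($i = 0; -not $resource -and $i -lt 10; $i++) {
        Start-Sleep -Seconds 3
        $resource = Find-CatalogResource
    }
    if (-not $resource) { throw "Group '$groupName' was not added to catalog '$catalogName'" }
}

# 3. Scope and role. A resource role scope pairs one role (Member here, deliberately not
#    Owner) with the resource's root scope.
$scope = $resource.Scopes | Where-Object { $_.IsRootScope } | Select-Object -First 1
$roleFilter = "originSystem eq 'AadGroup' and resource/id eq '$($resource.Id)'"
$roles = Get-MgEntitlementManagementCatalogResourceRole -AccessPackageCatalogId $catalog.Id -Filter $roleFilter -ExpandProperty "resource"
$memberRole = $roles | Where-Object { $_.DisplayName -eq "Member" } | Select-Object -First 1
if (-not $memberRole) { throw "Member role not found for group '$groupName'" }

# 4. The access package itself, placed explicitly in the chosen catalog.
$ap = New-MgEntitlementManagementAccessPackage -BodyParameter @{
    displayName = $packageName
    description = "Tools used by the marketing campaign team"
    catalog     = @{ id = $catalog.Id }
}

# 5. Attach the resource role to the package.
$roleScope = @{
    role  = @{
        id           = $memberRole.Id
        originId     = $memberRole.OriginId
        originSystem = $memberRole.OriginSystem
        resource     = @{ id = $resource.Id; originId = $resource.OriginId; originSystem = $resource.OriginSystem }
    }
    scope = @{
        id           = $scope.Id
        originId     = $scope.OriginId
        originSystem = $scope.OriginSystem
        isRootScope  = $scope.IsRootScope
    }
}
New-MgEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $ap.Id -BodyParameter $roleScope | Out-Null

# The package now exists but has no policy, so nobody can request it and nobody is
# assigned; that is the safe state to review it in before adding a request policy.
"Created access package '$($ap.DisplayName)' ($($ap.Id)) in catalog '$($catalog.DisplayName)'"
```

The two `Count -ne 1` checks matter more than they look: display names are not unique in Microsoft Entra ID, and a script that takes the first "Marketing resources" match could wire a package to the wrong group. Resolve by object ID in production and keep the name lookup only for interactive use.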
Allow Users to Request Access
To allow users to request access, you define a request policy on the Requests tab. First choose the audience: For users in your directory, For users not in your directory (users from connected organizations), or None (administrator direct assignments only).
For users in your directory, you then narrow the audience to one of three options: Specific users and groups, All members (excluding guests), or All users (including guests). If you select Specific users and groups, add them by selecting Add users and groups on the Select users and groups pane; a group such as "All employees" is the usual choice.
To enable requests, move the Enable new requests and assignments toggle to Yes. This makes the access package immediately available for the users in the request policy to request.
You can also collect requestor information by going to the Requestor information tab and selecting the Questions tab. Enter the questions you want requestors to answer, such as their reason for requesting access; the answers are shown to approvers alongside the request.
Here are the options for specifying who can request access:
- For users in your directory
  - Specific users and groups
  - All members (excluding guests)
  - All users (including guests)
- For users not in your directory
- None (administrator direct assignments only)
You can also configure the request policy to require approval and a justification from the requestor, set the number of days within which an approver must act on the request, and decide whether the approver must record a justification for the decision.
Approval Process
The approval process for access packages is designed so that requests are reviewed by the right people before access is granted. In a single-stage approval, only one of the selected approvers or fallback approvers needs to approve a request.
You specify whether approval is required by setting the Require approval toggle to Yes or No. If the policy allows external users from outside your organization to request access, require approval: without it, anyone in the connected organization who meets the policy gets the package automatically.
Here are the types of approvers you can select:
- Manager: the requestor's manager from their Microsoft Entra profile. Add a fallback approver, who receives the request if entitlement management can't find a manager for the requesting user.
- Sponsors: the users listed in the requestor's Sponsors attribute.
- Choose specific approvers: named users or groups.
For two-stage approval, add a second approver, and for three-stage approval, a third. You can also specify alternate approvers for a stage; if the primary approvers don't act within the configured number of days, the request is forwarded to the alternates so it is approved or denied before it expires.
Two-Stage Approval
Two-stage approval is a common approach. It requires one approver from each of two stages to approve a request before it's granted; a denial at either stage denies the request.
Here are the key steps to add a second approver:
- Add the Second Approver information.
- In the Decision must be made in how many days? box, specify the number of days the second approver has to approve the request.
- Set the Require approver justification toggle to Yes or No.
The second approver can be the requestor's manager, a sponsor of the user, an internal sponsor, or an external sponsor, depending on the access governance configured for the policy. Entitlement management finds sponsors by using the Sponsors attribute in the user's profile in Microsoft Entra ID.
The second approver approves or denies the pending request in the same My Access portal as the first approver.
Add Verified ID Requirement
To add a Verified ID requirement to an access package policy, you need to be a Global Administrator; this is a higher role than the Identity Governance Administrator role used for the rest of the process, so plan the change accordingly rather than granting the role broadly.
Select + Add issuer from the Microsoft Entra Verified ID network to choose an issuer that will verify user credentials. This can be a pre-existing issuer in the network or one that you create yourself.
You can select multiple credential types from one issuer, but users will be required to present credentials of all selected types. Similarly, if you include multiple issuers, users will be required to present credentials from each of the issuers.
To give users the option of presenting different credentials from various issuers, configure separate policies for each issuer or credential type you'll accept.
Here are the steps to add a verified ID requirement in more detail:
- Select an issuer from the Microsoft Entra Verified ID network.
- Select the credential types you want users to present during the request process.
- Choose to add the verified ID requirement to the access package policy.
After adding the verified ID requirement, you can verify all the settings are specified properly in the access package and click on ‘Create’ to create a new access package in Microsoft Entra entitlement management.
Request Settings
To let users in your directory request an access package, specify who can request access on the Requests tab. Choosing For users in your directory lets you then select All members (excluding guests), All users (including guests), or Specific users and groups, where you pick individual users or groups.
Guest users are external users who have been invited into your directory via Microsoft Entra B2B; the difference between the two "All" options is simply whether those guests are included.
To require approval for requests, set the Require approval toggle to Yes in the Approval section. You can also require users to provide a justification by setting the Require requestor justification toggle to Yes. Approval can be single-, two- or three-stage: in single-stage approval one approver needs to approve the request, and in multi-stage approval one approver from each stage must approve it.
Configure Basics
To configure the basics of the access package, give it a display name and description and specify which catalog to create it in.
In the Catalog dropdown list, select the catalog where you want to put the access package. You see only catalogs that you have permission to create access packages in, which means you must be at least an Identity Governance Administrator, or a catalog owner or access package manager in that catalog.
If you want to create your access package in a new catalog that's not listed, select Create new catalog, enter the catalog name and description, and select Create. The access package and any resources included in it are added to the new catalog.
Then select Next: Resource roles. On that tab you specify the roles on groups, teams, applications and SharePoint sites that users receive when the access package is assigned to them.
Specify Approval Settings
To specify approval settings for your access package, you can require approval from selected users. For single-stage approval, only one of the approvers needs to approve a request.
Approvers can be the requestor's manager, a sponsor of the user, an internal sponsor, or an external sponsor, depending on the access governance configured for the policy, or specific users and groups you choose. When you select the manager or a sponsor, add fallback approvers in case the system can't find one for the requestor.
You can choose to have requests automatically approved, or require users to provide a justification when they request the access package. Automatic approval is appropriate only for low-risk packages offered to an audience you already trust, such as members of your own directory requesting a non-privileged group.
You can also specify the number of days that an approver has to review a request for this access package; if no decision is made in that time, the request is automatically denied.
Alternate approvers can be added to each stage so that requests are approved or denied before they expire: if the primary approvers don't act within the configured number of days, the request is forwarded to the alternates.
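The request and approval settings described in the Access Requests, Allow Users to Request Access, Approval Process, Two-Stage Approval and Specify Approval Settings sections map onto a single assignment policy object in Microsoft Graph. The block below is an added example, not code from the Microsoft documentation or the original page, that creates such a policy with PowerShell. It assumes an access package named "Marketing campaign tools" and groups named "All employees" and "Marketing data owners" already exist, and that "fallback.approver@contoso.com" and "alt.approver@contoso.com" are real users; all of these are placeholder names.

```powershell
# Added example: a request policy with two approval stages, a fallback approver,
# an alternate (escalation) approver, 90-day expiration and a required question.
# Assumptions (placeholders): the package, groups and users named below exist.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "Group.Read.All", "User.Read.All"

function Get-OneGroupId([string]$name) {
    # Display names are not unique; refuse to guess when the lookup is ambiguous.
    $g = @(Get-MgGroup -Filter "displayName eq '$name'")
    if ($g.Count -ne 1) { throw "Expected exactly one group named '$name', found $($g.Count)" }
    return $g[0].Id
}

$ap = @(Get-MgEntitlementManagementAccessPackage -Filter "displayName eq 'Marketing campaign tools'")
if ($ap.Count -ne 1) { throw "Expected exactly one access package, found $($ap.Count)" }
$employeesId = Get-OneGroupId "All employees"
$ownersId    = Get-OneGroupId "Marketing data owners"
$fallbackId  = (Get-MgUser -UserId "fallback.approver@contoso.com").Id
$alternateId = (Get-MgUser -UserId "alt.approver@contoso.com").Id

$policy = @{
    displayName   = "Employees: manager then data-owner approval"
    description   = "Self-service for employees; 90-day assignments; two-stage approval"
    accessPackage = @{ id = $ap[0].Id }

    # Who can request. Admin center "Specific users and groups" = specificDirectoryUsers,
    # "All members (excluding guests)" = allMemberUsers, "All users (including guests)" = allDirectoryUsers.
    allowedTargetScope     = "specificDirectoryUsers"
    specificAllowedTargets = @(
        @{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $employeesId; description = "All employees" }
    )

    # Lifecycle: assignments expire after 90 days instead of living forever.
    expiration = @{ type = "afterDuration"; duration = "P90D" }

    # "Enable new requests and assignments" = Yes; no custom schedules from requestors.
    requestorSettings = @{
        enableTargetsToSelfAddAccess    = $true
        enableTargetsToSelfUpdateAccess = $true
        enableTargetsToSelfRemoveAccess = $true
        allowCustomAssignmentSchedule   = $false
    }

    requestApprovalSettings = @{
        isApprovalRequiredForAdd    = $true
        isApprovalRequiredForUpdate = $true
        stages = @(
            # Stage 1: the requestor's manager has 2 days; the fallback approver is used
            # when the requestor's profile has no manager set.
            @{
                durationBeforeAutomaticDenial   = "P2D"
                isApproverJustificationRequired = $true
                isEscalationEnabled             = $false
                primaryApprovers         = @( @{ "@odata.type" = "#microsoft.graph.requestorManager"; managerLevel = 1 } )
                fallbackPrimaryApprovers = @( @{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $fallbackId } )
            },
            # Stage 2: any data owner; after 2 days without a decision the request is
            # forwarded to the alternate approver, and it is auto-denied after 5 days.
            @{
                durationBeforeAutomaticDenial   = "P5D"
                isApproverJustificationRequired = $true
                isEscalationEnabled             = $true
                durationBeforeEscalation        = "P2D"
                primaryApprovers    = @( @{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $ownersId } )
                escalationApprovers = @( @{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $alternateId } )
            }
        )
    }

    # Requestor information: a required free-text question that approvers see with the request.
    questions = @(
        @{
            "@odata.type"        = "#microsoft.graph.accessPackageTextInputQuestion"
            isRequired           = $true
            isSingleLineQuestion = $false
            sequence             = 0
            text                 = @{ defaultText = "Why do you need access, and for which campaign?"; localizedTexts = @() }
        }
    )
}

$created = New-MgEntitlementManagementAssignmentPolicy -BodyParameter $policy
"Policy '$($created.DisplayName)' ($($created.Id)) created for package '$($ap[0].DisplayName)'"
```

Two design points worth noting. The admin center's "alternate approvers" are the Graph escalation approvers, which is why stage 2 sets isEscalationEnabled with a durationBeforeEscalation shorter than durationBeforeAutomaticDenial; setting them the other way round means the alternates never see the request. And the fallback approver on stage 1 is a single named user, so that user leaving the organization silently breaks approval for everyone without a manager; a small group is the more robust choice.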
Frequently Asked Questions
What is the Azure Access package?
An access package in Microsoft Entra entitlement management is a bundle of resource roles that governs access to groups, Teams, applications, and SharePoint Online sites for both internal employees and external users. It lets you manage the request, approval, expiration and review of those permissions as a single, organized unit.
How do I give subscription access to Azure?
Subscription access is a separate mechanism (Azure role-based access control, not entitlement management). In the Azure portal, select the subscription, open Access control (IAM), select Add role assignment, choose a role such as Reader or Contributor, and select the user, group or service principal to assign it to.
Sources
- https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-package-create
- https://github.com/MicrosoftDocs/entra-docs/blob/main/docs/id-governance/entitlement-management-access-package-create.md
- https://blog.admindroid.com/how-to-create-access-packages-in-microsoft-entra/
- https://www.aegissofttech.com/insights/managing-power-bi-with-azure-ad-permissions/
- https://themicrosoftcloudblog.com/2022/08/23/azure-ad-access-packages/