As part of identity and access management in Azure AD, you can now use Azure AD Entitlement Management (a feature of Azure AD Identity Governance, currently in preview) to manage access to your groups and applications for your users, both internal (employees) and external (guests), with the request and expiration workflow automated.
With Entitlement Management you bundle resources into an access package, define the rules for requesting access and for access expiration, assign the package, and keep track of activity while governing the whole access lifecycle.
You need an Azure AD Premium P2 or Enterprise Mobility + Security (EMS) E5 license.
To start evaluating it, sign in to the Azure AD portal (https://aad.portal.azure.com) or the Azure portal (https://portal.azure.com) and open the Identity Governance blade.
From there you can create an access package containing one or more of the following resource types:
- Azure AD security groups (note that the membership of groups synchronized from on-premises Active Directory is mastered on-premises and cannot be written by Azure AD, so only cloud-managed groups can actually be assigned through a package)
- Office 365 groups
- Azure AD enterprise applications (including applications published through Application Proxy)
- SaaS applications
- Custom-integrated applications
- SharePoint Online site collections
- SharePoint Online sites
Create a package
When creating a package you define the resources, the policy (who can request access, with or without approval), the assignment and access expiration, and the catalog that holds the package (use the default one or create a new catalog with the Create new catalog link on the Basic tab).
When creating a new catalog, you can choose whether it is also visible to external users (guests), who can then request access to its packages.
The role you assign for a resource added to the package depends on the resource type:
- for a group, either Owner or Member; an owner can change the group's membership directly, outside the package's approval and expiration rules, so choose Member unless ownership is really the intent
- for an application, one of the application's user roles
- for a SharePoint site, any of the SharePoint groups defined for the site (Members, Owners, Visitors, and so on); only a SharePoint Online site collection can be selected, and access to a sub-site is granted through the role you choose
Enable and create a catalog
Then you need to enable the catalog (required the first time you use the default one) from the Catalog configuration blade, which is also where you create new catalogs.
To enable the default catalog (or any custom catalog not yet enabled), click the catalog name and edit it from the Overview tab to enable it.
Access catalog and package
Your end users sign in at https://myaccess.microsoft.com
There they see every package they are allowed to request, the history of their own requests and, if they have been designated as approvers, the requests waiting for their decision.
An external user (guest) invited to a different organization can switch tenants with the Switch organization button at the top right of the window.
Advanced Settings
To manage external users who were brought in through an access package (blocking their sign-in once their last assignment expires, and automatically deleting the guest account a configured number of days after that), open the Settings blade under Entitlement Management and edit the configuration. Leaving this at the default means guests keep a working account after their access has ended, so set a short deletion delay for partner-facing catalogs.
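The two choices most likely to go wrong in this setup are the role granted per resource (Owner versus Member on a group, above) and the external-user lifecycle settings (this section). The script below is an added example, not code from the original post or from Microsoft: it reviews an exported configuration for both. The export structure, the field names (accessPackageResourceRoleScopes, accessPackageAssignmentPolicies, externalUserLifecycleAction, the scopeType values) and the sample values are constructed for the example and modeled on the Microsoft Graph beta entitlement management objects as an assumption; check them against the current schema before running it on a real export.

```python
"""Review an exported Entitlement Management configuration for risky settings."""
import copy
import json
from dataclasses import dataclass

# Constructed sample export. Object shapes and field names are an assumption
# modeled on the Microsoft Graph beta entitlement management resources
# (accessPackage with expanded resource role scopes and assignment policies,
# plus the tenant-wide settings); verify against the real schema first.
SAMPLE_EXPORT = json.loads(r"""
{
  "accessPackages": [
    {"id": "pkg-1", "displayName": "Partner project",
     "accessPackageResourceRoleScopes": [
       {"accessPackageResourceRole": {"displayName": "Owner", "originSystem": "AadGroup"},
        "accessPackageResourceScope": {"displayName": "sg-project-x"}}],
     "accessPackageAssignmentPolicies": [
       {"displayName": "Partners",
        "requestorSettings": {"scopeType": "AllExternalSubjects"},
        "requestApprovalSettings": {"isApprovalRequired": false},
        "expiration": {"type": "noExpiration"}}]},
    {"id": "pkg-2", "displayName": "Internal tools",
     "accessPackageResourceRoleScopes": [
       {"accessPackageResourceRole": {"displayName": "Member", "originSystem": "AadGroup"},
        "accessPackageResourceScope": {"displayName": "sg-tools"}},
       {"accessPackageResourceRole": {"displayName": "Visitors", "originSystem": "SharePointOnline"},
        "accessPackageResourceScope": {"displayName": "https://contoso.sharepoint.com/sites/tools"}}],
     "accessPackageAssignmentPolicies": [
       {"displayName": "Employees",
        "requestorSettings": {"scopeType": "AllExistingDirectoryMemberUsers"},
        "requestApprovalSettings": {"isApprovalRequired": true},
        "expiration": {"type": "afterDuration", "duration": "P90D"}}]}
  ],
  "settings": {"externalUserLifecycleAction": "none",
               "daysUntilExternalUserDeletedAfterBlocked": 30}
}
""")

# requestorSettings.scopeType values that admit users from outside the tenant
# (assumed value names, see the lead-in).
EXTERNAL_SCOPES = {"AllExternalSubjects", "AllExistingConnectedOrganizationSubjects",
                   "AllConfiguredConnectedOrganizationSubjects"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    subject: str    # access package display name, or "tenant" for settings
    message: str


def review_export(export):
    """Return the list of risky settings found in an export dict."""
    findings = []
    for pkg in export["accessPackages"]:
        name = pkg["displayName"]
        # Owner on a group lets the requestor change membership directly,
        # bypassing the package's own approval and expiration rules.
        for rs in pkg["accessPackageResourceRoleScopes"]:
            role = rs["accessPackageResourceRole"]
            scope = rs["accessPackageResourceScope"]["displayName"]
            if role["originSystem"] == "AadGroup" and role["displayName"] == "Owner":
                findings.append(Finding("high", name,
                    f"grants Owner on group {scope}; Member is usually enough"))
        # External requestors without approval, and assignments that never
        # expire, are the policy settings a reviewer should question first.
        for pol in pkg["accessPackageAssignmentPolicies"]:
            external = pol["requestorSettings"]["scopeType"] in EXTERNAL_SCOPES
            approval = pol["requestApprovalSettings"]["isApprovalRequired"]
            if external and not approval:
                findings.append(Finding("high", name,
                    f"policy '{pol['displayName']}' admits external users without approval"))
            if pol["expiration"]["type"] == "noExpiration":
                findings.append(Finding("medium", name,
                    f"policy '{pol['displayName']}' has no expiration"))
    # With lifecycle action "none", guests keep their account after their
    # last assignment expires.
    if export["settings"]["externalUserLifecycleAction"] == "none":
        findings.append(Finding("medium", "tenant",
            "guests are never blocked or deleted after their last assignment expires"))
    return findings


# The same export with the weak settings corrected, for comparison.
HARDENED_EXPORT = copy.deepcopy(SAMPLE_EXPORT)
_pkg = HARDENED_EXPORT["accessPackages"][0]
_pkg["accessPackageResourceRoleScopes"][0]["accessPackageResourceRole"]["displayName"] = "Member"
_pol = _pkg["accessPackageAssignmentPolicies"][0]
_pol["requestApprovalSettings"]["isApprovalRequired"] = True
_pol["expiration"] = {"type": "afterDuration", "duration": "P30D"}
HARDENED_EXPORT["settings"]["externalUserLifecycleAction"] = "blockSignInAndDelete"

if __name__ == "__main__":
    for label, export in (("sample", SAMPLE_EXPORT), ("hardened", HARDENED_EXPORT)):
        results = review_export(export)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.severity}] {f.subject}: {f.message}")
```

Run against the constructed sample it reports four findings (two high, two medium), all on the partner package and the tenant settings; the hardened copy, which swaps Owner for Member, requires approval, expires assignments after 30 days and blocks and deletes guests, reports none. On a real tenant the same checks would run over objects pulled from the Graph beta endpoints, with the field names adjusted to whatever the current schema exposes.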