Azure AD – You can now use automatic assignment with Access Package

If you have an Azure AD P2 or Enterprise Mobility + Security E5 license, you are probably aware of the Identity Governance capabilities, which allow you to control the identity and access lifecycle at scale.

One of these capabilities is Access Package, which allows you to create packages of content (groups, Teams, SharePoint sites) and application permissions that can be requested by your end users (either internal or external [guest]).

Such packages are then made available using policies which automatically trigger a review process every 90 days for internal users or 60 days for external users.

While this helps ensure that access to assigned resources is removed once it is no longer needed, the delay before the review is triggered adds unnecessary risk. In addition, users first have to request access to the package, which can delay their access to the resources they need.

Well, good news, this is no longer the case: you can now use automatic/dynamic assignment with an Access Package, which immediately grants or revokes the access package for a user when their attributes are updated.

It works the same way as Dynamic Group Membership.

So, you now have 3 ways to define Access Package policies.

To start using this new automatic/dynamic Access Package assignment, connect to your Azure AD portal (https://aad.portal.azure.com/) or Entra portal (https://entra.microsoft.com/) and open the Identity Governance blade.

Then open the Access Package blade.

You can now edit the policies assigned to your Access Package to use the Auto assignment policy.
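The same auto assignment policy can also be created through Microsoft Graph, which makes the attribute rule reviewable as text. This is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell SDK, a constructed department rule, and a placeholder access package ID.

```powershell
# Added example. Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes 'EntitlementManagement.ReadWrite.All'

$accessPackageId = '<ACCESS-PACKAGE-ID>'        # placeholder: ID of your access package
$rule = '(user.department -eq "Sales")'         # constructed rule, dynamic-group syntax

$policy = @{
    displayName            = 'Auto-assign: Sales department'
    description            = 'Grant while the rule matches, revoke when it stops matching'
    allowedTargetScope     = 'specificDirectoryUsers'
    specificAllowedTargets = @(
        @{
            '@odata.type'  = '#microsoft.graph.attributeRuleMembers'
            description    = 'Users whose department is Sales'
            membershipRule = $rule
        }
    )
    automaticRequestSettings = @{
        # Grant the package to every user matching the rule, without a request.
        requestAccessForAllowedTargets             = $true
        # Remove the assignment once the user no longer matches the rule.
        removeAccessWhenTargetLeavesAllowedTargets = $true
    }
    accessPackage = @{ id = $accessPackageId }
}

$base = 'https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement'
$created = Invoke-MgGraphRequest -Method POST -Uri "$base/assignmentPolicies" `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# Read the policy back and confirm the rule and settings that were stored.
$check = Invoke-MgGraphRequest -Method GET -Uri "$base/assignmentPolicies/$($created.id)"
$check.specificAllowedTargets | ForEach-Object { $_.membershipRule }
$check.automaticRequestSettings

# List who currently holds the package, to compare against the intended population.
$uri = "$base/assignments?`$filter=accessPackage/id eq '$accessPackageId'&`$expand=target"
(Invoke-MgGraphRequest -Method GET -Uri $uri).value |
    ForEach-Object { '{0}  {1}' -f $_.state, $_.target.displayName }
```

Because any change to the matched attribute grants or revokes access, the rule should only reference attributes that end users cannot edit themselves.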
