Protecting Your Organization’s Resources with Microsoft Entra’s (Azure AD’s) Powerful Tools

In today’s digital age, protecting your organization’s resources is more important than ever. With the rise of cyber threats and data breaches, it’s crucial to have the right tools in place to manage access and enforce security policies. Microsoft Entra ID (formerly Azure Active Directory, Azure AD) offers a range of powerful features to help you do just that, including access packages, Conditional Access, and Privileged Identity Management. In this blog post, I will explore these features and show you how to use them to maximize the security of your organization’s resources.

Access Packages

Access packages in Microsoft Entra ID (Azure AD) allow administrators to manage access permissions to groups, applications, and SharePoint sites in a more efficient way. An access package consists of resources and policies that automatically administer access for the life of the access package. Users can request access to an access package and may need approval depending on the policies. This allows administrators to easily manage access to resources without having to manually grant or revoke permissions. Access packages can be used to assign access to roles of multiple resources that are in the catalog, making it easier to manage access for teams or projects.

Conditional Access

Conditional Access is a powerful tool in Microsoft Entra ID that allows administrators to enforce organizational access policies for resources. Conditional Access policies are like if-then statements that can block access, require multifactor authentication, or restrict the user’s session based on signals such as user, device, and location. This allows administrators to protect their organization’s resources by limiting users’ access based on specific conditions. For example, a Conditional Access policy could require multifactor authentication for any user accessing privileged resources, adding an extra layer of security.

Most Conditional Access policies should be set at the management group level or for the entire Microsoft Entra ID tenant. Sometimes, however, you need more specific Conditional Access policies for certain groups.

Privileged Identity Management (PIM)

Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables administrators to manage, control, and monitor access to important resources in their organization. These resources include resources in Microsoft Entra ID, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. With PIM, administrators can provide as-needed and just-in-time access to Azure resources, Microsoft Entra resources, and other Microsoft online services. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources.

Using these three features in combination can greatly increase the security of your organization’s resources. Access packages make it easier to manage access permissions, while Conditional Access allows you to enforce organizational access policies for resources. Privileged Identity Management provides an extra layer of security by allowing administrators to manage, control, and monitor access to important resources. By using these features together, you can ensure that your organization’s resources are protected and that users have the appropriate level of access they need to be productive.

IaC

Using IaC to control features such as access packages, conditional access, and privileged identity management in Microsoft Entra ID can provide several benefits. For example, you can use IaC to automate the deployment of access packages, making it easier to manage access permissions for groups, applications, and SharePoint sites. You can also use IaC to automate the deployment of Conditional Access policies, allowing you to enforce organizational access policies for resources more efficiently. Similarly, you can use IaC to automate the deployment of Privileged Identity Management (PIM), making it easier to manage, control, and monitor access to important resources in your organization.

Overall, using IaC to control these features in Microsoft Entra ID can help you to increase security, improve efficiency, and reduce the risk of human error. By automating the deployment and management of these features through code, you can ensure that your infrastructure is always configured according to best practices and that changes are made in a consistent and controlled manner.

I have spent some time creating a Terraform module that can set up access packages, Conditional Access and PIM for Microsoft Entra ID groups. Using this module makes it easy to ensure that every group is configured with the same general rules and to track changes to the permissions. Check out the Terraform module here: GitHub – hlokensgard/az-ad-groups.

I have created the module with the Azure Landing Zone (ALZ) reference architecture as a starting point. In the ALZ architecture it is common to create Microsoft Entra ID groups scoped to the subscription level, so the PIM scope in the module is also set to the subscription level.

Example of configuring a Microsoft Entra ID group

Using the Terraform module it is easy to set up a Microsoft Entra ID group with the following elements:

  • Access Packages
  • Conditional Access
  • Privileged Identity Management (PIM)

Using the following configuration for the module will deploy the following security features:

  • PIM
    • Owner on the subscription level for the Microsoft Entra ID group
  • Conditional Access
    • Not enabled (state = "disabled"). Best practice is to create the policy and verify that it works in your tenant before enabling it. When enabled, it requires MFA.
    • Change the users to those you want the policy to affect. It will automatically be applied to the Microsoft Entra ID group that is created.
  • Access Packages
    • A new catalog with an access package included.
module "az_ad_group" {
  # Module source derived from the repository linked above (hlokensgard/az-ad-groups).
  source = "github.com/hlokensgard/az-ad-groups"

  azure_ad_group_configuration = {
    display_name     = "testing-az-ad-groups-module"
    security_enabled = true
    members          = ["testuser@somedomain.com"]
  }

  enable_conditional_access = true
  conditional_access_configuration = {
    display_name = "testing-module"
    conditions = {
      application = {
        included_applications = ["All"]
      }
      client_app_types = ["browser"]
      users = {
        included_users = ["None"]
      }
    }
    # Created disabled on purpose: verify the policy in the tenant before enabling it.
    state = "disabled"
    grant_controls = {
      operator          = "OR"
      built_in_controls = ["mfa"]
    }
  }

  enable_access_package = true
  access_packages_configuration = {
    create_new_package_catalog = true
    access_package_catalog = {
      display_name = "testing-catalog"
      description  = "A testing catalog"
    }
    access_packages = {
      display_name = "Testing package"
      description  = "A testing package"
    }
    access_package_assignment_policy = {
      description  = "A testing policy"
      display_name = "Testing policy"
      approval_settings = {
        approval_required               = true
        approval_required_for_extension = true
        approval_stage = {
          approval_timeout_in_days = "14"
          primary_approver = {
            backup       = true
            object_id    = "ObjectId of the user"
            subject_type = "singleUser"
          }
        }
      }
      assignment_review_settings = {
        enabled                        = true
        review_frequency               = "weekly"
        duration_in_days               = 3
        review_type                    = "Self"
        access_review_timeout_behavior = "keepAccess"
      }
      duration_in_days = "90"
      question = {
        choice = {
          actual_value = "Yes"
          display_value = {
            default_text = "Yes"
          }
        }
        text = {
          default_text = "Do you want to request access?"
        }
      }
    }
  }

  enable_pim = true
  pim_configuration = {
    # PIM: Owner role on the subscription scope for the group, with an 8-day expiration.
    subscription_id              = var.subscription_id
    role_definition_display_name = "Owner"
    schedule = {
      expiration = {
        duration_days = 8
      }
    }
  }
}
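As an added example (not code from the hlokensgard/az-ad-groups module), here are the group, the Conditional Access policy and the PIM eligibility written directly against the hashicorp/azuread and hashicorp/azurerm providers. It goes beyond the configuration above in one respect: instead of a disabled policy with users set to "None" and only browser clients, it starts the policy in report-only mode, targets the created group across all client types, and excludes an emergency-access account. The variable var.break_glass_object_id and the resource names are assumptions.

```hcl
# Added example, not the az-ad-groups module's code. Assumes configured azuread
# and azurerm providers and var.break_glass_object_id (emergency-access account).

resource "azuread_group" "team" {
  display_name     = "testing-az-ad-groups-module"
  security_enabled = true
}

# Report-only mode: sign-ins are evaluated and logged but nothing is enforced
# yet. Switch state to "enabled" once the sign-in logs show no surprises.
resource "azuread_conditional_access_policy" "require_mfa" {
  display_name = "testing-module"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    # "all" also covers mobile/desktop clients that ["browser"] alone would skip.
    client_app_types = ["all"]
    applications {
      included_applications = ["All"]
    }
    users {
      # Target the group itself instead of ["None"], and exclude the break-glass
      # account so an MFA outage cannot lock out every administrator.
      included_groups = [azuread_group.team.object_id]
      excluded_users  = [var.break_glass_object_id]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }
}

# Eligible (not active) Owner on the subscription: members must activate the
# role through PIM, and the eligibility itself expires after 8 days.
data "azurerm_subscription" "current" {}

data "azurerm_role_definition" "owner" {
  name = "Owner"
}

resource "azurerm_pim_eligible_role_assignment" "owner" {
  scope              = data.azurerm_subscription.current.id
  role_definition_id = "${data.azurerm_subscription.current.id}${data.azurerm_role_definition.owner.id}"
  principal_id       = azuread_group.team.object_id

  schedule {
    expiration {
      duration_days = 8
    }
  }
}
```

Review the report-only results under Entra sign-in logs before flipping state to "enabled"; the break-glass exclusion should stay in place permanently.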

Summary

In this blog post, I have presented some of the features of Microsoft Entra ID that can help you to manage access and enforce security policies within your organization. These features include access packages, Conditional Access, and Privileged Identity Management. I also discussed how using Infrastructure as Code (IaC) can help you to automate the deployment and management of these features, increasing security, improving efficiency, and reducing the risk of human error. By using these tools in combination, you can ensure that your organization’s resources are protected and that users have the appropriate level of access they need to be productive. I also provide a Terraform module to help you get started.

One reply to «Protecting Your Organization’s Resources with Microsoft Entra’s (Azure AD’s) Powerful Tools»

  1. Good walkthrough, this will almost certainly be useful for my team.