A little bit of security goes a long way. When we move into the cloud, our identities become the new edge of our networks, and we need to protect our identities and all that goes along with them. We're going to start a micro series around Azure identity governance, and we're kicking it off today with entitlement management.

I'm Dean Cefola and this is The Azure Academy! Microsoft, across all of its products and services, has a philosophy called least privilege, and that's where we say that you don't need more permissions than you need to do what you have to do. In the cloud, this is where Azure Active Directory identity governance comes in. Identity governance allows you to balance your organization's need for security and productivity. It's where we can ensure that the right people have the right access to the right resources at the right times, and when they don't need them, we take that access away, which increases our security by reducing our risk footprint. But that's only half the story, because the other side of this comes in where we need to review all of these accesses and processes to make sure that they're all still valid right now. And this starts off with creating access packages.

So to understand access packages, let me set the stage for you. Think about when you got your new job: you just got hired, you're super excited, you get there for your very first day, and you get brought down to the security office. They take your picture, they give you a badge, and then they give you a computer. I know it may feel like you get this old piece of junk, but usually it looks kind of more like this. Then you usually sit down with somebody who's your onboarding buddy, and they're going to help you to learn the ropes, and your manager would submit a workflow that would then give you all of the access to the applications and groups that you need to be a member of to do your job.

And this is where access packages come in. So think about contractors coming in to do work in your organization, or people who are going to join a group for a project, and then after that project is over they don't need that access anymore. Of course you can make this more of a long-term function, and we'll get into the pros and cons of that in our next video on access review, so be sure that you're subscribed so you don't miss that.

So let's go over to the Azure portal, and at the top search bar we're going to look for identity governance, and we'll click on that. You can see identity governance has three different sections: today is entitlement management, next we'll be doing access review, and then privileged identity management, which is where we control all of the keys to the kingdom. And just one thing before we get started: identity governance is one of those things that requires an Azure AD P2 license, and if you're unfamiliar with how to get that, we have covered that in a previous video which I'll have linked up here on the top right.

Let's click to create an access package, and we have to give it a name. We'll just call this our onboarding package, and it's a general package for all users to give them all the basic things that they need. This third item here is around the catalog, and we're going to skip that for now; we'll come back to that in a minute. Right now let's click next to add our resource roles. Now there are three kinds of resources that we can add to an access package: SharePoint sites, applications, and groups and teams. Now I have all my basic stuff here, and I have to now select roles for each of these items, and the type of role permission that you get here is going to be determined on whether it's a SharePoint site, application, or group. With all my appropriate access selected, I'll hit next.

This is where we can determine if our access package is for those inside or outside our directory. Think about B2C type models, or where you have guests coming into your environment, maybe short-term contractors, that kind of thing. Or you can just skip all of that and do direct assignment. So for this one I'll just pick users inside my directory. Then we get further options where we can specify users or groups, so I'll select all members excluding my guests. Now we have the choice of whether or not we want to require approval, so I'll select yes for this, and here we can force the requester to give us a justification, which I'm not going to do in this case because this is just a new user onboarding. We can select multiple stages of approvers if we want, but again I'll just stick with one, and then we have the approver themselves. We can have that be a manager, which is what I'll do, and this could be maybe someone who's in charge of your project. I'll click to add an approver, and we'll add the user Superman for this. Then we have the number of days Superman will have to decide whether or not to grant access; the default here is 14, but because this is for a new user onboarding we'll say five days. Then, does Superman have to give us a justification for granting this access? In this case I will select no. Then there are some advanced options that you could do, and that would be things like: if no action was taken in five days by Superman, should we forward this to somebody else? In this case I'll say yes, and that'll be Adam Warlock, and we'll hit select for that, and then we'll forward that over to him in four days. But I'm ready to go, so I'll say yes and hit next for my life cycle.

Now this has to do with the life cycle of the access package, and you can have it expire on a specific date on the calendar, or after a certain number of days, or make it indefinite, which is what I'll do because this is for my new users to be onboarded. And I will be requiring access review on this, and we'll leave these settings as is so we don't spoil our next video, and we'll click next. We can review everything that we have set up here, and when we're ready we hit create, and our package is complete. I've also got another one here for a marketing campaign.

Let's take a look inside our onboarding package. On the left here we have the resources, and of course you can edit anything here that you need to. Under policies we've got the initial policy that we created here, and this shows who can modify this package, the approver, when it expires, all of that information. Then the other things on the left are our assignments, requests, and access review, which we'll come back to in our next video.

Now let's go back to the overview. Once you get all of this stuff set up, the only thing you need to do for that brand new user on their first day: they log on to that wonderful new computer and they use this link to access the package. We'll open this in a private browsing window so you can see the experience. Here is our onboarding package, so we'll check the box here and request access. There's a field here for justification, and now we'll hit submit, and we see that our package is being processed. We can view the details, and we can see that this was submitted by Nova and it is pending approval. So let's flip over to Superman, since Superman here is the approver, and we've got a pending approval here for Nova, so we'll click on the box and click approve. We can see our due date here, any of the requester details from Nova, as well as the items that he's going to gain access to once I make this approval, and your justification here will be required depending on how you set up the package. I'll just put in some details here and click approve, so we see Nova is successfully approved. If we go back to his experience, we can see that Superman has approved and now we are delivering the package.

So you see how easy that was for Nova. It was his very first day, he didn't know his way around, he didn't know who to ask for all of the things that he needed, he didn't even really know what he needed. All he had to do was go through that one link and click submit for his access request. It went through the approval process, Superman approved it as the HR manager, our packages have been delivered, and notification sent to our user. And there you go: now we've got access to our internal stuff so we can start our job.

I've got another access package here for the marketing campaign, and I'm going to click on that and then click the plus again to request access. I'll put in my justification, and this one will have a specific date, and we'll be done with this campaign by the end of September, so I'll click submit for that. The request is now being processed, and we see that our approval is pending, and Superman is going to take care of that. So let's go back to the Azure portal and see what's inside this campaign.

But before we take a look at the access package, we want to go back to that idea of catalogs on the left here. I do have a catalog for marketing, and you can see that there is one access package and seven resources associated with this catalog. So a catalog is a way to group things together ahead of time, so you could make something, or all marketing campaigns could be inside a catalog with multiple access packages. We're going to go and create one of these in just a moment, but I want you to see what it all looks like first. So under the resources we have every single resource related to marketing, and then we have our single access package, and inside this package we've also got those similar kinds of resources. Now why would we have the same thing in both places? To explain that, let's start from the beginning of a catalog.

So go to create a new catalog, and we'll call this Windows Virtual Desktop resources, and since today WVD does not allow external or guest users, I'll turn that feature off and we'll hit create. Now we've got our catalog, so let's see what we can put in here. We'll go under our resources and click to add resources, and I'm going to add multiple Azure AD groups. I've got several of them here that all start with WVD, so I'll click select for that; these are all security groups, which we'll add. Then under the access packages we'll go to create a new package, and we'll give it a name and description of WVD personal desktop. Then we'll go to add our groups, and over here on the top right there's a check box to see only groups and teams that are in our catalog. So I'll check that box, and that reduces the entire list of everything in my domain down to just the groups entitled around this particular catalog. So I'll click to add my particular group for personal desktops and hit select. That's the only thing I'm going to add here, and we'll click next.

Now first of all, see that the "For users not in your directory" option is grayed out, and this is because we checked that no flag earlier that this is not a catalog for external users; this is one for users in our directory. We want this for specific users and groups, not just anybody in our environment, so we'll scroll down a little bit and we'll add a specific group, and I'll add my WVD users group for this. These are all the people in my organization who are entitled for WVD access. For this group I'm not going to require approval, and we will set this to enabled and go next for our life cycle. This package will have an expiration date of never, but it will need access review on a monthly basis, and this will be reviewed by a specific reviewer, which will be the WVD admin. Next, and create.

Here's another group I'll create for remote application access for Windows Virtual Desktop, and we'll go basically through the same process that we did before; we'll just add the specific group for WVD remote app marketing, and now we have several packages inside this catalog.
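The catalog walkthrough above shows two portal behaviours worth having in your head as rules: a package can only draw on resources that were first added to its catalog (which is why the same groups appear under both), and a catalog with external users switched off cannot offer its packages to users outside the directory. The following is an added example, not code from the video or from Microsoft, that models those two rules offline; the group names and the Catalog, AccessPackage and ResourceRole classes are constructed for illustration.

```python
"""
Added example (not code from the Azure Academy video or from Microsoft): an
offline model of the catalog -> access package -> resource relationship that
the portal enforces, using constructed group names that mirror the video.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ResourceRole:
    resource_id: str    # constructed stand-in for an Azure AD object id
    resource_type: str  # "group", "application" or "sharepoint"
    role: str           # "Member", "Owner", "Visitor", ...


@dataclass
class Catalog:
    name: str
    external_users_enabled: bool  # the switch turned off for the WVD catalog
    resources: set = field(default_factory=set)

    def add_resource(self, resource_id):
        self.resources.add(resource_id)


@dataclass
class AccessPackage:
    name: str
    catalog: Catalog
    roles: list = field(default_factory=list)

    def add_role(self, role):
        # A package may only include resources already in its catalog; this is
        # why the same group shows up under both the catalog and the package.
        if role.resource_id not in self.catalog.resources:
            raise ValueError(
                f"{role.resource_id!r} is not in catalog {self.catalog.name!r}")
        self.roles.append(role)

    def may_target_external_users(self):
        # Portal greys out "users not in your directory" when this is False.
        return self.catalog.external_users_enabled


def catalog_filter(directory_groups, catalog):
    """The 'only groups and teams in this catalog' checkbox from the video."""
    return sorted(g for g in directory_groups if g in catalog.resources)


# Constructed directory contents that mirror the video's naming scheme.
DIRECTORY_GROUPS = {"wvd-personal-desktop", "wvd-remote-app-marketing",
                    "wvd-users", "marketing-team", "hr-all"}


def build_wvd_catalog():
    """Rebuild the catalog and the two WVD packages created in the video."""
    catalog = Catalog("Windows Virtual Desktop resources",
                      external_users_enabled=False)
    for group in DIRECTORY_GROUPS:
        if group.startswith("wvd"):          # "all start with WVD"
            catalog.add_resource(group)
    personal = AccessPackage("WVD personal desktop", catalog)
    personal.add_role(ResourceRole("wvd-personal-desktop", "group", "Member"))
    remote = AccessPackage("WVD remote app marketing", catalog)
    remote.add_role(ResourceRole("wvd-remote-app-marketing", "group", "Member"))
    return catalog, [personal, remote]


if __name__ == "__main__":
    cat, pkgs = build_wvd_catalog()
    print("catalog offers:", catalog_filter(DIRECTORY_GROUPS, cat))
    for p in pkgs:
        print(p.name, "external allowed:", p.may_target_external_users())
```

Trying to add the marketing-team group to a WVD package raises, which is the same outcome the portal gives you by simply not listing it once the catalog checkbox is ticked.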
Now before we go through the approval process, I want to show you the Windows Virtual Desktop app groups. I've got a group here for Teams, and if we look at the assignments, I've got a group called WVD remote apps for marketing. Over in Azure Active Directory, if we look at the groups, there is my marketing group, and at the moment there are no members in this group. So going back to identity governance, we've got our access package here for marketing and our remote app, so I'll copy that link, and we'll go through our approval. We'll add our business justification, and we'll set our request date period of time, and we'll hit submit. By now the workflow completed, so we can go to our Azure Active Directory, take a look at our WVD remote marketing group under members, and Nova has been added automatically. Inside the WVD client we can see the apps that we have been enabled for.

So there's one more thing that we'll cover today, and that is how we can invite third parties, or someone that we're partnering with to do a project: how can we invite them into our environment securely? Let's return to identity governance. Over here on the left in the blade we have connected organizations; we'll click on that link. Now you see I don't have one at the moment, but we can just add one here at the top. I've entered the name of the company and a brief description about them, and we'll click next. Then we'll click to add their directory, and this would be the last part of their UPN; we'll click add for that and click select. Now we'll click next, and we do need an internal sponsor who's authorizing this, and we'll make that Superman. You can also add an external sponsor if you want to, but we'll just click next and then click create.

Now that we've got the organization set up, let's create a new package for them, and we'll name this package CAF Accounting, and we'll click next. I've added the roles: one here for a group called guest accounting, and the other is ServiceNow, and we'll click next. Here we want to choose the middle option, for users not in our directory. Then when we scroll down we have the choice of picking a specific organization or enabling this for all. We'll go ahead and add our directory, that's the Ignite cloud, and we will be requiring approval, and the user will have to provide justification. Here we have the choice of the internal or external sponsors that we had selected earlier, or we could select a particular user; I'll just use the internal sponsor since I've got that. We'll select yes to enable and click next for our life cycle, and we'll have this package expire after 30 days, and we will set up our access review, and this will be done by Adam Warlock. We'll click next and then click create, and that is now created. Now we can either send this link over to our friends at CAF Accounting, or they can open their browsers to myaccess.microsoft.com slash the organization name, and now they need to log in using their own credentials.
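The two policies built in the portal, the internal onboarding policy earlier and the CAF Accounting guest policy just now, are the same object with different settings, and the places where a policy can be misconfigured (an escalation that fires after the stage has already timed out, a connected-organization scope with no organization attached, an approval stage with nobody in it) are easier to see when the policy is written down than when it is spread over wizard pages. The block below is an added example, not code from the video or from Microsoft: it builds both policies as Microsoft Graph-style request bodies and runs a coherence check over them. The field names follow the accessPackageAssignmentPolicy resource of the original entitlement management API as I know it and must be verified against the current Graph reference before use; every id (SUPERMAN_ID, ADAM_WARLOCK_ID, IGNITE_ORG_ID) is constructed, and the access-review recurrence and reviewer for the onboarding policy are assumptions, since the video left those defaults untouched.

```python
"""
Added example (not from the video and not Microsoft's code): the two
assignment policies configured in the video as Graph-style request bodies,
plus a coherence check to run before they would ever be POSTed.
Field names follow the original accessPackageAssignmentPolicy resource and
should be checked against the current Graph reference; all ids are constructed.
"""

SUPERMAN_ID = "11111111-1111-1111-1111-111111111111"       # constructed user id
ADAM_WARLOCK_ID = "22222222-2222-2222-2222-222222222222"   # constructed user id
IGNITE_ORG_ID = "33333333-3333-3333-3333-333333333333"     # constructed connected org id


def single_user(user_id):
    return {"@odata.type": "#microsoft.graph.singleUser", "userId": user_id}


def approval_stage(primary, timeout_days, escalate_to=None,
                   escalate_after_days=0, approver_justification=False):
    """One approval stage; escalation forwards the request if nobody acts."""
    return {
        "approvalStageTimeOutInDays": timeout_days,
        "isApproverJustificationRequired": approver_justification,
        "isEscalationEnabled": escalate_to is not None,
        "escalationTimeInMinutes": escalate_after_days * 24 * 60,  # Graph uses minutes
        "primaryApprovers": primary,
        "escalationApprovers": escalate_to or [],
    }


def onboarding_policy(package_id):
    """Onboarding package: all members (no guests), Superman approves within
    5 days, forwarded to Adam Warlock after 4, no expiration."""
    return {
        "accessPackageId": package_id,
        "displayName": "Initial policy",
        "durationInDays": None,
        "expirationDateTime": None,
        "requestorSettings": {"scopeType": "AllExistingDirectoryMemberUsers",
                              "acceptRequests": True, "allowedRequestors": []},
        "requestApprovalSettings": {
            "isApprovalRequired": True,
            "isRequestorJustificationRequired": False,
            "approvalMode": "SingleStage",
            "approvalStages": [approval_stage([single_user(SUPERMAN_ID)], 5,
                                              [single_user(ADAM_WARLOCK_ID)], 4)],
        },
        # Review was enabled with defaults in the video; these values are assumptions.
        "accessReviewSettings": {"isEnabled": True, "recurrenceType": "monthly",
                                 "reviewerType": "Reviewers", "durationInDays": 14,
                                 "reviewers": [single_user(SUPERMAN_ID)]},
    }


def external_policy(package_id):
    """CAF Accounting package: only the connected organization may request,
    justification required, internal sponsor approves, access lasts 30 days."""
    return {
        "accessPackageId": package_id,
        "displayName": "CAF Accounting guests",
        "durationInDays": 30,
        "expirationDateTime": None,
        "requestorSettings": {
            "scopeType": "SpecificConnectedOrganizationSubjects",
            "acceptRequests": True,
            "allowedRequestors": [
                {"@odata.type": "#microsoft.graph.connectedOrganizationMembers",
                 "connectedOrganizationId": IGNITE_ORG_ID}],
        },
        "requestApprovalSettings": {
            "isApprovalRequired": True,
            "isRequestorJustificationRequired": True,
            "approvalMode": "SingleStage",
            "approvalStages": [approval_stage(
                [{"@odata.type": "#microsoft.graph.internalSponsors"}], 14,
                approver_justification=True)],
        },
        "accessReviewSettings": {"isEnabled": True, "recurrenceType": "monthly",
                                 "reviewerType": "Reviewers", "durationInDays": 14,
                                 "reviewers": [single_user(ADAM_WARLOCK_ID)]},
    }


def validate_policy(policy):
    """Return a list of findings; an empty list means the policy is coherent."""
    findings = []
    req = policy["requestorSettings"]
    if req["scopeType"].startswith("Specific") and not req["allowedRequestors"]:
        findings.append("specific scope but no allowed requestors: nobody can request")
    if policy["durationInDays"] is not None and policy["expirationDateTime"] is not None:
        findings.append("both a duration and an expiration date are set")
    appr = policy["requestApprovalSettings"]
    if appr["isApprovalRequired"] and not appr["approvalStages"]:
        findings.append("approval required but no approval stage defined")
    for n, stage in enumerate(appr["approvalStages"], 1):
        if not stage["primaryApprovers"]:
            findings.append(f"stage {n}: no primary approver")
        if stage["isEscalationEnabled"]:
            if not stage["escalationApprovers"]:
                findings.append(f"stage {n}: escalation enabled without an escalation approver")
            if stage["escalationTimeInMinutes"] >= stage["approvalStageTimeOutInDays"] * 24 * 60:
                findings.append(f"stage {n}: escalation fires after the stage has already timed out")
    return findings


if __name__ == "__main__":
    for p in (onboarding_policy("pkg-onboarding"), external_policy("pkg-caf")):
        print(p["displayName"], "->", validate_policy(p) or "ok")
```

Running validate_policy before the POST is the point: the portal wizard will happily accept a forwarding delay longer than the stage timeout, and the result is a request that silently expires instead of reaching Adam Warlock.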
So I'll log in with Jane Doe at Ignite CAF Demo and click next, and now we can see the access package. If we click the drop down, none of the contents are visible until we are approved, so let's go ahead and do that. We'll add our justification, and because this is from another organization we have to check the box here, basically granting consent, and we'll click submit for that. Now we can, like before, see the approval process. Flipping over to Superman, who's the approver for this package, we can click on that and hit approve, and we have to provide a justification as well, and then we'll click approve on that. Back in Jane's portal we can see that Superman approved and our access was delivered. So if we go now under access packages, we've got our package under active here, and if we click on that, then we can see that we have been made a member of the guest group and the ServiceNow app. So click to open the guest app. Now Jane has to consent to MS Azure Academy being able to see her name and her picture and email address and all of that stuff, so we'll click accept for that. Now we can see any of the groups that we are a member of, which is the guest accounting group. Let's go into the Azure portal, and if we go to the directories button, we can see the MS Azure Academy is here, which we can now join. We'll go to all resources to see exactly what we have access to.

So with just a few clicks we used identity governance entitlement management to be able to collaborate with people outside of our own organization, so now we can each do what it is that we do best and bring those powers collectively together to help each one of us to continue to grow and succeed.

So I hope that you've enjoyed this first look at Azure Active Directory identity governance. This simple process of setting up entitlement management has helped us to more efficiently onboard new employees into our company, as well as set them up for access to projects and applications like Windows Virtual Desktop, taking all of the guesswork out of how to onboard new users and get them access to all of their tools with the click of a button. And this is just part one of this little micro series, because the next thing we need to do is govern their access going forward, making your environment more secure by protecting the edge of your network through your identities.

So if you liked this video today or learned something new, why don't you go ahead and click that thumbs up; it just lets me know that you appreciated our video. While you're down there, go ahead and click that subscribe button and join us here at the Azure Academy, the best free training on Azure you will find anywhere. And if you would like to receive an email when our videos come out, which is roughly once a week, you can go ahead and click that notification bell, and use that comment section down below to ask me any questions about today's topic or anything about Azure. We're all just here to help you to learn as much as you want to. And speaking of learning, if you want to keep on learning, go ahead and watch our latest video over here on the top right, as well as the other video at the bottom that we picked out just for you to help you along in your Azure journey. Thanks for joining us today, and we will catch you in part two of this micro series. Happy learning!
