Step-by-Step : Assign access packages automatically based on user properties in Microsoft Entra ID

Microsoft Governance offers the capability to manage the access lifecycle of resources through access packages, which are organized into catalogs and define the resources available within them. Each access package includes at least one policy that outlines who can request access to it, the approval process, and access lifecycle settings such as assignment expiration and access review configuration.

For more detailed information on Access Packages, you can refer to this link: https://learn.microsoft.com/entra/id-governance/entitlement-management-access-package-create

Traditionally, during the setup of an access package, you could specify who can request access, including users and groups in the organization's directory or guest users. Now, you have the option to use an automatic assignment policy to manage access packages. This policy includes membership rules that evaluate user attribute values to determine access. You can create one automatic assignment policy per access package, which can assess built-in user attributes or custom attribute values generated by third-party HR systems and on-premises directories. Behind the scenes, Entitlement Management automatically creates dynamic security groups based on the policy rules, which are adjusted as the rules change.

To implement an automatic assignment policy, you need to meet the following prerequisites:

  1. Microsoft Governance licenses – Ensure you have the necessary licenses in place. For more information on licensing, visit https://learn.microsoft.com/entra/id-governance/licensing-fundamentals
  2. Global administrator or Identity Governance administrator account.
  3. An existing access package.

Once these prerequisites are met, you can proceed with setting up the automatic assignment policy. To do that,

1) Log in to Entra at https://entra.microsoft.com/ as a Global administrator or Identity Governance administrator

2) Select Identity governance | Entitlement management | Access package

3) Choose the access package and then click on Policies

4) Select + add auto assignment policy

5) Choose Edit, located on the top right of the Rule Syntax box

6) In the new window, build the rule using the available attributes and operators. Once the rule syntax is defined, click Save.

7) Back in the policy window, select Next to proceed.

8) On the Review page, provide a name and description for the policy. Choose Create to proceed with policy creation.

9) Once the policy is created, you can view it in the policies list of the access package.
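
The same policy can be created from the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original article; the access package ID is a placeholder, and the membership rule is a constructed value that illustrates the attribute/operator syntax used in step 6.

```powershell
# Added example: create an automatic assignment policy for an existing access package
# with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance module).
# The signed-in account needs the EntitlementManagement.ReadWrite.All permission.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

# Placeholder: object ID of the existing access package (prerequisite 3 above).
$accessPackageId = "<ACCESS-PACKAGE-ID>"

# Membership rule in dynamic group rule syntax; constructed example, adjust to your attributes.
$membershipRule = '(user.department -eq "Marketing") and (user.usageLocation -eq "US")'

$params = @{
    displayName            = "Auto-assign Marketing (US)"
    description            = "Automatically assigns US Marketing users"
    allowedTargetScope     = "specificDirectoryUsers"
    # attributeRuleMembers is the target type that makes this an automatic assignment policy
    specificAllowedTargets = @(
        @{
            "@odata.type"  = "#microsoft.graph.attributeRuleMembers"
            description    = "US Marketing users"
            membershipRule = $membershipRule
        }
    )
    automaticRequestSettings = @{
        requestAccessForAllowedTargets             = $true  # assign as soon as a user matches
        removeAccessWhenTargetLeavesAllowedTargets = $true  # remove when the user no longer matches
        gracePeriodBeforeAccessRemoval             = "P7D"  # ISO 8601 duration: 7-day grace period
    }
    accessPackage = @{ id = $accessPackageId }
}

$policy = New-MgEntitlementManagementAssignmentPolicy -BodyParameter $params

# Confirm the new policy is listed alongside the package's initial policy (step 9)
Get-MgEntitlementManagementAssignmentPolicy -Filter "accessPackage/id eq '$accessPackageId'" |
    Select-Object Id, DisplayName, AllowedTargetScope
```

The dynamic group that backs the policy is created by entitlement management after the call returns, so allow a few minutes before checking Assignments.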

Please note that you can't remove the initial access package policy, as the automatic assignment policy is not a replacement for it. The initial policy also holds other configuration settings, such as the approval process and access reviews. You can adjust the user scope in the initial policy, but you can't remove that scope entirely.

Testing

After the policy is created, entitlement management automatically creates a dynamic group to match the membership rules. 

If you go to Assignments under the access package, you can see the users who have been processed by the automatic assignment policy.

As you can see, the automatic assignment policy is working as expected and users have been assigned to the access package automatically. This article explained how to create an automatic assignment policy for an access package in Microsoft Governance entitlement management. An automatic assignment policy grants users access to resources based on their attributes or roles, without requiring any request or approval process.

Learn more:

Microsoft Entra ID Governance licensing fundamentals – https://learn.microsoft.com/entra/id-governance/licensing-fundamentals 

Microsoft Entra ID Governance service limits – https://learn.microsoft.com/entra/id-governance/governance-service-limits

This article was originally published by Microsoft's ITOps Talk Blog. You can find the original article here.