
#24 - Jan Bakker and Pim Jacobs about Microsoft Entra - Identity Governance

Oct 12, 2022, 22 min

Episode description

An episode of Talking Security about Microsoft Entra. In this one Jan Bakker and Pim Jacobs have joined me to talk about Microsoft Entra - Identity Governance. They delivered a session about this topic at ExpertsLive Netherlands 2022 and we talked about it. The new feature - Lifecycle Workflows - has been discussed.

Transcript

Welcome to the Talking Security Podcast. We will talk about items related to Microsoft Security. So there are we again, welcome back listening to a new episode of the Talking Security Podcast. My name is Frans Oudendorp and in this recording I will talk to some guys about Microsoft Entra and especially Identity Governance. Today we are at ExpertsLive in the Netherlands. On the venue we have a special podcast room so we can record stuff, we and others also.

Because of this I have invited Pim Jacobs and Jan Bakker to talk about Identity Governance. There's new stuff coming up and they will talk about it later on on ExpertsLive. But first guys do we have a little introduction, who do I have on the table Jan? Hi Frans, thanks for having us. My name is Jan Bakker, I'm based in the Netherlands and I'm a Microsoft 365 consultant and a Microsoft MVP and I'm focused on identity and access management and security.

So I guide my clients to get the best out of those products and how to implement them properly. And maybe the security staff who will hit some stuff later on. And on the other side of the table we have Pim, who are you? Pim Jacobs, Principal Consultant at InSpark, Microsoft MVP, focusing on the full Entra portfolio so from Azure AD, permission management, a little bit verified ID and with that of course Identity Governance as well.

And I help my clients guiding them into the right direction and properly implementing those products as well. We add today the topic is Microsoft Entra, especially Identity Governance. Identity Governance, what is it and what can we do with it? The short story. Okay, the short story and we will show that in the presentation which we have this afternoon as well is that it exists of five different pillars.

So lifecycle management with lifecycle workflows, which is brand new and which has been released four weeks ago, provisioning users to third party apps and deprovisioning them. That's a little bit attached to lifecycle management of the accounts. We got access packages and access reviews, which is there within the interface today, Privileged Identity Management and terms of use. This is the short story.

So, yeah, maybe we will dive in on the specific topic in the next few minutes because access packages and access reviews, I think that is the common things that we can use within Identity Governance, Jan? Yeah, correct. And today we're also going to take a look to that because access packages is really important in the mover phase.

If we look at the joiner, mover, leaver process, access packages, that's where they come in in the mover phase because you want, when folks get a promotion or change department, their access changes and you want to guide that, you want to govern that especially. Yeah. And if we look at access packages, access reviews, then we have an application or a group where we can get access to on the short term, on a yearly basis or monthly basis.

You can do an access review to see if someone needs still access that specific group or application. If we look at lifecycle management, identity life cycles, is that related to this? Yeah, I think so. And it's funny that you say that you need to review the access, but there is a brand new feature where you can automatically assign policies based on attributes. So you can hand out those packages dynamically. So that there's no longer a case to review them because you manage them yourself.

So if a user changes department, they will automatically get offboarded from one package and onboarded to the next one. Okay, nice. Are there any other enhancements within lifecycle workflows, Pim? Well, lifecycle workflows is a totally new feature within identity governance. And today that's working for the joiner and the leaver scenario. Is that not related to identity life cycles? It is related to identity life cycles.

You got account lifecycle management, which is actually why you need to work closely with HR and why you connect your HR as the source of your identity and let that provision to your AD or Azure AD, which can today from the Azure AD portal be natively done with SAP SuccessFactors and Workday. That's actually the first part. But if you don't have those products, you could use different tools as well. And I'm not going to name them because that's a little bit of my allergy, to be honest.

But there are different ways to get those accounts provisioned. What is really important, however, is of course that those credentials, the access, the birth access rights of an account are configured correctly. And that's something we can today do with lifecycle workflows in the joiner scenario. And if we look at the access packages and access reviews and that sort of thing, is that related to this stuff? Not particularly to lifecycle workflows.

But as Jan just mentioned, it's more related to the mover process. So lifecycle workflows is something you can use in your joiner process. And you can define based on the employee hire date. And if the user is working in department sales, those are the tasks I'm going to execute on the day you start your job at the company, like adding them to the sales group, sending the temporary access pass to the manager of the user and doing XYZ. And Jan's famous topic is in the logic apps.

So I will leave that to him to name an example. That's the joiner thing. And you can have 50 workflows per tenant. And each workflow can have 25 tasks. That's the maximum today. Those run every three hours. And when we look at the leaver scenario, we can of course offboard the user correctly in removing the licenses of the user, removing the user from all the groups, all the teams where it's a member of. And we do that based on the employee leave date time.

So it's automatically triggered in a smart way. And so you don't need to do those things yourself anymore as an IT admin. It's managed for you. But it's configured by you. Yeah, so the workload from an IT admin perspective is lower because we can automate stuff. But automate, Pim already mentioned, Power Apps. How does it integrate, Jan, with Power Apps and that sort of stuff? Yeah, that's a great bridge to my favorite topic. It extends actually to logic apps.

We all know that Power Automate is the little brother or the little sister from logic apps. But yeah, you can create extensions, for example, to do tasks that are not in the default task settings. So you can do stuff like, hey, add this user to this team or remove from this team, enable account. Those are the basic tasks. But you can also do extensive tasks. For example, you want to create a temporary access pass and not send it to the manager, but directly to the end user, for example.

That's not in the default template, but you can do it. So the sky is the limit there. You can do whatever you want. So you can even talk to third-party applications. Maybe what's important to mention as well is that specifically in this case for the joiner scenario, because for leaver, the employee leave date time cannot be synchronized yet.

But for the joiner scenario, you could also execute actions in the on-prem AD by using logic apps and Azure Automation with hybrid workers so that you can execute those scripts in your on-prem AD to, for example, add the user to a group, whatever you would like to do there. So we have access packages, access reviews. That's the old stuff that is still many years in identity governance already. And that is not completely your way. And we still need that.

But new functionality has been added to identity governance, like identity lifecycle and lifecycle workflows. And with that, we can use access packages, for example, to automate stuff and do things automatically. Exactly. Automating is the key word there. So as Pim mentioned, joiner and leaver can be processed with lifecycle workflows. And we've got the gap in the middle there, the mover part, and that we can do with access reviews, but with the addition that we can do it dynamically now.

So a user does not have to go into the portal and request those access packages, but they are dynamically assigned to the user based on their attributes. So also automating that part now. Yeah. And that is good for, I think, 50, 75% of the groups. But there are still probably groups in an organization where you need to get access based on requests. So access packages can still be used afterwards. Correctly.

So if there is any approval needed or a multi-stage approval or auditing features or whatsoever, you can also use access packages the way it's supposed to work with also an access review because it's still really important. But for the mover part, you can do a lot of automation these days. Yeah. Temporary access passes, you already mentioned, Pim. But also, Privileged Identity Management is part of identity governance.

Is Privileged Identity Management also part of the workflows and the lifecycle things that we have spoken about? Is there a relation with that? Not by default. Because with lifecycle workflows, you cannot, for example, add a role assignable group, a privileged access group. That's grayed out. But if you want so, use logic apps. So the sky is literally the limit here. So once we, I'm in this preview already for a long, long, long, long time.

And we tried something internally because we have a labs tenant where we test stuff. And the problem we have is deprovisioning, and deprovisioning on that end as well. So what we are using right now is literally a logic app, which is triggering via a webhook, a workbook in another tenant. So to provision the account because you receive those account details from the lifecycle workflow.

So literally, that's whatever you would like, you can call an API from a particular app to provision accounts with a logic app. How far your imagination goes and can go, that's what you can do right now. Everything can happen with the use of logic apps, a power automate and that sort of thing. Correct. So we talked about in the beginning, you mentioned security. What does this identity governance stuff, what does that make sense in relation to security?

What does me as an organization, what does it help? Well, that's a good question. The typical thing that we see in organizations is that when a user goes through the period of working for a company, they build up privileges, access to applications, roles that they need for their jobs. But as they never get reviewed, let's say over 10 years, you get a bunch of stuff that shouldn't be attached to your account anymore. And then you're going to leave the company and your replacement comes in.

And what's the typical thing that they say? Just copy his account or her account and give him all the stuff so he or she can do her job. And that's not good for security because we want least privilege. So it can be that they also copied the administrator roles over. So, okay, you are a privileged identity administrator and the next one is also that person. So that's related to security, something that you don't want.

You want to evaluate constantly and even better, get those access dynamically and constantly reviewed. So, yeah, based on the function, based on the role that you have, you have a specific function role where access is given based on the role and not on a person. And if you look at identity governance based on security, we have also insider risk within Microsoft 365, for example. The case that you are describing is more related to insider risks because it is more or less an insider risk.

So insider risk management and identity governance, they strengthen each other. Yeah, I think that's correct. Insider risk is really good at stuff like, hey, this person resigned from his company and is doing stuff four weeks before his resumption. So that's really what we can do as well. Or we can just say, okay, this is the employee leave time. We're going to do some tasks so that you cannot do that stuff. So you're going to get read only rights or something like that.

So you can do anything to prevent that. But it really fits together. Yeah, and if I have, we talked about identity governance, lifecycle management and that sort of stuff. What is needed for me if I am a company and I want to start with identity governance, what should I do? I always advise customers to get their source of truth correct. So what is in HR is the source of truth. If someone changes his name, is resigning, is coming into the company.

HR is the first to know. So get that connected to your AD or your Azure AD, depending on where your source of authority is. So that will be always my first step to advise. And that could be a simple thing where you receive data from HR, let a PowerShell script run and update and create accounts. It doesn't need to be complex and fully automated as long as you do it. And with that being said, make sure that employee hire date,

and if you're today working cloud only also employee leave date time, are configured. And then you can start with lifecycle workflows and configure. Yeah, well, we just mentioned sky is the limit. Yeah. So it's a process in between, use access packages and access reviews, and my tip would be don't put an access review on anything because otherwise people get literally... Yeah, it will.

In the end, you will see that people are going to create a rule, move it to this folder because I don't care, and then they lose access. So do it. You need to configure it on the things you really want to be reviewed and which cost money or are containing highly sensitive data. So that's important. Use dynamic access packages as well based, for example, on department. And then once a user leaves the company, make the offboarding flows within lifecycle workflows.

So that is important, important from an end user perspective and an IT perspective. And on the other end, I think, and that's what I'm mentioning today as well. Payment is important and the basic security stuff. So don't do this. Don't start doing this once you don't have MFA. Literally secure first and then make it advanced step by step in a logical way, because we can provision accounts up to the max. But if they don't have MFA applied, that's a bigger risk.

So from that angle, if you need to make an order, that's the most important thing to do first. And this would then be your next step. Think of defense in depth and do it in all places and not just in one. In addition to that, I would say if you're going to start and you got your base right, so the source of truth is configured and you're going to start with identity governance, start small and don't build castles that you can support.

Because for example, you can start with small access packages having licenses, for example. So Power BI Pro, start with that, or teams with sensitive data in it, you know, start small with less impact. So if it goes not good, not everyone is affected by the things that you have configured. Exactly, and it's also good to experiment with it. So how does the organization react to access reviews? What is the big note from the field?

One of the topics in the slide in the session you're given, what is the big fail when companies start with identity governance, for example, from your end, Jan? Well, what we already mentioned, organizations need to prioritize stuff. So they need to focus on the stuff that matters first. So you can go into identity governance and not have your MFA in order. So that's one big thing. And what I already told, they start and they want to do everything at once. So basically that's the… Start small.

Yeah, start small. And maybe, and this is funny, in the preparation we discussed the things like self-review access. Yeah, yeah, yeah, yeah. And the group owner access reviews. In practice, you will see that if you do self-review, either the organization is not responding at all or everyone is responding and is keeping their access rights.

So my personal feeling with that, and I think that differs from Jan's experience, but it doesn't really mind, is that I would most likely use the group owners because they are the owner of the group and need to determine who is in there, yes or no. Yeah, but how is that related to guest accounts? Because I've set up guest account review within my organization and on guest accounts, we have implemented self-review and that works quite well. For guest accounts, yes.

If we're talking for guests, if we're talking for end user accounts, it's going to differ because nobody wants to lose their access. I don't have experience with that, but... Well, it depends. If your managers are fully aware of the task, that they are the guiders of their data and they're fully on board and have some adoption, it's fine. But what I see is we underestimate the power of self-service in any way.

Yeah, absolutely, but everything stands with communication, adoption, be aware and know what you're doing and why you are doing stuff. And that's where display names and descriptions are really important because if you're going to get an access review, hey, we want you to review access on this group and it has a prefix and a suffix and some IT stuff in it, they're going to say, okay, I approve because I don't know what it is, but I don't want to lose access.

I agree with Pim on that, but there's a lot of elements that come in that makes it user friendly that we as IT folks not always see. Yeah. Thanks guys for having you both in this recording. To finish up, is there one last thing about Entra or identity governance in particular what you want to share with the audience? Go to the Azure AD portal, click on identity governance and go to lifecycle workflows. If you don't see that there's a trial button where you can activate your P2 trial.

And then start with identity governance. Of course. So thank you guys. And for now, thank you for listening to this episode. Stay tuned for more new content coming in the next few months. See you in the next time. Thank you. Bye.

Transcript source: Provided by creator in RSS feed.