AZ-305 Designing Microsoft Azure Infrastructure Solutions Exam
Venture into the world of Azure Infrastructure, where design meets functionality. Harness your skills and gain mastery over complex cloud structures to ace the AZ-305 Designing Microsoft Azure Infrastructure Solutions exam!
Recommend a solution for identity governance
Leverage Azure AD Entitlement Management
Azure AD Entitlement Management is a comprehensive solution for managing identity governance within an organization. It allows administrators to streamline access management processes using catalogs, access packages, assignment policies, and approval workflows. This ensures that users have the appropriate access levels according to their roles and departmental requirements.
Configuration and Deployment
Entitlement Management begins with configuring catalogs, which are collections of resources that users may request access to. Within these catalogs, admins create access packages that define the specific permissions and roles available. Assignment policies specify how users are assigned to these packages, either manually or automatically based on user attributes. Custom workflows can be set up using Azure Logic Apps to automate approval processes and lifecycle tasks such as expiration and periodic reviews.
The main tasks required for deployment of entitlement management include:
- Entitlement Management: 1 hour
- Automatic Assignment Policy: 1 hour
- Custom Extensions: 2 hours
- Access Reviews: 2 hours
Separation of Duties
To enforce separation of duties, policies are configured to prevent users from accessing incompatible roles. This is achieved by defining checks that disable requests if users belong to certain groups or already have specific roles. Monitoring and alerts are set up to notify admins of incompatible access rights and generate reports for review.
Approval Workflows
Administrators can enable multi-stage approval workflows for self-service access requests, ensuring compliance with governance frameworks. Policies can enforce separation of duties, recurring access certifications, and custom workflows managed through Azure Logic Apps. Additionally, access packages can be configured for time-limited requests to uphold least-privilege access principles.
Automated Assignment
Automatic assignment policies apply birthright assignments, granting access based on user properties like department or role. This ensures users automatically receive the necessary permissions without manual intervention. Users who need special assignments can be directly assigned by administrators or through automated scripts using PowerShell.
Custom Workflows
Custom workflows with Azure Logic Apps help in extending governance capabilities. They automate various stages of entitlement management:
- Access package requests: Created or approved
- Access package assignments: Granted or removed
- Expiration: Notifications sent fourteen days before and one day before an assignment auto-expires
Examples of custom workflows include sending notifications via email or Microsoft Teams, interacting with external systems through APIs, and creating task sets in Microsoft Planner.
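The separation-of-duties checks, the birthright assignment by user attribute and the expiry notification schedule described above, as an added Python model that is not part of this page or of the Azure AD service itself (the package names, departments and user are constructed examples): a request is disabled when the user already holds an incompatible package or belongs to an incompatible group, packages whose department rule matches are auto-assigned with an optional lifetime, and the fourteen-day and one-day notification dates are derived from the expiry.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class User:
    upn: str
    department: str
    groups: set = field(default_factory=set)     # security group memberships
    packages: set = field(default_factory=set)   # access packages already assigned

@dataclass
class AccessPackage:
    name: str
    incompatible_packages: set = field(default_factory=set)    # separation-of-duties conflicts
    incompatible_groups: set = field(default_factory=set)
    auto_assign_departments: set = field(default_factory=set)  # birthright rule on user.department
    lifetime_days: Optional[int] = None                        # None = assignment does not expire

def sod_conflict(user: User, pkg: AccessPackage) -> Optional[str]:
    """Return why the request must be disabled, or None if it may proceed."""
    if clash := user.packages & pkg.incompatible_packages:
        return f"already holds incompatible package(s): {sorted(clash)}"
    if clash := user.groups & pkg.incompatible_groups:
        return f"member of incompatible group(s): {sorted(clash)}"
    return None

def evaluate_request(user: User, pkg: AccessPackage, today: date) -> dict:
    """Self-service or automatic request: SoD check first, then grant (time-limited if configured)."""
    if reason := sod_conflict(user, pkg):
        return {"granted": False, "reason": reason}
    user.packages.add(pkg.name)
    expires = today + timedelta(days=pkg.lifetime_days) if pkg.lifetime_days else None
    return {"granted": True, "expires": expires}

def birthright_assignments(user: User, catalog: list, today: date) -> dict:
    """Automatic assignment policy: grant each package whose attribute rule matches the user."""
    return {p.name: evaluate_request(user, p, today)
            for p in catalog if user.department in p.auto_assign_departments}

def expiry_notification_dates(expires: date) -> list:
    """Custom-workflow triggers: 14 days and 1 day before the assignment auto-expires."""
    return [expires - timedelta(days=14), expires - timedelta(days=1)]

# Constructed sample data (not from any real tenant) so the module can be exercised stand-alone.
TODAY = date(2024, 1, 1)
CATALOG = [AccessPackage("Payments-Approver", incompatible_packages={"Payments-Submitter"}),
           AccessPackage("Sales-Baseline", auto_assign_departments={"Sales"}, lifetime_days=90)]
ALICE = User("alice@contoso.example", "Sales", packages={"Payments-Submitter"})
```

With the sample data, `evaluate_request(ALICE, CATALOG[0], TODAY)` is refused by the separation-of-duties check, while `birthright_assignments(ALICE, CATALOG, TODAY)` grants only Sales-Baseline, expiring on 2024-03-31.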
Conclusion
Azure AD Entitlement Management provides a structured framework for identity governance by automating access lifecycle tasks, enabling multi-stage approval workflows, enforcing separation of duties, and integrating with Azure Logic Apps for custom workflows. It ensures least-privilege access while maintaining high compliance standards with regulatory frameworks.