New Feature in Microsoft Entra: Step-by-Step Guide to Assigning Roles via Access Packages
Microsoft Entra now supports a new public preview feature that allows administrators to assign roles using access packages. This addition is particularly beneficial for organizations that require efficient role management across various resources, such as applications, SharePoint sites, groups, and teams. This feature ensures that users gain the necessary permissions to utilize organizational resources effectively, like managing org-wide metrics on Power BI dashboards through the Power BI Administrator role.
Scenarios for Using Microsoft Entra Role Assignment
Consider a scenario where an organization needs to onboard 50 new employees for its Support team. Traditionally, assigning roles and access individually could be laborious and time-consuming. However, with Microsoft Entra’s new feature, you can create an access package that bundles necessary resources and roles, and simply share a link with the new hires for them to request access. This process not only simplifies management but also scales efficiently as the organization grows.
Prerequisites
To use this feature, ensure that you have the Microsoft Entra ID Governance licenses. The user setting up these configurations should have the Global Administrator role.
Step-by-Step Guide to Configuring Role Assignments
Adding a Microsoft Entra Role to an Access Package
- Sign in to Microsoft Entra Admin Center: Ensure you have the Identity Governance Administrator role.
- Navigate to Identity Governance: Select ‘Entitlement Management’ followed by ‘Access Packages’.
- Select the Access Package: Choose the package you want to modify and click on ‘Resource roles’.
- Add Microsoft Entra Roles: Click on ‘Microsoft Entra roles (Preview)’ to open the selection pane.
- Choose the Role Type: You can select either ‘Eligible Member’ or ‘Active Member’. ‘Eligible’ means users can activate their role when needed, while ‘Active’ grants them immediate active role assignment.
Note: For high-privilege roles, it is advisable to manage these through Privileged Identity Management and only set up eligibility through access packages.
Adding a Microsoft Entra Role Programmatically
For those who prefer automation, roles can be assigned programmatically using the Microsoft Graph API or PowerShell:
- Using Microsoft Graph API: Ensure your application has the EntitlementManagement.ReadWrite.All permission. You can then use the API to create an access package and assign roles.
- Using PowerShell:
  - Connect using Connect-MgGraph with the appropriate scopes.
  - Retrieve the catalog ID and resource details using Get-MgEntitlementManagementCatalog and related cmdlets.
  - Assign the role using New-MgEntitlementManagementAccessPackageResourceRoleScope with parameters for the role and scope based on your earlier retrieval.
A basic PowerShell script that adds a role is available on GitHub:
https://github.com/thatlazyadmin/DeathStarScriptHub/tree/main/Entra%20ID/EntitlementManagement
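The three PowerShell steps above, carried through end to end as an added example (this is not the post's script nor the one in the linked repository): it retrieves the catalog, the Entra role resource and its 'Eligible Member' resource role, then adds that role to the access package. The catalog, package and role names, the assumption that the Entra role has already been added to the catalog as a resource, and the 'DirectoryRole' origin-system filter are all assumptions made for this illustration.

```powershell
# Added example: add the 'Eligible Member' role of a Microsoft Entra role to an access package.
# Assumes the Entra role is already a resource in the catalog (added via the portal or Graph).
#Requires -Modules Microsoft.Graph.Identity.Governance

$catalogName    = 'Support Onboarding'       # assumed catalog display name
$packageName    = 'Support Team Access'      # assumed access package display name
$roleName       = 'Power BI Administrator'   # Entra role named in the post
$membershipType = 'Eligible Member'          # or 'Active Member' (see Choose the Role Type above)

# Step 1: connect with the entitlement management scope named in the post.
Connect-MgGraph -Scopes 'EntitlementManagement.ReadWrite.All' -NoWelcome

# Step 2: retrieve the catalog, the role resource inside it, and the role/scope details.
$catalog = Get-MgEntitlementManagementCatalog -Filter "displayName eq '$catalogName'"
if (-not $catalog) { throw "Catalog '$catalogName' not found" }

$resource = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $catalog.Id `
    -Filter "displayName eq '$roleName'" -ExpandProperty 'scopes'
if (-not $resource) { throw "Role '$roleName' has not been added to catalog '$catalogName'" }

# The catalog exposes the Entra role as 'Eligible Member' / 'Active Member' resource roles.
# The 'DirectoryRole' originSystem value is an assumption for this example.
$role = Get-MgEntitlementManagementCatalogResourceRole -AccessPackageCatalogId $catalog.Id `
    -Filter "originSystem eq 'DirectoryRole' and resource/id eq '$($resource.Id)'" `
    -ExpandProperty 'resource' |
    Where-Object { $_.DisplayName -eq $membershipType }
if (-not $role) { throw "Role type '$membershipType' not available for '$roleName'" }

$package = Get-MgEntitlementManagementAccessPackage -Filter "displayName eq '$packageName'"
if (-not $package) { throw "Access package '$packageName' not found" }

# Step 3: add the role and scope to the access package using the values retrieved above.
$roleScope = New-MgEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $package.Id `
    -Role  @{ originId = $role.OriginId; originSystem = $role.OriginSystem
              displayName = $role.DisplayName; resource = @{ id = $resource.Id } } `
    -Scope @{ originId = $resource.Scopes[0].OriginId; originSystem = $resource.Scopes[0].OriginSystem }

Write-Output "Added '$($role.DisplayName)' for '$roleName' to '$packageName' (roleScope id $($roleScope.Id))"
```

Choosing 'Eligible Member' keeps activation under Privileged Identity Management, which is the arrangement the note above recommends for high-privilege roles.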
Conclusion
The introduction of role assignments through access packages in Microsoft Entra offers a streamlined and scalable approach to resource and role management. This feature is ideal for organizations expanding their teams and needing an efficient system to manage access rights and roles. By leveraging this new capability, organizations can ensure that their governance structures keep pace with their growth and operational needs.