February 16, 2025

Extending Automation into Entra Entitlement Management

Colin Moore

Looking to extend your automation further and connect Freshservice to Entra Entitlement Management?

What is Entra Entitlement Management?

Entra Entitlement Management is a feature of Microsoft Entra ID (formerly Azure AD) that helps organizations govern access to resources efficiently and securely. It allows IT and security teams to manage user access at scale, automating entitlement workflows and approvals while ensuring compliance with company policies.

Key Features of Entra Entitlement Management:

  1. Access Packages:
    • Create bundled access permissions for specific roles, including apps, groups, and SharePoint sites.
    • Users can request access to these packages based on defined policies.
  2. Self-Service Access Requests:
    • Users can request access without IT intervention.
    • Requests can go through approval workflows to ensure proper oversight.
  3. Automated Access Reviews & Expirations:
    • Periodic reviews of user access to ensure only authorized users retain permissions.
    • Set access expiration to prevent unnecessary prolonged access.
  4. Lifecycle Management:
    • Automatically grant, update, or remove access based on role changes (e.g., new hires, job changes, or departures).
    • Supports temporary access assignments for external users (B2B collaboration).
  5. Policy-Based Governance:
    • Define rules for who can request access, who approves it, and how long it lasts.
    • Enforce least privilege access to improve security posture.
  6. Multi-Tenant Access Governance:
    • Supports cross-organization collaboration with entitlement governance for partner or guest users.

Interfacing with Entitlement Management

This is relatively straightforward, as Entitlement Management exposes API endpoints that a workflow web request can call.

Prerequisites:

  • Create an App Registration with the rights to submit entitlement requests, create a client secret, and use these as the OAuth credential for the workflow
  • Create the Access Package that grants the resource entitlement
    • Add any resource roles / groups required
    • Create the policies. Multiple policies can exist, because the Freshservice request can declare which policy to use; each policy has its own Policy ID
  • Enable the chosen policies

Configuring the Workflow

In the Freshservice workflow, add a web request node that POSTs the following JSON body. The {{...}} placeholders are filled from earlier workflow nodes: the user lookup (A1), the custom object table read (R2), and the start-time expression (E1):

{
  "requestType": "AdminAdd",
  "assignment": {
    "targetId": "{{A1.id}}",
    "assignmentPolicyId": "{{R2.entra_policyid}}",
    "accessPackageId": "{{R2.entra_packageid}}"
  },
  "schedule": {
    "startDateTime": "{{E1.result}}"
  }
}
  • Submit this and handle the response with condition logic (checking for status code 200 as success); the entitlement request is now fully automated from Freshservice.
  • Wrap this in an approval process and your IT department no longer needs to manage Entra permissions for users by hand or work through the complicated options in the portal.

Extending this Further

You will see from the example above that the body contains variables from lookups. The recommendation is to create a custom object table and perform the Entra lookups in the workflow:

  • Use the Azure AD orchestration app to get the user details by username for the Requested For identity; this returns the Entra user object ID that the entitlement submission requires
  • Populate a Custom Object Table with the available policy options and their associated Policy ID and Package ID. This table can be embedded into the Service Catalogue item and then used to extract the required Policy ID for submission
    • The table contains the Package ID (for the Access Package) and the various Policy IDs. In this example we are requesting membership of the Teams Recording group for a set number of hours
    • The scope field makes it easy to filter the records within the Service Catalogue item, so multiple service items can share the same custom table without free-format text
    • The requestor only sees the Name to select
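As an added example (not code from the post or from Freshservice), the lookup-and-submit steps above in Python: a constructed stand-in for the custom object table, filtered by scope and the requestor's chosen Name; the same JSON body the workflow posts; and a client-credentials token plus POST to the Microsoft Graph assignmentRequests endpoint, which the post does not name and which is assumed here to be the endpoint the web request node calls. Every tenant, user, policy and package ID is a placeholder.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Microsoft Graph endpoints for entitlement management (assumed target of the
# workflow's web request; the post itself does not name the endpoint).
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
ASSIGNMENT_REQUESTS_URL = (
    "https://graph.microsoft.com/v1.0/identityGovernance/"
    "entitlementManagement/assignmentRequests"
)

# Constructed stand-in for the Freshservice custom object table. The "scope"
# column lets several service items share one table; the requestor only ever
# sees "name". All IDs are placeholders, not real Entra identifiers.
POLICY_TABLE = [
    {"scope": "teams-recording", "name": "Teams Recording - 2 hours",
     "entra_policyid": "POLICY-ID-2H-PLACEHOLDER",
     "entra_packageid": "PACKAGE-ID-TEAMS-RECORDING-PLACEHOLDER"},
    {"scope": "teams-recording", "name": "Teams Recording - 8 hours",
     "entra_policyid": "POLICY-ID-8H-PLACEHOLDER",
     "entra_packageid": "PACKAGE-ID-TEAMS-RECORDING-PLACEHOLDER"},
    {"scope": "other-item", "name": "Teams Recording - 2 hours",
     "entra_policyid": "POLICY-ID-OTHER-PLACEHOLDER",
     "entra_packageid": "PACKAGE-ID-OTHER-PLACEHOLDER"},
]


def lookup_policy(table, scope, name):
    """Mirror the 'read custom object' step: filter on scope first, then match
    the option the requestor selected. Exactly one row must match, otherwise
    the workflow would submit against the wrong policy."""
    matches = [row for row in table if row["scope"] == scope and row["name"] == name]
    if len(matches) != 1:
        raise LookupError(
            f"expected one policy row for scope={scope!r} name={name!r}, found {len(matches)}"
        )
    return matches[0]


def build_assignment_request(user_object_id, policy_row, start_datetime_utc):
    """Same shape as the workflow's JSON body. AdminAdd means the request is
    made on the user's behalf by the app registration, not by the user."""
    return {
        "requestType": "AdminAdd",
        "assignment": {
            "targetId": user_object_id,
            "assignmentPolicyId": policy_row["entra_policyid"],
            "accessPackageId": policy_row["entra_packageid"],
        },
        "schedule": {"startDateTime": start_datetime_utc},
    }


def get_graph_token(tenant_id, client_id, client_secret):
    """Client-credentials flow for the app registration from the prerequisites.
    The app needs an application permission that allows creating assignment
    requests (EntitlementManagement.ReadWrite.All with admin consent)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant_id=tenant_id), data=form, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def submit_assignment_request(token, payload):
    """POST the body and return (status_code, parsed_json) for both success and
    error responses so the caller can branch on them like the workflow does."""
    req = urllib.request.Request(
        ASSIGNMENT_REQUESTS_URL,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})


if __name__ == "__main__":
    row = lookup_policy(POLICY_TABLE, "teams-recording", "Teams Recording - 2 hours")
    body = build_assignment_request("USER-OBJECT-ID-PLACEHOLDER", row, "2025-02-17T12:00:00Z")
    print(json.dumps(body, indent=2))
    # Live submission needs a real tenant, app registration and secret:
    # token = get_graph_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    # print(submit_assignment_request(token, body))
```

The strict "exactly one row" check in lookup_policy is deliberate: a duplicate Name across scopes is harmless as long as the scope filter is applied, but a missing or ambiguous row should stop the workflow rather than submit against whatever policy happens to come first.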

Understanding the Complete Workflow

This picks up after the approvals process:

  • Get the user details from Entra ID using the Azure AD orchestration app (the user ID from this is used later)
  • Read the chosen time allowance from the Custom Object Table
  • Because the Teams policies take time to apply, take the requestor's chosen start time and roll it back 2 hours; this becomes the scheduled start time for the entitlement
  • Add a note to the ticket explaining the progress
  • Use a web request to POST the JSON payload above into Entra Entitlement Management
  • Condition logic: check for successful submission (code 200)
    • If successful, add a note to the ticket and set it to resolved
    • If not successful, parse the error message
    • Check the error for "existing open request" (this means a previous entitlement request is already scheduled for that time and another cannot be made); add a note and resolve the ticket
    • Otherwise, raise the ticket back to the team that would need to handle the request manually, as an issue has occurred
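The scheduling and condition-logic steps above, as an added example that is not part of the post: the 2-hour roll-back of the requestor's start time into the UTC form the schedule field takes, and the branch that turns the HTTP result into a ticket action (resolve, resolve with an "existing open request" explanation, or escalate). The sample responses are constructed in the shape Graph uses (a created object on success, an {"error": {...}} envelope on failure), not captured from a tenant; the post checks for 200, and the example also accepts 201 since a Graph create call can return that.

```python
from datetime import datetime, timedelta, timezone

# The post checks for 200; a Graph create call can also answer 201 Created.
GRAPH_SUCCESS_CODES = {200, 201}


def scheduled_start_iso(requested_start_iso, lead_hours=2):
    """Roll the requestor's start time back by lead_hours (2 in the post) so
    the Teams policy has applied by the time they need it. The input must
    carry a UTC offset; the result is UTC in the form the schedule expects."""
    requested = datetime.fromisoformat(requested_start_iso)
    if requested.tzinfo is None:
        raise ValueError("requested start time must include a UTC offset")
    scheduled = (requested - timedelta(hours=lead_hours)).astimezone(timezone.utc)
    return scheduled.strftime("%Y-%m-%dT%H:%M:%SZ")


def classify_submission(status_code, body):
    """Return (ticket_action, note) following the condition branch in the post:
    success -> resolve; "existing open request" -> resolve with explanation;
    anything else -> escalate to the team for manual handling."""
    if status_code in GRAPH_SUCCESS_CODES:
        return "resolve", (
            f"Entitlement request submitted (id {body.get('id', 'n/a')}, "
            f"state {body.get('state', 'n/a')})."
        )
    # Graph error envelope: {"error": {"code": ..., "message": ...}}. Anything
    # else (plain text, unexpected JSON) is treated as an unknown failure.
    error = body.get("error") if isinstance(body, dict) else None
    if not isinstance(error, dict):
        error = {"message": str(error or body)}
    message = str(error.get("message", ""))
    if "existing open request" in message.lower():
        return "resolve", (
            "An entitlement request is already scheduled for this user and "
            "access package; no new request was created."
        )
    return "escalate", (
        f"Entitlement submission failed (HTTP {status_code}, "
        f"{error.get('code', 'unknown')}): {message or 'no error message returned'}"
    )


# Constructed sample responses, not captured from a real tenant.
SAMPLE_RESPONSES = [
    (201, {"id": "REQUEST-ID-PLACEHOLDER", "state": "submitted"}),
    (400, {"error": {"code": "BadRequest",
                     "message": "There is an existing open request for this user and policy."}}),
    (403, {"error": {"code": "Authorization_RequestDenied",
                     "message": "Insufficient privileges to complete the operation."}}),
]


def run_samples():
    """Ticket action for each constructed sample, in order."""
    return [classify_submission(code, body)[0] for code, body in SAMPLE_RESPONSES]


if __name__ == "__main__":
    print(scheduled_start_iso("2025-02-17T14:00:00+00:00"))
    for (code, body), action in zip(SAMPLE_RESPONSES, run_samples()):
        print(code, "->", action, "|", classify_submission(code, body)[1])
```

Rejecting a start time without an offset is the important edge case here: a Freshservice date field rendered in the requestor's local time would otherwise be shifted by the wrong amount and the entitlement could start before or after the recording window.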