This section describes the design decisions associated with entitlement management and access to workloads and landing zones for system(s) built using ASD's Blueprint for Secure Cloud.
Identity Governance encompasses:
- Entitlement Management - the automation of request and approval workflows for access to groups, applications and sites
- Access Reviews - enforcing review and expiry of continued access to these groups, applications and sites
Entitlement Management delegates the management of user permissions from the Platform Administrators to the resource owners. Access Packages provide access to Azure resources, applications, and SharePoint sites using Entra ID group membership. This method is preferred over direct group assignment as it requires that access is explicitly sought by the requester and granted by the owner on a “business need” basis.
Access Management delegates the management of continued access from the Platform Owner to the entitlement owner. This provides a review process for the assignment of users to groups, and can be carried out for directly assigned users (via Groups), Security Groups (via Entitlement Management) and Privileged Groups (via Privileged Identity Management). Access Reviews must be carried out for all group memberships on a six-monthly basis.
| Decision Point | Design Decision | Justification |
|---|---|---|
| Entitlement Management | Used for all Security Groups | Assignment to groups providing access to resources or services should be explicitly obtained and granted on a business needs basis. |
| Access Reviews | Maximum 6 months | In line with an organisation's Information Management policy. |
| Privileged Role Delegation | Where Privileged Roles are delegated by the Platform Owners | Privileged Role delegations are explicitly obtained and granted when delegated. |
| | Inactive accounts automatically disabled | |
A base recommendation for access reviews is below. However, organisations should review and update these configurations based on their risk appetite and organisational policies.
- Privileged Access - Global Administrators
- Privileged Access - Privileged Group
- Privileged Access - Entra ID Role
- Other Security Groups
- Microsoft 365 Groups
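The "Other Security Groups" review above, expressed as a Microsoft Graph access review schedule definition. This is an added example, not Blueprint configuration: it assumes the Microsoft.Graph PowerShell SDK with the AccessReview.ReadWrite.All permission, uses a placeholder `$groupId`, and enforces the "maximum 6 months" decision with a six-monthly recurrence, the group's owners as reviewers, and a default decision of Deny so that access nobody confirms is removed rather than kept.

```powershell
# Added example (not part of the Blueprint): schedule a six-monthly access review of one
# Security Group, reviewed by the group's owners, with Deny applied when no reviewer responds.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId   = "00000000-0000-0000-0000-000000000000"   # placeholder: object id of the Security Group
$startDate = (Get-Date).ToString("yyyy-MM-dd")

$definition = @{
    displayName          = "Security Group membership review"
    descriptionForAdmins = "Six-monthly review of group membership (design decision: maximum 6 months)."
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"   # review every member, including nested
        queryType     = "MicrosoftGraph"
    }
    reviewers = @(
        # the entitlement/group owner, not the Platform Administrator, decides on continued access
        @{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true     # approvals must record a business need
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"    # unreviewed access is removed, not silently retained
        autoApplyDecisionsEnabled       = $true     # results are applied without a manual step
        recommendationsEnabled          = $true     # flags members with no recent sign-in
        instanceDurationInDays          = 14        # reviewers have two weeks per cycle
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 6 }   # every 6 months
            range   = @{ type = "noEnd"; startDate = $startDate }
        }
    }
}

$review = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions" `
    -Body ($definition | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created access review definition $($review.id)"
```

The Privileged Access reviews in the list use a role-based scope rather than a group query, so this definition covers only the security-group rows.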
Security & Governance
- None identified