Indent for Entra ID and Azure AD: Temporary Access

7 months ago
Written by
Indent
@indent

Microsoft Azure recently announced Microsoft Entra ID would be the new name for what is currently Microsoft Azure Active Directory (Azure AD). While the reasoning for this change might leave us scratching our heads, Azure remains an excellent choice as a cloud provider, combined with Microsoft 365.

The name change is scheduled for October 1, 2023 and applications will start migrating to the new name in the coming months.

Let's go through what you need to know about what comes included with Entra ID and how to augment those offerings with on-demand access control for extensible least privilege across your entire stack.

Microsoft Entra ID is a powerful identity and access management solution. It is designed to simplify identity and access management for organizations operating in the cloud. It serves as a central hub to manage user identities, enforce authentication and authorization policies, and control access to various resources.

What’s Included in Entra ID

Here are some of its key access control features:

  • Identity Governance
    • Entra ID enables organizations to create and manage user accounts.
  • Authentication
    • Entra ID supports various authentication methods, including username and password, multi-factor authentication (MFA), and integration with external identity providers.
  • Authorization and Role-Based Access Control (RBAC)
    • RBAC is a fundamental aspect of access control in Entra ID. It allows organizations to define fine-grained access policies by assigning users to different roles and associating those roles with specific permissions.
  • Delegatable Admin Roles
    • Built into Entra ID are admin roles that can be delegated to give temporary admin permissions to users.
  • Reporting
    • Entra ID comes with basic security and usage reports that track who had what permissions in Azure.
  • Password Management
    • The password management functionality allows you to Centralize and secure passwords across the organization.

On-Demand Access Control

The security features included in Microsoft Entra ID gives you a solid foundation to build off to complete your access control.

The last step for a solid access control system is to make it reactive to your organization. Without it, you take on unnecessary risk by creating more opportunities for your systems to be compromised by phishing, viruses, and social engineering.

Take for example engineering interns. You might get a few interns for the summer who are working on a project where they’ll occasionally need read access to your production database.

Are you going to add those interns to your regular engineering group? Doing that gives them a lot of access to some of your most valuable IP. Or are you going to make the interns their own group? This is a little better, but it requires you to know ahead of time the exact access they’re going to need.

Now replace interns in that example with contractors. Or really just any engineer who can be pulled onto new projects.

In order to reduce risk, access needs to be dynamic and precise rather than static and broad.

Entra has a lot of what you need to make that happen, and the user-facing workflows can be filled in with on-demand access with Indent.

  • Time-Bound Access for Employees
    • With time-bound access, organizations can minimize the attack surface by granting access to resources only when needed.
    • This approach reduces the risk of prolonged exposure and minimizes the potential for misuse of privileges.
  • In-Workflow Approvals with Automatic Provisioning and Revocation
    • Users can request access to specific resources from Slack, Web, or CLI. After approval, temporary access is granted for the requested duration.
    • Creating a way for engineers to request access without opening a new window allows them to maintain their focus and the ease of getting access disincentivizes holding onto access longer than necessary.
  • On-Call Auto Approvals
    • Break glass accounts are a primary target by hackers for their elevated level of permissions.
    • With an on-demand access system, break glass and on-call access can be granted automatically after verification through an on-call provider. That access gets automatically logged for later review.
  • Compliant-by-Default Access
    • With on-demand access you can encode your security policies and controls within the system as rule to ensure access requests always route to the correct approvers.
    • This makes maintaining compliance simpler and reduces uncertainty on the part of the requester. These rules can be applied to multiple workflows, streamlining configuration and reducing time to value for the system.
  • Temporary Access Contractor Access
    • When collaborating with external partners, contractors, or temporary employees, on-demand access allows you to grant auto-expiring access.
    • By using on-demand access for third party organizations, teams can collaborate without leaving the door open for persistent access.
  • Automatic Logging for Compliance and Security
    • Detailed logs can help with incident investigation, compliance audits, and accountability.
    • In an on-demand access system like Indent, all the relevant access metadata is captured for later review.

Temporary Access for Entra ID / Azure

Once you've installed an on-demand access control system like Indent into your Entra tenant (formerly Azure AD tenant) teams will be able manage access in a way that's time-bound, audit logged — perfect for security and compliance.

Here are some examples of what Indent enables:

  1. Temporary Administrator Access: A developer needs temporary Azure AD admin rights to debug an issue. They request access through Indent, which is then approved by their manager for a specific time frame.
  2. Project-Based SharePoint Access: A contractor needs access to a specific SharePoint site for the duration of a project. They get time-bound access via Indent, which automatically revokes the permissions when the project ends.
  3. Audit Trail for Access: To maintain compliance and security, the IT team uses Indent's audit logs to track all temporary access permissions granted in both Azure AD and SharePoint.
  4. Access during Employee Absence: An employee is on vacation, and their colleague needs access to certain Azure AD and SharePoint resources. Indent grants temporary access that ends when the absent employee returns.
  5. Offboarding: When an employee leaves the company, Indent can ensure their access to Azure AD and SharePoint is revoked immediately, reducing security risks.
  6. Emergency Access: In case of an emergency, a team member can be given immediate temporary access to crucial resources in Azure AD and SharePoint through Indent.

Conclusion

With Entra ID you get a robust identity and access management solution, offering a wide range of access control capabilities to protect organizational resources.

Shifting toward on-demand access control allows you to easily implement the principle of least privilege, and reduce risk from unauthorized access, strengthening your cloud security and helping you meet your compliance goals.

Ready to get started? You can either get a personalized demo and onboarding from our team or get started on your own: indent.com/setup

Try Indent for free.