How to best manage access in Microsoft 365
Updated: Aug 15, 2021
To enable an effective digital workplace, access needs to be set correctly. Non-sensitive information should be accessible to enable knowledge sharing and reuse, while sensitive information should be restricted and protected. In Microsoft 365 (M365), search results will only show information that you have access to. If access is set wrong, users will not know that relevant information may exist and will be of value to them.
Some clients wants to manage access based on roles, region/country, and security classification (e.g. open, internal, confidential, top-secret). This may look like this:
Open: Accessible by all staff and contractors
Internal: Accessible by all staff - and contractors by request
Confidential: Accessible for some roles within a region/country - and others by request
Top-Secret: Membership managed by owner
Asking Microsoft Team and SharePoint owners to invite all relevant users will not work in medium and large organizations. Team and site owners will not know all the users that should have access, and they will not be able to remove access when required. If access is managed with security groups, then this will only help you manage access to SharePoint sites, but not Microsoft Teams and other Microsoft 365 Group resources. Since work happens increasingly in Microsoft Teams, it is then key to manage the Microsoft 365 Group memberships to ensure users have access to what they should have access to in M365.
How to best manage access in Microsoft 365?
Azure Active Directory (Azure AD) entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration. It is included in the E5 and E5 Security license, or you buy it on top of your E3 license.
Entitlement management introduces to Azure AD the concept of an access package. An access package is a bundle of all the resources with the access a user needs to work on a project or perform their task. Access packages are used to govern access for your internal users, and also users outside your organization. Here are the types of resources you can manage user's access to with entitlement management:
Membership of Azure AD security groups
Membership of Microsoft 365 Groups and Teams
Assignment to Azure AD enterprise applications, including SaaS applications and custom-integrated applications that support federation/single sign-on and/or provisioning
Membership of SharePoint Online sites
Here are some of capabilities of entitlement management:
Delegate to non-administrators the ability to create access packages. These access packages contain resources that users can request, and the delegated access package managers can define policies with rules for which users can request, who must approve their access, and when access expires.
Select connected organizations whose users can request access. When a user who is not yet in your directory requests access, and is approved, they are automatically invited into your directory and assigned access. When their access expires, if they have no other access package assignments, their B2B account in your directory can be automatically removed.
Leverage API to ensure newly provisioned O365 group/site will be added to existing access package(s) to ensure access to designated users. This means access is set correctly based on the purpose and security classification of the Microsoft Teams and corresponding SharePoint site.
Self-service access request is available out-of-the-box for users to see existing accesses and apply for new accesses with approvals.
Feel free to contact us if you need help ensuring access is managed correctly in M365. You may also want to check out some of the below blog posts.