Microsoft this week announced a couple of previews for IT pros using the Azure Active Directory identity and access management service.
One preview lets IT pros control the frequency of sign-ins by end users. The other preview is a governance enhancement that automates employee and partner access to Software-as-a-Service (SaaS) applications and network resources. Both will require Premium Azure AD licensing to use.
Authentication Session Management Preview
The Azure AD sign-in control capability is called “authentication session management.” It provides a graphical user interface-based set of controls that IT pros can use to set things like “Sign-in frequency” and “Persistent browser session” for end users when they access browser-based applications.
Organizations can change Microsoft’s default settings used in the authentication session management interface when they need greater control for some sign-ins. Microsoft generally doesn’t advocate enforcing frequent sign-ins, though.
“Asking users to frequently sign in may not make sessions more secure and can hinder a productive user experience,” Microsoft’s announcement explained. “So it’s important to consider if changing the default configuration is necessary for your environment.”
Authentication session management is actually a replacement for Microsoft’s “configurable token lifetimes” Azure AD capability, which was previewed way back in 2016. The configurable token lifetimes capability required the use of PowerShell, and it seemed like a somewhat more complex scheme to use.
When commercially released, the authentication session management capability will require having an Azure AD Premium 1 subscription in place.
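To make the trade-off in the announcement concrete, here is an added example (not Microsoft's code, and not Azure AD's configuration schema) that models the two controls described above, “Sign-in frequency” and “Persistent browser session”, and counts how many sign-in prompts a user would see over a constructed work week under the default settings versus a strict policy. The policy field names, the session model, and the assumption that a prompt occurs exactly when the frequency window elapses are all this example's own simplifications.

```python
from datetime import datetime, timedelta

# Hypothetical policy model for this example. The keys below are not Azure AD
# setting names; they stand in for "Sign-in frequency" and "Persistent browser
# session". A frequency of None means "no forced re-authentication".
DEFAULT_POLICY = {"sign_in_frequency": None, "persistent_browser": True}
STRICT_POLICY = {"sign_in_frequency": timedelta(hours=1), "persistent_browser": False}


def reauth_required(policy, last_sign_in, now, browser_restarted):
    """Return True when the user must sign in again under `policy`."""
    # A non-persistent browser session ends when the browser is closed, so a
    # restarted browser always needs a fresh sign-in.
    if not policy["persistent_browser"] and browser_restarted:
        return True
    freq = policy["sign_in_frequency"]
    if freq is not None and now - last_sign_in >= freq:
        return True
    return False


def count_prompts(policy, sessions):
    """Count sign-in prompts over a list of (start, end, browser_restarted)
    work sessions sorted by start time (constructed input)."""
    prompts = 0
    last_sign_in = None
    for start, end, restarted in sessions:
        if last_sign_in is None or reauth_required(policy, last_sign_in, start, restarted):
            prompts += 1
            last_sign_in = start
        # Simplification: within a long session, each expiry of the frequency
        # window produces one more prompt.
        freq = policy["sign_in_frequency"]
        if freq is not None:
            while last_sign_in + freq <= end:
                last_sign_in += freq
                prompts += 1
    return prompts


def work_week(first_day=datetime(2019, 4, 1)):
    """Constructed sample: five 09:00-17:00 days, browser restarted each morning."""
    return [
        (first_day + timedelta(days=d, hours=9),
         first_day + timedelta(days=d, hours=17),
         True)
        for d in range(5)
    ]


if __name__ == "__main__":
    week = work_week()
    print("default policy prompts:", count_prompts(DEFAULT_POLICY, week))
    print("strict policy prompts:", count_prompts(STRICT_POLICY, week))
```

The default policy produces a single prompt for the whole week, while a one-hour sign-in frequency with non-persistent browser sessions produces nine prompts per day in this model. Changing either control only reduces the window in which a stolen browser session stays usable; it does not by itself protect the credential, which is why the announcement recommends weighing the change against the default.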
Entitlement Management Preview
The other preview announced this week, “entitlement management,” adds some automation when organizations need to share access to SaaS apps and network resources, provided that they are managed under Azure AD.
The entitlement management scheme works by creating an “access package,” which specifies who can access certain applications and for how long. There’s a graphical user interface for setting things up. Approvals for granting access can be specified using the interface. It’s also possible to set time limits on the access to apps and resources.
The automation aspect happens after these access packages are set up.
“When an employee requests an access package, and their request is approved, the employee is automatically provisioned access to the groups, apps, and other resources in the access package,” Microsoft’s announcement explained.
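The access-package lifecycle described in this section (request, approval by a designated approver, automatic provisioning of the bundled groups and apps, and time-limited access) can be modelled in a few dozen lines. The following is an added example written for this article, not Microsoft's entitlement management implementation or its API; the class and field names, the constructed package and user names, and the rule that a resource is removed on expiry only when no other active assignment still grants it are all this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import count


@dataclass(frozen=True)
class AccessPackage:
    """Hypothetical access package: what is granted, who approves, for how long."""
    name: str
    resources: frozenset   # groups and apps bundled in the package
    approvers: frozenset   # users allowed to approve requests for it
    max_duration: timedelta


@dataclass
class Assignment:
    user: str
    package: AccessPackage
    expires_at: datetime


class EntitlementModel:
    """Toy model of request -> approval -> provisioning -> expiry."""

    def __init__(self):
        self._ids = count(1)
        self.pending = {}       # request id -> (user, package)
        self.assignments = []   # active, unexpired assignments
        self.provisioned = {}   # user -> set of resources currently held

    def request(self, user, package):
        rid = next(self._ids)
        self.pending[rid] = (user, package)
        return rid

    def approve(self, rid, approver, now):
        user, package = self.pending[rid]
        # Only the approvers named in the package may grant it.
        if approver not in package.approvers:
            raise PermissionError(f"{approver} may not approve {package.name}")
        del self.pending[rid]
        self.assignments.append(Assignment(user, package, now + package.max_duration))
        # Provisioning is automatic once approved: every bundled resource is granted.
        self.provisioned.setdefault(user, set()).update(package.resources)

    def deny(self, rid):
        del self.pending[rid]

    def expire(self, now):
        """Remove expired assignments and deprovision resources that no remaining
        active assignment for that user still grants. Returns what was removed."""
        still_active, removed = [], []
        for a in self.assignments:
            (still_active if a.expires_at > now else removed).append(a)
        self.assignments = still_active
        for a in removed:
            keep = set().union(*(x.package.resources for x in still_active if x.user == a.user))
            self.provisioned[a.user] = self.provisioned.get(a.user, set()) & keep
        return removed


def demo():
    """Constructed walk-through with sample package and user names."""
    model = EntitlementModel()
    finance = AccessPackage("Partner finance", frozenset({"grp-finance", "app-erp"}),
                            frozenset({"manager@contoso.example"}), timedelta(days=30))
    t0 = datetime(2019, 4, 1)
    rid = model.request("partner@fabrikam.example", finance)
    model.approve(rid, "manager@contoso.example", t0)
    held_after_approval = set(model.provisioned["partner@fabrikam.example"])
    model.expire(t0 + timedelta(days=31))
    held_after_expiry = set(model.provisioned["partner@fabrikam.example"])
    return held_after_approval, held_after_expiry


if __name__ == "__main__":
    print(demo())
```

The expiry rule is the part worth attention when reviewing a real deployment: a partner who holds two overlapping packages that both bundle the same group must keep that group until the last assignment granting it ends, and an implementation that deprovisions per package without that check either strands access or removes it too early.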
The Azure AD entitlement management capability, accessible via the Azure Portal, works with the Azure AD B2B (Business to Business) service, which is used by organizations to collaborate with business partners. Microsoft’s early adopter on this feature was Avanade, which currently uses entitlement management for its client and business partner collaborations.
When commercially available, the entitlement management capability will require an “Azure AD Premium P2 feature as part of Enterprise Mobility + Security (EMS) E5” suite, Microsoft’s announcement indicated.