```python
P = input("Enter Prefix: ").upper()
print('Prefix: {}'.format(P))
```

Recorded output:

```
Enter Prefix: aad.pac
Prefix: AAD.PAC
```

```python
G = input("Enter Group||Project: ").lower().capitalize()
print('Group: {}'.format(G))
```

Recorded output:

```
Enter Group||Project: FooGroup
Group: Foogroup
```

```python
R = input("Enter Resource: ").lower().capitalize()
print('Resource: {}'.format(R))
```

Recorded output:

```
Enter Resource: RG1
Resource: Rg1
```

```python
def setDefault(dVar=None, dVal=0):
    """Return dVal when dVar is unset, otherwise dVar itself."""
    return dVal if dVar is None else dVar

P = setDefault(P, 'QBU-PM.PAC')
G = setDefault(G, 'FooGroup')
R = setDefault(R, 'ResGrp1')

# Scope name without the role: <Prefix>.<Group>.<Resource>
scopeGroupName = f'{P}.{G}.{R}'
print("Scope Group", scopeGroupName)
```

Recorded output:

```
Scope Group QBU-PM.PAC.FooGroup.ResGrp1
```

# Privileged Access Management

We want to be able to accommodate a workflow where

- entitlements are pre-authorized eligibilities to resources via RBAC
- approvers/management designate users for entitlements
- users are eligible to enable the roles they are entitled to
- users have a self-help ability to enable such entitlements
- activated roles have a limited duration

## Requirements

- RBAC-managed access to resources
- Limited access / expiration
- Self-help / user initiated
- Auditability

AAD tenant configuration: our primary tenant is company-wide, while our production tenants are dedicated to production.

## Our current approach

### Scoped Groups

Use AAD security groups to "scope" RBAC to resources.

Group naming format: `<Prefix>.<Group>.[<Resource>.]<Role>`. A group with this name is assigned the Azure role `<Role>` on `<Group>`, or on the `<Resource>` within it if one is specified.

- Prefix: a unique descriptor for the tenant, or another convention
- Group: an arbitrary description denoting a Teams subscription or management group
- Resource: [optional] granular designation of a specific resource or resources
- Role: Azure Role :)

### Entitlements and Activation

An entitlement is a mapping of a user to a group, e.g. `Bob1 is entitled access to the scope designated by PAC.FooGrp1.RG1.Contributor`.

Activation of a role is simply the user being granted membership of an entitled group.

Options for *Activation*

1. Upon request: manually

   Negatives:
   - As a manual effort, there will be a delay between the time requested and the time fulfilled
   - Need a reminder, or some other method, to remove the membership automatically

2. Access Package workflow

   Can accommodate the workflows with policies very well, but requires 2-3 groups for every 1 scoped group:
   - Approvers group: **QBU-PM.PAC.FooGroup.ResGrp1.**Approver
   - Eligible/Entitled group: **QBU-PM.PAC.FooGroup.ResGrp1.**Eligible
   - Scoped group: **QBU-PM.PAC.FooGroup.ResGrp1.**Reader

   Negatives: would require

3. Self-Help: Enterprise App with group assignment
4. Join Group (of which the user is an owner)

Activated roles could be tracked the same way we track entitlements, but that may duplicate something inherent in Azure PIM, Identity Governance (IG) or something else.

# Activation Options

- Upon Request: clearly not optimal

## Access Packages

## Owned Groups

Assign ownership to any

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Announcing-a-new-Azure-AD-identity-governance-preview/ba-p/480864
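The scoped-group naming convention and the entitlement/activation workflow described in the notebook above, worked through as an added Python example (this is not code from the gist). Two points the notebook leaves implicit are handled here: a prefix such as `AAD.PAC` contains the `.` separator, so a name cannot be parsed by a plain split and the parser must be given the tenant's known prefixes (longest match wins); and an activation must expire on its own and leave an audit trail. The segment character set, the `KNOWN_ROLES` set, the eight-hour cap, and the `PamModel`, `parse_scoped_group` and `demo` names are assumptions for the example, and the user, approver and timestamps in `demo()` are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set
import re

# Assumptions (not stated in the notebook): segments are alphanumeric plus '-'/'_', the
# role is checked against a few Azure built-in roles, and the tenant's prefixes are known
# up front, because a prefix such as "AAD.PAC" contains the '.' separator itself.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")
KNOWN_ROLES = {"Owner", "Contributor", "Reader"}
PACKAGE_SUFFIXES = ("Approver", "Eligible")  # companion groups for the Access Package option


@dataclass(frozen=True)
class ScopedGroup:
    """One <Prefix>.<Group>.[<Resource>.]<Role> security group."""
    prefix: str
    group: str
    role: str
    resource: Optional[str] = None

    @property
    def scope(self) -> str:  # name without the role: the notebook's scopeGroupName
        return ".".join(p for p in (self.prefix, self.group, self.resource) if p)

    @property
    def name(self) -> str:
        return f"{self.scope}.{self.role}"

    def package_groups(self) -> Dict[str, str]:
        """The three groups the Access Package workflow needs for one scoped group."""
        groups = {"scoped": self.name}
        for suffix in PACKAGE_SUFFIXES:
            groups[suffix.lower()] = f"{self.scope}.{suffix}"
        return groups


def parse_scoped_group(name: str, prefixes) -> ScopedGroup:
    """Parse a group name; the longest known prefix wins so 'AAD.PAC' is not split."""
    prefix = max((p for p in prefixes if name.startswith(p + ".")), key=len, default=None)
    if prefix is None:
        raise ValueError(f"{name!r} does not start with a known prefix")
    rest = name[len(prefix) + 1:].split(".")
    if len(rest) not in (2, 3):
        raise ValueError(f"{name!r}: expected <Group>.[<Resource>.]<Role> after the prefix")
    for seg in rest:
        if not SEGMENT_RE.match(seg):
            raise ValueError(f"{name!r}: bad segment {seg!r}")
    if rest[-1] not in KNOWN_ROLES:
        raise ValueError(f"{name!r}: {rest[-1]!r} is not a known Azure role")
    return ScopedGroup(prefix, rest[0], rest[-1], rest[1] if len(rest) == 3 else None)


class PamModel:
    """Entitlement = eligible for a group; activation = time-boxed membership of it."""

    def __init__(self, max_duration: timedelta = timedelta(hours=8)):
        self.max_duration = max_duration  # hard cap on any single activation (assumed)
        self.entitlements: Set[tuple] = set()  # (user, group name)
        self.memberships: Dict[tuple, datetime] = {}  # (user, group name) -> expiry
        self.audit = []  # (when, event, user, group name)

    def entitle(self, approver: str, user: str, group: ScopedGroup, now: datetime) -> None:
        self.entitlements.add((user, group.name))
        self.audit.append((now, f"entitled by {approver}", user, group.name))

    def activate(self, user: str, group_name: str, now: datetime, duration: timedelta) -> datetime:
        """Self-service activation: entitled users only, never longer than max_duration."""
        if (user, group_name) not in self.entitlements:
            self.audit.append((now, "activation denied", user, group_name))
            raise PermissionError(f"{user} is not entitled to {group_name}")
        expires = now + min(duration, self.max_duration)
        self.memberships[(user, group_name)] = expires
        self.audit.append((now, f"activated until {expires.isoformat()}", user, group_name))
        return expires

    def active_members(self, group_name: str, now: datetime) -> Set[str]:
        """Current members; lapsed activations are removed and audited on the way."""
        for key, expires in list(self.memberships.items()):
            if expires <= now:
                del self.memberships[key]
                self.audit.append((now, "expired", key[0], key[1]))
        return {u for (u, g) in self.memberships if g == group_name}


def demo():
    """Constructed scenario built from the gist's own example names."""
    g = parse_scoped_group("PAC.FooGrp1.RG1.Contributor", {"PAC", "AAD.PAC", "QBU-PM.PAC"})
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    pam = PamModel()
    pam.entitle("Mgr1", "Bob1", g, t0)  # an approver designates Bob1
    pam.activate("Bob1", g.name, t0, timedelta(hours=2))  # Bob1 self-activates for 2h
    return pam, g, t0


if __name__ == "__main__":
    pam, g, t0 = demo()
    print(g.package_groups(), pam.active_members(g.name, t0 + timedelta(hours=1)))
    print(pam.active_members(g.name, t0 + timedelta(hours=3)), *pam.audit, sep="\n")
```

Running the module prints the three Access Package groups for `PAC.FooGrp1.RG1`, shows `Bob1` as a member one hour after activation and absent three hours after it, and lists the audit entries including the automatic expiry. In a real tenant the membership map would be the AAD group itself and the expiry sweep would run from a scheduled job, but the invariant is the same: nobody is added to a scoped group without a matching entitlement, and every addition carries an expiry.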