A Temporary Access Pass (TAP) in Entra ID is a time-limited passcode that lets a user sign in and register stronger authentication methods without an existing credential. TAPs are typically used for onboarding new employees, account recovery and short-lived elevated access, but issuing them promptly and with a clean audit trail is a challenge, especially for IT admins and Managed Service Providers (MSPs) supporting multiple tenants.
Microsoft’s new “Request on Behalf” feature in Entra ID Entitlement Management helps by letting a manager request an access package on behalf of a direct report. For a TAP workflow, the access package grants membership of the group that the Temporary Access Pass authentication-method policy targets; the pass itself is still created by an authentication administrator (or by automation). The feature removes the dependency on the end user raising the request, reduces delays and keeps every request inside the Entitlement Management audit trail.
The Challenges of TAP Management
While TAPs are a critical tool for secure, temporary access, managing them presents several challenges:
- Complexity for Users: an end user cannot create a TAP themselves, and many are not comfortable with the My Access portal flow for requesting an access package.
- Urgency: TAP requests are often time-sensitive, and delays can impact productivity.
- Scalability for MSPs: Managing TAP workflows across multiple tenants can be time-consuming and inefficient.
“Request on Behalf” addresses these pain points by letting an admin or MSP account that is recorded as the user’s manager raise the request directly, so the end user is no longer in the loop.
Key Benefits of “Request on Behalf”
This feature offers several advantages:
- Streamlined Requests: Admins can handle access requests without requiring user intervention, reducing errors and delays.
- Improved Governance: every request records both the requestor and the target user, and any approval is logged against it, so the audit trail shows who asked for access for whom and who approved it.
- Enhanced MSP Efficiency: MSPs managing multiple tenants can provide faster, more reliable support.
How to Configure and Use “Request on Behalf”
Here’s a straightforward guide to configuring and using this feature, based on Microsoft’s documentation:
Step 1: Configure an Access Package Policy Allowing On-Behalf-of Requests
- Go to Entitlement Management:
- In the Entra admin center, navigate to Identity governance > Entitlement management > Access packages.
- Edit or Create an Access Package:
- Select an existing access package or create a new one. For a TAP workflow its resource role should be membership of the group that the Temporary Access Pass authentication-method policy targets.
- Set Policy for Requests on Behalf:
- Under the Policies tab of the access package, click + Add policy (or select an existing policy to modify).
- Set a Policy name.
- For Who can request access, keep the scope as narrow as the workflow needs. The on-behalf-of flow in Step 2 offers the requester their own direct reports, so the admin or MSP account that will raise requests has to be set as the manager of the users it onboards.
- For Users who can be assigned access, select All users or, better, restrict it to the group of users the workflow is meant for.
- Enable On-Behalf-of Requests:
- Under Allow request on behalf of others, toggle to Yes.
- Approval: if the policy requires approval, do not let the on-behalf requester approve its own requests; route approval to a separate group and require a justification, so request and approval are attributable to different identities.
- Review and Save:
- Confirm your configuration and click Save.
Step 2: Request an Access Package on Behalf of an Employee
- Navigate to Access Packages:
- Go to https://myaccess.microsoft.com/ and select Access packages.
- On the Access packages page, locate the access package you want to request for a direct report and select Request package.
- On the Request pane, under Request details, select requesting for Someone else.
- Fill in the additional information needed to request the access package for the direct report.
- Select Submit request.
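The same procedure driven from Microsoft Graph PowerShell, as an added example that is not code from the original post or from Microsoft. It goes one step beyond the portal walkthrough: it checks the manager link before requesting, waits for the request to be delivered, and then issues the TAP that the group membership makes possible. Every GUID and UPN is a placeholder, the function names are the example’s own, and the policy body assumes the access package already exists and grants membership of the group targeted by the tenant’s Temporary Access Pass authentication-method policy.

```powershell
# Added example (not code from the original post or from Microsoft): Steps 1 and 2 above
# driven through Microsoft Graph PowerShell (modules Microsoft.Graph.Identity.Governance,
# Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns), plus the TAP issuance that the
# access package makes possible. Every GUID and UPN below is a placeholder, not a real object.
# Assumption: the access package already exists and its resource role is membership of the
# group targeted by the tenant's Temporary Access Pass authentication-method policy.

$accessPackageId = "11111111-1111-1111-1111-111111111111"  # existing access package (placeholder)
$onboardingGroup = "22222222-2222-2222-2222-222222222222"  # users who may be a target (placeholder)
$approverGroup   = "33333333-3333-3333-3333-333333333333"  # approvers, never the requester (placeholder)
$requesterUpn    = "msp-onboarding@contoso.example"         # account set as the new hires' manager (placeholder)
$directReportId  = "44444444-4444-4444-4444-444444444444"  # the user who needs the TAP (placeholder)

# Delegated scopes for the three roles played below (package admin, manager, authentication admin).
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "User.Read.All", "UserAuthenticationMethod.ReadWrite.All"

# Step 1 (admin): policy with "Allow request on behalf of others" = Yes.
function New-TapOnBehalfPolicy {
    param([string]$AccessPackageId, [string]$TargetGroupId, [string]$ApproverGroupId)
    $body = @{
        displayName            = "TAP onboarding - managers request for direct reports"
        allowedTargetScope     = "specificDirectoryUsers"   # not "all users": only the onboarding group
        specificAllowedTargets = @(@{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $TargetGroupId })
        expiration             = @{ type = "afterDuration"; duration = "P1D" }   # membership drops after a day
        requestorSettings      = @{
            enableTargetsToSelfAddAccess           = $false  # end users do not self-request
            enableOnBehalfRequestorsToAddAccess    = $true   # the on-behalf-of toggle
            enableOnBehalfRequestorsToRemoveAccess = $true   # let the manager revoke early
            # Who may request on behalf: the target user's direct manager (managerLevel 1).
            onBehalfRequestors = @(@{ "@odata.type" = "#microsoft.graph.targetManager"; managerLevel = 1 })
        }
        # Approval by a group that does not contain the requester, with a justification on file.
        requestApprovalSettings = @{
            isApprovalRequiredForAdd = $true
            stages = @(@{
                durationBeforeAutomaticDenial   = "P2D"
                isApproverJustificationRequired = $true
                isEscalationEnabled             = $false
                primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $ApproverGroupId })
            })
        }
        accessPackage = @{ id = $AccessPackageId }
    }
    New-MgEntitlementManagementAssignmentPolicy -BodyParameter $body
}

# Step 2 (manager or MSP account): request the package for a direct report.
function Request-TapPackageOnBehalf {
    param([string]$AccessPackageId, [string]$PolicyId, [string]$RequesterUpn, [string]$TargetUserId)
    # The on-behalf flow only offers the caller's direct reports, so check the manager link first.
    $reports = Get-MgUserDirectReport -UserId $RequesterUpn -All
    if ($reports.Id -notcontains $TargetUserId) {
        throw "$TargetUserId is not a direct report of $RequesterUpn; set the manager attribute first."
    }
    # userAdd is evaluated against the policy's requestor settings; adminAdd would bypass them
    # and needs the Access Package Manager role instead.
    $body = @{
        requestType   = "userAdd"
        justification = "Temporary Access Pass for first-day device enrolment"
        assignment    = @{ targetId = $TargetUserId; assignmentPolicyId = $PolicyId; accessPackageId = $AccessPackageId }
    }
    New-MgEntitlementManagementAssignmentRequest -BodyParameter $body
}

# Poll the request: it only reaches "delivered" after the approver group has acted.
function Wait-TapPackageRequest {
    param([string]$RequestId, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $r = Get-MgEntitlementManagementAssignmentRequest -AccessPackageAssignmentRequestId $RequestId
        if ($r.State -eq "delivered") { return $r }
        if ($r.State -in @("denied", "deliveryFailed", "canceled")) {
            throw "Request $RequestId ended in state $($r.State): $($r.Status)"
        }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Request $RequestId still in state $($r.State) after $TimeoutMinutes minutes"
}

# Step 3 (authentication administrator): the delivered assignment put the user in the TAP-scoped
# group, so a pass can now be issued. Single-use and short-lived limits the damage if it leaks.
function New-OnboardingTap {
    param([string]$TargetUserId)
    New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $TargetUserId -BodyParameter @{
        lifetimeInMinutes = 60     # must fall within the tenant TAP policy's allowed lifetime
        isUsableOnce      = $true
    }
}

# Usage, in the order the roles act:
$policy  = New-TapOnBehalfPolicy -AccessPackageId $accessPackageId -TargetGroupId $onboardingGroup -ApproverGroupId $approverGroup
$request = Request-TapPackageOnBehalf -AccessPackageId $accessPackageId -PolicyId $policy.Id -RequesterUpn $requesterUpn -TargetUserId $directReportId
$null    = Wait-TapPackageRequest -RequestId $request.Id
$tap     = New-OnboardingTap -TargetUserId $directReportId
# $tap.TemporaryAccessPass holds the one-time code: hand it to the user out of band, never by email to the new mailbox.
```

In practice the three functions run under different identities: the policy is created by an access package manager of the catalog, the request is raised by the account recorded as the user’s manager, and the pass is issued by an authentication administrator. Keeping those identities distinct, and keeping the approver group separate from the requester, is what makes the audit trail meaningful; a single “do everything” service account would collapse the separation the feature is meant to provide.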
Advanced Automation with Logic Apps
For those looking to go a step further, this blog post by Jan Bakker shows how you can use a Logic App to automate TAP workflows. While this is a creative and flexible solution, it might not be practical for MSPs managing multiple tenants. Deploying and configuring the Logic App for every tenant can be time-consuming and challenging to scale effectively.
Conclusion
Microsoft’s “Request on Behalf” feature is a significant improvement for managing TAPs, simplifying workflows for IT admins and MSPs alike. By keeping every request and approval in the Entitlement Management audit trail, and by limiting who can request for whom, it keeps TAP issuance both quick and accountable.
Start using “Request on Behalf” today to streamline your TAP workflows and take the hassle out of temporary access management!