I'm looking to improve and automate our existing workflow for granting permissions to Azure resources, as the current process is quite manual. Right now, it involves a series of steps: a developer or IT manager submits a ticket via Jira Cloud for a user to get a Reader or Contributor role in a specific environment. Then, the ticket goes through an approval process with our IAM team and the resource owners. Finally, once approved, the IAM team assigns the requested role to the user. Given our resource structure—which organizes by region and then by environments like prod, dev, and test—I'm curious if anyone out there has successfully streamlined or automated a similar process?
3 Answers
We set up Active Directory groups on-prem that sync with Entra. These groups are assigned to PIM roles at the subscription level, allowing end users to request AD group access and automatically gain permissions through a ServiceNow request.
In a hybrid cloud setup, we rely on Active Directory memberships to control roles that sync with Azure. Custom roles are particularly beneficial for app developers, DevOps teams, and network engineers. When lacking custom roles, PIM can be very helpful for access management.
To automate this kind of process, I suggest using groups for role assignments. You can provision Entra groups tied to specific roles during the initial setup of your environments. When someone needs access, automation can add them to the appropriate group based on their role. Consistent and predictable group naming makes management easier!
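As an added illustration of the group-per-role pattern described in this answer (and the PIM-backed groups in the first answer), not code from anyone in the thread: a small shell script that derives a group name from the ticket's region, environment and role, creates the group and its role assignment once per environment, and then fulfils approved tickets purely by group membership. It assumes the Azure CLI is installed and signed in; the subscription id, resource group, user principal name and the `az-rbac-` naming scheme are constructed placeholders, and `DRY_RUN=1` (the default) prints the `az` commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example, not code from the thread: one Entra group per
# (region, environment, role), bound once to a built-in role at the
# environment's scope; approved tickets only ever change group membership.
# Assumes the az CLI is installed and signed in. Subscription, resource group
# and user names below are constructed placeholders.
# DRY_RUN=1 (the default) prints the az commands instead of executing them.
set -eu
DRY_RUN="${DRY_RUN:-1}"

# Naming convention: az-rbac-<region>-<env>-<role>, lower-cased, so the group
# for a ticket is computed from its fields instead of looked up by hand.
rbac_group_name() {
  printf 'az-rbac-%s-%s-%s\n' "$1" "$2" "$3" | tr '[:upper:]' '[:lower:]'
}

# The ticket form offers Reader and Contributor only; anything else is refused
# so a mistyped role can never become Owner or User Access Administrator.
validate_role() {
  case "$1" in
    Reader|Contributor) return 0 ;;
    *) return 1 ;;
  esac
}

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '[dry-run] %s\n' "$*"; else "$@"; fi
}

# Object-id lookups; in dry-run mode they return labelled placeholders.
group_object_id() {
  if [ "$DRY_RUN" = "1" ]; then echo "<object-id-of-$1>"; else
    az ad group show --group "$1" --query id -o tsv; fi
}
user_object_id() {
  if [ "$DRY_RUN" = "1" ]; then echo "<object-id-of-$1>"; else
    az ad user show --id "$1" --query id -o tsv; fi
}

# One-time, per environment: create the group and give it the role at scope.
# Because this runs once, day-to-day tickets never touch RBAC itself.
provision_rbac_group() {
  region="$1"; env="$2"; role="$3"; scope="$4"
  validate_role "$role" || { echo "unsupported role: $role" >&2; return 1; }
  group="$(rbac_group_name "$region" "$env" "$role")"
  run az ad group create --display-name "$group" --mail-nickname "$group"
  run az role assignment create --role "$role" --scope "$scope" \
      --assignee-object-id "$(group_object_id "$group")" \
      --assignee-principal-type Group
}

# Ticket fulfilment: refuses unless the ticket state handed in by the Jira
# workflow (set after IAM and resource-owner approval) is "approved".
grant_access() {
  region="$1"; env="$2"; role="$3"; upn="$4"; ticket_state="$5"
  [ "$ticket_state" = "approved" ] || { echo "ticket not approved, refusing" >&2; return 1; }
  validate_role "$role" || { echo "unsupported role: $role" >&2; return 1; }
  group="$(rbac_group_name "$region" "$env" "$role")"
  run az ad group member add --group "$group" --member-id "$(user_object_id "$upn")"
}

# Constructed sample run (dry-run): set up westeurope/prod Reader once, then
# fulfil one approved ticket for a developer.
SCOPE="/subscriptions/<subscription-id>/resourceGroups/rg-westeurope-prod"
provision_rbac_group westeurope prod Reader "$SCOPE"
grant_access westeurope prod Reader dev@contoso.example approved
```

The split between `provision_rbac_group` (run once by IAM when an environment is created) and `grant_access` (run by the ticket automation) is the point: the automation only needs permission to manage membership of the `az-rbac-*` groups, never `Microsoft.Authorization/roleAssignments/write`, and every grant is visible as a group-membership change in the Entra audit log.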
What type of automation tools do you use to manage that process? We too have Entra groups linked to roles.

But with the PIM approach, isn't there a requirement to set every resource as available for developers to request access? Also, isn't the multi-level approval a big gap?