In my previous blog post, I have explained how we can collect custom attribute values by using Azure AD user flows. We had custom attributes setup in Azure AD and when a guest user accesses an application for the first time, the values for these custom attributes will be collected by using user flows. Azure AD entitlement management feature does identity governance by allowing organizations to manage identity and access life cycle with help of access packages, workflows, and reviews. In one of my previous blog posts, I have talked about entitlement management in detail and it can be accessed using https://www.rebeladmin.com/2020/02/step-step-guide-azure-ad-access-package/ . Now we can also collect these custom attribute values when a user accesses an access package. In my Azure environment, I have an application and its access life cycle is managed by using Azure AD entitlement management. This application is also open for guest users. When a guest user requests access, I need to collect values for two custom attributes called “Organization ID” and “User Token”. After the guest user is provided this information, the approver will cross-check these values with the internal system to make sure the request is legitimate. Once the verification process is completed, the approver will go ahead and process the request.
In this blog post, I am going to demonstrate how we can set up this. Another important to mention in here is, similar to the user flow method, the collected custom attribute values will be saved in Azure AD and if required we can query these values using Microsoft Graph.
Current Setup
In my existing environment, I already created two custom attributes called “Organization ID” and “User Token”. I have covered the steps for that in my previous blog post.
I have also created an access package for the application under the Azure AD entitlement management. This particular application is hosted in on-prem server and it is using Azure AD application proxy for remote access.
As per the policy, this application is open for any external user. Also, any access request will go through the approval process.
Configure required attributes for the application
Let’s go ahead and see how we can configure require attributes feature for the application.
1. Log in to Azure Portal and go to Azure AD | Identity Governance | Click on the access package you want to modify (I assume you already have relevant access packages configured)
2. Then click on Resource roles
3. The next step of the configuration is to add the application to the access package. To do that click on + Add resource roles
4. Then, click on + Applications
5. It will list down the applications. From the list select the application you want to manage. In this demo, I am choosing an application called rebelapp01.
6. Once the selection is done, choose the role you going to manage by using the access package.
7. To complete the process, click on Add at the end.
8. This completes the process of adding an application to the access package. The next step is to add the required attributes to the application. To do that, select the application and click on Require attributes (preview) option.
