Last Updated on March 19, 2023 by Dishan M. Francis

In an organization, users are required access to many different groups, applications, and sites to do their day-to-day tasks. Sometimes there can be external organizations that also required access to these various resources. As access requirements change frequently, it is quite challenging for IT administrators to manage access. As a solution to this problem, we can use Azure AD access packages to govern access for internal users as well as external users. Each Access package can contain applications, and permissions required to perform specific tasks. In one of my previous blog posts, I explained how we can set up access packages. You can access it by using the following link https://www.rebeladmin.com/2020/02/step-step-guide-azure-ad-access-package/#more-4735

With the access package, we also can define the approval process. When the user request access to the package, the approver will get a notification, and then he/she can approve or deny the access request. This approver can be an internal or external user/group. So far, we were able to use a two-stage approval process but now access packages can have a three-stage approval process. This is quite important especially if you required a review from security personnel. In this blog post, I am going to demonstrate how to set up a three-stage approval process for the existing Azure AD Access package. To start the configuration process,

1) Log in to the Azure portal as a Global administrator, Identity Governance administrator, User administrator, Catalog owner, or Access package manager.

2) Then click on Azure Active Directory | Identity Governance

Azure AD Identity Governance

3) Next, click on Access packages and then the access package we need to edit.

Selecting already existing access package

4) On new page click on Policies and then click on the existing policy

existing access policy

5) Then in policy details, click on Edit

edit access policy settings

6) It will open the policy settings, click on Requests, and then set the Require approval toggle to Yes

enable approval process for access package

7) To enable three-stage approval process, Set the How many stages to the number three.

enable three-stage approval processfor access package

8) To set the First approver, go to First Approver section and from the drop-down select the relevant option. In this demo, I am going to use Choose specific approvers option. If the access policy is set to For users not in your directory option the list here will change. In there we can define external or internal sponsors.

9) After that click on + Add approvers to select the First approver.

add first approver

10) It will list down the users from the directory. Select the relevant approver from the list. In this demo, I also like to capture approver justification. To enable that set the Require approver justification toggle to Yes.

require approver justification setting

11) Repeat steps 8 to 10 to set the Second approver and Third approver.

add second and third approvers

12) After settings are in place click on Next and go to the Custom extension tab and then click on Update to apply policy changes.

update access policy for the access package

This completes the policy configuration and the next step is to see new settings in action.

Testing

To verify the three-stage approval process, I log in to https://myaccess.microsoft.com/ as an end-user and there I can see the relevant access package. I went ahead and click on Request.

request access to access package

completing access request process

After the request is submitted, First approver received notification.

notification to first approver

The First approver went ahead and approve the request via myaccess portal.

first approver's pending approval request

approver justification

As expected, second and Third approvers also got the relevant notification. They also follow the same steps and approved the access request.

In the end, the user receives a notification about approved access package access.

access granted to access package

Then the user logged in to myaccess portal and as expected now the access package status is set to active.

Active access package

As we can see the three-stage approval process is working as expected. I hope now you have a better understanding of how we can three-stage approval process with access packages. This marks the end of this blog post. If you have any further questions about this feel free to contact me at rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.