Entra ID Access Package in Entitlement Management During Landing Zone Provisioning

[AErmie]

As part of deploying Azure Landing Zones (ie. "Project Sets"), we need to grant access to the Management Group / Subscriptions to the respective Product Owner (PO) and Technical Leads (TLs) as part of the automated provisioning.

Management of Azure Entra ID is the responsibility of the Access and Directory Management Services (ADMS) team. This presents a limitation in not being able to dynamically creating Security Groups to manage access.

As an alternative approach, the ADMS team has ask that we look into using Entra ID access package in entitlement management.

Research and investigation is require, to determine if this approach can fulfill the needs within the automated provisioning.

Acceptance Criteria

• [ ] Scenario: Access package in entitlement management
  • Given a package is created in Entitlement Management
  • When the package is assigned to the respective Product Owner (PO) and Technical Leads (TLs)
  • Then the POs and TLs should have access to the required resources within the project set
  • [ ] Scenario: Package assignment automation
  • Given a package is created in Entitlement Management
  • When the package is automatically assigned to the respective Product Owner (PO) and Technical Leads (TLs) during automated provisioning
  • Then the POs and TLs should have access to the required resources within the project set

[AErmie]

As part of investigating this approach, automation will need to be explored. Here is a reference article that might be useful: Automating Access Package Creation for Entra ID roles with PowerShell