File: defender-endpoint/grant-mssp-access.md
Lines changed: 13 additions & 13 deletions
@@ -30,17 +30,17 @@ ms.date: 12/18/2020
30
30
31
31
To implement a multitenant delegated access solution, take the following steps:
32
32
33
-
1. Enable [role-based access control](rbac.md) in Defender for Endpoint and connect with Active Directory (AD) groups.
33
+
1. Enable [role-based access control](rbac.md) in Defender for Endpoint and connect with Microsoft Entra ID groups.
34
34
35
35
2. Configure [Governance Access Packages](/azure/active-directory/governance/identity-governance-overview) for access request and provisioning.
36
36
37
37
3. Manage access requests and audits in [Microsoft MyAccess](/azure/active-directory/governance/entitlement-management-request-approve).
38
38
39
39
## Enable role-based access controls in Microsoft Defender for Endpoint
40
40
41
-
1.**Create access groups for MSSP resources in Customer AAD: Groups**
41
+
1.**Create access groups for MSSP resources in Customer Entra ID: Groups**
42
42
43
-
These groups are linked to the Roles you create in Defender for Endpoint. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:
43
+
These groups are linked to the Roles you create in Defender for Endpoint. To do so, in the customer Entra ID tenant, create three groups. In our example approach, we create the following groups:
44
44
45
45
- Tier 1 Analyst
46
46
- Tier 2 Analyst
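Review bot: The hunk header still shows `ms.date: 12/18/2020`, but this terminology update (Active Directory / AD groups to Microsoft Entra ID groups in step 1 and in the "Create access groups" heading and body) is a content change; the ms.date metadata should be bumped in the same commit so the page's freshness indicator reflects the rename. Also note that the replaced line dropped the "(AD)" abbreviation entirely, so any later use of the bare "AD" in the file would now be undefined; the lines in this hunk are consistent, but it is worth a search of the rest of the file.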
@@ -60,29 +60,29 @@ To implement a multitenant delegated access solution, take the following steps:
60
60
61
61
## Configure Governance Access Packages
62
62
63
-
1.**Add MSSP as Connected Organization in Customer AAD: Identity Governance**
63
+
1.**Add MSSP as Connected Organization in Customer Entra ID: Identity Governance**
64
64
65
-
Adding the MSSP as a connected organization allows the MSSP to request and have accesses provisioned.
65
+
Adding the MSSP as a connected organization allows the MSSP to request and have access provisioned.
66
66
67
-
To do so, in the customer AD tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. We suggest creating a separate AD tenant for your MSSP Analysts.
67
+
To do so, in the customer Entra ID tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. We suggest creating a separate Entra ID tenant for your MSSP Analysts.
68
68
69
-
2.**Create a resource catalog in Customer AAD: Identity Governance**
69
+
2.**Create a resource catalog in Customer Entra ID: Identity Governance**
70
70
71
-
Resource catalogs are a logical collection of access packages, created in the customer AD tenant.
71
+
Resource catalogs are a logical collection of access packages, created in the customer Entra ID tenant.
72
72
73
-
To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, it's called, **MSSP Accesses**.
73
+
To do so, in the customer Entra ID tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, it's called, **MSSP Accesses**.
74
74
75
75
:::image type="content" source="media/goverance-catalog.png" alt-text="The new catalog page" lightbox="media/goverance-catalog.png":::
76
76
77
77
Further more information, see [Create a catalog of resources](/azure/active-directory/governance/entitlement-management-catalog-create).
78
78
79
-
3.**Create access packages for MSSP resources Customer AAD: Identity Governance**
Access packages are the collection of rights and accesses that a requestor is granted upon approval.
82
82
83
-
To do so, in the customer AD tenant, access Identity Governance: Access Packages, and add **New Access Package**. Create an access package for the MSSP approvers and each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:
83
+
To do so, in the customer Entra ID tenant, access Identity Governance: Access Packages, and add **New Access Package**. Create an access package for the MSSP approvers and each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:
84
84
85
-
- Requires a member of the AD group **MSSP Analyst Approvers** to authorize new requests
85
+
- Requires a member of the Entra ID group **MSSP Analyst Approvers** to authorize new requests
86
86
- Has annual access reviews, where the SOC analysts can request an access extension
87
87
- Can only be requested by users in the MSSP SOC Tenant
88
88
- Access auto expires after 365 days
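Review bot: The unchanged context line "Further more information, see [Create a catalog of resources](...)" carries a typo that this pass over the section should pick up; it should read "For more information, see ...", matching the wording used later in the file ("For more information, see [Create a new access package](...)"). In the same spirit, the hunk corrects "have accesses provisioned" to "have access provisioned", but the unchanged line "Access packages are the collection of rights and accesses that a requestor is granted upon approval" keeps the same non-standard plural; consider "rights and access" there too (the catalog name **MSSP Accesses** is a literal example value and can stay).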
@@ -92,7 +92,7 @@ To implement a multitenant delegated access solution, take the following steps:
92
92
93
93
For more information, see [Create a new access package](/azure/active-directory/governance/entitlement-management-access-package-create).
94
94
95
-
4.**Provide access request link to MSSP resources from Customer AAD: Identity Governance**
95
+
4.**Provide access request link to MSSP resources from Customer Entra ID: Identity Governance**
96
96
97
97
The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the **MSSP Analyst Approvers**.
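Review bot: The renamed step headings use "Customer Entra ID" as if it were a product name ("Provide access request link to MSSP resources from Customer Entra ID: Identity Governance"), while the body text consistently says "the customer Entra ID tenant"; for consistency and to make clear that the action happens in the customer's tenant rather than in Entra ID generally, consider phrasing the four step headings as "... in the customer Entra ID tenant: Identity Governance". The relative links (/azure/active-directory/governance/...) are path segments, not product names, and are correctly left untouched.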