Teams Real Simple with Pictures: Making Teams Just in Time with PIM for Groups

This blog is part of a series on Teams. For more articles, check back often

Written: 27/08/2023 | Updated: N/A

So I booked a holiday to Gran Canaria last week. The positives: time with the family, late summer sun, changing it up with the scenery and a great package and price. Negatives: it’s on 20th September so large parts of my workload are now super time sensitive. It’s going to be wild. For real. But here on the bank-holiday weekend in the UK I’ve got a little time to write: and today I have decided to do it on the idea of making Teams Just in Time (JIT) which, I guess, is a concept very applicable to my own situation. So why would we do this? Well, one of the issues we have in Teams is that we don’t need access to all Teams all the time, and also we have access to Teams that sometimes we don’t need to have access to all the time. In other words, there could be reasons why we need Just in Time access, and not need what’s called standing access. For example, I need to access a Team for a day in order to access specific assets in that team, or apps built within that team. I am sure you can think of your own. Now, we could go down another route and use Entitlement Management, Access Packages and Access Reviews right? Yeah, we could. But let’s say I only want to give access for a specific period of time, to do something specific and then the user is removed and has to apply again to be added to it, and that’s all auditable at the same time. This is where PIM for groups will come into its own, especially where Entra ID roles are group specific. A team which shows for a specific period of time to do what’s needed and collaborate with others, and disappears again when the time limit is reached. I personally think this one is worth exploring as it could really change the way we think of Teams.

Let’s go

This blog will cover

  • Configuring Just in Time Access to a Team

Note this blog will have abridged steps which will assume some experience with Microsoft Entra ID. All blogs will use the new Teams Desktop Client 2.1+ where possible.

Prerequisites

  • Microsoft Entra ID Plan 2 or Identity Governance Licence assigned to users who will access the group
  • Global Administrator for setup, or role which permits configuring PIM in Entra ID
  • Microsoft Teams for testing

CONFIGURING JUST IN TIME ACCESS TO A TEAM
Ok, here is the scenario. I (Chris Hoard) would like to have a team which will hold sensitive information for my organisation. There are two others in my organisation (Adam Deltinger & Vesku Nopanen) who I want to have access to the team, but they must apply first to join the team as members, and can only be authorised to have access to the team for 4 hours at a time.

1.) The first step is to create a Team. In the new Teams 2.1 Client I select Teams, then + (Add) and then select Create a Team

2.) Select From Scratch

3.) Select Private

4.) Give the team a Name and Description (Here called PIM Team) and then select Create

5.) The team is created. Don’t add any members; select Skip

6.) PIM Team is now created and sensitive information can be added, apps added and the team built out

7.) Now that the Team is built, log into https://login.microsoftonline.com as the admin and select Admin from the waffle or the left navigation.

8.) In the Microsoft 365 Admin Centre select Identity from the left navigation

9.) In the Microsoft Entra Admin Centre select Identity, then Groups then All Groups

10.) Select the created group that was created when creating the Team (PIM Team)

11.) Select Privileged Identity Management

12.) Enable PIM for Groups

13.) Here you can now see the Team owner who created the Team (Chris). Select Add Assignments

14.) Under Membership set the Role in the group/team (either Owner or Member) and the Members (in this case Adam and Vesku). Once done select Setting

15.) Under Setting set Eligible and then the period for which the members will be eligible to access the group/team. This can be up to a year, which has been used here. Once done select Assign.

16.) Adam and Vesku are now eligible to join the group/team. Now select Settings which is a cog next to the add assignments button

17.) Select Member

18.) Now the PIM settings for the Member role can be configured, select Edit

19.) On the Activation tab, configure settings such as the maximum time to access the group/team (here set to 4 hours per the scenario), whether MFA or Conditional Access Authentication Context is enforced, and whether justification or approval is required. In this scenario, approval by the group/team owner (Chris) is required. Once done, select the tab Assignment

20.) On the Assignment tab there are more settings to configure, including Allow Permanent Eligible Assignment, which allows eligibility to go beyond a year if required, and Require Azure Multi-Factor Authentication on Active Assignment, which is ticked for this scenario (since the team holds sensitive information). Once done, select the tab Notifications

21.) Here configure notifications. Once done, select Update

22.) The settings are now updated, as shown under the columns Modified, Last Updated and Last Updated by. At this point, PIM for the group/team has been configured. Time to get the users going. At this point, the members’ eligibility for the role can be upgraded to permanent by selecting Update on the member and ticking the box in the flyout. This sets the column End Time to Permanent.
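The same configuration as steps 7 to 22, scripted with the Microsoft Graph PowerShell SDK. This is an added example for this post; it is not code from the original post or from Microsoft. It assumes the Microsoft.Graph modules are installed and that the account running it holds a role able to manage PIM for Groups; the group and user object IDs are placeholders to replace with your own; and the request bodies and policy rule IDs (Expiration_EndUser_Assignment and friends) follow the documented Graph privilegedAccess group and unifiedRoleManagementPolicy APIs.

```powershell
# Added example: scripted equivalent of steps 7-22 (PIM for Groups on the Team's group).
# Assumptions: Microsoft.Graph PowerShell SDK installed; all IDs below are placeholders.

Connect-MgGraph -Scopes @(
    "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup",   # create eligible assignments
    "RoleManagementPolicy.ReadWrite.AzureADGroup"             # edit the PIM settings (policy rules)
)

$groupId   = "00000000-0000-0000-0000-000000000001"           # placeholder: PIM Team group object ID
$ownerId   = "00000000-0000-0000-0000-0000000000c1"           # placeholder: Chris (approver)
$memberIds = @(
    "00000000-0000-0000-0000-0000000000a1",                   # placeholder: Adam
    "00000000-0000-0000-0000-0000000000b1"                    # placeholder: Vesku
)

# Steps 13-15: eligible (not active) Member assignments, valid for one year
$start = (Get-Date).ToUniversalTime()
foreach ($principalId in $memberIds) {
    $request = @{
        accessId      = "member"            # "owner" would make them eligible for the Owner role instead
        principalId   = $principalId
        groupId       = $groupId
        action        = "adminAssign"
        justification = "Eligible for just-in-time access to PIM Team"
        scheduleInfo  = @{
            startDateTime = $start.ToString("o")
            # For the permanent eligibility of step 22 use: expiration = @{ type = "noExpiration" }
            expiration    = @{ type = "afterDateTime"; endDateTime = $start.AddYears(1).ToString("o") }
        }
    }
    New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $request | Out-Null
}

# Steps 16-18: find the role management policy that governs the Member role on this group
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '$groupId' and scopeType eq 'Group' and roleDefinitionId eq 'member'"
$policyId = $policyAssignment.PolicyId

# Every PIM rule carries a target saying which caller (EndUser/Admin) and level it applies to
function New-RuleTarget([string]$Caller, [string]$Level) {
    return @{ caller = $Caller; operations = @("All"); level = $Level
              inheritableSettings = @(); enforcedSettings = @() }
}

$rules = @(
    # Step 19 (Activation tab): cap each activation at 4 hours
    @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
       id = "Expiration_EndUser_Assignment"; isExpirationRequired = $true; maximumDuration = "PT4H"
       target = New-RuleTarget "EndUser" "Assignment" },
    # Step 19: require MFA and a justification to activate
    @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
       id = "Enablement_EndUser_Assignment"; enabledRules = @("MultiFactorAuthentication", "Justification")
       target = New-RuleTarget "EndUser" "Assignment" },
    # Step 19: the group owner (Chris) must approve each activation
    @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
       id = "Approval_EndUser_Assignment"
       setting = @{
           isApprovalRequired = $true; isApprovalRequiredForExtension = $false
           isRequestorJustificationRequired = $true; approvalMode = "SingleStage"
           approvalStages = @(@{
               approvalStageTimeOutInDays = 1; isApproverJustificationRequired = $true
               escalationTimeInMinutes = 0; isEscalationEnabled = $false
               primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $ownerId })
               escalationApprovers = @()
           })
       }
       target = New-RuleTarget "EndUser" "Assignment" },
    # Step 20 (Assignment tab): allow permanent eligible assignments ...
    @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
       id = "Expiration_Admin_Eligibility"; isExpirationRequired = $false; maximumDuration = "P365D"
       target = New-RuleTarget "Admin" "Eligibility" },
    # ... and require MFA when an admin makes an active assignment directly
    @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
       id = "Enablement_Admin_Assignment"; enabledRules = @("MultiFactorAuthentication")
       target = New-RuleTarget "Admin" "Assignment" }
)

# Steps 19-21: apply each rule to the policy (the rule id doubles as the resource id)
foreach ($rule in $rules) {
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId $rule.id -BodyParameter $rule
}
```

The rules are the same settings the portal exposes on the Activation and Assignment tabs; the Owner role has its own policy, so repeat the policy lookup with roleDefinitionId eq 'owner' if owners should also be just-in-time.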

23.) So our Just in Time Team is set up and ready to go! Time to test with Adam. As shown Adam does not have access to the PIM team in the Teams client

24.) Adam logs into the Microsoft Entra Admin Portal at https://entra.microsoft.com and under Identity Governance goes to Privileged Identity Management and then Groups. Here, he will see that he is eligible to join the PIM Team. He selects Activate

25.) At this point Adam is enrolled in MFA if he hasn’t already got it enabled. Enrolling in MFA, or having been enrolled previously allows him to complete the process by setting the time he needs access to the team, and the business justification. He selects Activate which will send the approval to Chris.

26.) Chris sees there is a pending request. He will also get an email notification.

27.) To approve or deny the request Chris goes (or is directed by the link in the email) to Approve Requests. This is in the section Privileged Identity Management, then Groups, then within the Group itself. In this example, Chris selects Approve and confirms after providing a Business Justification

28.) Adam is approved. He is now a member of the group/team as shown in Assignments.

29.) He is now added to the Team, and the Team appears in the Teams Client so he can do the job he needs to do!

Our job here is done. Adam will be removed from the team in 4 hours once he has done what he needs to do and his access has expired.
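Adam's side of the test (steps 24 and 25) and the owner's view of who currently holds access (step 28 and the 4-hour expiry), as an added example that is not part of the original post or of Microsoft's documentation. It uses the generic Invoke-MgGraphRequest so the bodies match the documented REST shapes for privilegedAccess group assignment schedule requests and instances; the group ID is a placeholder, and the function names are my own.

```powershell
# Added example: self-activation (steps 24-25) and an owner's check of active memberships (step 28).
# Assumptions: Microsoft.Graph PowerShell SDK installed; the group ID is a placeholder.

$groupId = "00000000-0000-0000-0000-000000000001"   # placeholder: PIM Team group object ID
$graph   = "https://graph.microsoft.com/v1.0"

# Run as the eligible user (Adam). MFA and the owner's approval are enforced by the policy, not here.
function Request-JitMembership([string]$GroupId, [string]$Justification, [string]$Duration = "PT4H") {
    $me = Invoke-MgGraphRequest -Method GET -Uri "$graph/me"
    $body = @{
        accessId      = "member"
        principalId   = $me.id
        groupId       = $GroupId
        action        = "selfActivate"
        justification = $Justification
        scheduleInfo  = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString("o")
            expiration    = @{ type = "afterDuration"; duration = $Duration }   # cannot exceed the policy's 4h cap
        }
    }
    # The returned request stays at status PendingApproval until Chris approves it
    return Invoke-MgGraphRequest -Method POST `
        -Uri "$graph/identityGovernance/privilegedAccess/group/assignmentScheduleRequests" -Body $body
}

# Run as the owner/admin: pending activation requests, plus active memberships with their expiry time.
# The endDateTime on each instance is when PIM removes the user from the group (4 hours after activation).
function Get-JitMembershipState([string]$GroupId) {
    $requests  = Invoke-MgGraphRequest -Method GET `
        -Uri "$graph/identityGovernance/privilegedAccess/group/assignmentScheduleRequests?`$filter=groupId eq '$GroupId'"
    $instances = Invoke-MgGraphRequest -Method GET `
        -Uri "$graph/identityGovernance/privilegedAccess/group/assignmentScheduleInstances?`$filter=groupId eq '$GroupId'"
    return [pscustomobject]@{
        Pending = @($requests.value | Where-Object { $_.status -eq "PendingApproval" } |
                    Select-Object principalId, justification, createdDateTime)
        Active  = @($instances.value | Select-Object principalId, accessId, startDateTime, endDateTime)
    }
}

Connect-MgGraph -Scopes "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup"
Request-JitMembership -GroupId $groupId -Justification "Need the PIM Team for the quarterly review pack"
Get-JitMembershipState -GroupId $groupId | Format-List
```

Running Get-JitMembershipState again after the 4 hours shows an empty Active list, which is the scripted way to confirm the expiry the post relies on; the same request history is what makes the access auditable.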

I hope you enjoyed this one. I did. Just in Time (JIT) access for a team. I am sure I will be writing much more on this in the future, and I hope it helps you think about how Teams are used in an organisation.