Self-Service Local Admin Rights via Entra ID Access Packages. Is it an option?

In an era where technology is reshaping the way we work, it’s crucial to streamline and automate administrative tasks to enhance productivity. One such area is user management, where the traditional manual process can be time-consuming and error-prone. A modern solution to this issue is leveraging Entra ID Access Packages, which enables end-users to request access to specific resources directly. This article will delve into a practical solution that uses Entra ID Access Packages to allow users to request addition to an Entra ID group, which in turn is added to the local administrator group on Microsoft Intune managed clients.

Solution Overview

Our solution uses Entra ID Access Packages to automate the process of adding users to an Entra ID group. Once users request the Access Package from https://myaccess.microsoft.com/, they are automatically added to the Entra ID group. This group is subsequently added to the local administrator group on Microsoft Intune managed clients.

Step-by-step Guide for Admins

Step 1: Create the Entra ID Group

First, create an Entra ID group that will be added to the local administrator group on the Intune managed clients.

Step 2: Set up the Access Package

Next, create an Access Package in Entra ID. This package should be configured to grant users access to the Entra ID group created in Step 1.

Navigate to https://entra.microsoft.com/ and open „Entitlement management“ at „Identity governance“. Click on „Access packages“ and „+ New access package“:

Define a name and description:

Click on „+ Groups and Teams“:

Select the earlier created group:

Define that users will become a „Member“ by requesting the access package:

In my use case I only want the access package to be available to internal user accounts:

Next, define if a approval is required. For the example with local admin permissions on Windows endpoints I want the request to be approved from my admin account:

Enable the access package, so that users can request it:

If you want you can require more information from the requestor. So the requestor needs to fill some questions that you can define here:

We also should define a lifecycle. So that users only get the access for a certain amount of time. Here I will grant the package in default for 30 days but the user can request to get it longer:

It is also a good idea to configure a regularly access review. So that someone checks if the assigned users need the access anymore or if they can be removed:

Finish and review settings from the wizard to create the Access package.

Step 3: Configure Microsoft Intune

In Microsoft Intune, configure a device configuration profile that adds the Entra ID group to the local administrator group on the managed clients. To do so navigate to Endpoint security -> Account protection -> „+ Create Policy“ and create a new „Local user group membership“ rule:

Define a name and description:

Make sure that the local group is set to „Administrators“ and choose „Add (Update)“. Then click on „Select users/groups“ and add the earlier created Entra ID group which will be assigned through the access package:

Assign the profile and finish the wizard.

Step 4: User Requests Access

Users can now request the Access Package from https://myaccess.microsoft.com/ . Once they do, they will be added to the Entra ID group. A user simply has to click on „Request“:

Now the user needs to define a justification and if enabled he can ask for a certain amount of time:

Step 5: Approve requests

Once a user has requested the access package the approver needs to approve or decline the request. So a defined approval user needs to navigate to https://myaccess.microsoft.com/ and open the „Approvals“ blade:

Here the approver can review the request an approve or deny it, by simply clicking on „Review“ at the request:

By clicking on „Request details“ we can see more details like the justification that the user had need to fill:

Here I am approving the users request:

The request will be marked as approved:

Step 6: Verify Access

Finally, verify that the users who requested the Access Package are indeed added to the local administrator group on the Intune managed clients. This can be done by the user or by checking the Entra ID group members:

Conclusion

Incorporating Access Packages into your workflow not only streamlines user management but also empowers your users by giving them the ability to request access directly. This solution fosters a more efficient and autonomous working environment. As a bonus, it also reduces the administrative burden on IT staff. In the modern work era, automating such processes is the key to driving productivity and fostering a seamless working experience.