Making sure risky users don't gain access to sensitive resources is an important part of securing your environment. You can further secure the entitlement management request process by integrating Microsoft Purview Insider Risk Management (IRM) signals into the access package approval workflow in Microsoft Entra ID Governance’s Entitlement Management. With risk management-based approvals, Entitlement Management automatically adds a new first approval stage when a user flagged as risky requests access to an access package. This ensures that users identified as potentially compromised or at-risk are reviewed by authorized security or compliance approvers before the request is routed through standard approval. This article describes how to further secure your entitlement request process with Insider Risk Management.
License requirements
Using this feature requires Microsoft Entra ID Governance or Microsoft Entra Suite licenses. To find the right license for your requirements, see Microsoft Entra ID Governance licensing fundamentals. You must also have appropriate licensing for Microsoft Purview.
Prerequisites
To use Insider Risk Management approvals with Entitlement management, you must first Create an Insider Risk Management policy.
How risk-based approvals work
When a user requests access to an access package through the My Access portal:

1. Risk evaluation: Entitlement Management queries Microsoft Purview Insider Risk Management for the user’s current userRiskLevel.
2. Configuration check: If the user’s risk level matches one of the administrator-selected thresholds (for example, Moderate or Elevated), Entitlement Management automatically adds an additional risk-based approval stage before the standard approval process.
3. Automatic approver assignment:
   - The request is routed to users assigned the Compliance Administrator role in Microsoft Entra ID.
4. Compliance review: The assigned approvers review the user’s risk details and decide whether to approve or deny this stage of the request approval routing.
   - If approved, the request continues through the rest of the regular access package approval steps.
   - If denied, the request is closed, recorded in the audit logs, and no further approval routing takes place.
5. Audit logging: All actions (approval and denial) and outcomes are captured in Entitlement Management logs for reporting and compliance visibility.
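The routing rules above, modelled as an added Python example (this is not Microsoft's code and not an Entitlement Management API): the risk-based stage is prepended only when the user's IRM risk level is one of the selected levels, only the Compliance Administrator approvers can act on it, a denial closes the request, every decision is written to an audit trail, and a request left pending past the 14-day approver window the article notes is auto-denied. The stage names, ISO-date timestamps, and measuring the 14-day window from request creation are assumptions of the model.

```python
from datetime import date

APPROVAL_WINDOW_DAYS = 14  # approvers have 14 days; afterwards the request is auto-denied

def stage(name, approvers):
    """One approval stage; decision is 'pending', 'approved' or 'denied'."""
    return {"name": name, "approvers": set(approvers), "decision": "pending"}

def route_request(user, risk_level, selected_levels, standard_approvers,
                  compliance_admins, today):
    """Build the approval chain (dates are ISO strings, e.g. '2025-03-01').
    A risk-based first stage routed to the Compliance Administrators is added
    only when the user's IRM risk level matches an administrator-selected level."""
    stages = []
    if risk_level.lower() in {lvl.lower() for lvl in selected_levels}:
        stages.append(stage("Insider risk review", compliance_admins))
    stages.append(stage("Standard approval", standard_approvers))
    names = [s["name"] for s in stages]
    return {"user": user, "created": today, "stages": stages, "status": "pending",
            "audit": [f"{today} created: risk={risk_level}, stages={names}"]}

def current_stage(req):
    return next((s for s in req["stages"] if s["decision"] == "pending"), None)

def decide(req, approver, decision, today):
    """Record a decision on the pending stage; a denial closes the request."""
    s = current_stage(req)
    if req["status"] != "pending" or s is None:
        raise ValueError("request is not pending")
    if approver not in s["approvers"]:
        raise PermissionError(f"{approver} is not an approver for '{s['name']}'")
    if decision not in ("approved", "denied"):
        raise ValueError(f"unknown decision {decision!r}")
    s["decision"] = decision
    req["audit"].append(f"{today} {s['name']}: {decision} by {approver}")
    if decision == "denied":
        req["status"] = "denied"      # closed; no further routing
    elif current_stage(req) is None:
        req["status"] = "approved"    # every stage approved
    return req["status"]

def expire_if_overdue(req, today):
    """Auto-deny a request pending more than 14 days after creation (window start is an assumption)."""
    s = current_stage(req)
    waited = (date.fromisoformat(today) - date.fromisoformat(req["created"])).days
    if req["status"] == "pending" and waited > APPROVAL_WINDOW_DAYS:
        s["decision"] = req["status"] = "denied"
        req["audit"].append(f"{today} {s['name']}: auto-denied after {waited} days")
    return req["status"]
```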
Configure Insider Risk Management-based approvals for an access package using the Microsoft Entra admin center
To configure Insider Risk Management-based approvals for an access package in the Microsoft Entra admin center, follow these steps:

1. Sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator.
2. Browse to ID Governance > Entitlement management > Control configurations.
3. The Control configurations screen lists the available options.
4. On the card Risk-based approval (Preview), select View settings.
5. On the risk-based approval page, next to Require approval for users with insider risk level (Preview), select Customize. (See the separate article to configure ID Protection-based approvals.)
6. Set the insider risk level, and then select Save.
Reviewing a risky user's request
To review the pending request from a risky user, the approver must have the Compliance Administrator role.
When a risky user submits a request for an access package, administrators can see its pending status on the requests page within the access package.
A user set as an approver, or fallback approver, for risky users can view the request and approve or deny it in the My Access portal.
Note
Approvers have a maximum of 14 days to take action. If they don't take action within that time frame, requests are automatically denied.