How Azure Active Directory (Azure AD) Identity Governance can assist your organization in responding quickly to new collaboration needs while maintaining security and governance.
The sudden onset of the COVID-19 pandemic sent much of the world into a frenzy. With businesses concerned for the safety and wellbeing of their employees and customers, and many governments strongly advising social distancing, the need to ramp up the remote workforce went from a distant goal to a top priority almost overnight. One of the many groups greatly impacted by this new priority is the group of people responsible for collaboration platforms such as Microsoft 365. The need to quickly enable remote workers has made it seem necessary for many groups to ignore or postpone best practices and security considerations in favor of business continuity. Azure AD’s Identity Governance is one set of tools designed to help strike the balance between security and productivity, enabling quick turnaround on required resources while providing checks and balances to mitigate risk.
What is Azure AD Identity Governance?
Simply put, Azure AD Identity Governance is about “ensuring the right people have the right access at the right time.” More specifically, it is a set of three primary tools designed to control and audit access to company resources.
Entitlement Management is about creating Access Packages to control the scope and duration of access to groups, applications, and SharePoint sites.
Access Reviews are about auditing access to ensure previously granted permissions are still appropriate and necessary.
Privileged Identity Management covers the just-in-time elevation of tightly scoped roles to allow users to perform privileged operations when needed while maintaining lower permission levels during their day-to-day job functions.
These three functions work synergistically to help keep a watchful eye on the collaboration space without impeding productivity. Part 1 of this series will cover Entitlement Management in detail.
Entitlement Management
Setting up an Access Package
The key component of Entitlement Management is the creation of “Access Packages”. An Access Package is a collection of resources that users can be granted or request access to. Unlike simply adding users directly to Groups, these packages can control the duration, approval process, and periodic reviews of those assignments.
The first step of creating an Access Package is naming and describing its purpose. You can also create “Catalogs” to group multiple packages and delegate the administration of them to the appropriate users.
Next, you determine the Resource Roles that will be part of this package. It can be a combination of Groups/Teams, Applications, and SharePoint sites. In this case, we will grant access to the “COVID-19 Response Team” team in the Member role.
We’ll then move on to the Request process. Since this team may be made up of external collaborators who are unknown at this time, we’ll select “For users not in your directory”, and we’ll allow “All users (All connected organizations + any new external users)” to request access.
Since we are allowing as-yet-unknown external users, we must require approval (other settings allow you to disable approval). We will set a specific user to provide approval, ensure a decision is made within 2 days, and require both the requestor and the approver to provide a justification for the access. We’ll enable this access request when we are ready to start accepting requests.
Next, we will set the lifecycle of the access being provided. In this case, we will allow for 30 days of access, with the ability to request an extension (which also requires approval). If this was a longer duration or did not expire, we could also tie access to an Access Review, which we’ll cover later.
The last page will show a summary of all the choices to allow you to make any desired changes before creating the package.
Once the package is created, the browser will display a list of all Access Packages the current user has access to. From here, you can use the ellipsis to copy the link used to request access. This link can be emailed, put on a public site, or shared in any other traditional way.
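The same request, approval and lifecycle settings chosen in the wizard above, expressed as an assignment policy created through the Microsoft Graph beta API. This is an added example and not code from the original post; the access package ID and the approver's object ID are placeholders you supply, and the policy is read back so the guardrails can be verified before the request link is shared.

```powershell
# Added example, not from the original post: create the assignment policy described
# above (external requestors, one named approver, 2-day decision window, justification
# from both sides, 30-day access with approved extensions) via Microsoft Graph beta.
# Assumed placeholders: $AccessPackageId and $ApproverId are your own object IDs.
param(
    [Parameter(Mandatory)][string]$AccessPackageId,   # ID of the package created in the portal
    [Parameter(Mandatory)][string]$ApproverId          # object ID of the approving user
)

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'EntitlementManagement.ReadWrite.All'

$policy = @{
    accessPackageId = $AccessPackageId
    displayName     = 'COVID-19 Response Team - external collaborators'
    description     = '30-day Member access, approval required'
    canExtend       = $true          # extension may be requested...
    durationInDays  = 30             # ...but access still expires after 30 days
    requestorSettings = @{
        scopeType      = 'AllExternalSubjects'   # all connected orgs + any new external user
        acceptRequests = $true                   # keep $false until you are ready to open requests
    }
    requestApprovalSettings = @{
        isApprovalRequired               = $true   # never auto-approve unknown external users
        isApprovalRequiredForExtension   = $true   # extensions go through approval too
        isRequestorJustificationRequired = $true
        approvalMode   = 'SingleStage'
        approvalStages = @(
            @{
                approvalStageTimeOutInDays      = 2      # undecided requests are denied after 2 days
                isApproverJustificationRequired = $true
                isEscalationEnabled             = $false
                primaryApprovers = @(
                    @{ '@odata.type' = '#microsoft.graph.singleUser'; id = $ApproverId; isBackup = $false }
                )
            }
        )
    }
}

$base = 'https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies'
$created = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Read the policy back and confirm the guardrails actually landed before sharing the link.
$check = Invoke-MgGraphRequest -Method GET -Uri "$base/$($created.id)"
if (-not $check.requestApprovalSettings.isApprovalRequired -or $check.durationInDays -ne 30) {
    throw "Policy $($created.id) does not enforce approval plus 30-day expiry; fix it before sharing the request link."
}
"Policy created: $($created.id)"
```

The tenant must already allow external users to request packages (catalog enabled for external users); otherwise the request link will not work for the connected-organization users this policy targets.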
Requesting Access
To request access via an Access Package, a user can use the link generated during the creation process. Once they sign in to the Microsoft 365 tenant, they will be presented with the details of the access being requested. The user then selects the package and clicks the “Request access” button.
From there, because we require justification, the user will be presented with a field to provide the reason they are requesting access.
They will receive confirmation that their request was submitted.
Approving Access
After access is requested, the approver will receive an email with actions to approve or deny the request, along with a summary of the information about the request.
Pressing the Approve or deny request button takes you to an Approvals page where you can approve or deny and provide the required justification.
Now that the request has been approved, the user should have access to the Team as a Member. When the expiration date is reached in 30 days, that access will be revoked unless an extension is requested.
Summary
Entitlement Management using Access Packages is a great way to govern access to resources such as Teams, SharePoint sites, and Applications, especially when external users are involved or the context of the access is limited to a specific timeframe. Users can request access as needed, owners can be empowered to grant access on demand, and removal of access can be automated to prevent lingering exposure of company information.
Next up: Access Reviews
Configure periodic, guided reviews of access to resources with suggestions based on login activity and automated resolution based on dispositions.
Relational drop-downs are something that comes up quite frequently but isn’t always straightforward.
PowerApps gives you a relatively friendly way of creating simple relational drop-downs using the “Depends On” functionality, but this falls apart when you use anything other than simple fields (text, number, etc.) and try to drill further down into filtered results. You may have noticed that when you try to filter your drop-downs on Choice fields, it is not possible out of the box.
In our example, we will work off a mock Products list in SharePoint. The SharePoint Products list will be made up of the following columns (yours can vary):
- Product Type – Choice field – Choices: HDD, CPU
- Title – Text (Product Name)
- Manufacturer – Choice field – Choices: Timlin, Generic
- Configuration – Choice field – Choices: 250GB, 500GB, x1, x2
Below is a screenshot of how this list looks and some sample data we have input for testing.
Once your list is set up, we can hop straight into PowerApps. If you aren’t familiar with how to get started, simply click on the “PowerApps” button followed by the “Customize Forms” button.
We arranged our fields in the PowerApp to go in the following order: Product Type, Manufacturer, Configuration and Title.
The end goal of this is to have it so the end-user will go through the menu one by one and be provided a final filtered list of products that follow the selected Type, Manufacturer, and Configuration.
You might notice from the screenshot of the layout of the PowerApp above that there are duplicate fields. The reason for this is that the more advanced filtering we will be doing on the fields does not work with the out-of-the-box Choice column control in PowerApps.
To circumvent this, we unlock each of these data cards and add a “Dropdown” control (to make things easier, set “AllowEmptyField” to true in the properties of each drop-down we add).
Currently, the original fields are disabled purely as a visual aid; in normal circumstances, you would set the value of each field to the value of its drop-down and hide the field in the background so nothing looks different to the end-user. In our example, Product Type won’t need to be filtered in any way, so we can leave that card alone.
Our options in Product Type are CPU and HDD.
In this instance, given the sample data above, when we select “CPU” we will want to see both the Timlin and Generic manufacturers (we filter here even though every manufacturer in the sample data has a CPU; in production there will be manufacturers that do not offer a CPU product).
To filter the Manufacturer drop-down based on the Product Type, we can set its “Items” property to the following formula (keep in mind that the numbers or names of the Data Cards may vary in your application; the single quotes around the column name must be straight quotes):
Distinct(Filter(Products, 'Product Type'.Value = DataCardValue2.Selected.Value), Manufacturer.Value) – DataCardValue2 is associated with Product Type
Using the “Distinct” operation, we ensure that we do not pull back the same manufacturer more than once. The second parameter following the filter (Manufacturer.Value) is the return value, which in this case is the Manufacturer value that we want.
The Filter operation ensures that we only get products in the list that match the product type selected in the first field. One other thing we want to do on this drop-down is to set up a variable that stores the filtered results so we can easily filter our next field. To do so, we set the drop-down’s “OnChange” property to the following formula:
Set(ManufacturerFilteredProducts, Filter(Products, Manufacturer.Value = DataCardValue4.Selected.Value)) – DataCardValue4 is associated with Manufacturer
This will provide us with the list of products we have filtered on Product Type and on Manufacturer.
Next, we will want to set up our Configuration drop-down to only show us products that have the Product Type and Manufacturer the user has selected. To do so, we can set the “Items” property on the Configuration drop-down we added (the control, not the field) to the following:
Distinct(Filter(ManufacturerFilteredProducts, 'Product Type'.Value = DataCardValue2.Selected.Value), Configuration.Value)
We should now have a drop-down with only the results that match the Product Type and Manufacturer the user chose in the previous two fields.
Lastly, we want to make sure that when a user chooses a configuration, the product names that appear in the “Title” drop-down are those that match all of the previous filters. To do so, we set the “OnChange” property of the Configuration drop-down to populate a new variable (FinalFilteredProducts).
This variable will filter the results we stored in ManufacturerFilteredProducts based on the Configuration value the user chooses and store the results for use in the Title/Product Name field. We can do this via the formula below:
Set(FinalFilteredProducts, Filter(ManufacturerFilteredProducts, Configuration.Value = DataCardValue3.Selected.Value)) – DataCardValue3 is associated with Configuration
Finally, we want to make sure that the only Titles we get back are for products that match all three previous drop-downs. This is simply the Title column of the FinalFilteredProducts variable we just created. To do this, set the “Items” property on the custom Title drop-down to the following:
FinalFilteredProducts.Title
This should produce a fully filtered list of choices for the products (as shown in the original screenshot). Given the sample data, if a user were to look at SSDs made by Timlin with a 250GB capacity, the only title we should get back is the “Timlin 250GB SSD”, which we do (shown below).
Interested in diving deeper into filtered relational drop-downs? Reach out to our team here to set up a free consultation call.
Life sciences companies experience various degrees of growth based on their evolution through discovery and R&D efforts leading into clinical trials. As a company’s target drug receives positive feedback through initial clinical trials, they can experience 50% to 100% growth in one year. If they are granted approval, they also can experience growth as they add on more personnel to sales and operations.
This growth is exciting but results in insecure collaboration and significant challenges to operational efficiency.
As a life science company grows, what was once an efficient process quickly gets out of control and becomes an operational burden. Manual processes that were once simple and easy become cumbersome and inefficient. This may be simple HR processes like vacation requests or expense management, or it may be more complicated solutions such as employee reviews, contract management, or the onboarding of new employees.
Navigating the ups and downs of growth phases is successful only if your organization adopts the proper processes and technology to support its day-to-day operations.
Defined and automated solutions that can handle basic and complicated operational tasks – and automatically scale and retract as appropriate – will enable your organization to focus on developing and moving drugs through the FDA approval process.
In this blog post, we’ll explore five key areas where business processes automation can make a material difference, based on our work with 70+ life sciences organizations – from nimble start-ups to publicly-traded enterprises.
1.) Human Resources
We find many life sciences companies use 3rd party Human Resource (HR) providers/tools, such as ADP, that allow them to automate some business processes. Other companies use SaaS solutions for HR workflows that, depending on the solution, have some capability to automate processes.
Whether you have a separate HR solution or not, we have found that the tools in Office 365 can easily be used to automate and simplify many HR processes. The best part — you can implement these solutions at a relatively low cost without requiring any additional investment in software.
Here are some examples of how we’ve automated HR processes in Office 365 for our customers:
- Vacation Request and Carry Over
- Tuition Reimbursement
- Review Process
- Timesheet Tracking
- Employee Training and Tracking
These streamlined and automated processes save HR and your users a significant amount of time. Instead of managing your review process via emails and multiple versions of a review document, an automated solution ensures that all individuals involved in a particular review are notified, that their responses are tracked, and, if multiple managers submit data on one review, that all responses are automatically tallied into one final review.
2.) Contract Management
A Confidential Disclosure Agreement (CDA) is one of the most widely used agreements in the life sciences sector. Although this is a simple agreement to execute, with the volume of CDAs sent to partners, vendors, and contractors, finding and managing these documents can quickly get out of control.
Beyond CDA documents, contracts also need to be maintained for all your key relationships. These contracts need to be organized, searchable, and easily tracked for renewals. You also need to ensure proper rules are in place to approve and process contracts efficiently.
Timlin has built several solutions to manage the entire contract management process at life sciences firms. Historically we accomplished these solutions using 3rd party workflow and forms solutions. Recently, we have seen that the evolution of Microsoft Flow and Power Apps has allowed us to build these solutions using the tools and applications within Office 365, removing the need for our customers to purchase 3rd party solutions. Here’s an example below:
With the core document management and publishing capabilities in SharePoint Online, combined with the forms and workflow capabilities of Flow and Power Apps, and integration of electronic signatures, life science organizations can have a powerful contract management solution.
3.) Onboarding and Offboarding Employees & Contractors
Although technically an HR process, the critical nature of efficiently and securely onboarding and offboarding employees and contractors has proven to be a huge benefit to our customers. When you’re hiring 15 people a week, it’s essential to have a pre-defined and automated process to onboard everyone, so they add value and perform their tasks as soon as possible.
Life science organizations should consider automating the entire onboarding process. The process would begin before the new employee or contractor has set foot in the door.
For example, we can build a workflow that will add a new record into your Active Directory (AD) when an offer is accepted, and then the flow triggers based on the employee start date to enable access to the appropriate systems on that date. Our onboarding solutions can integrate with your HR, finance, and other systems as required to ensure all required steps are handled based on pre-defined rules. One of our customers was able to help automate the analysis of over 400 systems and services with this solution.
In addition to onboarding new employees and contractors efficiently, it is equally important to shut down all access once someone leaves the organization.
Data and intellectual property protection are incredibly important for life science organizations to maintain. Not only does access need to be terminated, but these actions also need to be logged, especially for public companies that are under SOX compliance. We have delivered automated offboarding solutions at several organizations, and have built offboarding PowerShell scripts that:
- Capture the last login date
- Capture the last password set date
- Capture current AD security group membership
- Set a new password
- Cancel O365 meetings
- Remove the user from all AD security groups
- Remove the manager
- Set the default group to “No Access”
- Move the user to the offboarded OU
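An offboarding script that carries out the steps in the list above against on-premises Active Directory with the ActiveDirectory module, written here as an added example rather than Timlin’s own script. The “No Access” group name, the offboarded OU path and the log location are assumed placeholders; it captures the audit evidence before changing anything, and it leaves out cancelling O365 meetings, which needs Exchange Online or Graph rather than the AD module.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not Timlin's script: the offboarding steps listed above for on-premises AD.
# Assumed placeholders: the "No Access" group name, the offboarded OU and the log path.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$NoAccessGroup = 'No Access',                        # assumed group name
    [string]$OffboardedOU  = 'OU=Offboarded,DC=example,DC=com',  # assumed OU
    [string]$LogPath       = "$env:TEMP\offboard-$SamAccountName.json"
)
Import-Module ActiveDirectory
$user = Get-ADUser -Identity $SamAccountName -Properties LastLogonDate, PasswordLastSet, MemberOf, Manager

# 1. Capture the evidence first, before anything changes (this is what SOX auditors ask for).
$record = [ordered]@{
    User            = $user.SamAccountName
    OffboardedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
    LastLogonDate   = $user.LastLogonDate
    PasswordLastSet = $user.PasswordLastSet
    Manager         = $user.Manager
    Groups          = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
}

# 2. Set a new random password nobody knows: the old credential is dead, but the account
#    (and its mailbox and files) stays recoverable.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

# 3. Make "No Access" the primary (default) group, then remove every other membership.
#    Order matters: AD refuses to remove a user from its current primary group, and the
#    old primary group (Domain Users) only appears in MemberOf after the switch.
$noAccess = Get-ADGroup -Identity $NoAccessGroup -Properties primaryGroupToken
Add-ADGroupMember -Identity $noAccess -Members $user
Set-ADUser -Identity $user -Replace @{ primaryGroupID = $noAccess.primaryGroupToken }
$currentGroups = (Get-ADUser -Identity $user -Properties MemberOf).MemberOf
foreach ($dn in $currentGroups) {
    if ($dn -ne $noAccess.DistinguishedName) {
        Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
    }
}

# 4. Remove the manager link and move the object to the offboarded OU.
#    Disabling the account is not in the list above but is a standard extra step.
Set-ADUser -Identity $user -Clear Manager
Disable-ADAccount -Identity $user
Move-ADObject -Identity $user.DistinguishedName -TargetPath $OffboardedOU

# 5. Write the audit record (cancelling O365 meetings is left to Exchange Online / Graph).
$record.RemovedGroups = @($currentGroups | Where-Object { $_ -ne $noAccess.DistinguishedName })
$record | ConvertTo-Json | Set-Content -Path $LogPath -Encoding UTF8
$record
```

Run it with `-WhatIf`-style dry runs disabled only after testing in a lab OU; the JSON record is the artifact to retain for the offboarding audit trail.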
4.) Finance
Finance is another key area ripe for automation in life sciences organizations. Imagine implementing expense request approvals and reporting that provide separate approval workflows based on the amount of the expense, requestor, or department.
Another key finance flow that has proven to greatly help finance operations is Purchase Order (PO) approvals and processing. An automated PO process allows users to enter details on a new PO Request, then a workflow is triggered to ensure the correct individual(s) approve the request based on the amount, requesting department or individual.
The workflow would also provide full transparency to the submitter on the status of their request. Lastly, the workflow can integrate with or allow finance to enter the required General Ledger items.
5.) Information Technology
There are two primary areas where automating IT processes makes a material difference. First, life science organizations typically follow a specific documentation review and approval process. Imagine if that workflow were built into documentation development in SharePoint. Not only is the process streamlined, but it also results in more effective document management and security.
The second area is trouble ticket resolution. Given the speed at which life sciences organizations operate, uptime is critical. Providing self-service and automated trouble ticketing solutions ensures all IT requests are tracked and managed effectively.
Successful Growth Phases Are Dependent on Strategic and Sustainable Business Automation
When you are in a high-growth phase of your company’s lifespan, it’s critical to ensure business processes are efficient. It may feel stressful most of the time, but it’s a good problem to have. These phases mean you are receiving positive results in your drug development and clinical trials. With the proper levels of process automation, your life science organization will be able to easily and efficiently ride the waves toward FDA approval.
If you’re interested in learning more about the automation services we provide to life sciences organizations, reach out to our team of Office 365 and SharePoint experts here.