Entitlements for Workplace Analytics


Viva Insights is gaining popularity as a personal productivity and wellbeing tool, but its big brother, backed by Workplace Analytics (WPA), offers even more information to help organisations identify and promote good behaviours.

Introduction

Problem

The data that is available in WPA is very sensitive (even though it is anonymised), so access to the backend data needs to be restricted. This is achieved through Azure Active Directory (AAD), which means that someone with elevated rights has to manage the permissions.

As with most allocations of permissions, once they have been allocated they will usually never be reviewed or revoked. This can lead to:

  • Users finding it difficult and time-consuming to gain permissions
  • IT needing to carry out the allocation of permissions
  • Users retaining permissions when they no longer require them

Existing Process for Assigning WPA Roles

The existing process for assigning permissions includes the following steps:

  1. Open Azure Active Directory Enterprise Applications (screenshot: Active Directory Enterprise Applications)
  2. Remove the filter of “Enterprise Applications” so that Workplace Analytics is displayed (screenshot: Active Directory Enterprise Applications with the filter removed)
  3. Open the Workplace Analytics app (screenshot: Workplace Analytics app)
  4. Go to the assign users and groups screen (screenshot: Workplace Analytics assign users and groups)
  5. Add users or groups to a role (screenshot: Workplace Analytics add users/groups to role)

Along with the issues of no reviews or approval, there may be additional permissions that are needed to allow users to work effectively. These additional permissions would need to be allocated separately.

Solution

The solution that I will present in this post uses the Entitlements capability from AAD Identity Governance to:

  • Create a Catalogue of resources
  • Add an Access Package to the Catalogue that creates a group of permissions which are allocated as part of the Access Package
  • Allow users to request access to the Access Package
  • Carry out an approval process to grant access to the Access Package
  • Create a review schedule to review access and revoke it when no longer required

Steps

Pre-requisites

This post is making the assumption that the following conditions are satisfied:

  • WPA has been licenced in the tenant
  • The user carrying out these steps has permissions to create Access Packages in AAD

Add resources to a Catalogue

A Catalogue is a group of resources that can have permissions allocated as part of Access Packages. A Catalogue is made up of the following:

  • Resources - these are SharePoint Sites, Teams or Applications
  • Access Packages - groups of resources with specific permissions/roles, an approval process and a review process
  • Roles and administrators - business users who can manage the Catalogue

The first step to enable WPA to be managed is to add it as a resource to a Catalogue.

  1. Open the Catalogue and view the Resources (screenshot: Catalogue Resources)
  2. Clicking on add a resource and searching for Workplace Analytics by name will not work (screenshot: searching for the Workplace Analytics app)
  3. Instead, go to Active Directory Enterprise Applications and copy the App ID for Workplace Analytics (screenshot: the Workplace Analytics app in Active Directory)
  4. Back in the dialogue to add an App resource to the Catalogue, search for the App ID for Workplace Analytics and add the App (screenshot: searching for the Workplace Analytics App ID)

Create an Access Package

Now that the Workplace Analytics app is in the Catalogue, an Access Package can be created. Each Access Package will provide a different level of access, so consider naming them based on the role that they are supporting, e.g. Admin or Analyst, rather than just WPA.

  1. Open the Access Package tab of the Catalogue (screenshot: Access Packages in a Catalogue)
  2. Create a new Access Package, providing a name and description that will be visible to users requesting the Access Package (screenshot: new Access Package - Basics screen)
  3. Add resources to the Access Package and select the appropriate role for each resource (screenshot: new Access Package - Resources screen)
  4. Choose who can view and request the Access Package. For WPA this might be a specific security group such as HR. At this point other choices that will be made are:
     • Is approval required, and if so how many steps will be required
     • In the image below, one step is included, which is the manager of the user based on the Azure Active Directory hierarchy. A fallback has to be provided in case there is no manager for the user or no response is received. (screenshot: new Access Package - Requests screen; screenshot: new Access Package - Requests screen, part 2)
  5. After access is granted, Access Reviews can be used to ensure that access is checked on a schedule and revoked if no longer needed (screenshot: new Access Package - Lifecycle)
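The same Catalogue, resource, Access Package and policy steps can be driven through the Microsoft Graph entitlement management API instead of the portal, which is useful when several role-based packages have to be created consistently. The following is an added example and not code from the post: it resolves the App ID to its service principal (the id the catalogue references), adds the app to a catalogue, picks the app role by display name, creates one package for that role and attaches a policy that lets a requestor group self-request, routes approval to the requestor's manager with a named fallback approver, and schedules a recurring review that removes access when no decision is made. The Graph v1.0 paths and body shapes are reproduced from my understanding of the API and should be checked against the current documentation before use; the `send` transport, the `FakeGraph` stub and all GUIDs are constructed for offline demonstration.

```python
"""Added example: the post's portal steps as Microsoft Graph v1.0 calls.
Endpoint paths and JSON shapes are assumptions to verify against the docs."""
import uuid
from typing import Any, Callable, Dict, List, Optional, Tuple

EM = "/identityGovernance/entitlementManagement"
# Transport: (method, path, json_body) -> parsed JSON. Real use wraps an
# authenticated HTTP client; the stub at the bottom runs offline.
Send = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]


def guid(value: str) -> str:
    """Reject anything that is not a GUID before it lands in an OData $filter."""
    return str(uuid.UUID(value))


def service_principal_id(send: Send, app_id: str) -> str:
    """Step 3 of the post: the app is found by its App ID, but the catalogue
    references the Enterprise Application by its service principal object id."""
    res = send("GET", f"/servicePrincipals?$filter=appId eq '{guid(app_id)}'", None)
    hits = res.get("value", [])
    if len(hits) != 1:
        raise LookupError(f"expected one service principal for {app_id}, found {len(hits)}")
    return hits[0]["id"]


def find_role(send: Send, catalog_id: str, resource_id: str, role_name: str) -> Dict[str, Any]:
    """Portal Resources tab: choose the app role (e.g. Analyst) by display name."""
    roles = send("GET", f"{EM}/catalogs/{catalog_id}/resourceRoles?$filter="
                        f"(originSystem eq 'AadApplication' and resource/id eq '{resource_id}')", None)
    matches = [r for r in roles.get("value", []) if r.get("displayName") == role_name]
    if len(matches) != 1:
        raise LookupError(f"role {role_name!r} not found exactly once on resource {resource_id}")
    return matches[0]


def policy_body(package_id: str, requestor_group_id: str, fallback_user_id: str) -> Dict[str, Any]:
    """Requests + Lifecycle tabs: the group may self-request, the requestor's
    manager approves (named fallback), access expires and is reviewed quarterly."""
    manager = {"@odata.type": "#microsoft.graph.requestorManager", "managerLevel": 1}
    return {
        "displayName": "Requestor group with manager approval",
        "allowedTargetScope": "specificDirectoryUsers",
        "specificAllowedTargets": [{"@odata.type": "#microsoft.graph.groupMembers",
                                    "groupId": guid(requestor_group_id)}],
        "expiration": {"type": "afterDuration", "duration": "P180D"},
        "requestorSettings": {"enableTargetsToSelfAddAccess": True,
                              "enableTargetsToSelfRemoveAccess": True},
        "requestApprovalSettings": {
            "isApprovalRequiredForAdd": True,
            "stages": [{"durationBeforeAutomaticDenial": "P14D",  # no response => denied
                        "isApproverJustificationRequired": True,
                        "primaryApprovers": [manager],
                        "fallbackPrimaryApprovers": [{"@odata.type": "#microsoft.graph.singleUser",
                                                      "userId": guid(fallback_user_id)}]}],
        },
        "reviewSettings": {
            "isEnabled": True,
            "expirationBehavior": "removeAccess",  # no review decision => access revoked
            "schedule": {"expiration": {"type": "afterDuration", "duration": "P14D"},
                         "recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 3},
                                        "range": {"type": "noEnd"}}},
            "primaryReviewers": [manager],
        },
        "accessPackage": {"id": package_id},
    }


def provision(send: Send, wpa_app_id: str, role_name: str,
              requestor_group_id: str, fallback_user_id: str) -> Dict[str, str]:
    """Run the post's steps in order and return the ids that were created."""
    sp_id = service_principal_id(send, wpa_app_id)
    catalog = send("POST", f"{EM}/catalogs", {"displayName": "Workplace Analytics", "state": "published"})
    # Catalogue > Resources > Add: request the app be added to the catalogue
    send("POST", f"{EM}/resourceRequests",
         {"requestType": "adminAdd", "catalog": {"id": catalog["id"]},
          "resource": {"originId": sp_id, "originSystem": "AadApplication"}})
    resource = send("GET", f"{EM}/catalogs/{catalog['id']}/resources?$filter=originId eq '{sp_id}'", None)
    resource_id = resource["value"][0]["id"]
    role = find_role(send, catalog["id"], resource_id, role_name)
    # One package per role, named for the role rather than the product
    package = send("POST", f"{EM}/accessPackages",
                   {"displayName": f"WPA {role_name}", "catalog": {"id": catalog["id"]},
                    "description": f"{role_name} role in Workplace Analytics"})
    send("POST", f"{EM}/accessPackages/{package['id']}/resourceRoleScopes",
         {"role": {"originId": role["originId"], "originSystem": "AadApplication",
                   "resource": {"id": resource_id}},
          "scope": {"originId": sp_id, "originSystem": "AadApplication"}})
    policy = send("POST", f"{EM}/assignmentPolicies",
                  policy_body(package["id"], requestor_group_id, fallback_user_id))
    return {"catalog": catalog["id"], "package": package["id"], "policy": policy["id"]}


class FakeGraph:
    """Constructed offline stand-in for the Graph transport; records every call."""
    def __init__(self) -> None:
        self.calls: List[Tuple[str, str, Optional[Dict[str, Any]]]] = []
        self.created = 0

    def __call__(self, method: str, path: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        self.calls.append((method, path, body))
        if "resourceRoles" in path:
            return {"value": [{"originId": "role-admin", "displayName": "Admin"},
                              {"originId": "role-analyst", "displayName": "Analyst"}]}
        if method == "GET":
            return {"value": [{"id": "sp-0001"}]}
        self.created += 1
        return {"id": f"obj-{self.created}"}
```

With a real transport (for example a thin wrapper around an HTTP client that adds the bearer token and raises on non-2xx responses) `provision(send, app_id, "Analyst", hr_group_id, fallback_user_id)` performs the same sequence; the `guid()` check matters because the App ID and group id are interpolated into `$filter` expressions, and a GUID check keeps anything else out of the query.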

User Access

Once the Access Package has been created, users can request access themselves without the need to go to IT.

This is accessed from https://myaccess.microsoft.com/ (screenshot: My Access page)

The “My Access” page is where a user can view Access Packages that have been published to them, request access to them and also participate in the approval process for requests if they are an approver.

Summary

The use of Entitlements, with its Catalogues and Access Packages, requires Azure Active Directory Plan 2 licencing, but it allows groups of permissions to be managed by the business users who know who should and should not have access. This can significantly increase the speed at which users gain access to the resources they require to do their job. It can also ensure that highly sensitive applications such as Workplace Analytics are secured and that access is reviewed continually, removing the risk of permissions never being removed when a user changes their job role.
