A while back, Microsoft decided to start blocking end users by default from setting up automatic forwarding of emails outside the organization. This decision was partly driven by the risk of data leakage and by the common attacker technique of auto-forwarding emails to an external address once an account has been compromised. This is a very common step after an account compromise and is often fully automated.
Forwarding emails outside the organization can, however, still be a necessary task, both for a short period and for a longer one.
In this blog post, we will go through how you can use Identity Governance, and more specifically entitlement management, to let users request this permission themselves.
To use Entitlement Management, you will need an Azure AD Premium P2 license. To be fully compliant with the licensing, follow this statement from Microsoft:
Ensure that your directory has at least as many Azure AD Premium P2 licenses as you have:
- Member users who can request an access package.
- Member users who request an access package.
- Member users who approve requests for an access package.
- Member users who review assignments for an access package.
- Member users who have a direct assignment to an access package.
The example in this post has the following requirements:
- All users (excluding guests) must be allowed to request the access package that grants them the right to auto-forward emails outside the organization
- Requests must be approved, to verify the business justification
- Access must be time-limited to 7 days, but the end user must be able to extend access without a new approval
Set up an access package in entitlement management
1. Sign in to portal.azure.com and elevate your permissions to User Administrator or Identity Governance Administrator
2. Open the Identity Governance service
3. Go to Access packages
4. Click New access package
5. Enter a name, a description and a catalog, then go to Resource roles
6. Select Groups and Teams
7. Select the security group configured in your custom outbound spam policy in EOP (the policy that allows all members of the group to forward emails outside the organization) and go to Requests
In this case, we would like to include all members (excluding guests) and require the user to enter a justification with the request.
The request must be approved in one step, and in this case we will add only one approver, who won't be required to enter a justification when approving the request.
We do not need to require any requestor information in this case, so go to Lifecycle.
Now configure when the access package should expire, whether the user should be allowed to extend access, and whether that extension request will need approval again.
Review your configuration and create the access package 😊
All end users can now request access through the newly created access package in the My Access portal:
1. Go to the My Access portal
2. Request the specific access package
3. Enter the justification and submit
The request will now be processed, and the approver will receive an email with the request within a couple of minutes.
The end user should be a member of the security group within a couple of minutes and be able to forward emails outside the organization.
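As an added example that is not part of the original post, here is a PowerShell audit an admin can run once the access package is live. It confirms that only the custom outbound spam policy turns forwarding on, lists who currently holds the right through the group, and flags every mailbox that actually forwards externally but whose owner is not in that group. It assumes the ExchangeOnlineManagement module, that the group is mail-enabled (which EOP requires for the FromMemberOf condition), and a placeholder group name SG-AllowExternalForwarding.

```powershell
# Added audit script, not from the original post.
# Assumes the ExchangeOnlineManagement module and a placeholder group name.
Connect-ExchangeOnline

$allowGroup = 'SG-AllowExternalForwarding'   # placeholder: your EOP policy group

# 1. The default outbound spam policy should keep AutoForwardingMode off;
#    only the custom policy scoped to the group should set it to On.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, IsDefault, AutoForwardingMode |
    Format-Table -AutoSize

Get-HostedOutboundSpamFilterRule |
    Select-Object Name, HostedOutboundSpamFilterPolicy, FromMemberOf |
    Format-Table -AutoSize

# 2. Current group members: each one should map to an approved, unexpired
#    access package assignment (the 7-day lifecycle removes them otherwise).
$approved = Get-DistributionGroupMember -Identity $allowGroup -ResultSize Unlimited |
    ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLower() }

# 3. Mailbox-level forwarding plus inbox rules that forward or redirect.
#    Enumerating inbox rules for every mailbox is slow in large tenants.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $targets = @()
    if ($mbx.ForwardingSmtpAddress) { $targets += "Mailbox: $($mbx.ForwardingSmtpAddress)" }
    if ($mbx.ForwardingAddress)     { $targets += "Mailbox: $($mbx.ForwardingAddress)" }

    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $to = ($_.ForwardTo + $_.ForwardAsAttachmentTo + $_.RedirectTo) -join ', '
            $targets += "Rule '$($_.Name)': $to"
        }

    if ($targets) {
        [pscustomobject]@{
            User       = $mbx.UserPrincipalName
            InGroup    = $approved -contains $mbx.PrimarySmtpAddress.ToString().ToLower()
            Forwarding = $targets -join '; '
        }
    }
}

# Rows with InGroup = False are forwarding set up outside the approved path.
$findings | Sort-Object InGroup | Format-Table -AutoSize
```

Forwarding to internal recipients will also show up here; filter on your accepted domains if you only want external targets.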