Mapping
The core of the review process is the mapping of resource actions to activities. This mapping is used to determine which role is most suitable to perform the activities associated with a user (see Review Process).
The better the mapping, the more accurate the review process will be.
Resource actions are the actions that can be performed on a resource.
For example, in Entra ID, when a user adds a member to a group, the resource action is microsoft.directory/groups/members/add.
This action is included in several roles, such as Group Administrator, but also in the less privileged User role, a hidden role granted to every user of type Member.
The difference is that Group Administrator can add members to any group, while the User role can only add members to groups the user owns, because the permission set that includes this resource action carries the condition $SubjectIsOwner.
Activities are operations recognized by the Entra ID audit logs.
For example, the activity Add member to group is logged when a user adds a member to a group.
Activities do not map one-to-one to resource actions, which is why this mapping is needed: the review has to translate what the audit log says a user did into the resource actions (and conditions) a role would have to grant for that to be allowed.
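The following Python snippet is an added example, not code from the tool this page documents. It models a handful of role definitions, a mapping from audit-log activities to resource actions, and a condition check, and then asks which roles would have allowed a given list of activities. The role contents, the activity names and the condition evaluation (a context dictionary keyed by condition name, e.g. `$SubjectIsOwner`) are assumptions made for the example; the privilege measure (fewer resource actions = less privileged) is likewise a simplification chosen here.

```python
"""Added example: find the least-privileged role whose effective resource
actions cover the activities a user performed.  Role and mapping data below
are constructed for illustration and are not complete Entra ID definitions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Permission:
    action: str                      # e.g. "microsoft.directory/groups/members/add"
    condition: Optional[str] = None  # e.g. "$SubjectIsOwner"; None = unconditional


@dataclass(frozen=True)
class Role:
    name: str
    permissions: Tuple[Permission, ...]
    hidden: bool = False


# Constructed role definitions (hypothetical subsets, not the real role contents).
ROLES: Tuple[Role, ...] = (
    Role("User", (
        Permission("microsoft.directory/groups/members/add", "$SubjectIsOwner"),
        Permission("microsoft.directory/groups/owners/add", "$SubjectIsOwner"),
        Permission("microsoft.directory/users/password/update", "$ResourceIsSelf"),
    ), hidden=True),
    Role("Group Administrator", (
        Permission("microsoft.directory/groups/create"),
        Permission("microsoft.directory/groups/delete"),
        Permission("microsoft.directory/groups/members/add"),
        Permission("microsoft.directory/groups/owners/add"),
    )),
    Role("Global Administrator", (
        Permission("microsoft.directory/groups/create"),
        Permission("microsoft.directory/groups/delete"),
        Permission("microsoft.directory/groups/members/add"),
        Permission("microsoft.directory/groups/owners/add"),
        Permission("microsoft.directory/users/password/update"),
        Permission("microsoft.directory/users/delete"),
    )),
)

# Constructed activity -> resource action mapping (the thing this page is about).
MAPPING: Dict[str, Set[str]] = {
    "Add member to group": {"microsoft.directory/groups/members/add"},
    "Add owner to group": {"microsoft.directory/groups/owners/add"},
    "Delete group": {"microsoft.directory/groups/delete"},
}


def condition_holds(condition: Optional[str], ctx: Dict[str, bool]) -> bool:
    """Unconditional permissions always apply; conditional ones only when the
    review context says the condition was true (e.g. the actor owned the group)."""
    return True if condition is None else ctx.get(condition, False)


def required_actions(activities: List[str]) -> Tuple[Set[str], List[str]]:
    """Translate activities into resource actions; report unmapped activities
    separately so they can be added on the mapping page instead of being ignored."""
    needed: Set[str] = set()
    unmapped: List[str] = []
    for activity in activities:
        if activity in MAPPING:
            needed |= MAPPING[activity]
        else:
            unmapped.append(activity)
    return needed, unmapped


def effective_actions(role: Role, ctx: Dict[str, bool]) -> Set[str]:
    """Resource actions the role actually grants under the given conditions."""
    return {p.action for p in role.permissions if condition_holds(p.condition, ctx)}


def suitable_roles(activities: List[str], ctx: Dict[str, bool],
                   roles: Tuple[Role, ...] = ROLES) -> List[str]:
    """Roles that cover every required action, least privileged first."""
    needed, unmapped = required_actions(activities)
    if unmapped:
        raise ValueError(f"activities without a mapping: {unmapped}")
    covering = [r for r in roles if needed <= effective_actions(r, ctx)]
    return [r.name for r in sorted(covering, key=lambda r: len(r.permissions))]


if __name__ == "__main__":
    # A user adding members to a group they own needs no admin role at all ...
    print(suitable_roles(["Add member to group"], {"$SubjectIsOwner": True}))
    # ... but the same activity on a group they do not own requires Group Administrator.
    print(suitable_roles(["Add member to group"], {}))
```

The point the example makes is that the condition, not just the action name, decides the outcome: with `$SubjectIsOwner` true the hidden User role is sufficient, so a reviewer should not conclude from an "Add member to group" entry alone that the user needs Group Administrator.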
Navigate to the mapping page by clicking on the Mapping link on the top navigation bar.

You will see a list of all activities currently known to the system.
To add a new mapping, click on the Create mapping button on the top of the page.

You will be presented with a form to create a new mapping.

- Select the activity you want to map from the dropdown list.
- Select the resource action(s) you want to map to the activity from the dropdown list.
- Click on the Save button to create the mapping.
There are hundreds of resource actions in Entra ID. To make it easier to find the ones you are looking for, use the filter dropdowns to narrow down the list.
For example, to find all resource actions that concern Entra ID group management, select microsoft.directory from the Namespace dropdown and groups from the Resource group dropdown.
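As an added example (not part of the tool's code), the snippet below parses resource action strings into the namespace, resource group and action parts the filter dropdowns operate on, and filters a constructed list the same way the Namespace and Resource group dropdowns do. The split on the first two `/` separators and the sample list are assumptions made for the example.

```python
"""Added example: parse and filter Entra ID resource action strings by
namespace and resource group.  The sample list is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ResourceAction:
    namespace: str       # "microsoft.directory"
    resource_group: str  # "groups"
    action: str          # "members/add" (everything after the second separator)
    raw: str             # the original string, for display and selection


def parse_resource_action(raw: str) -> ResourceAction:
    """Split '<namespace>/<resource group>/<action...>' into its parts.
    Assumption: the first two '/' separators delimit namespace and resource
    group; the remainder (which may itself contain '/') is the action."""
    namespace, _, rest = raw.partition("/")
    resource_group, _, action = rest.partition("/")
    if not (namespace and resource_group and action):
        raise ValueError(f"malformed resource action: {raw!r}")
    return ResourceAction(namespace, resource_group, action, raw)


def filter_actions(raw_actions: List[str], namespace: Optional[str] = None,
                   resource_group: Optional[str] = None) -> List[str]:
    """Return the raw strings matching the selected dropdown values (None = any)."""
    matches = []
    for raw in raw_actions:
        ra = parse_resource_action(raw)
        if namespace is not None and ra.namespace != namespace:
            continue
        if resource_group is not None and ra.resource_group != resource_group:
            continue
        matches.append(raw)
    return matches


def namespaces(raw_actions: List[str]) -> List[str]:
    """Distinct namespaces, sorted: the contents of the Namespace dropdown."""
    return sorted({parse_resource_action(r).namespace for r in raw_actions})


def resource_groups(raw_actions: List[str], namespace: str) -> List[str]:
    """Distinct resource groups within one namespace: the Resource group dropdown."""
    return sorted({parse_resource_action(r).resource_group
                   for r in raw_actions if parse_resource_action(r).namespace == namespace})


# Constructed sample; a real tenant exposes hundreds of such strings.
SAMPLE_ACTIONS = [
    "microsoft.directory/groups/members/add",
    "microsoft.directory/groups/owners/add",
    "microsoft.directory/groups/create",
    "microsoft.directory/users/password/update",
    "microsoft.directory/applications/credentials/update",
    "microsoft.azure.serviceHealth/allEntities/allTasks",
    "microsoft.office365.exchange/allEntities/basic/allTasks",
]

if __name__ == "__main__":
    print(namespaces(SAMPLE_ACTIONS))
    print(resource_groups(SAMPLE_ACTIONS, "microsoft.directory"))
    print(filter_actions(SAMPLE_ACTIONS, "microsoft.directory", "groups"))
```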

You can also create a mapping directly from a role definition. This is useful when you want to switch perspective while looking for the right mapping: start from a role you already know and pick the resource actions from it.
Navigate to the role definition page by clicking on the Roles link on the top navigation bar.

You will see a list of all roles currently known to the system. Click on the role you want to create a mapping for (or just want to see some details about the role).
When you expand the permission sets of the role, you will see a list of all resource actions included in the role. You can click on the Map button to open the mapping dialog with the resource actions of the role pre-selected.

