
🧩 Part 6: Entitlement Management and Access Packages

  • Writer: Bjørnar Aassveen
  • Jun 26
  • 2 min read

The right access with one click


When new employees start, projects are kicked off, or external partners need to collaborate, the same question arises every time: How do we provide the right access – quickly, securely, and without manual work?


With Entitlement Management in Microsoft Entra ID, you can create access packages that collect everything a user needs – and let them request access via a self-service portal. You get control, traceability, and automation in one.


We are moving toward more automated onboarding by first using dynamic groups for more generic affiliations such as Teams, SharePoint sites, shared applications, etc. You can then build on this with access packages for more role-specific access, where you also add lifecycle and access reviews to maintain slightly stricter control.


🎁 What is an access package?

An access package is a collection of resources that a user can access as a "package." It can include:

  • Microsoft 365 Groups and Teams

  • SharePoint sites

  • Applications (SaaS or internal)

  • Roles in Entra ID


You define who can request the package, who must approve it, and how long access lasts.

Example: New hire in IT

You can create an access package that includes:

  • IT team in Teams

  • SharePoint site for documentation

  • Jira and GitHub as apps

  • Entra role for access to Intune


When a new hire starts, they can request the package—and get everything they need without IT having to do anything manually.



🔐 How does it work?


  • Create an access package in the Entra admin center

  • Add resources (groups, apps, websites)

  • Define policies: who can request access (internal, external, specific users). In my case, I have set "dev-sandbox", which has a dynamic rule on all IT employees in the tenant.

  • Set the approval flow (automatic, single or multiple approvers) and duration (e.g. 90 days, with possibility of renewal)

  • Publish the package in the access catalog



🌍 External Use and Collaboration

Access Packages also work for guest users. You can:

  • Allow external users to request access via a portal

  • Require approval from internal sponsor

  • Limit duration and resources

  • Combine with Cross-Tenant Sync or B2B
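
An added example, not part of the original post: a small Python check that reads assignment policies (the request, approval and duration settings described above) and flags packages with no expiration, guest access without an approver, or no access review. Field names follow the Microsoft Graph v1.0 accessPackageAssignmentPolicy resource; the sample policies, the finding labels and the 365-day limit are constructed for illustration.

```python
import re

# Constructed samples; fields follow Graph v1.0 accessPackageAssignmentPolicy.
SAMPLE_POLICIES = [
    {"displayName": "IT new hire (internal)",
     "allowedTargetScope": "specificDirectoryUsers",
     "expiration": {"type": "afterDuration", "duration": "P90D"},
     "requestApprovalSettings": {"isApprovalRequiredForAdd": False, "stages": []},
     "reviewSettings": {"isEnabled": True}},
    {"displayName": "Partner collaboration (guests)",
     "allowedTargetScope": "allExternalUsers",
     "expiration": {"type": "noExpiration"},
     "requestApprovalSettings": {"isApprovalRequiredForAdd": False, "stages": []},
     "reviewSettings": {"isEnabled": False}},
]
EXTERNAL_SCOPES = {"allExternalUsers", "allConfiguredConnectedOrganizationUsers",
                   "specificConnectedOrganizationUsers"}
MAX_DAYS = 365  # assumption: local upper bound for an assignment's lifetime

def duration_days(iso):
    """Convert an ISO 8601 duration such as P90D or P1Y to approximate days."""
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?", iso or "")
    if not m or not any(m.groups()):
        return None  # missing or unsupported form: reported as a finding
    years, months, days = (int(g or 0) for g in m.groups())
    return years * 365 + months * 30 + days

def audit_policy(policy):
    """Return findings: missing expiry, guests without an approver, no review."""
    findings = []
    exp = policy.get("expiration") or {}
    approval = policy.get("requestApprovalSettings") or {}
    if exp.get("type") in (None, "notSpecified", "noExpiration"):
        findings.append("no-expiration")
    elif exp.get("type") == "afterDuration":
        days = duration_days(exp.get("duration"))
        if days is None or days > MAX_DAYS:
            findings.append("duration-too-long-or-unreadable")
    if policy.get("allowedTargetScope") in EXTERNAL_SCOPES and not (
            approval.get("isApprovalRequiredForAdd") and approval.get("stages")):
        findings.append("external-without-approval")
    if not (policy.get("reviewSettings") or {}).get("isEnabled"):
        findings.append("no-access-review")
    return findings

def audit_all(policies):
    return {p["displayName"]: audit_policy(p) for p in policies}

if __name__ == "__main__":
    print(audit_all(SAMPLE_POLICIES))
```

Internal policies with automatic approval are not flagged, since the post lists automatic approval as a valid flow; only guest-facing policies are required to have an approver.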

Benefits


🚀 Fast onboarding – everything in one place

🔐 Increased security – with approval and expiration

📊 Traceability – who has access to what, and why

🧠 Less manual work – more time for value-added tasks


Limitations

  • Requires Entra ID P2, and some features require ID Governance

  • Slight learning curve for setup

  • Not all apps support granular access control


🚀 Next Steps

In the next post, we'll look at Privileged Identity Management (PIM) - how you can ensure that sensitive privileges are only used when needed, and with full visibility.


Bjørnar&AI
