Change approval and requestor information (preview) settings for an access package in Azure AD entitlement management
As an access package manager, you can change the approval and requestor information settings for an access package at any time by editing an existing policy or adding a new policy.
This article describes how to change the approval and requestor information settings for an existing access package.
In the Approval section, you specify whether an approval is required when users request this access package. The approval settings work in the following way:
- Only one of the selected approvers or fallback approvers needs to approve a request for single-stage approval.
- Only one of the selected approvers from each stage needs to approve a request for 2-stage approval.
- The approver can be a Manager, Internal sponsor, or External sponsor, depending on whose access the policy governs.
- Approval from every selected approver isn't required for single or 2-stage approval.
- The approval decision is based on whichever approver reviews the request first.
Change approval settings of an existing access package
Follow these steps to specify the approval settings for requests for the access package:
Prerequisite role: Global administrator, User administrator, Catalog owner, or Access package manager
In the Azure portal, click Azure Active Directory and then click Identity Governance.
In the left menu, click Access packages and then open the access package.
Either select a policy to edit or add a new policy to the access package:
- Click Policies and then Add policy if you want to create a new policy.
- Click the policy you wish to edit and then click edit.
Go to the Request tab.
To require approval for requests from the selected users, set the Require approval toggle to Yes. Or, to have requests automatically approved, set the toggle to No.
To require users to provide a justification to request the access package, set the Require requestor justification toggle to Yes.
Now determine if requests will require single or 2-stage approval. Set the How many stages toggle to 1 for single stage approval or set the toggle to 2 for 2-stage approval.
Use the following steps to add approvers after selecting how many stages you require:
Add the First Approver:
If the policy is set to govern access for users in your directory, you can select Manager as approver. Or, add a specific user by clicking Add approvers after selecting Choose specific approvers from the dropdown menu.
If this policy is set to govern access for users not in your directory, you can select External sponsor or Internal sponsor. Or, add a specific user by clicking Add approvers or groups under Choose specific approvers.
If you selected Manager as the first approver, click Add fallback to select one or more users or groups in your directory to be a fallback approver. Fallback approvers receive the request if entitlement management can't find the manager for the user requesting access.
The manager is found by entitlement management using the Manager attribute. The attribute is in the user's profile in Azure AD. For more information, see Add or update a user's profile information using Azure Active Directory.
If you selected Choose specific approvers, click Add approvers to select one or more users or groups in your directory to be approvers.
In the box under Decision must be made in how many days?, specify the number of days that an approver has to review a request for this access package.
If a request isn't approved within this time period, it will be automatically denied. The user will have to submit another request for the access package.
To require approvers to provide a justification for their decision, set Require approver justification to Yes.
The justification is visible to other approvers and the requestor.
If you selected a 2-stage approval, you'll need to add a second approver.
Add the Second Approver:
If the users are in your directory, add a specific user as the second approver by clicking Add approvers under Choose specific approvers.
If the users aren't in your directory, select Internal sponsor or External sponsor as the second approver. After selecting the approver, add the fallback approvers.
Specify the number of days the second approver has to approve the request in the box under Decision must be made in how many days?.
Set the Require approver justification toggle to Yes or No.
You can specify alternate approvers, similar to specifying the first and second approvers who can approve requests. Having alternate approvers helps ensure that requests are approved or denied before they expire (timeout). You can list alternate approvers for the first approver and second approver for 2-stage approval.
When you specify alternate approvers and the first or second approvers are unable to approve or deny the request, the pending request is forwarded to the alternate approvers, per the forwarding schedule you specified during policy setup. They receive an email to approve or deny the pending request.
After the request is forwarded to the alternate approvers, the first or second approvers can still approve or deny the request. Alternate approvers use the same My Access site to approve or deny the pending request.
You can list people or groups of people to be approvers and alternate approvers. Ensure that you list different sets of people to be the first, second, and alternate approvers. For example, if you listed Alice and Bob as the First Approver(s), list Carol and Dave as the alternate approvers. Use the following steps to add alternate approvers to an access package:
Under the First Approver, Second Approver, or both, click Show advanced request settings.
Set If no action taken, forward to alternate approvers? toggle to Yes.
Click Add alternate approvers and select the alternate approver(s) from the list.
In the Forward to alternate approver(s) after how many days box, put in the number of days the approvers have to approve or deny a request. If no approvers have approved or denied the request before the request duration ends, the request expires (timeout), and the user will have to submit another request for the access package.
Requests can only be forwarded to alternate approvers a day after the request duration reaches half-life, and the decision of the main approver(s) has to time out after at least 4 days. If the request time-out is less than or equal to 3, there is not enough time to forward the request to alternate approver(s). In this example, the duration of the request is 14 days, so the request duration reaches half-life at day 7 and the request can't be forwarded earlier than day 8. Requests also can't be forwarded on the last day of the request duration, so in the example the latest the request can be forwarded is day 13.
If you want the access package to be made immediately available for users in the request policy to request, move the Enable toggle to Yes.
You can always enable it in the future after you have finished creating the access package.
If you selected None (administrator direct assignments only) and you set enable to No, then administrators can't directly assign this access package.
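The approval rules above (different people as first, second, and alternate approvers, a fallback when Manager is the approver, and the forwarding window) can be checked before a policy is enabled. The following Python sketch is an added example, not part of the original article or of Azure AD; the dictionary field names are hypothetical, `forward_after_days` is assumed to be the day on which forwarding happens, and rounding the half-life up for odd durations is an assumption.

```python
import math

def forwarding_window(decision_days):
    """(earliest, latest) day a pending request may be forwarded, or None."""
    if decision_days < 4:  # a time-out of 3 or less leaves no room to forward
        return None
    # One day after half-life; rounding odd durations up is an assumption.
    return math.ceil(decision_days / 2) + 1, decision_days - 1

def audit_stage(stage):
    findings = []
    approvers = set(stage.get("approvers", []))
    alternates = set(stage.get("alternate_approvers", []))
    if approvers & alternates:
        findings.append(f"approvers also listed as alternates: {sorted(approvers & alternates)}")
    if stage.get("manager_as_approver") and not stage.get("fallback_approvers"):
        findings.append("Manager is approver but no fallback approver is set")
    if alternates:
        window = forwarding_window(stage["decision_days"])
        forward_day = stage.get("forward_after_days")
        if window is None:
            findings.append("decision time-out under 4 days, request cannot be forwarded")
        elif forward_day is None or not window[0] <= forward_day <= window[1]:
            findings.append(f"forward day {forward_day} outside allowed days {window[0]}-{window[1]}")
    return findings

def audit_policy(policy):
    if not policy.get("require_approval"):
        return ["Require approval is No: requests are approved automatically"]
    stages = policy.get("stages", [])
    findings = [f"stage {n}: {msg}" for n, s in enumerate(stages, 1) for msg in audit_stage(s)]
    if len(stages) == 2:
        shared = set(stages[0].get("approvers", [])) & set(stages[1].get("approvers", []))
        if shared:
            findings.append(f"same approver in both stages: {sorted(shared)}")
    return findings

# Constructed sample policy (hypothetical field names, not an Azure AD export).
SAMPLE_POLICY = {
    "require_approval": True,
    "stages": [
        {"approvers": ["alice", "bob"], "alternate_approvers": ["bob", "carol"],
         "decision_days": 14, "forward_after_days": 5},
        {"approvers": ["erin"], "alternate_approvers": ["dave"],
         "decision_days": 3, "forward_after_days": 2},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```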
Collect additional requestor information for approval (preview)
In order to make sure users are getting access to the right access packages, you can require requestors to answer custom text field or multiple choice questions at the time of request. There is a limit of 20 questions per policy and a limit of 25 answers for multiple choice questions. The questions will then be shown to approvers to help them make a decision.
Go to the Requestor information tab and click the Questions sub tab.
Type in what you want to ask the requestor, also known as the display string, for the question in the Question box.
If the community of users who will need access to the access package don't all have a common preferred language, then you can improve the experience for users requesting access on myaccess.microsoft.com. To improve the experience, you can provide alternative display strings for different languages. For example, if a user's web browser is set to Spanish, and you have Spanish display strings configured, then those strings will be displayed to the requesting user. To configure localization for requests, click add localization.
- Once in the Add localizations for question pane, select the language code for the language in which you are localizing the question.
- In the language you configured, type the question in the Localized Text box.
- Once you have added all the localizations needed, click Save.
Select the Answer format in which you would like requestors to answer. Answer formats include: short text, multiple choice, and long text.
If selecting multiple choice, click on the view and edit button to configure the answer options.
- After selecting view and edit, the View/edit question pane will open.
- Type in the response options you wish to give the requestor when answering the question in the Answer values boxes.
- Type in as many responses as you need then click Save.
To require requestors to answer this question when requesting access to an access package, click the check box under Required.
Fill out the remaining tabs (e.g., Lifecycle) based on your needs.
After you have configured requestor information in your access package policy, you can view the requestor's responses to the questions. For guidance on seeing requestor information, see View requestor's answers to questions (Preview).