View and remove requests for an access package in Azure AD entitlement management

In Azure AD entitlement management, you can see who has requested access packages, their policy, and status. This article describes how to view requests for an access package, and remove requests that are no longer needed.

View requests

Prerequisite role: Global administrator, Identity Governance administrator, User administrator, Catalog owner, Access package manager or Access package assignment manager

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Access packages and then open the access package.

  3. Click Requests.

  4. Click a specific request to see additional details.

    List of requests for an access package

  5. You can click on Request History details to see who approved a request, what their approval justifications were, and when access was delivered.

If you have a set of users whose requests are in the "Partially Delivered" or "Failed" state, you can retry those requests by using the reprocess functionality.

View assignments with Microsoft Graph

You can also retrieve requests for an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated EntitlementManagement.Read.All or EntitlementManagement.ReadWrite.All permission can call the API to list accessPackageAssignmentRequests. You can supply a filter to indicate a specific access package, such as: $expand=accessPackage&$filter=accessPackage/id eq '9bbe5f7d-f1e7-4eb1-a586-38cdf6f8b1ea'. An application that has the application permission EntitlementManagement.Read.All or EntitlementManagement.ReadWrite.All permission can also use this API.

Remove request (Preview)

You can also remove a completed request that is no longer needed. To remove a request:

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Access packages and then open the access package.

  3. Click Requests.

  4. Find the request you want to remove from the access package.

  5. Select the Remove button.

Note

If you remove a completed request from an access package, this doesn't remove the active assignment, only the data of the request. So the requestor will continue to have access. If you also need to remove an assignment and the resulting access from that access package, in the left menu, click Assignments, locate the assignment, and then remove the assignment.

Remove a request with Microsoft Graph

You can also remove a request using Microsoft Graph. A user in an appropriate role with an application that has the delegated EntitlementManagement.ReadWrite.All permission, or an application with that application permission, can call the API to remove an accessPackageAssignmentRequest.

Next steps