Create and manage a catalog of resources in Azure AD entitlement management

Create a catalog

A catalog is a container of resources and access packages. You create a catalog when you want to group related resources and access packages. Whoever creates the catalog becomes the first catalog owner. A catalog owner can add additional catalog owners.

Prerequisite role: Global administrator, User administrator, or Catalog creator

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Catalogs.

  3. Click New catalog.

  4. Enter a unique name for the catalog and provide a description.

    Users will see this information in an access package's details.

  5. If you want the access packages in this catalog to be available for users to request as soon as they are created, set Enabled to Yes.

  6. If you want to allow users in selected external directories to be able to request access packages in this catalog, set Enabled for external users to Yes.

  7. Click Create to create the catalog.

Add resources to a catalog

To include resources in an access package, the resources must exist in a catalog. The types of resources you can add are groups, applications, and SharePoint Online sites. The groups can be cloud-created Office 365 Groups or cloud-created Azure AD security groups. The applications can be Azure AD enterprise applications, including both SaaS applications and your own applications federated to Azure AD. The sites can be SharePoint Online sites or SharePoint Online site collections.

Prerequisite role: See Required roles to add resources to a catalog

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Catalogs and then open the catalog you want to add resources to.

  3. In the left menu, click Resources.

  4. Click Add resources.

  5. Click a resource type: Groups and Teams, Applications, or SharePoint sites.

    If you don't see a resource that you want to add or you are unable to add a resource, make sure you have the required Azure AD directory role and entitlement management role. You might need to have someone with the required roles add the resource to your catalog. For more information, see Required roles to add resources to a catalog.

  6. Select one or more resources of the type that you would like to add to the catalog.

  7. When finished, click Add.

    These resources can now be included in access packages within the catalog.

Remove resources from a catalog

You can remove resources from a catalog. A resource can only be removed from a catalog if it is not being used in any of the catalog's access packages.

Prerequisite role: See Required roles to add resources to a catalog

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Catalogs and then open the catalog you want to remove resources from.

  3. In the left menu, click Resources.

  4. Select the resources you want to remove.

  5. Click Remove (or click the ellipsis (...) and then click Remove resource).

Add additional catalog owners

The user who created a catalog becomes the first catalog owner. To delegate management of a catalog, you add users to the catalog owner role. This helps share the catalog management responsibilities.

Follow these steps to assign a user to the catalog owner role:

Prerequisite role: Global administrator, User administrator, or Catalog owner

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Catalogs and then open the catalog you want to add administrators to.

  3. In the left menu, click Roles and administrators.

  4. Click Add owners to select the members for these roles.

  5. Click Select to add these members.

Edit a catalog

You can edit the name and description for a catalog. Users see this information in an access package's details.

Prerequisite role: Global administrator, User administrator, or Catalog owner

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Catalogs and then open the catalog you want to edit.

  3. On the catalog's Overview page, click Edit.

  4. Edit the catalog's name, description, or enabled settings.

  5. Click Save.

Delete a catalog

You can delete a catalog, but only if it does not have any access packages.

Prerequisite role: Global administrator, User administrator, or Catalog owner

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Catalogs and then open the catalog you want to delete.

  3. On the catalog's Overview page, click Delete.

  4. In the message box that appears, click Yes.
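
The removal and deletion rules above can be checked before you open the portal. The following is an added example, not part of the original article or any Microsoft tooling: it runs over a constructed catalog inventory whose field names are hypothetical, and reports which resources are unused by every access package, which catalogs have no access packages, which are enabled for external users, and which have only one owner.

```python
# Constructed sample inventory. Field names are hypothetical and are not an
# Azure AD export format; map them from whatever inventory you maintain.
CATALOGS = [
    {"name": "Marketing", "external_users": True, "owners": ["alice"],
     "resources": ["grp-mkt", "app-crm", "site-brand"],
     "access_packages": {"Campaign team": ["grp-mkt", "app-crm"]}},
    {"name": "Legacy", "external_users": False, "owners": ["bob", "carol"],
     "resources": ["grp-old"], "access_packages": {}},
]


def removable_resources(catalog):
    """Resources no access package in the catalog uses, so they can be removed."""
    used = {r for res in catalog["access_packages"].values() for r in res}
    return [r for r in catalog["resources"] if r not in used]


def can_delete(catalog):
    """A catalog can be deleted only if it has no access packages."""
    return not catalog["access_packages"]


def review(catalogs):
    """Return (catalog name, finding) pairs for an owner to follow up on."""
    findings = []
    for c in catalogs:
        if c["external_users"]:
            findings.append((c["name"], "enabled for external users"))
        if len(c["owners"]) < 2:
            findings.append((c["name"], "single catalog owner"))
        for r in removable_resources(c):
            findings.append((c["name"], f"unused resource: {r}"))
        if can_delete(c):
            findings.append((c["name"], "no access packages, can be deleted"))
    return findings


if __name__ == "__main__":
    for name, finding in review(CATALOGS):
        print(f"{name}: {finding}")
```
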
