Create and manage a catalog of resources in Azure AD entitlement management

This article shows you how to create and manage a catalog of resources and access packages in Azure Active Directory (Azure AD) entitlement management.

Create a catalog

A catalog is a container of resources and access packages. You create a catalog when you want to group related resources and access packages. Whoever creates the catalog becomes the first catalog owner. A catalog owner can add more catalog owners.

Prerequisite roles: Global administrator, Identity Governance administrator, User administrator, or Catalog creator

Note

Users who were assigned the User administrator role will no longer be able to create catalogs or manage access packages in a catalog they don't own. If users in your organization were assigned the User administrator role to configure catalogs, access packages, or policies in entitlement management, you should instead assign these users the Identity Governance administrator role.

To create a catalog:

  1. In the Azure portal, select Azure Active Directory > Identity Governance.

  2. On the left menu, select Catalogs.

    Screenshot that shows entitlement management catalogs in the Azure portal.

  3. Select New catalog.

  4. Enter a unique name for the catalog and provide a description.

    Users will see this information in an access package's details.

  5. If you want the access packages in this catalog to be available for users to request as soon as they're created, set Enabled to Yes.

  6. If you want to allow users in selected external directories to be able to request access packages in this catalog, set Enabled for external users to Yes.

    Screenshot that shows the New catalog pane.

  7. Select Create to create the catalog.

Create a catalog programmatically

There are two ways to create a catalog programmatically.

Create a catalog with Microsoft Graph

You can create a catalog by using Microsoft Graph. A user in an appropriate role with an application that has the delegated EntitlementManagement.ReadWrite.All permission, or an application with that application permission, can call the API to create an accessPackageCatalog.

Create a catalog with PowerShell

You can also create a catalog in PowerShell with the New-MgEntitlementManagementAccessPackageCatalog cmdlet from the Microsoft Graph PowerShell cmdlets for Identity Governance module version 1.6.0 or later.

# Sign in with the delegated permission needed to create catalogs
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
# The entitlement management cmdlets in this module version use the beta endpoint
Select-MgProfile -Name "beta"
# Create the catalog; $catalog holds the returned accessPackageCatalog, including its Id
$catalog = New-MgEntitlementManagementAccessPackageCatalog -DisplayName "Marketing"

Add resources to a catalog

To include resources in an access package, the resources must exist in a catalog. The types of resources you can add are groups, applications, and SharePoint Online sites. For example:

  • Groups can be cloud-created Microsoft 365 Groups or cloud-created Azure AD security groups. Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Azure AD. Groups that originate in Exchange Online as Distribution groups can't be modified in Azure AD either.
  • Applications can be Azure AD enterprise applications, which include both software as a service (SaaS) applications and your own applications integrated with Azure AD. For more information on how to select appropriate resources for applications with multiple roles, see Add resource roles.
  • Sites can be SharePoint Online sites or SharePoint Online site collections.

Prerequisite roles: See Required roles to add resources to a catalog.

To add resources to a catalog:

  1. In the Azure portal, select Azure Active Directory > Identity Governance.

  2. On the left menu, select Catalogs and then open the catalog you want to add resources to.

  3. On the left menu, select Resources.

  4. Select Add resources.

  5. Select the resource type Groups and Teams, Applications, or SharePoint sites.

    If you don't see a resource that you want to add or you're unable to add a resource, make sure you have the required Azure AD directory role and entitlement management role. You might need to have someone with the required roles add the resource to your catalog. For more information, see Required roles to add resources to a catalog.

  6. Select one or more resources of the type that you want to add to the catalog.

    Screenshot that shows the Add resources to a catalog pane.

  7. When you're finished, select Add.

    These resources can now be included in access packages within the catalog.

Add resource attributes (preview) in the catalog

Attributes are required fields that requestors will be asked to answer before they submit their access request. Their answers for these attributes will be shown to approvers and also stamped on the user object in Azure AD.

Note

All attributes set up on a resource require an answer before a request for an access package containing that resource can be submitted. If requestors don't provide an answer, their request won't be processed.

To require attributes for access requests:

  1. Select Resources on the left menu, and a list of resources in the catalog appears.

  2. Select the ellipsis next to the resource where you want to add attributes, and then select Require attributes (Preview).

    Screenshot that shows selecting Require attributes (Preview).

  3. Select the attribute type:

    1. Built-in includes Azure AD user profile attributes.
    2. Directory schema extension provides a way to store more data in Azure AD on user objects and other directory objects. This includes groups, tenant details, and service principals. Only extension attributes on user objects can be used to send out claims to applications.
  4. If you chose Built-in, select an attribute from the dropdown list. If you chose Directory schema extension, enter the attribute name in the text box.

    Note

    The User.mobilePhone attribute can be updated only for non-administrator users. Learn more at this website.

  5. Select the answer format you want requestors to use for their answer. Answer formats include short text, multiple choice, and long text.

  6. If you select multiple choice, select Edit and localize to configure the answer options.

    1. In the View/edit question pane that appears, enter the response options you want to give the requestor when they answer the question in the Answer values boxes.
    2. Select the language for the response option. You can localize response options if you choose more languages.
    3. Enter as many responses as you need, and then select Save.
  7. If you want the attribute value to be editable during direct assignments and self-service requests, select Yes.

    Screenshot that shows making attributes editable.

    Note

    • If you select No in the Attribute value is editable box and the attribute value is empty, users can enter the value of that attribute. After saving, the value can't be edited.
    • If you select No in the Attribute value is editable box and the attribute value isn't empty, users can't edit the preexisting value during direct assignments and self-service requests.

    Screenshot that shows adding localizations.

  8. If you want to add localization, select Add localization.

    1. In the Add localizations for question pane, select the language code for the language in which you want to localize the question related to the selected attribute.

    2. In the language you configured, enter the question in the Localized Text box.

    3. After you add all the localizations you need, select Save.

      Screenshot that shows saving the localizations.

  9. After all attribute information is completed on the Require attributes (Preview) page, select Save.

Add a Multi-Geo SharePoint site

  1. If you have Multi-Geo enabled for SharePoint, select the environment you want to select sites from.

    Screenshot that shows the Select SharePoint Online sites pane.

  2. Then select the sites you want to be added to the catalog.

Add a resource to a catalog programmatically

You can also add a resource to a catalog by using Microsoft Graph. A user in an appropriate role, or a catalog and resource owner, with an application that has the delegated EntitlementManagement.ReadWrite.All permission can call the API to create an accessPackageResourceRequest. However, an application using application permissions can't yet add a resource programmatically without a user context at the time of the request.
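As an added example that is not part of the original article, the following PowerShell uses the same module version and beta profile as the catalog-creation snippet above to submit the accessPackageResourceRequest described here for a cloud-created security group, and then confirms the group appears in the catalog's resource list. The catalog name Marketing and group name Marketing-Reviewers are assumed placeholders; the caller is assumed to hold a role allowed to add resources to the catalog.

```powershell
# Added example (not from the article): add a cloud-created security group
# to a catalog through an accessPackageResourceRequest, then verify it.
# Assumes Microsoft.Graph PowerShell 1.6.0+ and a caller allowed to add resources.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "Group.Read.All"
Select-MgProfile -Name "beta"

$catalogName = "Marketing"            # assumed catalog display name
$groupName   = "Marketing-Reviewers"  # assumed cloud-created security group

$catalog = Get-MgEntitlementManagementAccessPackageCatalog -Filter "displayName eq '$catalogName'"
if (-not $catalog) { throw "Catalog '$catalogName' not found." }

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found." }

# Groups that originate on-premises can't be catalog resources (their owner and
# member attributes can't be changed in Azure AD), so refuse early.
if ($group.OnPremisesSyncEnabled) {
    throw "Group '$groupName' is synced from on-premises AD and can't be added."
}

# Request body mirrors the Graph accessPackageResourceRequest: an AdminAdd of
# the group's object id as originId in the AadGroup origin system.
$params = @{
    catalogId             = $catalog.Id
    requestType           = "AdminAdd"
    accessPackageResource = @{
        originId     = $group.Id
        originSystem = "AadGroup"
    }
}
$resourceRequest = New-MgEntitlementManagementAccessPackageResourceRequest -BodyParameter $params
Write-Host "Resource request $($resourceRequest.Id) state: $($resourceRequest.RequestState)"

# Confirm the group is now listed among the catalog's resources.
$uri = "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageCatalogs/$($catalog.Id)/accessPackageResources"
$resources = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
$added = $resources | Where-Object { $_.originId -eq $group.Id }
if ($added) {
    Write-Host "Group '$groupName' is now a resource in catalog '$catalogName'."
} else {
    Write-Warning "Group not yet visible in the catalog; the request may still be processing."
}
```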

Remove resources from a catalog

You can remove resources from a catalog. A resource can be removed from a catalog only if it isn't being used in any of the catalog's access packages.

Prerequisite roles: See Required roles to add resources to a catalog.

To remove resources from a catalog:

  1. In the Azure portal, select Azure Active Directory > Identity Governance.

  2. On the left menu, select Catalogs and then open the catalog you want to remove resources from.

  3. On the left menu, select Resources.

  4. Select the resources you want to remove.

  5. Select Remove, or select the ellipsis (...) and then select Remove resource.

Add more catalog owners

The user who created a catalog becomes the first catalog owner. To delegate management of a catalog, add users to the catalog owner role. Adding more catalog owners helps to share the catalog management responsibilities.

Prerequisite roles: Global administrator, Identity Governance administrator, User administrator, or Catalog owner

To assign a user to the catalog owner role:

  1. In the Azure portal, select Azure Active Directory > Identity Governance.

  2. On the left menu, select Catalogs and then open the catalog you want to add administrators to.

  3. On the left menu, select Roles and administrators.

    Screenshot that shows catalog roles and administrators.

  4. Select Add owners to select the members for these roles.

  5. Click Select to add these members.

Edit a catalog

You can edit the name and description for a catalog. Users see this information in an access package's details.

Prerequisite roles: Global administrator, Identity Governance administrator, User administrator, or Catalog owner

To edit a catalog:

  1. In the Azure portal, select Azure Active Directory > Identity Governance.

  2. On the left menu, select Catalogs and then open the catalog you want to edit.

  3. On the catalog's Overview page, select Edit.

  4. Edit the catalog's name, description, or enabled settings.

    Screenshot that shows editing catalog settings.

  5. Select Save.

Delete a catalog

You can delete a catalog, but only if it doesn't have any access packages.

Prerequisite roles: Global administrator, Identity Governance administrator, User administrator, or Catalog owner

To delete a catalog:

  1. In the Azure portal, select Azure Active Directory > Identity Governance.

  2. On the left menu, select Catalogs and then open the catalog you want to delete.

  3. On the catalog's Overview page, select Delete.

  4. On the message box that appears, select Yes.

Delete a catalog programmatically

You can also delete a catalog by using Microsoft Graph. A user in an appropriate role with an application that has the delegated EntitlementManagement.ReadWrite.All permission can call the API to delete an accessPackageCatalog.

Next steps

Delegate access governance to access package managers