Delegate access governance to catalog creators in Azure AD entitlement management

A catalog is a container of resources and access packages. You create a catalog when you want to group related resources and access packages. By default, a Global administrator or an Identity governance administrator can create a catalog, and can add additional users as catalog owners.

To delegate to users who aren't administrators, so that they can create their own catalogs, you can add those users to the Azure AD entitlement management-defined catalog creator role. You can add individual users, or you can add a group, whose members are then able to create catalogs. After creating a catalog, they can subsequently add resources they own to their catalog.

As an IT administrator, delegate to a catalog creator

Follow these steps to assign a user to the catalog creator role.

Prerequisite role: Global administrator, Identity Governance administrator or User administrator

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, in the Entitlement management section, click Settings.

  3. Click Edit.

    Settings to add catalog creators

  4. In the Delegate entitlement management section, click Add catalog creators to select the users or groups that you want to delegate this entitlement management role to.

  5. Click Select.

  6. Click Save.

Allow delegated roles to access the Azure portal

To allow delegated roles, such as catalog creators and access package managers, to access the Azure portal to manage access packages, you should check the administration portal setting.

Prerequisite role: Global administrator or User administrator

  1. In the Azure portal, click Azure Active Directory and then click Users.

  2. In the left menu, click User settings.

  3. Make sure Restrict access to Azure AD administration portal is set to No.

    Azure AD user settings - Administration portal

Manage role assignments programmatically (preview)

You can also view and update catalog creators and entitlement management catalog-specific role assignments using Microsoft Graph. A user in an appropriate role with an application that has the delegated EntitlementManagement.ReadWrite.All permission can call the Graph API to list the role definitions of entitlement management, and list role assignments to those role definitions.

To retrieve a list of the users and groups assigned to the catalog creators role, the role with definition id ba92d953-d8e0-4e39-a797-0cbedb0a89e8, use the Graph query

GET https://graph.microsoft.com/beta/roleManagement/entitlementManagement/roleAssignments?$filter=roleDefinitionId eq 'ba92d953-d8e0-4e39-a797-0cbedb0a89e8'&$expand=principal

Next steps