Common scenarios in Azure AD entitlement management

There are several ways that you can configure entitlement management for your organization. However, if you're just getting started, it's helpful to understand the common scenarios for administrators, catalog owners, access package managers, approvers, and requestors.

Delegate

Administrator: Delegate management of resources

  1. Watch video: Delegation from IT to department manager
  2. Delegate users to catalog creator role

Catalog creator: Delegate management of resources

Catalog owner: Delegate management of resources

  1. Add co-owners to the catalog
  2. Add resources to the catalog

Catalog owner: Delegate management of access packages

  1. Watch video: Delegation from catalog owner to access package manager
  2. Delegate users to access package manager role

Govern access for users in your organization

Access package manager: Allow employees in your organization to request access to resources

  1. Create a new access package
  2. Add groups, Teams, applications, or SharePoint sites to access package
  3. Add a request policy to allow users in your directory to request access
  4. Specify expiration settings

Requestor: Request access to resources

  1. Sign in to the My Access portal
  2. Find access package
  3. Request access

Approver: Approve requests to resources

  1. Open request in My Access portal
  2. Approve or deny access request

Requestor: View the resources you already have access to

  1. Sign in to the My Access portal
  2. View active access packages

Govern access for users outside your organization

Administrator: Collaborate with an external partner organization

  1. Read how access works for external users
  2. Review settings for external users
  3. Add a connection to the external organization

Access package manager: Collaborate with an external partner organization

  1. Create a new access package
  2. Add groups, Teams, applications, or SharePoint sites to access package
  3. Add a request policy to allow users not in your directory to request access
  4. Specify expiration settings
  5. Copy the link to request the access package
  6. Send the link to your external partner contact partner to share with their users

Requestor: Request access to resources as an external user

  1. Find the access package link you received from your contact
  2. Sign in to the My Access portal
  3. Request access

Approver: Approve requests to resources

  1. Open request in My Access portal
  2. Approve or deny access request

Requestor: View the resources your already have access to

  1. Sign in to the My Access portal
  2. View active access packages

Day-to-day management

Access package manager: Update the resources for a project

  1. Watch video: Day-to-day management: Things have changed
  2. Open the access package
  3. Add or remove groups, Teams, applications, or SharePoint sites

Access package manager: Update the duration for a project

  1. Watch video: Day-to-day management: Things have changed
  2. Open the access package
  3. Open the lifecycle settings
  4. Update the expiration settings

Access package manager: Update how access is approved for a project

  1. Watch video: Day-to-day management: Things have changed
  2. Open an existing policy of request settings
  3. Update the approval settings

Access package manager: Update the people for a project

  1. Watch video: Day-to-day management: Things have changed
  2. Remove users that no longer need access
  3. Open an existing policy of request settings
  4. Add users that need access

Access package manager: Directly assign specific users to an access package

  1. If users need different lifecycle settings, add a new policy to the access package
  2. Directly assign specific users to the access package

Assignments and reports

Administrator: View who has assignments to an access package

  1. Open an access package
  2. View assignments
  3. Archive reports and logs

Administrator: View resources assigned to users

  1. View access packages for a user
  2. View resource assignments for a user

Programmatic administration

You can also manage access packages, catalogs, policies, requests and assignments using Microsoft Graph. A user in an appropriate role with an application that has the delegated EntitlementManagement.ReadWrite.All permission can call the entitlement management API.

Next steps