Working with the Azure AD entitlement management API


APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported.

Azure Active Directory (Azure AD) entitlement management can help you manage access to groups, applications, and SharePoint Online sites for internal users as well as users outside your organization.

By creating access packages with the roles users need to have across those resources, and defining policies for who can request an access package and how long they can have an assignment to an access package, you can govern the lifecycle of access for both internal and external users.

The entitlement management resource types include:

Note that the entitlement management feature, including the API, is included in Azure AD Premium P2. The tenant where entitlement management is being used must have a valid purchased or trial Azure AD Premium P2 or EMS E5 subscription.


The following table lists the methods that you can use to interact with entitlement management-related resources.

Method Return type Description
List accessPackages accessPackage collection Retrieve a list of accessPackage objects.
Create accessPackage accessPackage Create a new accessPackage object.
Get accessPackage accessPackage Read properties and relationships of an accessPackage object.
Delete accessPackage Delete accessPackage.
List accessPackageResourceRoleScopes accessPackageResourceRoleScope collection Retrieve a list of accessPackageResourceRoleScope objects for an access package.
Create accessPackageResourceRoleScope Create a new accessPackageResourceRoleScope object for an access package.
List accessPackageAssignmentPolicies accessPackageAssignmentPolicy collection Retrieve a list of accessPackageAssignmentPolicy objects.
Create accessPackageAssignmentPolicy accessPackageAssignmentPolicy Create a new accessPackageAssignmentPolicy object.
Get accessPackageAssignmentPolicy accessPackageAssignmentPolicy Read properties and relationships of an accessPackageAssignmentPolicy object.
Delete accessPackageAssignmentPolicy Delete an accessPackageAssignmentPolicy.
List accessPackageAssignmentRequests accessPackageAssignmentRequest collection Retrieve a list of accessPackageAssignmentRequest objects.
Create accessPackageAssignmentRequest accessPackageAssignmentRequest Create a new accessPackageAssignmentRequest.
Get accessPackageAssignmentRequest accessPackageAssignmentRequest Read properties and relationships of an accessPackageAssignmentRequest object.
List accessPackageAssignments accessPackageAssignment collection Retrieve a list of accessPackageAssignment objects.
List accessPackageAssignmentResourceRoles accessPackageAssignmentResourceRole collection Retrieve a list of accessPackageAssignmentResourceRole objects.
Get accessPackageAssignmentResourceRole accessPackageAssignmentResourceRole Retrieve a accessPackageAssignmentResourceRole object.
List accessPackageCatalogs accessPackageCatalog collection Retrieve a list of accessPackageCatalogs objects.
Create accessPackageCatalog accessPackageCatalog Create a new accessPackageCatalog object.
Get accessPackageCatalog accessPackageCatalog Read properties and relationships of an accessPackageCatalog object.
Delete accessPackageCatalog Delete an accessPackageCatalog.
List accessPackageCatalog resources accessPackageResource collection Retrieve a list of accessPackageResource objects.
List accessPackageCatalog resource roles accessPackageResourceRole collection Retrieve a list of accessPackageResourceRole objects.
List accessPackageResourceRequests accessPackageResourceRequest collection Read properties and relationships of accessPackageResourceRequest objects.
Create accessPackageResourceRequest accessPackageCatalog Create a new accessPackageResourceRequest object.

See also