Tutorial: Manage access to resources in entitlement management

Managing access to all the resources employees need, such as groups, applications, and sites, is an important function for organizations. You want to grant employees the right level of access they need to be productive and remove their access when it's no longer needed.

In this tutorial, you work for Woodgrove Bank as an IT administrator. You've been asked to create a package of resources for a marketing campaign that internal users can use to self-service request. Requests don't require approval and user's access expires after 30 days. For this tutorial, the marketing campaign resources are just membership in a single group, but it could be a collection of groups, applications, or SharePoint Online sites.

Diagram that shows the scenario overview.

In this tutorial, you learn how to:

  • Create an access package with a group as a resource
  • Allow a user in your directory to request access
  • Demonstrate how an internal user can request the access package

For a step-by-step demonstration of the process of deploying Microsoft Entra entitlement management, including creating your first access package, view the following video:

This rest of this article uses the Microsoft Entra admin center to configure and demonstrate entitlement management.

Prerequisites

To use entitlement management, you must have one of the following licenses:

  • Microsoft Entra ID P2 or Microsoft Entra ID Governance
  • Enterprise Mobility + Security (EMS) E5 license

For more information, see License requirements.

Step 1: Set up users and group

Tip

Steps in this article might vary slightly based on the portal you start from.

A resource directory has one or more resources to share. In this step, you create a group named Marketing resources in the Woodgrove Bank directory that is the target resource for entitlement management. You also set up an internal requestor.

Prerequisite role: Global administrator or Identity Governance Administrator

Diagram that shows the users and groups for this tutorial.

  1. Sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator.

  2. Browse to Identity governance > Entitlement management > Access packages.

  3. Create two users. Use the following names or different names.

    Name Directory role
    Admin1 Global administrator, or Identity Governance Administrator. This user can be the user you're currently signed in.
    Requestor1 User
  4. Create a Microsoft Entra security group named Marketing resources with a membership type of Assigned. This group is the target resource for entitlement management. The group should be empty of members to start.

Step 2: Create an access package

An access package is a bundle of resources that a team or project needs and is governed with policies. Access packages are defined in containers called catalogs. In this step, you create a Marketing Campaign access package in the General catalog.

Prerequisite role: Global Administrator, Identity Governance Administrator, Catalog owner, or Access package manager

Diagram that describes the relationship between the access package elements.

  1. Sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator.

  2. Browse to Identity governance > Entitlement management > Access package.

  3. On the Access packages page open an access package.

  4. When opening the access package if you see Access denied, ensure that a Microsoft Entra ID P2 or Microsoft Entra ID Governance license is present in your directory.

  5. Select New access package.

    Screenshots that shows how to create an access package.

  6. On the Basics tab, type the name Marketing Campaign access package and description Access to resources for the campaign.

  7. Leave the Catalog drop-down list set to General.

    Screenshot showing how to set the basic of the access policy.

  8. Select Next to open the Resource roles tab. On this tab, select the resources and the resource role to include in the access package. You can choose to manage access to groups and teams, applications, and SharePoint Online sites. In this scenario, select Groups and Teams.

    Screenshot showing how to select groups and teams.

  9. In the Select groups pane, find and select the Marketing resources group you created earlier.

    By default, you see groups inside the General catalog. When you select a group outside of the General catalog, which you can see if you check the See all check box, it's added to the General catalog.

    Screenshot that shows how to select the groups"

  10. Choose Select to add the group to the list.

  11. In the Role drop-down list, select Member. If you select the Owner role, it allows users to add or remove other members or owners. For more information on selecting the appropriate roles for a resource, read add resource roles.

    Screenshot the shows how to select the member role.

    Important

    The role-assignable groups added to an access package will be indicated using the Sub Type Assignable to roles. For more information, check out the Create a role-assignable group article. Keep in mind that once a role-assignable group is present in an access package catalog, administrative users who are able to manage in entitlement management, including users in the Global Administrator role, users in the Identity Governance Administrator role, and catalog owners of the catalog, will be able to control the access packages in the catalog, allowing them to choose who can be added to those groups. If you don't see a role-assignable group that you want to add or you are unable to add it, make sure you have the required Microsoft Entra role and entitlement management role to perform this operation. You might need to ask someone with the required roles add the resource to your catalog. For more information, see Required roles to add resources to a catalog.

    Note

    When using dynamic groups you will not see any other roles available besides owner. This is by design. Screenshots that shows a dynamic group available roles.

  12. Select Next to open the Requests tab. On the Requests tab, you create a request policy. A policy defines the rules or guardrails to access an access package. You create a policy that allows a specific user in the resource directory to request this access package.

  13. In the Users who can request access section, select For users in your directory and then select Specific users and groups.

    Screenshot of the access package requests tab.

  14. Select Add users and groups.

  15. In the Select users and groups pane, select the Requestor1 user you created earlier.

    Screenshot of select users and groups.

  16. Choose Select to add the user to the list.

  17. Scroll down to the Approval and Enable requests sections.

  18. Leave Require approval set to No.

  19. For Enable requests, select Yes to enable this access package to be requested as soon as it's created.

  20. If your organization is set up to receive verified IDs, there's an option to configure an access package to require requestors to provide a verified ID. To learn more, see: Configure verified ID settings for an access package in entitlement management (Preview)

    Screenshot of the Verified ID picker selection.

  21. Select Next to open the Requestor information tab.

    Screenshots of the requests tab approval and enable requests settings.

  22. On the Requestor information tab, you can ask questions to collect more information from the requestor. The questions are shown on the request form and can be either required or optional. In this scenario, you haven't been asked to include requestor information for the access package, so you can leave these boxes empty. Select Next to open the Lifecycle tab.

  23. On the Lifecycle tab, you specify when a user's assignment to the access package expires. You can also specify whether users can extend their assignments. In the Expiration section:

    1. Set the Access package assignments expire to Number of days.
    2. Set the Assignments expire after to 30 days.
    3. Leave the Users can request specific timeline default value, Yes.
    4. Set the Require access reviews to No.

    Screenshot of the access package lifecycle tab

  24. Skip the Custom extensions step.

  25. Select Next to open the Review + Create tab.

  26. On the Review + Create tab, select Create. After a few moments, you should see a notification that the access package was successfully created.

  27. In left menu of the Marketing Campaign access package, select Overview.

  28. Copy the My Access portal link.

    You'll use this link for the next step.

    Screenshot that demonstrates how to copy the link to the access policy.

Step 3: Request access

In this step, you perform the steps as the internal requestor and request access to the access package. Requestors submit their requests using a site called the My Access portal. The My Access portal enables requestors to submit requests for access packages, see the access packages they already have access to, and view their request history. When a new guest requests an access package in MyAccess, their preferred language is stamped based on the MyAccess browser language at request time. This enables new guests to receive email communication in a language they understand.

Prerequisite role: Internal requestor

  1. Sign out of the Microsoft Entra admin center.

  2. In a new browser window, navigate to the My Access portal link you copied in the previous step.

  3. Sign in to the My Access portal as Requestor1.

    You should see the Marketing Campaign access package.

  4. In the Business justification box, type the justification I'm working on the new marketing campaign.

    Screenshot of the My Access portal listing the access packages.

  5. Select Submit.

  6. In the left menu, select Request history to verify that your request was delivered. For more details, select View.

    Screenshot of the My Access portal request history.

Step 4: Validate that access has been assigned

In this step, you confirm that the internal requestor was assigned the access package and that they're now a member of the Marketing resources group.

Prerequisite role: Global Administrator, Identity Governance Administrator, Catalog owner, or Access package manager

  1. Sign out of the My Access portal.

  2. Sign in to the Microsoft Entra admin center as Admin1.

  3. Browse to Identity governance > Entitlement management > Access packages.

  4. Find and select Marketing Campaign access package.

  5. In the left menu, select Requests.

    You should see Requestor1 and the Initial policy with a status of Delivered.

  6. Select the request to see the request details.

    Screenshot of the access package request details.

  7. In the left navigation, select Identity.

  8. Select Groups and open the Marketing resources group.

  9. Select Members.

    You should see Requestor1 listed as a member.

    Screenshot shows the requestor one has been added to the marketing resources group.

Step 5: Clean up resources

In this step, you remove the changes you made and delete the Marketing Campaign access package.

Prerequisite role: Global Administrator or Identity Governance Administrator

  1. In the Microsoft Entra admin center Identity Governance.

  2. Open the Marketing Campaign access package.

  3. Select Assignments.

  4. For Requestor1, select the ellipsis (...) and then select Remove access. In the message that appears, select Yes.

    After a few moments, the status will change from Delivered to Expired.

  5. Select Resource roles.

  6. For Marketing resources, select the ellipsis (...) and then select Remove resource role. In the message that appears, select Yes.

  7. Open the list of access packages.

  8. For Marketing Campaign, select the ellipsis (...) and then select Delete. In the message that appears, select Yes.

  9. In Identity, delete any users you created such as Requestor1 and Admin1.

  10. Delete the Marketing resources group.

Next steps

Advance to the next article to learn about common scenario steps in entitlement management.