Back to blog

AAD Access Reviews: Azure AD Entitlement Management – pt. 2

Feb 18, 2020 by Dominik Hoefling

You can read part one of this series here.

Azure AD Entitlement Management

Another identity governance feature is called Azure AD entitlement management, which was announced as generally available at Microsoft Ignite 2019. Entitlement management enables organizations to manage identity and the access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration. Your users need access to various groups, applications, and sites to perform their daily tasks. This gets more complicated when you collaborate with outside organizations and you may not know who needs access to your organization’s resources, and the guest users or partners won’t know what applications, groups or sites your organization is using.

More information can be found here, as this blog post only covers the identity governance of guest users in your organization. In this example, multiple users from one organization will need to be brought in via Azure AD B2B collaboration to access another organization’s resources.

Access packages

An access package is a bundle of resources that a team or project needs and is governed with policies. Access packages are defined in containers called ‘catalogs’ and you can delegate the management of the access package to the catalog’s owner.

Basics: Define a name, description, and catalog for your access package.

Resource roles: Click on ‘Groups and Teams’ and choose the object which will be used for management. In this example we are using the Team ‘Digital Initiative Public Relations’ as we already did in the previous section. The guest users from the external organization will be members (as defined by Role) in this Team.

Requests: the access package can be requested only for specific connected organizations with the UPN and don’t need any further approval.

Lifecycle: On the next screen you can configure the time when the access package assignments will expire and if the access package requires access reviews.

Invite users

After you’ve deployed the access package and reviewed all required configurations, you can either send the ‘My Access’ portal link to users within the external organization, or the organization with the specified UPN in your access package can see the requests in the My Access portal.

Verify assignments

You can verify which user has requested access to your defined resources. After the configured expiration time, the guest users will be removed from your resources and you can decide if you want to extend the time or edit/create new access packages.

The invited user will also get notified, receiving an email about the access confirmation:


Azure AD entitlement management is a powerful feature to control access within your organization and for external organizations like partners and guest users. You can delegate access to other users and configure an approval process and access reviews if required. It’s always a good idea to keep your tenant clean and remove external users as soon as they are not required – regular reviews and delegated control to the owners of the project or resources can support this effort.

You can download a PDF copy of both parts one and two here.