Edit

Share via

What is entitlement management?

Entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration.

People in organizations need access to various groups, applications, and SharePoint Online sites to perform their job. Managing this access is challenging, as requirements change. New applications are added or identities need more access rights. This scenario gets more complicated when you collaborate with outside organizations. You might not know who in the other organization needs access to your organization's resources, and they won't know what applications, groups, or sites your organization is using.

Entitlement management can help you more efficiently manage access to groups, applications, and SharePoint Online sites for internal identities, and also for identities outside your organization who need access to those resources. You can also use entitlement management in preview to assign groups, API permissions, and roles to agent IDs.

Why use entitlement management?

Enterprise organizations often face challenges when managing workforce access to resources such as:

  • Identities might not know what access they, their direct reports, or the agents they sponsor should have, and even if they do, they could have difficulty locating the right individuals to approve their access
  • Once the access to resources is discovered and assigned, the identities could hold on to access longer than required for their business needs

These problems are compounded for identities who need access from another organization, such as external identities that are from supply chain organizations or other business partners. For example:

  • No one person might know all of the specific individuals in other organization's directories to be able to invite them
  • Even if they were able to invite these identities, no one in that organization might remember to manage all of the identities access consistently

Entitlement management can help address these challenges. To learn more about how customers have been using entitlement management, you can read the Mississippi Division of Medicaid, Storebrand, and Digital Security and Resilience team at Microsoft case studies. This video provides an overview of entitlement management and its value:

What can I do with entitlement management?

Here are some of capabilities of entitlement management:

  • Control who can get access to applications, groups, Teams and SharePoint sites, with multi-stage approval, and ensure identities don't retain access indefinitely through time-limited assignments and recurring access reviews.
  • Give identities access automatically to those resources, based on identity properties like department or cost center, and remove an identity's access when those properties change.
  • Give agent IDs access to resources needed and allow sponsors of the agent IDs to make sure access is maintained only while required.
  • Delegate to nonadministrators the ability to create access packages. These access packages contain resources that identities can request, and the delegated access package managers can define policies with rules for which identities can request, who must approve their access, and when access expires.
  • Select connected organizations whose identities can request access. When an identity who isn't yet in your directory requests access, and is approved, they're automatically invited into your directory and assigned access. When their access expires, if they have no other access package assignments, their B2B account in your directory can be automatically removed.

Note

If you are ready to try Entitlement management you can get started with our tutorial to create your first access package.

You can also read the common scenarios, or watch videos, including

What are access packages and what resources can I manage with them?

Entitlement management introduces the concept of an access package. An access package is a bundle of all the resources with the access an identity needs to work on a project or perform their task. Access packages can be used to govern access for internal identities, and also for identities who originate outside your organization.

Here are the types of resources you can manage identities' access to, with entitlement management:

  • Membership of Microsoft Entra security groups
  • Membership of Microsoft 365 Groups and Teams
  • Assignment to Microsoft Entra enterprise applications, including SaaS applications and custom-integrated applications that support federation/single sign-on and/or provisioning
  • Membership of SharePoint Online sites
  • API permissions, for agents with agent IDs or service principals, in preview as part of Microsoft Entra Agent ID

You can also control access to other resources that rely upon Microsoft Entra security groups or Microsoft 365 Groups. For example:

  • You can give identities licenses for Microsoft 365 by using a Microsoft Entra security group in an access package and configuring group-based licensing for that group.
  • You can give identities access to manage Azure resources by using a Microsoft Entra security group in an access package and creating an Azure role assignment for that group.
  • You can give identities access to manage Microsoft Entra roles by using groups assignable to Microsoft Entra roles in an access package and assigning a Microsoft Entra role to that group.

How do I control who gets access?

With an access package, an administrator or delegated access package manager lists the resources (groups, apps, and sites, Microsoft Entra roles, and API permissions), and the roles the identities need for those resources.

Access packages also include one or more policies. A policy defines the rules or guardrails for assignment to the access package. Each policy can be used to ensure that only the appropriate identities are able to have access assignments, and the access is time-limited to expire if not renewed.

Diagram of access package and policies.

You can have policies for identities to request access. In these kinds of policies, an administrator or access package manager defines

  • Either the already-existing identities (typically employees or already-invited guests), or the partner organizations of external identities that are eligible to request access
  • The approval process and the identities that can approve or deny access
  • The duration of an identity's access assignment, once approved, before the assignment expires

You can also have policies for identities to be assigned access, either by an administrator, automatically based on rules, or through lifecycle workflows.

The following diagram shows an example of the different elements in entitlement management. It shows one catalog with two example access packages.

  • Access package 1 includes a single group as a resource. Access is defined with a policy that enables a set of identities in the directory to request access.
  • Access package 2 includes a group, an application, and a SharePoint Online site as resources. Access is defined with two different policies. The first policy enables a set of identities in the directory to request access. The second policy enables identities in an external directory to request access.

Entitlement management overview diagram

When should I use access packages?

Access packages don't replace other mechanisms for access assignment. They're most appropriate in situations such as:

  • Migrating access policy definitions from a third party enterprise role management to Microsoft Entra ID.
  • Identities need time-limited access for a particular task. For example, you might use group-based licensing and a dynamic group to ensure all employees have an Exchange Online mailbox, and then use access packages for situations in which employees need more access rights. For example, rights to read departmental resources from another department.
  • Access that requires the approval of a person's manager or other designated individuals.
  • Access that should be assigned automatically to people in a particular part of an organization during their time in that job role, but also available for people elsewhere in the organization, or in a business partner organization, to request.
  • Departments wish to manage their own access policies for their resources without IT involvement.
  • Two or more organizations are collaborating on a project, and as a result, multiple identities from one organization needs to be brought in via Microsoft Entra B2B to access another organization's resources.

How do I delegate access?

Access packages are defined in containers called catalogs. You can have a single catalog for all your access packages, or you can designate individuals to create and own their own catalogs. An administrator can add resources to any catalog, but a nonadministrator can only add to a catalog the resources that they own. A catalog owner can add other identities as catalog co-owners, or as access package managers. These scenarios are described further in the article delegation and roles in entitlement management.

Summary of terminology

To better understand entitlement management and its documentation, you can refer back to the following list of terms.

Term Description
access package A bundle of resources that a team or project needs and is governed with policies. An access package is always contained in a catalog. You would create a new access package for a scenario in which identities need to request access for themselves.
access request A request to access the resources in an access package. A request typically goes through an approval workflow. If approved, the requesting identity receives an access package assignment.
assignment An assignment of an access package to an identity ensures the identity has all the resource roles of that access package. Access package assignments typically have a time limit before they expire.
catalog A container of related resources and access packages. Catalogs are used for delegation, so that nonadministrators can create their own access packages. Catalog owners can add resources they own to a catalog.
catalog creator A collection of identities who are authorized to create new catalogs. When a nonadministrator identity who is authorized to be a catalog creator creates a new catalog, they automatically become the owner of that catalog.
connected organization An external Microsoft Entra directory or domain that you have a relationship with. The identities from a connected organization can be specified in a policy as being allowed to request access.
policy A set of rules that defines the access lifecycle, such as how identities get access, who can approve, and how long they have access through an assignment. A policy is linked to an access package. For example, an access package could have two policies - one for employees to request access and a second for external identities to request access.
resource An asset, such as an Office group, a security group, an application, or a SharePoint Online site, with a role that an identity can be granted permissions to.
resource directory A directory that has one or more resources to share.
resource role A collection of permissions associated with and defined by a resource. A group has two roles - member and owner. SharePoint sites typically have three roles but could have other custom roles. Applications can have custom roles.

License requirements

This feature requires Microsoft Entra ID Governance or Microsoft Entra Suite subscriptions, for your organization's users. Some capabilities, within this feature, may operate with a Microsoft Entra ID P2 subscription. For more information, see the articles of each capability for more details. To find the right license for your requirements, see Microsoft Entra ID Governance licensing fundamentals.

License requirements for assigning agents to access packages (preview)

Important

Microsoft Entra Agent ID is part of Microsoft Agent 365, available now in Frontier, the Microsoft early access program for the latest AI innovations. For more information, see Microsoft Entra Agent ID.

Next steps

  • Last updated on