Entitlement Management access packages

Microsoft Entra Entitlement Management lets you bundle access to apps, groups, SharePoint sites, and Teams into access packages that users can request through a self-service catalog. Each package has policies — who can request, who approves, how long access lasts, recertification — making complex access requests manageable at scale.

What goes into an access package

An access package combines:

Microsoft Entra ID groups — security groups, Microsoft 365 Groups.
Microsoft 365 apps — Teams (via group), SharePoint sites (via group).
Enterprise applications — SaaS apps integrated with Entra ID via SSO.
Multiple roles within an app (where the app supports it).

A package isn't a permission set per se; it's a bundle of group memberships and app-role assignments that gets granted when the request is approved.

Use cases

Onboarding by role

Create an access package per role — "Sales Representative," "Software Engineer," "HR Business Partner." When a new hire is requested into the role, the access package grants them everything they need: relevant groups, Teams, SharePoint sites, Salesforce, JIRA, ServiceNow, etc.

For HR-system-driven provisioning, the access package is requested automatically as part of the joiner workflow.

Project-based access

For project staffing — "Project Phoenix Team Member" — the access package grants access to the project's resources, with automatic expiration at project end. No more orphaned access after the project closes.

External partner access

For ongoing partnerships — "Acme Corp Vendor Partner" — the access package handles the joining of partner organisation users as B2B guests, with appropriate group memberships and resource access.

Compliance recertification

Access packages with periodic access reviews force recertification — every 6 months, the user's manager confirms they still need this access. Catches the slow drift problem.

Configuration

In Entra admin center → Identity Governance → Entitlement management → Access packages:

Create the package with name and description.
Add resources — groups, apps, SharePoint sites.
Configure policies:
- Who can request — specific users, groups, anyone in the directory, external users.
- Approver(s) — manager, named approver, self (auto-approved).
- Required questions — justification fields the requester must fill.
- Duration — permanent, fixed days, time-bound.
- Access reviews — schedule and reviewers.
Publish to the catalog — users see it in myaccess.microsoft.com.
Approve or auto-approve requests as they come in.

The user experience

Users go to myaccess.microsoft.com and see a catalog of available packages. Pick one, fill in the justification, submit. Approver gets a notification, approves or denies. Access is granted within minutes; emails confirm what was granted.

For most non-IT users, this is dramatically better than "email IT for access to X."

Operational considerations

Catalog organisation — group access packages into catalogs for navigation (one per department, one per type).
Naming — descriptive names. "Sales — Standard Access Package" vs "AccPkg2".
Owners — every access package has an owner accountable for maintenance.
Audit — every grant, approval, and revocation is logged.
Recertification — access reviews are essential; don't grant indefinite access without review.

When access packages aren't the right tool

One-off ad-hoc requests — too much overhead vs just adding the user to a group.
Privileged admin role assignment — use PIM instead.
Very simple flat directories — minimal benefit over direct group assignment.

Licensing

Entitlement Management requires Microsoft Entra ID Governance licensing, sold separately from base Entra ID (often included with Microsoft 365 E5).

For organisations with significant access-management complexity — many roles, many apps, many users, partner relationships — access packages are how this becomes maintainable. The investment in designing the right package taxonomy pays back continuously.