Let's go through the scenario of setting up an external contractor to use internal resources using an access package. You need to have an Azure AD premium P2 or an Enterprise mobility plus security E5 licence to use this feature. I'll start by logging into the Azure portal and going into Azure Active Directory. Select identity governance from the left-hand menu. I'm going to create an access package for external contractors, so I'll choose external user lifecycle and click create access package. 

In the basics tab, I'll give the package name and a description, leaving the catalogue as general. We’ll look at catalogues in more detail in the catalogues demo, but essentially a catalogue as a group of resources. The general catalogue is the default catalogue. When I move to the resource roles tab and click Groups and Teams, only one group is shown. I have to check see all group and teams that are not in the general catalogue to see all groups in my AD. In fact, I'm going to check that box for SharePoint sites as well. For each added resource I need to assign a role. 

In the requests tab, I'll select for users not in your directory and then all users as the contractor is an individual with a Gmail account, so doesn't belong to an organization.

Approval is required for external users, and I'll get them to justify their request for resource access. For the sake of simplicity let's make it a one-stage approval process and I'll make myself the approver. If a decision on the request isn't made within the number of days specified here, the request will be rejected. I'll get the approver to justify the approval and allow new requests to be made. I'm sure the requestor information isn't supposed to be some kind of quiz, but I'll use a trivial sporting fact to make sure the contractor is like-minded. 

The answer format will be multi-choice and I need to add possible answers with a language and what the answer will be in that language, specified in the localized text field. Let's make answering the question a mandatory requirement. The lifecycle tab is where we set the duration of the access package. I'll set it to a specific date, won't allow the user to modify the duration, and because it's only a month there's no need to review the access. That all looks in order, let's create the access package. 

Once the package has been created, we can see it in access packages under Entitlement management. I can get the access URL link from the context menu or from within the access package. Going into the access package shows us a summary of what we've just set up. The creator, when it was created, and the associated catalogue. The important piece of information for us now, is the My Access portal link. I'll copy it and paste it into another browser. 

Now I'll sign in with an email account completely unknown to my active directory. Impressively quickly an email with a code has appeared in Don's inbox. I'll copy the code from the email and paste it into the login field. This takes us through to the access package with the required question and business justification. You might recall that I didn't have to specify what the correct answer to the question is. The answer is just for the approver's benefit and not a test or password device. Once the mandatory fields have been completed, we request access. As the approver, I get notified of the request by email. The summary information in the email seems to be in order except for the access end date which I specified as the 17th of September 2022 but is showing as no end date. 

I'll copy the hyperlink from the email button because I don't want to use my default browser. Access approval doesn't happen within the Azure portal, but within the myaccess.microsoft.com domain. Pasting in the link from the email takes me to the approval page where I can see Don is requesting the External Contractor package. Selecting Don Kramer and hitting the approve button brings up the request data. Request details displays the requestor's business justification and the answer to the question is under information provided by user. 

Package details shows us what they’re getting access to, with the relevant roles. Approval history is a little barren as there is just the pending request. I’ll provide a reason to give Don access and click approve. Putting my Don hat back on and refreshing the access packages page, I need to log back in with a new access code. Now Don has been granted approval he needs to accept the terms and conditions to gain access. Following up on the email end date discrepancy, we can see that package end date is correct. correct. Don has been automatically added as an unlicensed user to the associated Microsoft 365 subscription.