Access Package Demo


Implementing Entitlement Packages in Microsoft 365

Entitlement packages in Microsoft 365 are a way to streamline and grant access to users more easily. An entitlement package encapsulates user groups, Teams, applications, and SharePoint sites into a catalog. The resources in the catalog are each assigned an access role that dictates the permissions a user will have when using the resource. An approval process and a hyperlink added to the resources and roles are the basic ingredients of an entitlement package. This course will explore entitlement packages and their use cases more thoroughly, including implementation through the Azure portal.

Learning Objectives

  • Overview of Entitlement access packages
  • How to use Entitlement access packages
  • How to create an Entitlement access package in the Azure portal

Intended Audience

This course is intended for students who want to learn about Entitlement access packages, their use cases, and how to implement them. It is also intended for students who plan to take the MS-100 exam: Microsoft 365 Identity and Services.


Students should have used the Azure portal, know what Azure Active Directory is, and optionally have an Azure Active Directory Premium P2 or Enterprise Mobility plus Security E5 licence.


Let's go through the scenario of setting up an external contractor to use internal resources using an access package. You need to have an Azure AD Premium P2 or an Enterprise Mobility plus Security E5 licence to use this feature. I'll start by logging into the Azure portal and going into Azure Active Directory. Select Identity Governance from the left-hand menu. I'm going to create an access package for external contractors, so I'll choose External user lifecycle and click Create access package.

In the Basics tab, I'll give the package a name and a description, leaving the catalogue as General. We'll look at catalogues in more detail in the catalogues demo, but essentially a catalogue is a group of resources. The General catalogue is the default catalogue. When I move to the Resource roles tab and click Groups and Teams, only one group is shown. I have to check the "see all groups and teams that are not in the General catalogue" box to see all groups in my AD. In fact, I'm going to check that box for SharePoint sites as well. For each added resource I need to assign a role.

In the Requests tab, I'll select "For users not in your directory" and then "All users", as the contractor is an individual with a Gmail account and so doesn't belong to an organization.

Approval is required for external users, and I'll get them to justify their request for resource access. For the sake of simplicity let's make it a one-stage approval process and I'll make myself the approver. If a decision on the request isn't made within the number of days specified here, the request will be rejected. I'll get the approver to justify the approval and allow new requests to be made. I'm sure the requestor information isn't supposed to be some kind of quiz, but I'll use a trivial sporting fact to make sure the contractor is like-minded. 

The answer format will be multi-choice and I need to add possible answers with a language and what the answer will be in that language, specified in the localized text field. Let's make answering the question a mandatory requirement. The lifecycle tab is where we set the duration of the access package. I'll set it to a specific date, won't allow the user to modify the duration, and because it's only a month there's no need to review the access. That all looks in order, let's create the access package. 

Once the package has been created, we can see it in Access packages under Entitlement management. I can get the access URL link from the context menu or from within the access package. Going into the access package shows us a summary of what we've just set up: the creator, when it was created, and the associated catalogue. The important piece of information for us now is the My Access portal link. I'll copy it and paste it into another browser.

Now I'll sign in with an email account completely unknown to my Active Directory. Impressively quickly, an email with a code has appeared in Don's inbox. I'll copy the code from the email and paste it into the login field. This takes us through to the access package with the required question and business justification. You might recall that I didn't have to specify what the correct answer to the question is. The answer is just for the approver's benefit and not a test or password device. Once the mandatory fields have been completed, we request access. As the approver, I get notified of the request by email. The summary information in the email seems to be in order except for the access end date, which I specified as the 17th of September 2022 but is showing as no end date.

I'll copy the hyperlink from the email button because I don't want to use my default browser. Access approval doesn't happen within the Azure portal, but within the domain. Pasting in the link from the email takes me to the approval page where I can see Don is requesting the External Contractor package. Selecting Don Kramer and hitting the approve button brings up the request data. Request details displays the requestor's business justification and the answer to the question is under information provided by user. 

Package details shows us what they're getting access to, with the relevant roles. Approval history is a little barren as there is just the pending request. I'll provide a reason to give Don access and click approve. Putting my Don hat back on and refreshing the access packages page, I need to log back in with a new access code. Now that Don has been granted approval, he needs to accept the terms and conditions to gain access. Following up on the email end date discrepancy, we can see that the package end date is correct. Don has been automatically added as an unlicensed user to the associated Microsoft 365 subscription.
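
The policy choices made in the walkthrough (approval for external users, approver justification, a fixed end date the user cannot modify, no review for a one-month package) can be checked after the fact. The following is an added example, not part of the course material: it audits a constructed policy record whose field names are assumed to match the Microsoft Graph accessPackageAssignmentPolicy resource, and the creation date and 45-day review threshold are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample mirroring the walkthrough's choices. Field names are assumed
# to match a Microsoft Graph accessPackageAssignmentPolicy export.
SAMPLE_POLICY = json.loads("""{
  "allowedTargetScope": "allExternalUsers",
  "expiration": {"type": "afterDateTime", "endDateTime": "2022-09-17T00:00:00Z"},
  "requestorSettings": {"allowCustomAssignmentSchedule": false},
  "requestApprovalSettings": {
    "isApprovalRequiredForAdd": true,
    "stages": [{"isApproverJustificationRequired": true,
                "primaryApprovers": [{"userId": "placeholder-approver-id"}]}]},
  "reviewSettings": {"isEnabled": false}
}""")
DEMO_CREATED = datetime(2022, 8, 17, tzinfo=timezone.utc)  # constructed creation date
EXTERNAL_SCOPES = {"allExternalUsers", "allConfiguredConnectedOrganizationUsers",
                   "specificConnectedOrganizationUsers"}

def audit_policy(policy, created, max_unreviewed_days=45):
    """Return findings for a policy that lets external users request access."""
    if policy.get("allowedTargetScope") not in EXTERNAL_SCOPES:
        return []  # internal-only policy: outside this check
    findings = []
    approval = policy.get("requestApprovalSettings") or {}
    stages = approval.get("stages") or []
    if not approval.get("isApprovalRequiredForAdd") or not stages:
        findings.append("external requests are not gated by approval")
    for n, stage in enumerate(stages, 1):
        if not stage.get("primaryApprovers"):
            findings.append(f"stage {n}: no approver assigned")
        if not stage.get("isApproverJustificationRequired"):
            findings.append(f"stage {n}: approver justification not required")
    exp = policy.get("expiration") or {}
    if exp.get("type") not in ("afterDateTime", "afterDuration"):
        findings.append("external access never expires")
    elif exp.get("type") == "afterDateTime":
        # Only fixed end dates are measured here; durations are not parsed.
        end = datetime.fromisoformat(exp["endDateTime"].replace("Z", "+00:00"))
        reviewed = (policy.get("reviewSettings") or {}).get("isEnabled", False)
        if not reviewed and (end - created).days > max_unreviewed_days:
            findings.append("long-lived access with access reviews disabled")
    if (policy.get("requestorSettings") or {}).get("allowCustomAssignmentSchedule"):
        findings.append("requestor can change the access duration")
    return findings

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY, DEMO_CREATED) or "no findings")
```

The sample policy passes with no findings because its end date falls about a month after creation; the same check flags a policy with approval switched off or with no expiration.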

About the Author

Hallam is a software architect with over 20 years' experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.