Entitlement packages in Microsoft 365 are a way to streamline and grant access to users more easily. An entitlement package encapsulates user groups, Teams, applications, and SharePoint sites into a catalog. The resources in the catalog are each assigned an access role that dictates the permissions a user will have when using the resource. An approval process and a hyperlink added to the resources and roles are the basic ingredients of an entitlement package. This course will explore entitlement packages and their use cases more thoroughly, including implementation through the Azure portal.

Learning Objectives

  • Overview of Entitlement access packages
  • How to use Entitlement access packages
  • How to create an Entitlement access package in the Azure portal

Intended Audience

This course is intended for students who want to learn about Entitlement access packages, their use cases, and how to implement them. Students who intend to take the MS-100 exam: Microsoft 365 Identity and Services.


Have used the Azure portal, know what Azure Active Directory is, and optionally, have an Azure Active Directory Premium P2 or Enterprise Mobility plus Security E5.


So, what is entitlement in the context of Azure AD? The best explanation is the staff onboarding example. You turn up for your first day at a new job and after being introduced to people in the office, you’re shown to your desk and computer. A common experience is spending the next few hours, or perhaps days, getting access to the various systems you'll be using. Not only is this unproductive for you, a new and excited employee, but granting access to various systems may involve several people in different departments, taking them away from their core functions. In large organizations with multiple systems requiring diverse levels of access and employing thousands of people with the associated staff turnover, correctly managing user accounts is a substantial administrative overhead.

You can think of entitlement access packages as an extension of user roles. A set of user groups, teams, applications, and SharePoint sites are bundled together in a catalogue. Access to each resource in a catalogue is role-based. Access to the catalogue can be time limited or set to end on fixed date. The timeframe component of a package simplifies managing access lifecycle. A package can be limited to a project’s lifetime, with access automatically revoked when time is up. Unlike the usual process of assigning people to user groups, users request access to the entitlement package. The access approval mechanism is built into the package and can be configured as a multi-stage process involving multiple approvers. An access package can be configured to review access on a regular basis.

Using entitlement access packages means no one must explicitly give individuals access to systems. Going back to the employee onboarding scenario. The new employee would be given a URL link to the appropriate access package. They would request access to the package and once approved, they would be setup within the user groups, Teams, and with access to all the applications in the package. No more relying on Bob in IT to remember to grant individual access to all the necessary systems.

As with many software access models, administrators can delegate permission assignment to specified users who can create access packages within a particular domain or set of applications, i.e., a catalogue. Package approval can be escalated, so you could specify that packages having access to specific resources needs additional approval when requested. When an entitlement package is approved for an external user, that is, someone not in your Active Directory, they will be automatically added. When the package expires, and they have no other assigned access they will be automatically removed from the AD.

About the Author
Learning Paths

Hallam is a software architect with over 20 years experience across a wide range of industries. He began his software career as a  Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.