AZ-104 | Chapter 42 of 168 | Objective 1.1

Entitlement Management and Access Packages

This chapter covers Azure AD entitlement management and access packages, a core component of identity governance for the AZ-104 exam. Entitlement management lets administrators manage access to groups, applications, and SharePoint Online sites at scale through automated workflows, approvals, and time-limited assignments. Within the 'Manage identities and governance' domain (15-20% of the total exam), roughly 15-20% of the questions touch on entitlement management, access packages, or related concepts such as connected organizations and access reviews. Mastering this topic is essential for passing AZ-104.

25 min read
Intermediate
Updated May 31, 2026

Access Package as a Library Membership

Entitlement management with access packages works like a university library's membership system. The library (Azure AD) has many resources: books (applications), study rooms (groups), and databases (SharePoint sites). A student (user) needs access to certain resources for a specific course (project). The librarian (administrator) creates a membership package (access package) that includes a book, a study room booking, and a database subscription. The student requests this package through a catalog (Azure AD My Access portal). The librarian's automated system checks if the student is enrolled in the course (fulfills policy requirements) and, if approved, issues the package for a set semester (time-limited access). The system automatically revokes access when the semester ends (expiration). The librarian can also have a manager approve the request (approval workflow). Just as a student cannot keep the book after the semester without renewal, a user cannot retain access beyond the policy's expiration without re-requesting. The library's system tracks all issued packages and their statuses, just as Azure AD tracks access package assignments. If the student changes courses, the librarian can update the package to include different resources, and the system automatically adjusts access. This analogy captures the core mechanics: resource bundling, policy-based access, time limits, and automated lifecycle management.

How It Actually Works

What is Entitlement Management and Why It Exists

Entitlement management is a feature of Azure AD (now Microsoft Entra ID) that enables organizations to manage the identity and access lifecycle at scale. It addresses the challenge of granting and revoking access to internal and external users across a heterogeneous environment of groups, applications, and SharePoint Online sites. Instead of manually adding users to individual groups or assigning licenses one by one, administrators can create *access packages* — bundles of resources that a user can request, be approved for, and automatically receive. The key driver is the need for governance: ensuring the right people have the right access for the right amount of time, with audit trails and automated expiration.

On the AZ-104 exam, you must understand that entitlement management is part of Azure AD Identity Governance. It is not a standalone product but a feature set within Azure AD P2 licensing (or Azure AD Identity Governance SKU). The exam tests your ability to configure access packages, define policies, manage connected organizations, and perform access reviews.

How It Works Internally

Entitlement management operates through a series of interconnected components:

Catalog: A container for related access packages. Catalogs are used to group access packages by department, project, or purpose. Only users with the appropriate administrative role (e.g., Catalog Creator, Catalog Owner) can manage catalogs.

Access Package: A bundle of resources (groups, apps, SharePoint sites) with one or more policies. Each policy defines who can request (users in directory, users from connected orgs, or none), approval settings, and lifecycle (duration, expiration, access reviews).

Resources: The actual objects being assigned: Azure AD security groups, Microsoft 365 groups, Azure AD enterprise applications, and SharePoint Online site collections. When a user is assigned an access package, the entitlement management service adds the user to the group(s) or assigns the application via Azure AD provisioning.

Policies: Each access package can have multiple policies, each targeting a different audience. For example, one policy for employees (with manager approval, 6-month duration) and another for external partners (with sponsor approval, 30-day duration).

Connected Organizations: External Azure AD tenants or domains that are pre-configured for collaboration. Users from these organizations can request access packages without needing to be added as guest users manually.

Access Reviews: Periodic reviews of active assignments to confirm continued need. These can be built into the access package policy.

My Access Portal: The user-facing portal (https://myaccess.microsoft.com) where users request access packages, view their assignments, and manage approvals.

The flow of an access package request:

1. A user (internal or external) navigates to the My Access portal and selects an access package from the catalog.
2. The user fills out any required business justification.
3. The request is routed based on the policy: it may require one or two stages of approval (e.g., manager, then resource owner).
4. If approved, the entitlement management service automatically assigns the resources. This is asynchronous; the assignment may take up to a few minutes.
5. The assignment has a defined duration (e.g., 90 days). Before expiration, the user may be able to extend the assignment (if the policy allows).
6. When the assignment expires or is terminated, the entitlement management service removes the user from the groups and revokes application access.

Key Components, Values, Defaults, and Timers

Default assignment duration: 365 days if not specified. Can be set from 0 days (no expiration) to 3650 days (10 years).

Maximum number of access packages per catalog: 30.

Maximum number of resources per access package: 30.

Maximum number of policies per access package: 30.

Approval stages: Up to 2 stages. Stage 1 typically is the user's manager (automatically detected). Stage 2 is a specific user or group.

Approval timeout: If an approver does not respond within 14 days (default), the request is automatically denied. This timeout is configurable from 1 to 30 days.

Access review frequency: Can be weekly, monthly, quarterly, semi-annually, or annually.

Connected organizations: Supports up to 200 connected organizations per tenant.

Guest user auto-expiration: For external users, access package assignments can be set to expire, and the guest user account itself can be automatically removed after a period of inactivity (via Azure AD external identities settings).

Configuration and Verification Commands

While most entitlement management configuration is done via the Azure portal (Azure AD > Identity Governance > Entitlement management), the AZ-104 exam may test PowerShell or Microsoft Graph API commands.

PowerShell (AzureADPreview module; note that the AzureAD and AzureADPreview modules are deprecated in favour of the Microsoft Graph PowerShell SDK, but this is the syntax the exam material still uses):

# Connect to Azure AD
Connect-AzureAD

# Create a catalog and keep the returned object so its Id can be reused below
$catalog = New-AzureADMSAccessPackageCatalog -DisplayName "HR Catalog" -Description "Access packages for HR department"

# Create an access package inside that catalog
$package = New-AzureADMSAccessPackage -DisplayName "HR Onboarding Package" -Description "Resources for new HR hires" -CatalogId $catalog.Id

# A resource must be added to the catalog first (an 'AdminAdd' resource request) ...
$group = Get-AzureADMSGroup -SearchString "HR Team"
$resource = New-Object Microsoft.Open.MSGraph.Model.AccessPackageResource
$resource.OriginSystem = "AadGroup"
$resource.OriginId = $group.Id
$resource.DisplayName = $group.DisplayName
New-AzureADMSAccessPackageResourceRequest -CatalogId $catalog.Id -RequestType "AdminAdd" -AccessPackageResource $resource

# ... and only then bound to the access package as a resource role (here the group's 'Member' role)
$catalogResource = Get-AzureADMSAccessPackageResource -CatalogId $catalog.Id -Filter "originId eq '$($group.Id)'"
$role = Get-AzureADMSAccessPackageResourceRole -CatalogId $catalog.Id -Filter "originSystem eq 'AadGroup' and accessPackageResource/id eq '$($catalogResource.Id)' and displayName eq 'Member'"
$scope = New-Object Microsoft.Open.MSGraph.Model.AccessPackageResourceScope
$scope.OriginSystem = $catalogResource.OriginSystem
$scope.OriginId = $catalogResource.OriginId
New-AzureADMSAccessPackageResourceRoleScope -AccessPackageId $package.Id -AccessPackageResourceRole $role -AccessPackageResourceScope $scope

# Create a policy whose assignments expire after 90 days
New-AzureADMSAccessPackageAssignmentPolicy -AccessPackageId $package.Id -DisplayName "Employee Policy" -DurationInDays 90

# View assignments
Get-AzureADMSAccessPackageAssignment -AccessPackageId $package.Id

Microsoft Graph API (called here through Azure CLI, which obtains the Graph access token for you):

# az rest targets graph.microsoft.com directly; no separate extension is needed
az rest --method GET --uri "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/accessPackages"

How It Interacts with Related Technologies

Azure AD Groups: Access packages can include groups. When assigned, the user is added to the group. This trickles down to applications that use group-based assignment.

Azure AD Application Provisioning: If an access package includes an enterprise application, the user is assigned to the application via provisioning. The app must support user provisioning (SCIM, etc.).

Access Reviews: Access packages can have built-in access reviews. When a review is completed, if a reviewer denies access, the assignment is removed.

Identity Protection: Risky users can be blocked from requesting access packages via Conditional Access.

Privileged Identity Management (PIM): Access packages are for persistent access; PIM is for time-bound privileged roles. They are complementary.

Microsoft 365 Groups: Access packages can include Microsoft 365 groups, granting access to Teams, SharePoint, etc.

B2B Collaboration: Connected organizations enable external users from partner tenants to request access packages without manual guest invitation.

Walk-Through

1. Create a Catalog

Navigate to Azure AD > Identity Governance > Entitlement management > Catalogs. Click 'New catalog'. Provide a name and description (e.g., 'Marketing Catalog'). You can optionally add owners (users who can manage access packages in this catalog) and reviewers. Catalogs are logical containers; they do not grant any access by themselves. Each catalog can hold up to 30 access packages. In a production environment, you might create one catalog per department or project. Once created, you can add resources (groups, apps, sites) to the catalog before creating access packages. Note: Only users with the 'Catalog Creator' role or 'Global Administrator' can create catalogs.

2. Add Resources to the Catalog

In the catalog, under 'Resources', click 'Add resources'. You can add Azure AD security groups, Microsoft 365 groups, enterprise applications, or SharePoint Online site collections. For groups, you must specify the group object ID. For applications, the app must be registered in Azure AD and support user assignment. For SharePoint sites, you provide the site URL. Resources can be shared across multiple access packages within the same catalog. Once added, the resource is available for use in any access package in that catalog. Note: You cannot add resources from outside the catalog; they must be brought into the catalog first. This step is often forgotten by candidates — resources must be added to the catalog before they can be included in an access package.

3. Create an Access Package

From the catalog, click 'New access package'. Provide a name, description, and select the catalog. Then, on the 'Resource roles' tab, select resources from the catalog and assign roles (e.g., 'Member' for a group, 'User' for an app). Each resource can have one role. Next, on the 'Requests' tab, define who can request: 'Users in your directory' (internal), 'Users from connected organizations' (external), or 'None' (admin only). You can also require approval (1 or 2 stages), set a justification requirement, and enable 'Require access review'. On the 'Lifecycle' tab, set expiration: 'Number of days' (default 365), 'Specific date', or 'No expiration'. You can also allow users to extend access. Finally, review and create. Access packages can be updated later, but changes to policies apply only to new requests, not existing assignments.

4. Configure Connected Organizations

If external users need to request access, you must define connected organizations. Go to Azure AD > Identity Governance > Entitlement management > Connected organizations. Click 'Add connected organization'. Provide the organization's name, description, and domain(s) (e.g., 'contoso.com'). You can also specify a tenant ID for a direct federation. Connected organizations are used to allow users from those domains to request access packages that have a policy targeting 'Specific connected organizations'. Without this, external users cannot see or request access packages. The exam often tests that connected organizations must be configured before external users can request. Also note: You can set a 'Sponsors' list — users who are notified when a request is made from that organization.

5. Test and Monitor Access Package Assignments

As a user, navigate to https://myaccess.microsoft.com. Sign in and browse the catalog. Request an access package. If approval is required, the approver will receive an email and can approve/deny via the My Access portal. Once approved, the user will see the assignment in 'My access' > 'Entitlements'. The assignment may take a few minutes to provision. As an administrator, monitor assignments in Azure AD > Identity Governance > Entitlement management > Access packages > select the package > 'Assignments'. You can see status (Delivered, Delivering, Failed, etc.). You can also manually assign a user to an access package by clicking 'New assignment' and selecting a user and policy. This bypasses the request workflow. The exam may ask about manual assignments vs. requests.

What This Looks Like on the Job

Enterprise Scenario 1: Partner Onboarding

A multinational corporation uses access packages to onboard external partners. They create a 'Partner Access' catalog with resources like a shared SharePoint document library, a Microsoft 365 group for communication, and a CRM application. Connected organizations are configured for each partner tenant (e.g., partner1.com). Each partner has a policy: approval by the partner's sponsor (a company employee), duration of 90 days, with quarterly access reviews. When a partner employee requests access, the sponsor approves, and the user is automatically added to the group and assigned the CRM app. After 90 days, access expires; the user can request extension if needed. This eliminates manual guest account management and ensures access is time-bound and auditable. Common pitfall: forgetting to configure the 'Sponsors' list for the connected organization, causing approval emails to go to no one.

Enterprise Scenario 2: Employee Project-Based Access

A consulting firm uses access packages for employees working on different projects. They create a 'Project Alpha' access package containing a Teams team, a project management app, and a SharePoint site. The policy targets internal users with manager approval and a duration of 6 months (aligned with project timeline). When an employee is assigned to the project, they request the package, their manager approves, and they gain access. When the project ends or the employee leaves, the assignment expires automatically. This ensures that employees do not accumulate permissions over time. The firm also runs monthly access reviews to catch any stale assignments. A common issue: employees forget to request access and IT receives helpdesk tickets. To mitigate, the firm enables automatic assignment via group membership (using Azure AD dynamic groups) but uses access packages for non-dynamic scenarios.

Scenario 3: Compliance-Driven Access Lifecycle

A financial institution must comply with SOX and GDPR. They use access packages to grant access to sensitive financial applications. Each access package includes an access review that occurs quarterly. The policy requires two-stage approval: first the user's manager, then the compliance officer. Duration is set to 90 days, and users must provide a business justification. If a user's access is not reviewed, it is automatically revoked. The institution uses audit logs (Azure AD audit logs) to track all requests and approvals. They also integrate with Azure Monitor to alert on any failed provisioning. Misconfiguration: setting 'No expiration' on a sensitive access package, which violates compliance. The exam tests that for sensitive resources, you should always set expiration and access reviews.
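The misconfigurations Scenario 3 warns about (no expiration, self-service requests with no approver, no access review) can be checked mechanically. The following Python script is an added example, not part of this chapter or of any Microsoft tooling: it audits assignment policies in the shape returned by Microsoft Graph v1.0 for /identityGovernance/entitlementManagement/assignmentPolicies (the property names expiration.type, requestorSettings.allowedTargetScope, requestApprovalSettings.isApprovalRequiredForAdd and reviewSettings.isEnabled are assumed from that schema), the 90-day threshold is an assumed house rule, and the sample response is constructed.

```python
"""Audit entitlement management assignment policies for governance gaps.

Runs offline on JSON shaped like the Microsoft Graph v1.0 response to
GET /identityGovernance/entitlementManagement/assignmentPolicies
(property names follow that schema as assumed here; the sample below is constructed).
"""
import re
from typing import Dict, List

MAX_SENSITIVE_DAYS = 90  # assumed house rule: sensitive packages expire within 90 days


def iso_duration_days(duration: str) -> int:
    """Convert an ISO 8601 day/hour duration such as 'P90D' or 'P1DT12H' to whole days."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?)?", duration or "")
    if not m:
        raise ValueError(f"unsupported duration: {duration!r}")
    days, hours = (int(x) if x else 0 for x in m.groups())
    return days + hours // 24


def audit_policy(policy: Dict) -> List[str]:
    """Return the governance findings for one assignment policy (empty list = clean)."""
    findings = []
    name = policy.get("displayName") or policy.get("id", "<unnamed>")
    exp = policy.get("expiration") or {}
    scope = (policy.get("requestorSettings") or {}).get("allowedTargetScope", "noSubjects")
    approval = policy.get("requestApprovalSettings") or {}
    review = policy.get("reviewSettings") or {}

    # Finding 1: assignments that never expire, or outlive the house limit
    if exp.get("type") in (None, "notSpecified", "noExpiration"):
        findings.append(f"{name}: no expiration set")
    elif exp.get("type") == "afterDuration":
        if iso_duration_days(exp.get("duration", "")) > MAX_SENSITIVE_DAYS:
            findings.append(f"{name}: duration {exp['duration']} exceeds {MAX_SENSITIVE_DAYS} days")

    # Finding 2: anyone may request (scope is not admin-only) yet no approval stage is required
    if scope not in ("noSubjects", "notSpecified") and not approval.get("isApprovalRequiredForAdd", False):
        findings.append(f"{name}: requestors '{scope}' obtain access without approval")

    # Finding 3: no recurring access review on the assignments
    if not review.get("isEnabled", False):
        findings.append(f"{name}: access review not enabled")
    return findings


def audit_policies(graph_response: Dict) -> Dict[str, List[str]]:
    """Audit every policy in a Graph collection response, keyed by policy displayName."""
    return {p["displayName"]: audit_policy(p) for p in graph_response.get("value", [])}


# Constructed sample in the shape of the Graph collection response (not real tenant data)
SAMPLE_RESPONSE = {"value": [
    {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Partner Policy",
     "requestorSettings": {"allowedTargetScope": "specificConnectedOrganizationUsers"},
     "requestApprovalSettings": {"isApprovalRequiredForAdd": True, "stages": [{}]},
     "expiration": {"type": "afterDuration", "duration": "P90D"},
     "reviewSettings": {"isEnabled": True}},
    {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Finance Apps Policy",
     "requestorSettings": {"allowedTargetScope": "allMemberUsers"},
     "requestApprovalSettings": {"isApprovalRequiredForAdd": False, "stages": []},
     "expiration": {"type": "noExpiration"},
     "reviewSettings": {"isEnabled": False}},
    {"id": "00000000-0000-0000-0000-000000000003", "displayName": "Admin Only Policy",
     "requestorSettings": {"allowedTargetScope": "noSubjects"},
     "requestApprovalSettings": {"isApprovalRequiredForAdd": False},
     "expiration": {"type": "afterDuration", "duration": "P365D"},
     "reviewSettings": {"isEnabled": True}},
]}
```

To run it against a real tenant, replace SAMPLE_RESPONSE with the JSON returned by az rest --method GET --uri "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies".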

How AZ-104 Actually Tests This

What AZ-104 Tests on Entitlement Management and Access Packages

AZ-104 objective 1.1 (Manage identities and governance) includes:

Configure entitlement management, including catalogs, access packages, and policies.

Manage access reviews.

Manage connected organizations.

Understand the difference between entitlement management and PIM.

The exam focuses on the configuration steps, not deep internals. You must know the portal navigation: Azure AD > Identity Governance > Entitlement management. You must know that access packages require Azure AD Premium P2 licensing (or Identity Governance SKU). Common scenario-based questions ask: 'You need to allow external users from a partner company to request access to a set of resources for 30 days with manager approval. What should you configure?' The answer: Create a connected organization, an access package with a policy targeting that connected organization, set duration to 30 days, and require approval.

Common Wrong Answers and Why

1. Using Azure AD B2B directly instead of connected organizations: Candidates think they can just invite guest users manually. But the requirement is to allow users to request access themselves; connected organizations enable self-service requests.

2. Setting no expiration for compliance: The exam often tests that for sensitive resources, you must set expiration and access reviews. Choosing 'No expiration' is wrong.

3. Adding resources directly to an access package without adding them to the catalog first: The step-by-step process requires adding resources to the catalog. The exam may present a scenario where the admin tries to add a resource and fails because it's not in the catalog.

4. Confusing access packages with Azure AD groups: An access package is a policy-driven bundle; a group is just one type of resource. The exam may ask which to use for time-limited access: access package (correct) vs. dynamic group (wrong, because dynamic groups don't have expiration).

Specific Numbers and Terms That Appear Verbatim

'My Access portal' (https://myaccess.microsoft.com)

'Connected organization' (not 'external organization')

'Catalog' (not 'container')

'Access package' (not 'resource package')

'Assignment policy' (often referred to as 'policy')

Maximum 30 access packages per catalog, 30 resources per package, 30 policies per package.

Default expiration: 365 days.

Approval timeout: 14 days.

Edge Cases and Exam Tricks

If a user is assigned to an access package that includes a group, and later the group is removed from the access package, the user remains in the group. Removing a resource from an access package does not remove existing assignments.

An access package can have multiple policies, but a user can only have one assignment per access package. If a user is already assigned via one policy, they cannot request again via another policy.

Access reviews can be configured on the access package or on the group directly. The exam may ask which one to use for recurring reviews: access package-based reviews are tied to the assignment lifecycle.

Deleting an access package does not remove existing assignments; it only prevents new requests.

How to Eliminate Wrong Answers

If the question mentions 'self-service request by external users', look for 'connected organization' in the answer choices.

If the question mentions 'time-limited access', ensure the policy has an expiration set.

If the question mentions 'approval', ensure the policy has approval stages configured.

If the question mentions 'audit and compliance', ensure access reviews are included.

If the question mentions 'multiple resources bundled together', the answer is 'access package'.

Key Takeaways

Entitlement management requires Azure AD Premium P2 licensing for internal users.

Access packages bundle resources (groups, apps, SharePoint sites) with policies for request, approval, and lifecycle.

Connected organizations must be configured before external users can request access packages.

Resources must be added to a catalog before they can be included in an access package.

Default expiration for access package assignments is 365 days.

Approval timeout default is 14 days; can be configured 1-30 days.

Maximum of 30 access packages per catalog, 30 resources per package, 30 policies per package.

Deleting an access package does not remove existing assignments.

Access reviews can be built into access package policies for periodic recertification.

The My Access portal (myaccess.microsoft.com) is where users request and manage their access packages.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Entitlement Management (Access Packages)

Used for persistent, time-limited access to groups, apps, and SharePoint.

Assignments are active for a defined duration (e.g., 90 days).

Supports self-service requests with approval workflows.

Can include multiple resources in one package.

Licensing: Azure AD Premium P2.

Privileged Identity Management (PIM)

Used for just-in-time privileged role activation (e.g., Global Admin).

Activation is temporary (hours) with approval and justification.

Primarily for Azure AD roles and Azure resource roles.

Each role is managed individually, not bundled.

Licensing: Azure AD Premium P2.

Watch Out for These

Mistake

Entitlement management is available in Azure AD Free tier.

Correct

Entitlement management requires Azure AD Premium P2 licenses for users who are members of access packages. External guest users may be covered by the 'rights management' provision, but internal users must be licensed.

Mistake

Access packages can only include groups.

Correct

Access packages can include Azure AD security groups, Microsoft 365 groups, enterprise applications, and SharePoint Online site collections. They are not limited to groups.

Mistake

Once an access package is created, its policies cannot be changed.

Correct

Policies can be updated at any time. However, changes apply only to new requests, not existing assignments. Existing assignments retain the original policy settings.

Mistake

A user can be assigned to the same access package multiple times via different policies.

Correct

A user can have only one active assignment per access package. If they are already assigned, they cannot request again. However, they can extend access if the policy allows.

Mistake

Connected organizations are required for all external users, even if they are already guests in the directory.

Correct

If a user is already a guest user in the Azure AD tenant, they can request access packages that target 'Users in your directory' without needing a connected organization. Connected organizations are only needed for users who are not yet guests and need to request access.


Frequently Asked Questions

What licensing is required for entitlement management?

Entitlement management requires Azure AD Premium P2 licenses for internal users who are members of access packages. External guest users may not require a license if the organization has sufficient rights management provisions, but it is recommended to have P2 licenses for all users. The AZ-104 exam may present a scenario where you need to enable entitlement management; the answer will mention Azure AD Premium P2.

How do I allow external users to request access packages?

First, configure a connected organization in Azure AD > Identity Governance > Entitlement management > Connected organizations. Add the external domain(s). Then, in the access package policy, under 'Users who can request', select 'Users from specific connected organizations' and choose the connected organization. Ensure the policy has approval and expiration configured. External users will see the access package in the My Access portal after signing in with their organizational account.

Can I modify an access package after it has been assigned to users?

Yes, you can modify the access package (e.g., add/remove resources, change policies). However, changes to policies only affect new requests. Existing assignments remain under the original policy settings. If you remove a resource from the access package, existing assignments are not affected; the user retains access to that resource until their assignment expires or is revoked.

What is the difference between an access package and a group?

An access package is a policy-driven bundle that can include multiple resources (groups, apps, SharePoint sites) with request, approval, and expiration settings. A group is a single resource that can be included in an access package. Access packages provide governance features like time-limited access and approval workflows, which groups alone do not. On the exam, if the requirement includes time-limited access or self-service requests, the answer is an access package.

How do I revoke a user's access package assignment before expiration?

As an administrator, go to Azure AD > Identity Governance > Entitlement management > Access packages > select the package > Assignments. Find the user's assignment and click 'Remove'. This will trigger removal of the user from all resources in the package. Alternatively, in the AzureADPreview module the removal is submitted as an admin request against the assignment: New-AzureADMSAccessPackageAssignmentRequest -RequestType "AdminRemove" -AccessPackageAssignmentId $assignmentId. Note: Removing an assignment does not delete the user's account.

Can I use dynamic groups with access packages?

Access packages can include static groups, but you can also include a dynamic group as a resource. However, if a user is added to a dynamic group via an access package, their membership is still governed by the dynamic group rule. If the rule no longer applies, they may be removed by the dynamic group engine. It is generally recommended to use static groups for access package resources to have predictable control.

What happens when an access package expires?

The access package itself does not expire; it is the assignments that have expiration. When a user's assignment expires, the entitlement management service automatically removes the user from all resources in the package. If the policy allows extension, the user can request an extension before expiration. After expiration, the user must submit a new request to regain access.
