This chapter covers Entra ID Entitlement Management and Access Packages, a key component of Identity Governance under exam objective 2.3. Entitlement management enables organizations to manage identity and access lifecycle at scale by automating access requests, approvals, assignments, and reviews. For the MS-102 exam, this topic typically accounts for 5-10% of questions, with a focus on configuring access packages, understanding entitlement management components, and troubleshooting common misconfigurations. Mastery of this topic is critical for the 'Manage identity and access' domain.
Entitlement management with access packages works like a university library system that issues membership cards to different groups. The library (your organization) has many sections: general stacks, rare books, digital archives, and study rooms (resources like SharePoint sites, groups, and apps). Instead of giving every student a single key that opens everything, the library creates membership packages. A "Graduate Researcher Package" might include access to the rare books room, 24-hour study rooms, and the digital archive. The library catalog (Entra ID) defines these packages. When a student requests a package, the librarian (catalog) checks eligibility (is this student a graduate researcher?) and then issues a temporary membership card with an expiration date. The card is automatically revoked when the student graduates or the term ends. The library also has an approval process: if a student wants access to the special collections, the rare books librarian must approve. The student can see all available packages in the library portal (My Access). The entire process—from request to approval to expiration—is automated, ensuring that access is granted only to those who need it and only for as long as they need it. This mirrors how access packages in Entra ID bundle multiple resource assignments (group memberships, app roles, SharePoint site permissions) into a single requestable entity with automated lifecycle management.
What is Entitlement Management?
Entitlement management is a feature of Microsoft Entra ID (formerly Azure AD) that enables organizations to manage the identity and access lifecycle of internal and external users at scale. It automates the process of requesting, approving, assigning, and reviewing access to resources such as groups, applications, and SharePoint Online sites. At its core, entitlement management uses access packages—collections of resource assignments that can be requested by users, approved by designated approvers, and automatically revoked after a defined period.
Why Entitlement Management Exists
Traditional access management often involves manual processes: IT receives a ticket, adds a user to a group, and later forgets to remove them. This leads to security risks and audit failures. Entitlement management solves this by:
Enabling self-service access requests through the My Access portal.
Automating approval workflows with multi-stage approvers.
Enforcing time-bound access with expiration policies.
Supporting periodic access reviews to certify continued need.
Managing external user access via connected organizations.
How Entitlement Management Works Internally
Entitlement management is built on top of Entra ID's existing directory and access control infrastructure. When a user requests an access package, the following happens:
1. Request Submission: The user submits a request via the My Access portal (https://myaccess.microsoft.com). The request is stored as an accessPackageAssignmentRequest object in the Entra ID directory.
2. Policy Evaluation: The system checks the request against the access package's assignment policies. Policies define who can request (scope), approval requirements (number of stages, approvers), and lifecycle (expiration, access reviews).
3. Approval Workflow: If required, the request enters an approval workflow. Approval requests are sent via email to approvers, who can approve or deny through the My Access portal or email. The system supports up to two approval stages.
4. Assignment Creation: Upon approval, the system creates an accessPackageAssignment object. This object represents the user's entitlement to the resources in the access package.
5. Resource Provisioning: The system provisions the user to each resource defined in the access package. This may involve adding the user to a Microsoft 365 group, assigning an app role, or granting access to a SharePoint Online site. Provisioning is asynchronous and uses the Entra ID provisioning engine.
6. Lifecycle Management: The assignment has a start date (typically now) and an end date (defined by the policy). The system automatically removes the user from resources when the assignment expires. If access reviews are configured, the user's access is periodically reviewed.
7. Cleanup: When an assignment expires or is revoked, the system deprovisions the user from all resources.
Key Components
#### Access Package
An access package is a container of resources and policies. It can include:
- Resource Roles: Specific permissions within a resource. For a group, roles include 'Member' or 'Owner'. For an enterprise application, roles are defined in the application manifest (e.g., 'User', 'Admin'). For SharePoint Online sites, roles correspond to site permission levels (e.g., 'Read', 'Contribute', 'Full Control').
- Multiple Resources: An access package can bundle multiple resources, each with its own role. For example, an access package for 'Sales Team' might include membership in the Sales group, the Sales app role, and Contributor access to the Sales SharePoint site.
#### Catalog
A catalog is a container for access packages. Catalogs are used to group related access packages and delegate management. By default, there is a 'General' catalog. Admins can create custom catalogs and assign catalog owners who can create and manage access packages within that catalog.
#### Assignment Policy
Each access package has at least one assignment policy. The policy defines:
- Requestor Scope: Who can request? Can be 'All users', 'Users in a specific group', or 'External users from connected organizations'.
- Approval Settings: Number of stages (1 or 2), approvers (specific users, group members, or manager), and fallback approvers.
- Lifecycle: Assignment duration (e.g., 30 days, 90 days, specific date), and whether access reviews are required.
- Custom Extensions: Optionally, you can integrate with Logic Apps for custom actions.
#### Connected Organizations
Connected organizations represent external partners or customers. You can define a list of allowed external tenants and domains. When an external user requests an access package, they must be from a connected organization. This enables B2B collaboration with governance.
Configuration and Verification Commands
You can manage entitlement management using the Microsoft Entra admin center, Microsoft Graph API, or PowerShell. Key PowerShell commands (using the Microsoft Graph PowerShell SDK):
# Connect to Microsoft Graph with the entitlement management scope (v1.0 Microsoft.Graph module; the beta endpoint has matching Get-MgBeta* cmdlets)
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
# List all access packages
Get-MgEntitlementManagementAccessPackage -All
# Get an access package by ID
Get-MgEntitlementManagementAccessPackage -AccessPackageId "00000000-0000-0000-0000-000000000000"
# Create a new access package in an existing catalog (the catalog is a navigation property, passed as a hashtable rather than a -CatalogId string)
New-MgEntitlementManagementAccessPackage -DisplayName "Sales Team Access" -Description "Access for sales team" -Catalog @{ id = "catalog-id" }
# List assignment policies for an access package (v1.0 cmdlet name; filter on the accessPackage navigation property)
Get-MgEntitlementManagementAssignmentPolicy -Filter "accessPackage/id eq 'access-package-id'" -All
# List assignments for an access package, expanded with the assigned user
Get-MgEntitlementManagementAssignment -Filter "accessPackage/id eq 'access-package-id'" -ExpandProperty target -All
For auditing, review the Entra ID audit logs filtered to the 'Entitlement Management' service; the activity names cover the request, approval, fulfillment and removal of access package assignments.
Interaction with Related Technologies
Microsoft 365 Groups: When an access package includes a group role, the user is added to the group. This grants access to all group-connected resources (team, SharePoint, etc.).
Enterprise Applications: Access packages can assign app roles for SaaS apps integrated with Entra ID.
SharePoint Online: Access packages can grant site permissions directly. When the assignment is delivered, the user is added to the site at the permission level selected in the package, and removed again when the assignment expires; no separate security group has to be connected to the site.
Access Reviews: Entitlement management integrates with Entra ID Access Reviews. You can configure an access package to trigger a review of assignments periodically.
Lifecycle Workflows: Lifecycle Workflows run on joiner, mover and leaver events (for example the employee hire date or leave date), and their built-in tasks include requesting an access package assignment for a user and removing one, so an onboarding workflow can assign a package and an offboarding workflow can take it away. Reacting to the assignment's own events (request created, approved, granted, expired) is the job of custom extensions, not Lifecycle Workflows.
Default Values and Timers
Default assignment duration: 30 days (if not specified).
Expiration: Can be set to a specific date, number of days after assignment, or no expiration.
Approval timeout: each approval stage has a decision deadline ('Decision must be made in how many days?'), 14 days by default in the portal. If no approver decides within it, the request is automatically denied and the user has to request again.
Provisioning delay: Resource provisioning typically occurs within minutes, but may take up to 1 hour for some resources.
Access review frequency: Default is 90 days for recurring reviews.
Trap Patterns on the Exam
Confusing access packages with Azure AD roles: Access packages are for resource access, not administrative roles. Azure AD roles are managed via Privileged Identity Management (PIM).
Assuming catalogs are required for all access packages: While catalogs organize packages, a default 'General' catalog exists. You do not need to create a new catalog.
Misunderstanding approval stages: The exam may test that you can have up to two approval stages. A single policy cannot have more than two.
Thinking external users can request without a connected organization: External users must be from a verified connected organization or be invited manually.
Edge Cases and Exam Tips
Multiple policies per access package: You can have multiple assignment policies for different groups of requestors. For example, one policy for employees (2-stage approval) and one for contractors (1-stage approval).
Manager as approver: If you select 'Manager as approver', the system uses the user's manager attribute. If the manager is not set, the request will fail unless a fallback approver is configured.
Custom extensions: The exam may ask about Logic Apps integration for custom actions like sending notifications or updating external systems.
Access package for external users: When an external user requests, they must authenticate using their home tenant credentials. The assignment creates a B2B guest user object in the resource tenant.
Summary
Entitlement management provides a structured, automated approach to managing access. Understanding the flow from request to provisioning to expiration is essential for the MS-102 exam and real-world administration.
Create a Catalog
Navigate to Identity Governance > Entitlement Management > Catalogs in the Microsoft Entra admin center. Click '+ New catalog'. Provide a name (e.g., 'Sales Resources') and description. Add one or more catalog owners who will manage access packages within this catalog. By default, the 'General' catalog exists and cannot be deleted. Catalogs allow delegation of management; for example, a sales manager can own the Sales catalog and create packages without needing global admin rights. Catalogs also help with governance by grouping related resources.
Add Resources to Catalog
Within the catalog, go to 'Resources' and click '+ Add resources'. You can add Microsoft Entra groups, enterprise applications, or SharePoint Online sites. For groups, you can add existing groups or create new ones. For SharePoint sites, you need the site URL. Each resource will have roles (e.g., group Member/Owner, app role, site permission level). Resources can be shared across multiple access packages within the same catalog. Once added, the resource is available for inclusion in any access package in that catalog.
Create Access Package
In the catalog, click 'Access packages' then '+ New access package'. Provide a name (e.g., 'Sales Team Access') and description. Select resources from the catalog and assign a role for each; for example, add the 'Sales Group' with role 'Member' and the 'Sales App' with role 'User'. You can add multiple resources. Approval is not a property of the package itself; it is configured in the assignment policy in the next step. The access package defines the bundle of permissions that a user will receive.
Configure Assignment Policy
Under the access package, go to 'Assignment policies' and click '+ New policy' or edit the default. Define the policy name. Set the requestor scope: 'All users', 'Users in a specific group', or 'External users from connected organizations'. Configure approval: choose 1 or 2 stages, select approvers (specific users, group members, manager). Set lifecycle: expiration (e.g., 30 days after assignment) and access review settings. Optionally, add custom extensions. Each access package can have multiple policies for different audiences.
Test Request and Provisioning
As a test user, navigate to the My Access portal (https://myaccess.microsoft.com) and sign in. The user should see the access package under 'Available packages'. Click 'Request', provide justification if required, and submit. The request appears in the approval queue. As an approver, approve via email or the portal. After approval, the system provisions resources: adds user to group, assigns app role, etc. Verify by checking group membership or app assignment. Check audit logs for provisioning status.
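The seven-step flow under 'How Entitlement Management Works Internally' and the catalog-to-test procedure above, carried through as one added PowerShell example (not code from the original page or from Microsoft). It uses raw Microsoft Graph v1.0 calls through Invoke-MgGraphRequest rather than the typed cmdlets so that the request bodies line up with the objects named in the flow (accessPackageAssignmentRequest, accessPackageAssignment). The group, requestor, approver, fallback and test-user object IDs are placeholders, the 'Member' role display name and the 14-day decision deadline are assumptions, and the signed-in account needs the EntitlementManagement.ReadWrite.All scope and an Identity Governance administrator role.

```powershell
# Added example: catalog -> resource -> access package -> policy -> direct assignment, via Graph v1.0.
# All object IDs below are placeholders (assumption); replace them with values from your tenant.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
$g = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

$salesGroupId     = "00000000-0000-0000-0000-000000000001"   # placeholder: existing security or M365 group (not dynamic)
$requestorGroupId = "00000000-0000-0000-0000-000000000002"   # placeholder: who is allowed to request
$approverGroupId  = "00000000-0000-0000-0000-000000000003"   # placeholder: stage-2 approvers
$fallbackUserId   = "00000000-0000-0000-0000-000000000004"   # placeholder: used when the requestor has no manager
$testUserId       = "00000000-0000-0000-0000-000000000005"   # placeholder: user to assign directly

# 1. Catalog. isExternallyVisible=$false keeps its packages off My Access for guests.
$catalog = Invoke-MgGraphRequest -Method POST -Uri "$g/catalogs" -Body @{
    displayName = "Sales Resources"; description = "Delegated to sales"; state = "published"; isExternallyVisible = $false
}

# 2. Add the group to the catalog. Resources enter a catalog through a resourceRequest, which is
#    processed asynchronously, so poll until the resource is visible.
$null = Invoke-MgGraphRequest -Method POST -Uri "$g/resourceRequests" -Body @{
    requestType = "adminAdd"
    catalog     = @{ id = $catalog.id }
    resource    = @{ originId = $salesGroupId; originSystem = "AadGroup" }
}
$resource = $null
for ($i = 0; $i -lt 12 -and -not $resource; $i++) {
    Start-Sleep -Seconds 5
    $uri = "$g/catalogs/$($catalog.id)/resources?`$filter=originId eq '$salesGroupId'"
    $resource = (Invoke-MgGraphRequest -Method GET -Uri $uri).value | Select-Object -First 1
}
if (-not $resource) { throw "Group never appeared in the catalog; check the resource request in the audit log." }

# 3. Access package inside the catalog.
$package = Invoke-MgGraphRequest -Method POST -Uri "$g/accessPackages" -Body @{
    displayName = "Sales Team Access"; description = "Sales group membership"; catalog = @{ id = $catalog.id }
}

# 4. Resource role scope: look up the group's 'Member' role in the catalog and bind it to the package.
$uri = "$g/catalogs/$($catalog.id)/resourceRoles?`$filter=(originSystem eq 'AadGroup' and resource/id eq '$($resource.id)')"
$memberRole = (Invoke-MgGraphRequest -Method GET -Uri $uri).value | Where-Object { $_.displayName -eq "Member" }
$null = Invoke-MgGraphRequest -Method POST -Uri "$g/accessPackages/$($package.id)/resourceRoleScopes" -Body @{
    role  = @{ originId = $memberRole.originId; displayName = "Member"; originSystem = "AadGroup"; resource = @{ id = $resource.id } }
    scope = @{ originId = $salesGroupId; originSystem = "AadGroup" }
}

# 5. Assignment policy: requestors limited to one group, two approval stages (manager with a fallback,
#    then an approver group), 14-day decision deadline per stage, 90-day expiry, quarterly review.
$policy = Invoke-MgGraphRequest -Method POST -Uri "$g/assignmentPolicies" -Body @{
    displayName             = "Sales employees"
    accessPackage           = @{ id = $package.id }
    allowedTargetScope      = "specificDirectoryUsers"
    specificAllowedTargets  = @(@{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $requestorGroupId })
    expiration              = @{ type = "afterDuration"; duration = "P90D" }
    requestorSettings       = @{ enableTargets = $true }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd         = $true
        isRequestorJustificationRequired = $true
        stages = @(
            @{ durationBeforeAutomaticDenial = "P14D"
               primaryApprovers         = @(@{ "@odata.type" = "#microsoft.graph.requestorManager"; managerLevel = 1 })
               fallbackPrimaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $fallbackUserId }) },
            @{ durationBeforeAutomaticDenial = "P14D"
               primaryApprovers         = @(@{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $approverGroupId }) }
        )
    }
    reviewSettings = @{
        isEnabled = $true; expirationBehavior = "removeAccess"; isSelfReview = $false
        schedule  = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString("o")
            expiration    = @{ type = "afterDuration"; duration = "P14D" }
            recurrence    = @{ pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 0 }; range = @{ type = "noEnd" } }
        }
        primaryReviewers = @(@{ "@odata.type" = "#microsoft.graph.requestorManager"; managerLevel = 1 })
    }
}

# 6. Direct assignment. This is the same accessPackageAssignmentRequest a My Access request creates,
#    but requestType adminAdd skips the approval stages. Poll until it leaves the pipeline.
$req = Invoke-MgGraphRequest -Method POST -Uri "$g/assignmentRequests" -Body @{
    requestType = "adminAdd"
    assignment  = @{ targetId = $testUserId; assignmentPolicyId = $policy.id; accessPackageId = $package.id }
}
do {
    Start-Sleep -Seconds 10
    $req = Invoke-MgGraphRequest -Method GET -Uri "$g/assignmentRequests/$($req.id)"
    "request {0,-18} {1}" -f $req.state, $req.status
} until ($req.state -in "delivered", "partiallyDelivered", "deliveryFailed", "denied", "canceled")

# 7. Verify the accessPackageAssignment objects for the package, with the target user expanded.
$uri = "$g/assignments?`$filter=accessPackage/id eq '$($package.id)'&`$expand=target"
(Invoke-MgGraphRequest -Method GET -Uri $uri).value | ForEach-Object {
    "{0,-30} {1,-12} expires {2}" -f $_.target.displayName, $_.state, $_.schedule.expiration.endDateTime
}
```

A self-service request from My Access produces the same request object with requestType userAdd; it then sits in pendingApproval until stage 1 (the manager, or the fallback user when the manager attribute is empty) and stage 2 (any member of the approver group) have decided, or until a stage's 14-day deadline denies it. The assignment's schedule.expiration.endDateTime is what the lifecycle step acts on: when it passes, the user is removed from the group without any admin action.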
Scenario 1: Onboarding External Partners
A large consulting firm needs to grant temporary access to its project management site and related applications for external partners. They create a connected organization for each partner tenant. An access package 'Partner Project Access' includes membership in a Microsoft 365 group (which provides a SharePoint site and Teams) and roles in a project management app. The assignment policy allows requests only from users in the connected organization, requires approval by the connected organization's internal sponsor (the employee who vouches for that partner; manager-based approval is a poor fit here because guest users rarely have a manager attribute) with a fallback approver, and expires after 90 days. When a partner employee requests access, the system creates a B2B guest user, adds them to the group, and assigns the app role. After 90 days, access is automatically revoked. This eliminates manual guest account management and ensures compliance with time-bound access.
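Scenario 1 and the 'Connected Organizations' component above, as an added PowerShell example (not code from the original page or from Microsoft): it creates the connected organization for one partner tenant, registers an internal sponsor, attaches a policy to an existing package that only that organization's users can request, and ends with the check a practitioner runs when a partner reports "I can't see the package". The partner tenant ID, sponsor user ID and package ID are placeholders, and Connect-MgGraph is assumed to have run already with EntitlementManagement.ReadWrite.All.

```powershell
# Added example: connected organization + partner-only policy, via Graph v1.0. IDs are placeholders (assumption).
$g = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"
$partnerTenantId = "11111111-1111-1111-1111-111111111111"   # placeholder: the partner's Entra tenant ID
$internalSponsor = "00000000-0000-0000-0000-000000000006"   # placeholder: your employee who vouches for the partner
$packageId       = "00000000-0000-0000-0000-000000000007"   # placeholder: existing 'Partner Project Access' package

# 1. Connected organization whose identity source is the partner tenant. A domainIdentitySource
#    (domainName) would be used instead for a partner that signs in with a verified domain.
$org = Invoke-MgGraphRequest -Method POST -Uri "$g/connectedOrganizations" -Body @{
    displayName     = "Contoso Consulting"
    description     = "Project partner"
    state           = "configured"
    identitySources = @(@{ "@odata.type" = "#microsoft.graph.azureActiveDirectoryTenant"
                           tenantId = $partnerTenantId; displayName = "Contoso Consulting" })
}

# 2. Internal sponsor: referenced by $ref, not embedded, because it is an existing user object.
$null = Invoke-MgGraphRequest -Method POST -Uri "$g/connectedOrganizations/$($org.id)/internalSponsors/`$ref" -Body @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$internalSponsor"
}

# 3. Policy on the package: only members of this connected organization may request, the
#    organization's internal sponsors approve (fallback: the sponsor user directly), 90-day expiry.
$policy = Invoke-MgGraphRequest -Method POST -Uri "$g/assignmentPolicies" -Body @{
    displayName             = "Contoso partners"
    accessPackage           = @{ id = $packageId }
    allowedTargetScope      = "specificConnectedOrganizationUsers"
    specificAllowedTargets  = @(@{ "@odata.type" = "#microsoft.graph.connectedOrganizationMembers"; connectedOrganizationId = $org.id })
    expiration              = @{ type = "afterDuration"; duration = "P90D" }
    requestorSettings       = @{ enableTargets = $true }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd         = $true
        isRequestorJustificationRequired = $true
        stages = @(@{
            durationBeforeAutomaticDenial = "P14D"
            primaryApprovers              = @(@{ "@odata.type" = "#microsoft.graph.internalSponsors" })
            fallbackPrimaryApprovers      = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $internalSponsor })
        })
    }
}

# 4. Triage helper: is a given tenant ID or domain covered by any connected organization, and in
#    what state? A 'proposed' organization was auto-created by a request and still needs review.
function Test-ConnectedOrg([string]$TenantIdOrDomain) {
    $orgs = (Invoke-MgGraphRequest -Method GET -Uri "$g/connectedOrganizations").value
    foreach ($o in $orgs) {
        foreach ($src in $o.identitySources) {
            if ($src.tenantId -eq $TenantIdOrDomain -or $src.domainName -eq $TenantIdOrDomain) {
                return "{0} (state: {1})" -f $o.displayName, $o.state
            }
        }
    }
    return "no connected organization covers $TenantIdOrDomain"
}
Test-ConnectedOrg $partnerTenantId
```

The policy's allowedTargetScope is the switch the exam calls 'External users from connected organizations'; with allExternalUsers instead, any external tenant could request and Entra would create a proposed connected organization for it, which is the governance gap connected organizations exist to close.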
Scenario 2: Internal Role-Based Access
A multinational company uses entitlement management to grant access to sensitive HR systems. They create an access package 'HR Systems Access' that includes membership in 'HR-Employees' group and the 'HR Portal' app role. The policy requires two-stage approval: first by the user's manager, then by HR director. Access expires after 1 year with a quarterly access review. Employees request through My Access. The system provisions access within minutes. If an employee changes departments, their access is reviewed and potentially revoked. This reduces over-privileged accounts and simplifies audit.
Common Pitfalls
Misconfigured connected organizations: If the external user's domain is not in the connected organization list, requests are blocked. Always verify the domain and tenant ID.
Missing resource roles: An access package must include at least one resource role. If you forget to add a role, the package appears empty.
Approval timeout: If no approver decides within the stage's deadline (14 days by default), the request is automatically denied and the user has to resubmit. Configure fallback approvers, and keep the deadline short enough that a stalled request is noticed before the requestor gives up.
Provisioning failures: Provisioning fails when the target resource rejects the change, for example when the resource was deleted after it was added to the catalog, when the group is of a type entitlement management cannot manage (dynamic membership, on-premises synced, distribution groups), or when the service lacks permission on the resource. Monitor the audit logs for errors, fix the cause, and use Reprocess on the assignment rather than removing and re-requesting it.
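The troubleshooting pitfalls above, as an added PowerShell example (not code from the original page or from Microsoft): it lists the assignments of one package that never reached the delivered state, pulls the failed requests and the matching audit entries, retries partially delivered assignments with the Reprocess action, and finishes with the pre-delete cleanup that a package with live assignments requires. The package ID is a placeholder, the audit-log category value 'EntitlementManagement' is an assumption matching the portal's service filter, and Connect-MgGraph is assumed to have run with EntitlementManagement.ReadWrite.All and AuditLog.Read.All.

```powershell
# Added example: assignment triage, audit correlation, reprocess, and pre-delete cleanup. Graph v1.0.
$g = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"
$packageId = "00000000-0000-0000-0000-000000000007"   # placeholder (assumption)

# 1. Assignments for the package. 'state' is the lifecycle state (delivered, partiallyDelivered,
#    expired); 'status' is the last provisioning result string.
$uri = "$g/assignments?`$filter=accessPackage/id eq '$packageId'&`$expand=target"
$assignments = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
$stuck = @($assignments | Where-Object { $_.state -ne "delivered" -and $_.state -ne "expired" })
$stuck | ForEach-Object { "{0,-30} state={1,-18} status={2}" -f $_.target.displayName, $_.state, $_.status }

# 2. Requests whose delivery failed carry the provisioning error in 'status'; filtered client-side
#    to avoid depending on server-side enum filtering.
$uri = "$g/assignmentRequests?`$expand=requestor,accessPackage"
(Invoke-MgGraphRequest -Method GET -Uri $uri).value |
    Where-Object { $_.state -eq "deliveryFailed" -and $_.accessPackage.id -eq $packageId } |
    ForEach-Object { "{0} {1}: {2}" -f $_.createdDateTime, $_.requestor.displayName, $_.status }

# 3. Audit log entries for the Entitlement Management service that ended in failure.
$uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=category eq 'EntitlementManagement'&`$top=50"
(Invoke-MgGraphRequest -Method GET -Uri $uri).value |
    Where-Object { $_.result -eq "failure" } |
    ForEach-Object { "{0} {1}: {2}" -f $_.activityDateTime, $_.activityDisplayName, $_.resultReason }

# 4. Reprocess (the portal's 'Reprocess' button) re-runs provisioning for a partially delivered
#    assignment once the underlying resource problem is fixed.
foreach ($a in $stuck) {
    if ($a.state -eq "partiallyDelivered") {
        Invoke-MgGraphRequest -Method POST -Uri "$g/assignments/$($a.id)/reprocess"
    }
}

# 5. A package that still has assignments cannot be deleted. Submit adminRemove requests for the
#    delivered ones; after they are removed, DELETE $g/accessPackages/$packageId succeeds.
function Remove-PackageAssignments([string]$AccessPackageId) {
    $uri = "$g/assignments?`$filter=accessPackage/id eq '$AccessPackageId'"
    $live = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value | Where-Object { $_.state -eq "delivered" })
    foreach ($a in $live) {
        $null = Invoke-MgGraphRequest -Method POST -Uri "$g/assignmentRequests" -Body @{
            requestType = "adminRemove"; assignment = @{ id = $a.id }
        }
    }
    return $live.Count   # number of removal requests submitted
}
Remove-PackageAssignments $packageId
```

Removal requests go through the same pipeline as additions, so the count returned is requests submitted, not users already deprovisioned; poll the assignments again before issuing the DELETE.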
Performance Considerations
Entitlement management scales to large numbers of assignments, but provisioning into very large groups can lag. Groups with dynamic membership cannot be used as access package resources at all, because entitlement management has no way to add or remove individual members of such a group; use dynamic membership where access follows an attribute such as department, and access packages where access has to be requested, approved and time-bound. For SharePoint sites, ensure the site is not exceeding its storage or user limits.
Objective 2.3: Manage identity governance
MS-102 tests your ability to configure and manage entitlement management, access packages, and connected organizations. Specific skills measured include:
Create and manage catalogs
Create and manage access packages
Configure assignment policies (requestors, approvers, lifecycle)
Manage connected organizations
Troubleshoot access package assignments
Top Wrong Answers on the Exam
Choosing 'Add user directly to group' instead of using access packages: Candidates often think manual group assignment is equivalent. However, the exam wants you to understand that access packages provide governance (approvals, expiration, reviews) that direct assignments lack.
Selecting 'Global Administrator' as catalog owner: While GA can manage, the exam emphasizes delegation. Catalog owners should be resource owners, not GAs.
Thinking access packages can include Azure AD roles: Azure AD roles are managed via PIM, not entitlement management. Access packages are for resource access (groups, apps, SharePoint).
Assuming external users don't need a connected organization: Connected organizations are required for self-service requests by external users. Without it, only admins can assign access.
Specific Numbers and Values
Maximum of 2 approval stages per policy.
Default assignment duration: 30 days.
Approval timeout: 14 days per approval stage by default (configurable per stage).
Maximum number of resources per access package: 30.
Maximum number of access packages per catalog: 500.
Maximum number of catalogs per tenant: 200.
Edge Cases
Manager approval without manager attribute: If the user has no manager set, the request fails unless a fallback approver is configured.
Multiple policies with overlapping scopes: The system evaluates policies; if a user qualifies for multiple, they can choose which policy to use.
Deleting an access package: An access package cannot be deleted while it still has assignments. Remove them first (admin-remove requests, or wait for them to expire) and then delete the package; to stop new requests in the meantime, hide the package from My Access.
How to Eliminate Wrong Answers
If the question mentions 'time-limited access', look for access packages with expiration.
If the question mentions 'external users self-service', look for connected organizations.
If the question mentions 'delegation', look for catalogs and catalog owners.
If the question mentions 'approval workflow', look for assignment policies with multiple stages.
Entitlement management uses access packages to bundle resource assignments with policies for request, approval, and lifecycle.
Catalogs are containers for access packages and allow delegation of management to non-admins.
Assignment policies define who can request, approval stages, and expiration settings.
Connected organizations enable external users to request access packages via self-service.
Access packages can include Microsoft 365 groups, enterprise applications, and SharePoint Online sites.
Maximum of 2 approval stages per assignment policy.
Default assignment duration is 30 days; each approval stage defaults to a 14-day decision deadline.
An access package cannot be deleted until its existing assignments have been removed or have expired.
External users must be from a connected organization to request access packages.
Provisioning is asynchronous and may take up to 1 hour.
These come up on the exam all the time. Here's how to tell them apart.
Access Packages
Supports approval workflows (1-2 stages).
Enforces time-bound access with expiration.
Integrates with access reviews for periodic certification.
Supports self-service requests via My Access portal.
Can bundle multiple resources (groups, apps, SharePoint).
Direct Group Assignment
No built-in approval workflow.
No automatic expiration; manual removal required.
No integration with access reviews unless configured separately.
Requires admin action to add/remove users.
Assigns only one resource (the group itself).
Mistake
Access packages can assign Azure AD administrative roles.
Correct
Access packages are for resource access (groups, apps, SharePoint), not Azure AD roles. Azure AD roles are managed via Privileged Identity Management (PIM).
Mistake
You must create a custom catalog; the General catalog cannot be used.
Correct
The General catalog is available by default and can be used for access packages. Custom catalogs are optional for delegation.
Mistake
External users can request access packages without any configuration.
Correct
External users must be from a connected organization or be invited manually. Self-service requests require the external user's tenant to be in the connected organizations list.
Mistake
Deleting an access package removes its assignments for you.
Correct
An access package that still has assignments cannot be deleted. Remove the assignments (or let them expire) first, then delete the package; to stop new requests without deleting it, hide the package from My Access.
Mistake
You can have unlimited approval stages in an assignment policy.
Correct
Each assignment policy supports a maximum of two approval stages. For more complex workflows, you can use custom extensions with Logic Apps.
Navigate to Identity Governance > Entitlement Management > Catalogs. Select a catalog (or use General), then click 'Access packages' and '+ New access package'. Provide a name, add resources with roles, and configure assignment policies. The package will appear in My Access portal for eligible users.
Yes, an access package can include up to 30 resources. Each resource must have a role assigned (e.g., group Member, app role). All resources are provisioned when the user is approved.
When the assignment duration ends (based on policy), the system automatically removes the user from all resources included in the package, and the user loses access. The package itself cannot be deleted while assignments still exist; remove them or let them expire first.
First, configure a connected organization for the external user's tenant. Then, create an access package with an assignment policy that allows 'External users from connected organizations'. The external user requests via My Access portal using their home tenant credentials.
Access packages manage access to resources (groups, apps, SharePoint) with time-bound assignments and approvals. PIM manages privileged access to Azure AD roles and Azure resources with just-in-time activation. They serve different purposes.
Yes, you can configure up to two approval stages in an assignment policy. The first stage could be the user's manager, the second a resource owner. Each stage can have multiple approvers (any one approves).
Check the Entra ID audit logs for 'Access package assignment' events. Look for errors like 'Provisioning failed'. Common causes: the resource no longer exists, the group is of a type entitlement management cannot manage (dynamic membership or on-premises synced), or the service lacks permission on the resource. After fixing the cause, use the 'Reprocess' option on the access package assignment to retry provisioning without removing and re-requesting it.