Common scenarios in entitlement management

There are several ways that you can configure entitlement management for your organization. However, if you're just getting started, it's helpful to understand the common scenarios for administrators, catalog owners, access package managers, approvers, and requestors.

Delegate

Administrator: Delegate management of resources

1. Watch video: Delegation from IT to department manager
2. Delegate users to catalog creator role

Catalog creator: Delegate management of resources

• Create a new catalog

Catalog owner: Delegate management of resources

1. Add co-owners to the catalog
2. Add resources to the catalog

Catalog owner: Delegate management of access packages

1. Watch video: Delegation from catalog owner to access package manager
2. Delegate users to access package manager role

Govern access for users in your organization

Administrator: Assign employees access automatically

1. Create a new access package
2. Add groups, Teams, applications, or SharePoint sites to access package
3. Add an automatic assignment policy

Administrator: Assign employees access from lifecycle workflows

1. Create a new access package
2. Add groups, Teams, applications, or SharePoint sites to access package
3. Add a direct assignment policy
4. Add a task to Request user access package assignment to a workflow when a user joins
5. Add a task to Remove access package assignment for user to a workflow when a user leaves

Access package manager: Allow employees in your organization to request access to resources

1. Create a new access package
2. Add groups, Teams, applications, or SharePoint sites to access package
3. Add a request policy to allow users in your directory to request access
4. Specify expiration settings

Requestor: Request access to resources

1. Sign in to the My Access portal
2. Find access package
3. Request access

Approver: Approve requests to resources

1. Open request in My Access portal
2. Approve or deny access request

Requestor: View the resources you already have access to

1. Sign in to the My Access portal
2. View active access packages

Govern access for users outside your organization

Administrator: Collaborate with an external partner organization

1. Read how access works for external users
2. Review settings for external users
3. Add a connection to the external organization

Access package manager: Collaborate with an external partner organization

1. Create a new access package
2. Add groups, Teams, applications, or SharePoint sites to access package
3. Add a request policy to allow users not in your directory to request access
4. Specify expiration settings
5. Copy the link to request the access package
6. Send the link to your external partner contact partner to share with their users

Requestor: Request access to resources as an external user

1. Find the access package link you received from your contact
2. Sign in to the My Access portal
3. Request access

Approver: Approve requests to resources

1. Open request in My Access portal
2. Approve or deny access request

Requestor: View the resources your already have access to

1. Sign in to the My Access portal
2. View active access packages

Day-to-day management

Administrator: View the connected organizations that are proposed and configured

1. View the list of connected organizations

Access package manager: Update the resources for a project

1. Watch video: Day-to-day management: Things have changed
2. Open the access package
3. Add or remove groups, Teams, applications, or SharePoint sites

Access package manager: Update the duration for a project

1. Watch video: Day-to-day management: Things have changed
2. Open the access package
3. Open the lifecycle settings
4. Update the expiration settings

Access package manager: Update how access is approved for a project

1. Watch video: Day-to-day management: Things have changed
2. Open an existing policy's request settings
3. Update the approval settings

Access package manager: Update the people for a project

1. Watch video: Day-to-day management: Things have changed
2. Remove users that no longer need access
3. Open an existing policy's request settings
4. Add users that need access

Access package manager: Directly assign specific users to an access package

1. If users need different lifecycle settings, add a new policy to the access package
2. Directly assign specific users to the access package

Assignments and reports

Administrator: View who has assignments to an access package

1. Open an access package
2. View assignments
3. Archive reports and logs

Administrator: View resources assigned to users

1. View access packages for a user
2. View resource assignments for a user

Programmatic administration

You can also manage access packages, catalogs, policies, requests, and assignments using Microsoft Graph. A user in an appropriate role with an application that has the delegated EntitlementManagement.Read.All or EntitlementManagement.ReadWrite.All permission can call the entitlement management API. For more information, see the Tutorial: manage access to resources - Microsoft Graph. An application with the EntitlementManagement.Read.All or EntitlementManagement.ReadWrite.All application permissions can also use many of those API functions, except for managing resources in catalogs and access packages. An application that only needs to operate within specific catalogs can be added to the Catalog owner or Catalog reader roles of a catalog to be authorized to update or read within that catalog.

Next steps

• Delegation and roles
• Request process and email notifications