Identify Group Members Added via Access Packages vs. Direct Membership

nicpar 1 Reputation point
2021-05-26T20:37:08.05+00:00

I need to distinguish between group members that were added by access package resource assignments and those members that were added directly to a group. How can this be done? Currently, the audit log shows the source of a group member being added, which helps with real-time detection but not so much for a point-in-time audit of members.


1 answer

  1. AmanpreetSingh-MSFT 56,206 Reputation points
    2021-06-07T08:43:00.903+00:00

    Hi @nicpar · Thank you for reaching out.

    Once members are added to a group, you can't distinguish whether they are added via Access Package or directly assigned with membership by simply checking the group membership.

    Azure Active Directory > Identity Governance > Access Packages > Your Access package > Assignments > Select desired states > Download

    You can then compare it with the list of existing members of the group to identify which users are not added via Access Package.
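
The comparison described in the answer above, as an added example that is not part of the original answer: it takes one or more downloaded access package assignment exports and a group member export and sorts users into three buckets. The column names, the `Delivered` state label and the sample rows are assumptions constructed for illustration; match them to the headers in your own exports.

```python
import csv
import io

# Column names and the state label are assumptions; adjust them to your exports.
ASSIGN_UPN_COL = "User principal name"
ASSIGN_STATE_COL = "Status"
MEMBER_UPN_COL = "userPrincipalName"
ACTIVE_STATES = {"delivered"}  # assumed label for an active assignment


def _norm(value):
    return (value or "").strip().lower()  # UPNs compare case-insensitively


def load_assigned(csv_files):
    """Union of users with an active assignment across one or more exports."""
    assigned = set()
    for fh in csv_files:
        for row in csv.DictReader(fh):
            upn = _norm(row.get(ASSIGN_UPN_COL))
            if upn and _norm(row.get(ASSIGN_STATE_COL)) in ACTIVE_STATES:
                assigned.add(upn)
    return assigned


def load_members(fh):
    return {_norm(r.get(MEMBER_UPN_COL)) for r in csv.DictReader(fh)} - {""}


def classify(assigned, members):
    return {
        "via_access_package": sorted(members & assigned),
        "direct_or_other": sorted(members - assigned),
        "assigned_not_member": sorted(assigned - members),
    }

# Constructed sample data standing in for the two downloaded files.
SAMPLE_ASSIGNMENTS = """User principal name,Status
Alice@contoso.example,Delivered
bob@contoso.example,Expired
carol@contoso.example,Delivered
"""
SAMPLE_MEMBERS = """userPrincipalName,displayName
alice@contoso.example,Alice
bob@contoso.example,Bob
dave@contoso.example,Dave
"""
RESULT = classify(load_assigned([io.StringIO(SAMPLE_ASSIGNMENTS)]),
                  load_members(io.StringIO(SAMPLE_MEMBERS)))
```

A user who holds both an active assignment and a direct membership lands in `via_access_package`, since the two exports alone cannot separate that case. Pass every access package that grants the group to `load_assigned`, otherwise its users show up under `direct_or_other`.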