Identify Group Members Added via Access Packages vs. Direct Membership

nicpar 1 Reputation point

I need to distinguish between group members that were added by access package resource assignments and those members that were added directly to a group. How can this be done? Currently, the audit log shows the source of a group member being added, which helps with realtime detection but not no so much for a point-in-time audit of members.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,618 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,206 Reputation points

    Hi @nicpar · Thank you for reaching out.

    Once members are added to a group, you can't distinguish whether they are added via Access Package or directly assigned with membership by simply checking the group membership.

    Azure Active Directory > Identity Governance > Access Packages > Your Access package > Assignments > Select desired states > Download


    You can then compare it with the list of existing members of the group to identify which users are not added via Access Package.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments