Tutorial: Manage access to resources in entitlement management

Managing access to all the resources employees need, such as groups, applications, and sites, is an important function for organizations. You want to grant employees the right level of access they need to be productive and remove their access when it's no longer needed.

In this tutorial, you work for Woodgrove Bank as an IT administrator. You've been asked to create a package of resources for a marketing campaign that internal users can use to self-service request. Requests don't require approval and user's access expires after 30 days. For this tutorial, the marketing campaign resources are just membership in a single group, but it could be a collection of groups, applications, or SharePoint Online sites.

Diagram that shows the scenario overview.

In this tutorial, you learn how to:

  • Create an access package with a group as a resource
  • Allow a user in your directory to request access
  • Demonstrate how an internal user can request the access package

For a step-by-step demonstration of the process of deploying Azure Active Directory entitlement management, including creating your first access package, view the following video:

This rest of this article uses the Azure portal to configure and demonstrate entitlement management.


To use entitlement management, you must have one of the following licenses:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5 license

For more information, see License requirements.

Step 1: Set up users and group

A resource directory has one or more resources to share. In this step, you create a group named Marketing resources in the Woodgrove Bank directory that is the target resource for entitlement management. You also set up an internal requestor.

Prerequisite role: Global administrator or User administrator

Diagram that shows the users and groups for this tutorial.

  1. Sign in to the Azure portal as a Global administrator or User administrator.

  2. In the left navigation, select Azure Active Directory.

  3. Create two users. Use the following names or different names.

    Name Directory role
    Admin1 Global administrator, or User administrator. This user can be the user you're currently signed in.
    Requestor1 User
  4. Create an Azure AD security group named Marketing resources with a membership type of Assigned. This group is the target resource for entitlement management. The group should be empty of members to start.

Step 2: Create an access package

An access package is a bundle of resources that a team or project needs and is governed with policies. Access packages are defined in containers called catalogs. In this step, you create a Marketing Campaign access package in the General catalog.

Prerequisite role: Global administrator, Identity Governance administrator, User administrator, Catalog owner, or Access package manager

Diagram that describes the relationship between the access package elements.

  1. In the Azure portal, in the left navigation, select Azure Active Directory.

  2. In the left menu, select Identity Governance

  3. In the left menu, select Access packages. If you see Access denied, ensure that an Azure AD Premium P2 license is present in your directory.

  4. Select New access package.

    Screenshots that shows how to create an access package.

  5. On the Basics tab, type the name Marketing Campaign access package and description Access to resources for the campaign.

  6. Leave the Catalog drop-down list set to General.

    Screenshot showing how to set the basic of the access policy.

  7. Select Next to open the Resource roles tab. On this tab, select the resources and the resource role to include in the access package. You can choose to manage access to groups and teams, applications, and SharePoint Online sites. In this scenario, select Groups and Teams.

    Screenshot showing how to select groups and teams.

  8. In the Select groups pane, find and select the Marketing resources group you created earlier.

    By default, you see groups inside the General catalog. When you select a group outside of the General catalog, which you can see if you check the See all check box, it will be added to the General catalog.

    Screenshot that shows how to select the groups"

  9. Choose Select to add the group to the list.

  10. In the Role drop-down list, select Member. If you select the Owner role, it allows users to add or remove other members or owners. For more information on selecting the appropriate roles for a resource, read add resource roles.

    Screenshot the shows how to select the member role.


    The role-assignable groups added to an access package will be indicated using the Sub Type Assignable to roles. For more information, check out the Create a role-assignable group article. Keep in mind that once a role-assignable group is present in an access package catalog, administrative users who are able to manage in entitlement management, including global administrators, user administrators and catalog owners of the catalog, will be able to control the access packages in the catalog, allowing them to choose who can be added to those groups. If you don't see a role-assignable group that you want to add or you are unable to add it, make sure you have the required Azure AD role and entitlement management role to perform this operation. You might need to ask someone with the required roles add the resource to your catalog. For more information, see Required roles to add resources to a catalog.


    When using dynamic groups you will not see any other roles available besides owner. This is by design. Screenshots that shows a dynamic group available roles.

  11. Select Next to open the Requests tab. On the Requests tab, you create a request policy. A policy defines the rules or guardrails to access an access package. You create a policy that allows a specific user in the resource directory to request this access package.

  12. In the Users who can request access section, select For users in your directory and then select Specific users and groups.

    Screenshot of the access package requests tab.

  13. Select Add users and groups.

  14. In the Select users and groups pane, select the Requestor1 user you created earlier.

    Screenshot of select users and groups.

  15. Choose Select to add the user to the list.

  16. Scroll down to the Approval and Enable requests sections.

  17. Leave Require approval set to No.

  18. For Enable requests, select Yes to enable this access package to be requested as soon as it's created.

  19. To add a Verified ID requirement to the access package, select on Add issuer in the Required Verified IDs section. If you don't have the Verified ID service set up in your tenant, navigate to the Verified ID section of the Azure portal.

    Screenshot of the Verified ID picker selection.

  20. Search for an issuer in the dropdown and select the credential type you want users to present when requesting access.


    If you select multiple issuers / credential types, users requesting access will be required to present all of the credential types you have included in this policy. To give users the option of presenting one of many credential types, please include each acceptable option in a separate policy.

  21. Select Next to open the Requestor information tab.

    Screenshots of the requests tab approval and enable requests settings.

  22. On the Requestor information tab, you can ask questions to collect more information from the requestor. The questions are shown on the request form and can be either required or optional. In this scenario, you haven't been asked to include requestor information for the access package, so you can leave these boxes empty. Select Next to open the Lifecycle tab.

  23. On the Lifecycle tab, you specify when a user's assignment to the access package expires. You can also specify whether users can extend their assignments. In the Expiration section:

    1. Set the Access package assignments expire to Number of days.
    2. Set the Assignments expire after to 30 days.
    3. Leave the Users can request specific timeline default value, Yes.
    4. Set the Require access reviews to No.

    Screenshot of the access package lifecycle tab

  24. Skip the Custom extensions (Preview) step.

  25. Select Next to open the Review + Create tab.

  26. On the Review + Create tab, select Create. After a few moments, you should see a notification that the access package was successfully created.

  27. In left menu of the Marketing Campaign access package, select Overview.

  28. Copy the My Access portal link.

    You'll use this link for the next step.

    Screenshot that demonstrates how to copy the link to the access policy.

Step 3: Request access

In this step, you perform the steps as the internal requestor and request access to the access package. Requestors submit their requests using a site called the My Access portal. The My Access portal enables requestors to submit requests for access packages, see the access packages they already have access to, and view their request history.

Prerequisite role: Internal requestor

  1. Sign out of the Azure portal.

  2. In a new browser window, navigate to the My Access portal link you copied in the previous step.

  3. Sign in to the My Access portal as Requestor1.

    You should see the Marketing Campaign access package.

  4. In the Business justification box, type the justification I'm working on the new marketing campaign.

    Screenshot of the My Access portal listing the access packages.

  5. Select Submit.

  6. In the left menu, select Request history to verify that your request was delivered. For more details, select View.

    Screenshot of the My Access portal request history.

Step 4: Validate that access has been assigned

In this step, you confirm that the internal requestor was assigned the access package and that they're now a member of the Marketing resources group.

Prerequisite role: Global administrator, User administrator, Catalog owner, or Access package manager

  1. Sign out of the My Access portal.

  2. Sign in to the Azure portal as Admin1.

  3. Select Azure Active Directory and then select Identity Governance.

  4. In the left menu, select Access packages.

  5. Find and select Marketing Campaign access package.

  6. In the left menu, select Requests.

    You should see Requestor1 and the Initial policy with a status of Delivered.

  7. Select the request to see the request details.

    Screenshot of the access package request details.

  8. In the left navigation, select Azure Active Directory.

  9. Select Groups and open the Marketing resources group.

  10. Select Members.

    You should see Requestor1 listed as a member.

    Screenshot shows the requestor one has been added to the marketing resources group.

Step 5: Clean up resources

In this step, you remove the changes you made and delete the Marketing Campaign access package.

Prerequisite role: Global administrator or User administrator

  1. In the Azure portal, select Azure Active Directory and then select Identity Governance.

  2. Open the Marketing Campaign access package.

  3. Select Assignments.

  4. For Requestor1, select the ellipsis (...) and then select Remove access. In the message that appears, select Yes.

    After a few moments, the status will change from Delivered to Expired.

  5. Select Resource roles.

  6. For Marketing resources, select the ellipsis (...) and then select Remove resource role. In the message that appears, select Yes.

  7. Open the list of access packages.

  8. For Marketing Campaign, select the ellipsis (...) and then select Delete. In the message that appears, select Yes.

  9. In Azure Active Directory, delete any users you created such as Requestor1 and Admin1.

  10. Delete the Marketing resources group.

Set up group writeback in entitlement management

To set up group writeback for Microsoft 365 groups in access packages, you must complete the following prerequisites:

  • Set up group writeback in the Azure portal.
  • The Organizational Unit (OU) that will be used to set up group writeback in Azure AD Connect Configuration.
  • Complete the group writeback enablement steps for Azure AD Connect.

Using group writeback, you can now sync Microsoft 365 groups that are part of access packages to on-premises Active Directory. To sync the groups, follow the steps below:

  1. Create an Azure Active Directory Microsoft 365 group.

  2. Set the group to be written back to on-premises Active Directory. For instructions, see Group writeback in the Azure portal.

  3. Add the group to an access package as a resource role. See Create a new access package for guidance.

  4. Assign the user to the access package. See View, add, and remove assignments for an access package for instructions to directly assign a user.

  5. After you've assigned a user to the access package, confirm that the user is now a member of the on-premises group once Azure AD Connect Sync cycle completes:

    1. View the member property of the group in the on-premises OU OR
    2. Review the member Of on the user object.


Azure AD Connect's default sync cycle schedule is every 30 minutes. You may need to wait until the next cycle occurs to see results on-premises or choose to run the sync cycle manually to see results sooner.

Next steps

Advance to the next article to learn about common scenario steps in entitlement management.