Tutorial: Manage access to resources in Microsoft Entra entitlement management using Microsoft Graph PowerShell
Managing access to all the resources that employees need, such as groups, applications, and sites, is an important function for organizations. You want to grant employees the right level of access they need to be productive and remove their access when it's no longer needed. Microsoft Entra entitlement management using Microsoft Graph PowerShell enables you to manage this type of access.
In this tutorial, you'll create a package of resources for a marketing campaign that internal users can use for self-service requests. Requests don't require approval and users' access expires after 30 days. Here, the marketing campaign resources are just membership in a single group, but it could be a collection of groups, applications, or SharePoint Online sites.
Prerequisites
To successfully complete this tutorial, make sure you have the required prerequisites:
Microsoft Graph PowerShell SDK is installed. Follow the installation guide for more info on how to do this.
To use Microsoft Entra entitlement management, you must have Microsoft Entra ID Governance subscriptions for your organization's users. Some capabilities within this feature may operate with a Microsoft Entra ID P2 subscription.
Entitlement management is available in the beta and v1 modules of Microsoft Graph PowerShell. This tutorial uses the beta module. Ensure that you have both Microsoft.Graph and Microsoft.Graph.Beta modules installed.
Sign in to Microsoft Graph PowerShell as an Identity Governance Administrator with the appropriate permissions. The User.ReadWrite.All, Group.ReadWrite.All, and EntitlementManagement.ReadWrite.All delegated permissions are required. Request them as scopes when you connect with Connect-MgGraph.
Select Consent on behalf of your organization before accepting in the sign-in dialog box.
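The sign-in described above, written out as an added example (this script is not part of the original tutorial). It requests exactly the three delegated permissions the prerequisites list, then checks that the token actually carries them and that the Beta module is available, so a missing consent surfaces here rather than as a 403 several steps later. Nothing in it is tenant-specific.

```powershell
# Added example: connect with the three delegated permissions this tutorial needs,
# then verify they were granted before running anything else.
$requiredScopes = @(
    'User.ReadWrite.All',
    'Group.ReadWrite.All',
    'EntitlementManagement.ReadWrite.All'
)

# Interactive sign-in; the consent dialog lists these scopes.
Connect-MgGraph -Scopes $requiredScopes

# If an admin declined consent for one scope, later cmdlets fail with 403 Forbidden.
# Compare the scopes in the session against what we asked for and stop early.
$granted = (Get-MgContext).Scopes
$missing = $requiredScopes | Where-Object { $_ -notin $granted }
if ($missing) {
    throw "Missing delegated permissions: $($missing -join ', '). Reconnect and consent to all required scopes."
}

# The entitlement management cmdlets used later live in Microsoft.Graph.Beta.
if (-not (Get-Command New-MgBetaEntitlementManagementAccessPackage -ErrorAction SilentlyContinue)) {
    throw "Microsoft.Graph.Beta is not installed. Run: Install-Module Microsoft.Graph.Beta -Scope CurrentUser"
}

"Connected as $((Get-MgContext).Account) with scopes: $($granted -join ', ')"
```

These are broad write permissions on users and groups; use them from an administrator's interactive session for this tutorial, and disconnect with Disconnect-MgGraph when you are done rather than leaving the token cached.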
Step 1: Create a user account and a group
In this step, you'll create a group named Marketing resources in the directory that is the target resource for entitlement management. You'll also create a user account that is set up as an internal requestor.
Create a user account
Create a user account that you'll use later to request access to the resources in the access package.
When you make these calls, change contoso.onmicrosoft.com to the domain name of your tenant. You can find tenant information on the Microsoft Entra overview page. Record the value of the returned Id property to use later.
Id DisplayName Mail UserPrincipalName UserType
-- ----------- ---- ----------------- --------
6c42590f-fcf0-4922-bac6-205f7c6aa89c Requestor1 Requestor1@contoso.onmicrosoft.com Member
Create a group
Create a group named Marketing resources that is the target resource for entitlement management.
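The two objects that Step 1 asks for, created in one added example (not code from the original tutorial). The domain name is an assumption you must replace, and the initial password is generated randomly and forced to change at first sign-in instead of being typed into the script.

```powershell
# Added example: create the Requestor1 account and the Marketing resources group.
# ASSUMPTION: replace contoso.onmicrosoft.com with the domain name of your tenant.
$domain = 'contoso.onmicrosoft.com'

# Generate a random initial password rather than hard-coding one. Works on
# Windows PowerShell 5.1 and PowerShell 7 alike.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

# The internal requestor. ForceChangePasswordNextSignIn means the generated
# password is single-use.
$requestor = New-MgUser -DisplayName 'Requestor1' `
    -UserPrincipalName "Requestor1@$domain" `
    -MailNickname 'Requestor1' `
    -AccountEnabled `
    -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

# A security group (not mail-enabled): this is the resource whose membership the
# access package will grant.
$group = New-MgGroup -DisplayName 'Marketing resources' `
    -Description 'Resources for the marketing campaign' `
    -MailEnabled:$false `
    -MailNickname 'marketingresources' `
    -SecurityEnabled

# Record both Ids; every later step needs them.
$requestorId = $requestor.Id
$groupId     = $group.Id
"Requestor1 Id: $requestorId"
"Group Id:      $groupId"
```

Keep the session open, or save $requestorId and $groupId somewhere, because the remaining examples in this tutorial refer to those two variables.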
Step 2: Add resources to a catalog and create an access package
An access package is a bundle of resources that a team or project needs and is governed by policies. Access packages are defined in containers called catalogs. Catalogs can reference resources such as groups, apps, and sites that are used in the access package.
In this step, create a Marketing Campaign access package in the General catalog.
Get the catalog identifier
To add resources to a catalog, you must first get its identifier. If you're using the general catalog, run the following command to get its Id. If you're using a different catalog, change the filter value in the request to the name of your catalog. Record the returned Id property to use later.
AccessPackageResourceRoles :
AccessPackageResourceScopes :
AccessPackageResources :
AccessPackages :
CatalogStatus : Published
CatalogType : ServiceDefault
CreatedBy : Azure AD
CreatedDateTime : 1/13/2022 6:47:56 AM
Description : Built-in catalog.
DisplayName : General
Id : 88d3e491-5247-4209-9b56-c4c95d9694e9
IsExternallyVisible : True
ModifiedBy : Azure AD
ModifiedDateTime : 1/13/2022 6:47:56 AM
AdditionalProperties : {}
The output should only contain the catalog whose name you provided in the request. If there are no values returned, check that the name of the catalog is correct before you proceed.
Add the group to the catalog
To add the group that you created to the catalog, provide the following property values:
CatalogId - Specifies the Id of the catalog that you're using.
RequestType - Set to AdminAdd.
AccessPackageResource - Represents the resource. This resource should contain two properties: OriginSystem should be AadGroup and OriginId is the identifier of the group.
The request state indicates the outcome of whether the service was able to add the resource to the catalog. The value is Delivered if the resource was added.
Get catalog resources
In later steps, you'll need the Id that was assigned to the group resource in the catalog. This identifier represents the group as a resource in the catalog and is different from the group's own object Id in Microsoft Entra ID. To get the resource, provide the Id of the catalog and filter by the display name of the group.
The access package assigns users to the roles of a resource. The typical role of a group used in an access package is the member role. You'll need the member role when you add a resource role to the access package.
In this command, use the Id of the catalog and the Id of the group resource you recorded in the previous step to get the OriginId of the member resource role.
Get-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageResourceRole -AccessPackageCatalogId '88d3e491-5247-4209-9b56-c4c95d9694e9' -Filter "originSystem eq 'AadGroup' and accessPackageResource/id eq '0a358d7b-42d9-48c5-8455-df23dcaff2ad' and DisplayName eq 'Member'"
Id Description DisplayName OriginId OriginSystem
-- ----------- ----------- -------- ------------
00000000-0000-0000-0000-000000000000 Member Member_87553228-0d72-4138-890b-36e683f883b7 AadGroup
If successful, a single record is returned which represents the member role of that group. If no roles are returned, check the Id values of the catalog and the access package resource.
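Step 2 up to this point, as one added example that is not code from the original tutorial. It assumes $groupId from Step 1 and the built-in General catalog. Two checks are added that the prose only implies: the resource request's state is verified to be Delivered before continuing, and the catalog resource is matched on its OriginId (the group's object Id) rather than on display name alone, so that a second group with the same name in the same catalog cannot be picked up by mistake.

```powershell
# Added example: catalog lookup, add the group as a catalog resource, then get
# the resource Id and the Member role's OriginId. Assumes $groupId from Step 1.

# 1. Catalog Id. The filter must return exactly one catalog.
$catalog = Get-MgBetaEntitlementManagementAccessPackageCatalog -Filter "displayName eq 'General'"
if (@($catalog).Count -ne 1) {
    throw "Expected exactly one catalog named 'General', found $(@($catalog).Count)."
}
$catalogId = $catalog.Id

# 2. Add the group to the catalog. OriginSystem is AadGroup, OriginId is the group's object Id.
$resourceRequest = New-MgBetaEntitlementManagementAccessPackageResourceRequest `
    -CatalogId $catalogId `
    -RequestType 'AdminAdd' `
    -AccessPackageResource @{ OriginSystem = 'AadGroup'; OriginId = $groupId }

# RequestState is Delivered when the group was added. Anything else means the
# catalog does not contain the group and the later steps would fail.
if ($resourceRequest.RequestState -ne 'Delivered') {
    throw "Adding the group to the catalog did not complete: state is '$($resourceRequest.RequestState)'."
}

# 3. Catalog resource Id. This Id is NOT the group's Id, so confirm OriginId matches
#    instead of trusting the display name alone.
$resource = Get-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageResource `
    -AccessPackageCatalogId $catalogId `
    -Filter "displayName eq 'Marketing resources'" |
    Where-Object { $_.OriginSystem -eq 'AadGroup' -and $_.OriginId -eq $groupId }
if (@($resource).Count -ne 1) {
    throw "Group $groupId was not found as a resource in catalog $catalogId."
}
$resourceId = $resource.Id

# 4. Member role of that resource. Its OriginId has the form Member_<groupId>.
$memberRole = Get-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageResourceRole `
    -AccessPackageCatalogId $catalogId `
    -Filter "originSystem eq 'AadGroup' and accessPackageResource/id eq '$resourceId' and displayName eq 'Member'"
if (@($memberRole).Count -ne 1) {
    throw "Member role not found for resource $resourceId in catalog $catalogId."
}
$memberRoleOriginId = $memberRole.OriginId

"Catalog Id:           $catalogId"
"Resource Id:          $resourceId"
"Member role OriginId: $memberRoleOriginId"
```

If step 3 returns nothing even though the request state was Delivered, the display name in the filter does not match the group you created; fix the name rather than relaxing the OriginId check.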
Create the access package
At this point, you have a catalog with a group resource, and you know that you'll use the group's member resource role in the access package. The next step is to create the access package. After creating it, you add the resource role to it and create a policy that governs how users can request that resource role. Use the Id of the catalog that you recorded earlier to create the Marketing Campaign access package in the General catalog, and record the Id of the access package to use later.
Add the member role of the group resource to the access package. Provide the Id of the access package, Id of the group catalog resource for the accessPackageResource, and the OriginId of the Member role that you previously recorded.
AccessPackageResourceRole : Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessPackageResourceRole
AccessPackageResourceScope : Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessPackageResourceScope
CreatedBy : admin@contoso.onmicrosoft.com
CreatedDateTime : 4/5/2022 11:48:35 AM
Id : 970ea023-669d-49a5-ae4b-642b3c6f403c_fea332ec-06e3-4c35-ad87-c97d79c3bf9b
ModifiedBy : admin@contoso.onmicrosoft.com
ModifiedDateTime : 4/5/2022 11:48:35 AM
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/beta/$metadata#identityGovernance/entitlementManagement/accessPackages('08173ced-8eae-4023-8433-cb85f29e7726')/accessPackageResourceRoleScopes/$entity]}
This access package now has one resource role, which is a group membership. The role is assigned to any user who has the access package.
Create an access package policy
After creating the access package and adding resources and roles, you can decide who can access it by creating an access package policy. Enable the Requestor1 user account that you created in step 1 to request access to the resources in the access package. For this task, you need these values:
Id of the access package for the value of the accessPackageId property.
Id of the Requestor1 user account for the value of the id property in the allowedRequestors.
The value of the DurationInDays property enables the Requestor1 account to access the resources in the access package for 30 days. Record the value of the Id property that is returned to use later.
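The three remaining parts of Step 2 (create the access package, attach the Member role scope, create the policy), as one added example rather than code from the original tutorial. It assumes $catalogId, $resourceId, $memberRoleOriginId, $groupId and $requestorId from the earlier steps. The policy is deliberately narrow: only Requestor1 may request, no approval is required, and the assignment lasts 30 days, which is what the tutorial describes.

```powershell
# Added example: access package, resource role scope, and assignment policy.
# Assumes $catalogId, $resourceId, $memberRoleOriginId, $groupId, $requestorId.

# 1. The access package itself, inside the General catalog.
$accessPackage = New-MgBetaEntitlementManagementAccessPackage `
    -CatalogId $catalogId `
    -DisplayName 'Marketing Campaign' `
    -Description 'Access to resources for the marketing campaign'
$accessPackageId = $accessPackage.Id

# 2. Attach the group's Member role. The role refers to the catalog resource by its
#    resource Id; the scope is the group itself, identified by its object Id.
$roleScope = New-MgBetaEntitlementManagementAccessPackageResourceRoleScope `
    -AccessPackageId $accessPackageId `
    -AccessPackageResourceRole @{
        OriginId              = $memberRoleOriginId
        OriginSystem          = 'AadGroup'
        AccessPackageResource = @{ Id = $resourceId }
    } `
    -AccessPackageResourceScope @{
        OriginId     = $groupId
        OriginSystem = 'AadGroup'
    }
"Role scope Id: $($roleScope.Id)"

# 3. Policy: specific requestor only, no approval, 30-day assignment.
#    ScopeType SpecificDirectorySubjects limits self-service to the listed subjects;
#    a broader scope (for example AllExistingDirectoryMemberUsers) would open the
#    package to every internal user.
$policy = New-MgBetaEntitlementManagementAccessPackageAssignmentPolicy `
    -AccessPackageId $accessPackageId `
    -DisplayName 'Self-service for Requestor1' `
    -Description 'Requestor1 can request access for 30 days without approval' `
    -DurationInDays 30 `
    -RequestorSettings @{
        ScopeType         = 'SpecificDirectorySubjects'
        AcceptRequests    = $true
        AllowedRequestors = @(
            @{ '@odata.type' = '#microsoft.graph.singleUser'; Id = $requestorId; Description = 'Requestor1' }
        )
    } `
    -RequestApprovalSettings @{ IsApprovalRequired = $false }
$policyId = $policy.Id

"Access package Id: $accessPackageId"
"Policy Id:         $policyId"
```

Record $accessPackageId and $policyId; the access request in the next step needs both, and the cleanup step needs the access package Id.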
Step 3: Request access to the access package
In this step, the Requestor1 user account that you created in step 1 requests access to the resources in the access package.
To request access, you need to provide these values:
TargetId - Specifies the ID of the Requestor1 user account that you created.
AssignmentPolicyId - Specifies the ID of the assignment policy.
AccessPackageId - Specifies the ID of the access package.
RequestType - Specifies the type of request. For a non-administrator user to request to create their own assignment for either a first assignment or renew assignment, the value of the requestType property is UserAdd.
Step 4: Validate that access has been assigned
After the request has been granted, you can use the Id that you recorded for the Marketing resources group to see that the Requestor1 user account has been added to it.
Id DeletedDateTime
-- ---------------
6c42590f-fcf0-4922-bac6-205f7c6aa89c
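Steps 3 and 4 together, as an added example that is not code from the original tutorial. It assumes $requestorId, $policyId, $accessPackageId and $groupId from the earlier steps. Delivery of an assignment is asynchronous, so the script polls the request until it reaches a terminal state instead of checking group membership immediately, and it reads back the assignment's expiration to confirm the 30-day duration actually took effect.

```powershell
# Added example: submit the UserAdd request for Requestor1, wait for delivery,
# then verify group membership and the expiry. Assumes $requestorId, $policyId,
# $accessPackageId, $groupId.

# 1. Request. UserAdd is the request type for a user's own first or renewal assignment.
$request = New-MgBetaEntitlementManagementAccessPackageAssignmentRequest `
    -RequestType 'UserAdd' `
    -AccessPackageAssignment @{
        TargetId           = $requestorId
        AssignmentPolicyId = $policyId
        AccessPackageId    = $accessPackageId
    }
$requestId = $request.Id
"Assignment request Id: $requestId (initial state: $($request.RequestState))"

# 2. Poll until the request reaches a terminal state, with a hard timeout so a
#    stuck request cannot hang the script.
$terminalStates = @('Delivered', 'PartiallyDelivered', 'DeliveryFailed', 'Denied', 'Canceled')
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $state = (Get-MgBetaEntitlementManagementAccessPackageAssignmentRequest `
        -AccessPackageAssignmentRequestId $requestId).RequestState
    "Request state: $state"
} until ($state -in $terminalStates -or (Get-Date) -gt $deadline)

if ($state -ne 'Delivered') {
    throw "Assignment was not delivered (final state '$state'). Check the policy's requestor settings."
}

# 3. Validate where it matters: Requestor1 must now be a member of the group.
$member = Get-MgGroupMember -GroupId $groupId -All | Where-Object { $_.Id -eq $requestorId }
if (-not $member) {
    throw "Requestor1 ($requestorId) is not a member of group $groupId."
}
"Requestor1 is a member of 'Marketing resources'."

# 4. Confirm the assignment expires, as the policy's DurationInDays requires.
$assignment = Get-MgBetaEntitlementManagementAccessPackageAssignment `
    -Filter "accessPackage/id eq '$accessPackageId' and target/objectId eq '$requestorId' and assignmentState eq 'Delivered'"
$assignmentId = $assignment.Id
$expires = $assignment.Schedule.Expiration.EndDateTime
if (-not $expires) { throw "Assignment $assignmentId has no expiration; expected roughly 30 days." }
"Assignment $assignmentId expires $expires"
```

If the request ends in Denied, the signed-in account was not allowed to submit a UserAdd for this target under the policy; the policy created earlier only admits Requestor1 as a requestor.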
Step 5: Clean up the resources
In this step, remove the changes you made and delete the Marketing Campaign access package.
Remove an access package assignment
You must remove any assignments to the access package before you can delete it. Use the Id of the assignment request that you recorded to remove the assignment, and then delete the access package itself.
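Step 5 as an added example, not code from the original tutorial. It assumes $assignmentId, $accessPackageId, $groupId and $requestorId from the earlier steps. Rather than deleting the request object recorded in Step 3, it removes the assignment with an AdminRemove assignment request (the removal path the entitlement management API provides for administrators), waits until the package has no delivered assignments, and only then deletes the package; deleting a package that still has assignments fails.

```powershell
# Added example: remove the assignment, wait for it to be gone, delete the package.
# Assumes $assignmentId, $accessPackageId, $groupId, $requestorId.

# 1. Remove the assignment via an AdminRemove request that targets the assignment Id.
$removeRequest = New-MgBetaEntitlementManagementAccessPackageAssignmentRequest `
    -RequestType 'AdminRemove' `
    -AccessPackageAssignment @{ Id = $assignmentId }
"Removal request Id: $($removeRequest.Id)"

# 2. Removal is asynchronous. Wait until no delivered assignments remain on the package.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $remaining = @(Get-MgBetaEntitlementManagementAccessPackageAssignment -All `
        -Filter "accessPackage/id eq '$accessPackageId' and assignmentState eq 'Delivered'")
    "Delivered assignments remaining: $($remaining.Count)"
} until ($remaining.Count -eq 0 -or (Get-Date) -gt $deadline)
if ($remaining.Count -gt 0) {
    throw "Access package $accessPackageId still has $($remaining.Count) delivered assignment(s); not deleting it."
}

# 3. Confirm the access granted by the package is really gone before tearing down.
$stillMember = Get-MgGroupMember -GroupId $groupId -All | Where-Object { $_.Id -eq $requestorId }
if ($stillMember) {
    throw "Requestor1 is still a member of group $groupId; the assignment was not removed."
}

# 4. Delete the access package. Its policy and resource role scope are removed with it.
Remove-MgBetaEntitlementManagementAccessPackage -AccessPackageId $accessPackageId
"Deleted access package $accessPackageId"

# 5. Optional: remove the objects created in Step 1. Only uncomment these for the
#    group and user this tutorial created.
# Remove-MgGroup -GroupId $groupId
# Remove-MgUser  -UserId  $requestorId

Disconnect-MgGraph
```

The membership check in step 3 is the point of the whole cleanup: the package and its policy are bookkeeping, but a lingering group membership is real access, so verify it is gone independently of what the assignment state reports.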
When new employees or external users join your organization, assigning them the right access quickly is a must. Explore how entitlement management can grant users access to your sites and other resources.