แก้ไข

แชร์ผ่าน


Request access package on-behalf-of other users (Preview)

Entitlement Management enables admins to create access packages to manage their organization’s resources. Admins can either directly assign users to an access package, or configure an access package policy that allows users and group members to request access. This option to create self-service processes is useful, especially as organizations scale and hire more employees. However, new employees joining an organization might not always know what they need access to, or how they can request access. In this case, a new employee would likely rely on their manager to guide them through the access request process.

Instead of having new employees navigate the request process, managers can request access packages for their employees, making onboarding faster and more seamless. To enable this functionality for managers, admins can select an option when setting up an access package policy that allows managers to request access on their employees' behalf.

Expanding self-service request flows to allow requests on behalf of employees ensures that users have timely access to necessary resources, and increases productivity.

Scenarios for managers requesting on behalf of employees

Imagine your organization hires hundreds of new employees each year, and you're being tasked with training new hires on IT processes, including how to request access for resources in My Access. Training sessions are only at the beginning of each month, so managers of new hires who start later in the month often reach out for ad-hoc training. This is becoming increasingly common.

Instead of conducting numerous ad-hoc training sessions to ensure new hires know how to request access in their first week or weeks at the organization, you can set up access package policies that allow managers to request access on behalf of their employees.

Screenshot of request on behalf of options.

Now, managers are empowered to request access on behalf of new hires who haven't gone through the IT training. This ensures that employees have the tools and resources necessary to start on day one, and increases new hire satisfaction as they don’t need to wait for access or navigate the request process on their own.

Prerequisites

Using this feature requires Microsoft Entra ID Governance or Microsoft Entra Suite licenses. To find the right license for your requirements, see Microsoft Entra ID Governance licensing fundamentals.

Configure an access package policy allowing on behalf of requests

Follow these steps to edit the policies, allowing on behalf of requests, for an existing access package:

  1. Sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator.

  2. Browse to Identity governance > Entitlement management > Access packages.

  3. Select the access package you want to set up for on behalf of requests.

  4. Select the policy you wish to edit or create a new policy.

  5. On the Requests tab, set Enable new requests to Yes. This should show you the option Allow managers to request on behalf of employees (preview). Set that option to Yes.
    Screenshot of editing an access package;s request on behalf of policy.

  6. Save your policy.

Request an access package on behalf of an employee

As a manager, you can request an access package for a direct report by doing the following steps:

  1. Sign in to the My Access portal at https://myaccess.microsoft.com. For US Government, the domain in the My Access portal link is myaccess.microsoft.us.

  2. On the My Access Portal page, select Access packages.

  3. On the Access packages page, locate the access package you want to request for a direct report and select Request.

  4. On the Request pane under Request details select requesting for Someone else. Screenshot of manager requesting access package for direct employee.

  5. Fill in additional information needed to request an access package for the direct report. Screenshot of justification questions for requesting an access package for a direct report.

  6. Select Submit request.

Approve access on behalf of employee requested by manager

When a manager requests an access package on behalf of their employee, you'd do the following steps to approve access:

  1. Sign in to the My Access portal at https://myaccess.microsoft.com. For US Government, the domain in the My Access portal link is myaccess.microsoft.us.

  2. In the left menu, select Approvals to see a list of access requests pending approval.

  3. On the Pending tab, find the request. Screenshot of the pending approval requests in my access.

  4. Either approve, or deny, the request on behalf of the employee.

Next steps