Azure AD Entitlement Management

Hi all,

Today’s post I will be discovering possibilities with Entitlement Management from Azure AD.

First you have to understand that this solution isn’t a complete Identity and Access Management product (IAM) If you are looking for these, please see Identity Governance Solutions | One Identity or Lifecycle Management and App Provisioning Software | Okta

And then to Azure AD Entitlement Management.

What it can do.

  • Delegate to non-administrators the ability to create access packages. These access packages contain resources that users can request, and the delegated access package managers can define policies with rules for which users can request, who must approve their access, and when access expires.
  • Select connected organizations whose users can request access. When a user who is not yet in your directory requests access, and is approved, they are automatically invited into your directory and assigned access. When their access expires, if they have no other access package assignments, their B2B account in your directory can be automatically removed.

The concept is that you will make Catalogs that contain the following:

Resources to be published



Access Packages for the resources


And the Catalog owner

With Access Packages you can give user permission for the following resources.

  • Membership of Azure AD security groups
  • Membership of Microsoft 365 Groups and Teams
  • Assignment to Azure AD enterprise applications, including SaaS applications and custom-integrated applications that support federation/single sign-on and/or provisioning
  • Membership of SharePoint Online sites


  • You can give users licenses for Microsoft 365 by using an Azure AD security group in an access package and configuring group-based licensing for that group.
  • You can give users access to manage Azure resources by using an Azure AD security group in an access package and creating an Azure role assignment for that group.
  • You can give users access to manage Azure AD roles by using groups assignable to Azure AD roles in an access package and assigning an Azure AD role to that group.

So there is many possibilities with this product inside Microsoft environment and third-party products that rely on your Cloud Identity. For example you can use dynamics groups for your needs. I wrote a blog about Dynamic Groups and using them to automate user rights and policies Azure Dynamic Groups and how to use Extended attribute.

You also have Lifecycle Management for external users that had their access revoked.

When you start adding Connected Organizations, you will see two options.

Proposed and Configured, these are the differences between these.

Configured org has full federation to access packages that you have made. And these organizations will be available in all target.

Proposed means that you created it on your end, but other end didn’t yet approve or configure it at their end.

When you add a domain to the list that don’t have Azure AD, it will show that OTP is used, you can change this authentication type later.

But when you add an organization that has Azure AD (like mine), it will show Azure Ad in the authentication type.

Then you can add sponsors (It’s optional). Sponsors are user inside the org or external users that already have access to the environment.

You can give them permissions to accept new users request for resources inside your organization.

And then inside the access package there is more settings for policies and also for access reviews.

In the initial policy you can set options for access reviews and user the organizational connection that was made in the previous part.

Request can be approved from inside or externally. Here where the sponsors have their say (if you added them in the previous steps) or can be only assigned by the admin.

Sponsors can be reviewers for the assigned groups and keep it up-to-date. 

So when you choose “in your directory”

When you choose “Require approval” you will be presented with another options for approval stages

And if that first approver didn’t react, you can flow the request to a second one.

And users NOT in your organization you will use the sponsors.

Internal or external, but again because it was optional you may not have them. You can also choose approvers from your directory.

And then in the life cycle, you can choose access package expiration and how often to require Access Reviews.

And finally on the reports page you can see reports based on access package.

There you go, that was Entitlement Management. Really nice tool to share info Azure B2B style. It offers easy and governed access to company predefined resource. Looking good Microsoft, looking good.

More info here

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *