Simplify Resource Access with Entra Access Packages
About
Authored by one of our 3rd Line Service Engineers, Curtis Cannon, this blog was originally posted on his website https://traversecloud.co.uk/.
Curtis has kindly given us permission to repost this article on our blog for you to enjoy.
Please do visit Curtis’ website for more articles and help guides just like this one.
What are Entra Access Packages
Access Packages are one of the several tools available within the Identity Governance section of Microsoft Entra. This is a tool that can be used to bundle together a variety of groups, applications, and SharePoint sites and then give users in your organisation the ability to request access to this bundle.
Reviewing the requests for access can then be delegated to other members of your organisation so you can offload the task of providing access to resources and free up some of the administrator’s valuable time.
Access Packages can also be used to automate the process of inviting external accounts to become guests of your organisation’s tenant, making this a very efficient way of managing your collaboration with external organisations. Not only that, but you can configure the access package to revoke access to the resources after a set period of time and even remove the guest accounts once they no longer have access, cleaning up accounts that are no longer required.
The Access Packages blade can be found in the Microsoft Entra ID portal under Identity Governance > Entitlement Management > Access Packages
https://entra.microsoft.com/#view/Microsoft_AAD_ERM/DashboardBlade/~/elmEntitlement?Microsoft_AAD_IAM_legacyAADRedirect=true
What is required to use Access Packages?
Access Packages are not included in the Free tier of Entra ID; to use this feature you will need either a Microsoft Entra ID P2 license or the Microsoft Entra ID Governance add-on license.
The Access Packages features fall under the Entitlement Management features of the governance licensing model. Microsoft Entra ID P2 gives you access to the basic features of Access Packages (everything within this guide can be accomplished with P2 licensing); however, the more advanced features require the Microsoft Entra ID Governance add-on license.
Feature | Free | Microsoft Entra ID P1 | Microsoft Entra ID P2 | Microsoft Entra ID Governance
Entitlement management – Basic entitlement management | | | x | x
Entitlement management – Conditional Access Scoping | | | x | x
Entitlement management – MyAccess Search | | | x | x
Entitlement management with Verified ID | | | | x
Entitlement management + Custom Extensions (Logic Apps) | | | | x
Entitlement management + Auto Assignment Policies | | | | x
Entitlement management – Directly Assign Any User (Preview) | | | | x
Entitlement management – Guest Conversion API | | | | x
Entitlement management – Grace Period (Preview) | | | x | x
My Access portal | | | x | x
Entitlement management – Sponsors Policy (Preview) | | | | x
As for the number of licenses you will need, this depends on the scenario. Simply put, all users that will require the ability to request access to an Access Package should be licensed. Meaning if you have an organisation of 1000 users and you would like a department of 300 users to be able to request access to these packages, you will require a total of 300 licenses.
Something to consider is that currently there are no licensing requirements in Entra ID Governance for Guest user accounts (this is subject to change however). Meaning you currently do not need to license the guest accounts that are being added to resources using an Access Package. However, this is currently being worked on by Microsoft, and a new monthly usage based Governance License for Guest accounts is expected to be released in Spring 2024.
More information on the licensing model for Identity Governance can be found on Microsoft’s page: https://learn.microsoft.com/en-us/entra/id-governance/licensing-fundamentals
Setting up a New Access Package
The first step in setting up your access package is deciding what you would like to allow users to request access to. This step is very important to making efficient Access Packages: while you could let users request access to a single resource, more often than not there will be other resources tied to it that the user would also require in order to accomplish their tasks.
Therefore, you need to consider how these tie together and then add them to the same access package so, once requested and approved, they do not need to request even more access to accomplish the one task.
An example of this could be access to document libraries within a SharePoint site. While some sites do simply use the built-in Owners, Members, and Visitors groups, often for larger sites with many document libraries, access to each library is separated by group membership. Therefore, you will need to consider what your package is intended to give access to within the site, and add all groups that the user would require.
Once you have made a decision on how to group together your resources into an access package you can get started. To do this, go to the Access Packages page in the Entra ID Portal and select New Access Package.
You will first be prompted to enter a Name and a description for your Access Package, once more it is fairly important that you provide a clear description of what this package will provide access to as this will be seen by those that have the option to request access.
At this stage you can also add this package to a Catalog. This is essentially a tag used to categorise your packages so that you can group them together and delegate management. It is worth creating a Catalog when starting to create packages for resources so that you can add them to future packages you create. To do this, select ‘Create new catalog’ at the bottom of this page, then fill in the details.
From here, you can also choose to disable the Catalog, which will prevent all packages in the catalog from being requestable by users. You can also disable the Catalog just for external users, which will prevent users outside of your organisation from requesting access to the related packages.
You can create and manage your Catalogs prior to making your Access Package from the Entra ID Portal by going to Identity Governance > Entitlement Management > Catalogs. From here, you can assign resources (Groups, Apps, and Sites) to the catalog so that they are ready for you to use in later Access Packages
The next step on the Access Package is to select the resources you want to be available in the package. This can either be a Group/Team, Enterprise Application, or SharePoint site. If you have already configured the Catalog that was selected at the start of the process, the resources assigned to that Catalog will be displayed for you to quickly select.
When you select ‘+Group and Teams’ or ‘+Applications’ you will be presented with the same search section. This displays all Users, Groups, Devices, Applications, and Administrative units assigned to the Catalog, and you can filter by resource type to find exactly what you are looking for.
If the resource you are looking for is not assigned to the package’s Catalog it will not be listed initially. To view all available resources, select the check box above the search bar; you will then be able to select any Group or Application that is available on the tenant (please note you need to have access to the resource yourself to add it to an Access Package).
If you select to add a SharePoint site you will be shown a different search section, this one will either list the sites already included in the Catalog, or you can search and select all sites within your tenant.
In this example I will be granting access to 2 Document Libraries in a SharePoint site which is managed via a security group, this group was already assigned to the Catalog so it is displayed in the list without having to search all Resources.
Make sure only to select the resources you want to be made available with your current Access Package; if you want to set up access to additional resources in the same catalog you will have to create a new Access Package.
Requests
Now that the resources have been selected you can configure the request policy that is applied to them. This determines the process that end users will follow when requesting access via this package.
To start off with there are 3 options you can select from which will decide who within your organisation can request access using the current Package, the 3 options you get are as follows:
For users in your directory
This selection is used to allow you to assign the package to any users within your directory already, this includes Guest accounts that have already been created. This option basically restricts the ability to add and create new guest accounts through the package.
When this option is selected, you can then proceed with selecting who will be able to request access to this resource. You will be presented with 3 options, which will be to select specific groups of users that can request access, to select all users but not include any Guest accounts, and finally to include all users, including existing guest accounts (not new guest accounts)
For users not in your directory
This selection is used to allow users from other organisations to request access to the Access Package instead of your internal users, meaning if you would like Guest accounts to be created using the policy, you will have to select this option.
When this option is selected, you can then proceed to select who will be able to request access to this resource. This time you will be presented with the option to specify a connected organisation, this is an organisation that your organisation has a relationship with and is able to share resources with. These can be added in the ‘Connected Organisations’ tab in Entitlement Management.
You can also select to allow access to all Connected Organisations, and finally, all Connected Organisations as well as any new guest accounts from organisations you have not listed.
None (Administrator direct assignment only)
This option removes the ability to request access to the package for end users, instead the resources in the package can only be assigned directly to chosen users by an administrator. Useful if you are looking to assign temporary administrator roles using an Access Package
Approvals
Once you have selected who it is that can access the new resource package, you can move on to configuring your approval settings. When approvals have been configured, a user will have to send a request in order to use an Access Package, and therefore it is strongly advised when using these packages to share resources with external organisations. Approvals are not compulsory, unless you have selected to allow access to ‘All Users (All connected organisations + Any new external users)’, at which point you have to have an approval policy in place (to avoid just anyone gaining access to your company resource).
When starting to configure your approval settings, you will be presented with various options:
- Require Approval
This is a simple yes/no option to enable the approval process.
- Require Justification
Enabling this option will require the user that is requesting access to the package to provide some justification for gaining access. While not necessary, I would strongly advise using this as it requires the end user to think about why they are asking for access.
- How many stages
Here you can select between 1 and 3 stages of approval. If more than one stage of approval is selected, the request will go through the approvers sequentially. All approvers must accept the request in order for access to be given, meaning if one rejects the request, then access is denied.
If enabled, you can then move on to selecting the approvers for this Access Package. For each stage, you can select from one of various options which will depend on the options you have selected in the Request options. The options that will be available are as follows:
- Manager as approver
This option will send the approval message to the requesting user’s manager. It can only be selected when you have chosen to provide access to this package to internal users only, and it can only be selected as the first stage of approval. Something to consider is that this option uses the ‘Manager’ attribute from the user’s account, meaning if this field is not filled in, there will not be an approver to send this to.
- External Sponsor
An external sponsor is a trusted individual from the connected organisation that can approve the access request. For this option to be used, the Connected Organisation must have an External Sponsor added in the Connected Organisation page (this also requires them to be added as a guest in your tenant prior to creating the Access Package).
This option can be used as the first stage approval for any request that includes users outside of your organisation.
- Internal Sponsor
An internal sponsor is a trusted individual from within your organisation that manages the relationship between your organisation and the Connected Organisation. For this option to be used, the Connected Organisation must have an Internal Sponsor added in the Connected Organisation page. This option can be used as the 1st approval step in 1 or 2 step approvals and the 2nd step in 3 step approvals.
- Chosen Specific Sponsor
This option simply allows you to identify a user that the approvals will be sent to. The selected user account has to be listed in your directory already; however, you can use Guest accounts as approvers with this option. This can be selected at any approval stage for any form of approval.
For each stage of approval, there are also some additional settings that are available. The first is to select a Fallback Approver, this is essentially a specified user account that the approval request will be sent to if the selected approver cannot be found. This selection is compulsory for all approval options except for ‘Chosen Specific Approvers’. This is so that there is a fallback option should the chosen field not exist (the manager field for a user account being blank or the external sponsor for a Connected Organisation not being listed, for example)
The next option is how long the approval step will wait before rejecting the request by default, this option can be a maximum of 14 days and will require the approver to accept or reject the access request within the specified amount of days. If the approver does not accept or reject the request within the time frame, it will be rejected by default (unless an alternate approver is selected, see below for more info)
You then have the option to require the approver to provide justification as to why they have accepted or rejected the approval request. I would recommend using this option for all but the last step in approvals with multiple steps. This is so that the next stage approver can see why the previous step was accepted if it is passed on, and it will also show in the reports why the user in question was granted access.
Finally, you have a ‘Show advanced request settings’ selection and by expanding this, you will be able to configure an ‘Alternate Approver’ for the request. This approver is then used if the selected approver for this step does not respond within the given time frame, allowing another chance for this to go through if it was missed. You can then also specify the time frame in which this approval can be completed. Should this not be done, then the request is automatically rejected.
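To make the stage settings above concrete, here is a small constructed model of how a multi-stage approval is evaluated: the configured approver is resolved (falling back to the Fallback Approver when the Manager attribute is blank or a sponsor is not listed), each stage has a response window of at most 14 days, a missed window hands the request to the Alternate Approver for its own window, and any denial or time-out rejects the whole request. This is added example code written for this article, not Microsoft’s implementation or code from the original post; the class names, the approver kinds and the sample mailboxes are assumptions constructed for illustration.

```python
# Constructed model of the approval flow described in this section (example code,
# not Microsoft's implementation). Approver kinds, fallback/alternate approvers and
# the 14-day limit follow the guide; the names and sample data are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Stage:
    approver_kind: str                        # "manager", "external_sponsor", "internal_sponsor" or "specific"
    specific_approver: Optional[str] = None   # used only when approver_kind == "specific"
    fallback_approver: Optional[str] = None   # compulsory for every kind except "specific"
    timeout_days: int = 14                    # the portal allows at most 14 days per stage
    alternate_approver: Optional[str] = None  # advanced setting: used if the primary does not respond
    alternate_timeout_days: int = 0           # window given to the alternate approver

@dataclass
class Request:
    requester: str
    manager: Optional[str]                    # the account's 'Manager' attribute; may be blank
    submitted: datetime
    decisions: dict = field(default_factory=dict)  # approver -> (decided_at, approved: bool)

def validate_stage(stage: Stage, number: int) -> None:
    if not 1 <= stage.timeout_days <= 14:
        raise ValueError("approval timeout must be between 1 and 14 days")
    if stage.approver_kind != "specific" and not stage.fallback_approver:
        raise ValueError(f"{stage.approver_kind} stage needs a fallback approver")
    if stage.approver_kind == "manager" and number != 1:
        raise ValueError("manager approval is only available as the first stage")

def resolve_approver(stage: Stage, request: Request, sponsors: dict) -> Optional[str]:
    """Who receives the request for this stage. When the configured approver cannot be
    found (blank manager attribute, sponsor not listed) the fallback approver is used."""
    if stage.approver_kind == "specific":
        return stage.specific_approver
    candidate = {
        "manager": request.manager,
        "external_sponsor": sponsors.get("external"),
        "internal_sponsor": sponsors.get("internal"),
    }.get(stage.approver_kind)
    return candidate or stage.fallback_approver

def run_stage(stage, request, sponsors, stage_start):
    """Return (outcome, time) with outcome 'approved', 'denied' or 'timed_out'."""
    approver = resolve_approver(stage, request, sponsors)
    deadline = stage_start + timedelta(days=stage.timeout_days)
    decision = request.decisions.get(approver)
    if decision and decision[0] <= deadline:
        return ("approved" if decision[1] else "denied"), decision[0]
    if stage.alternate_approver:
        # Primary approver missed the window: the alternate gets its own window,
        # after which the request is rejected automatically.
        alt_deadline = deadline + timedelta(days=stage.alternate_timeout_days)
        alt = request.decisions.get(stage.alternate_approver)
        if alt and alt[0] <= alt_deadline:
            return ("approved" if alt[1] else "denied"), alt[0]
        return "timed_out", alt_deadline
    return "timed_out", deadline

def evaluate(stages, request, sponsors=None) -> str:
    """Stages run one after another; the first denial or time-out rejects the request."""
    if not 1 <= len(stages) <= 3:
        raise ValueError("between 1 and 3 approval stages are supported")
    sponsors = sponsors or {}
    clock = request.submitted
    for number, stage in enumerate(stages, start=1):
        validate_stage(stage, number)
        outcome, clock = run_stage(stage, request, sponsors, clock)
        if outcome != "approved":
            return f"rejected at stage {number} ({outcome})"
    return "approved"

# Constructed sample policy: manager approval with a fallback, then a named data
# owner with a deputy as alternate approver (3 extra days).
SAMPLE_STAGES = [
    Stage("manager", fallback_approver="it-admin@example.com"),
    Stage("specific", specific_approver="data-owner@example.com",
          alternate_approver="deputy@example.com", alternate_timeout_days=3),
]

def demo() -> dict:
    submitted = datetime(2024, 3, 1)
    # Blank manager attribute: stage 1 goes to the fallback approver.
    no_manager = Request("alice@example.com", None, submitted, {
        "it-admin@example.com": (datetime(2024, 3, 2), True),
        "data-owner@example.com": (datetime(2024, 3, 5), True)})
    # Nobody in stage 2 responds, not even the deputy: rejected on time-out.
    ignored = Request("bob@example.com", "bob.manager@example.com", submitted, {
        "bob.manager@example.com": (datetime(2024, 3, 3), True)})
    # The data owner misses the 14-day window; the deputy denies within the extra 3 days.
    deputy_denies = Request("carol@example.com", "carol.manager@example.com", submitted, {
        "carol.manager@example.com": (datetime(2024, 3, 3), True),
        "deputy@example.com": (datetime(2024, 3, 19), False)})
    return {"no_manager": evaluate(SAMPLE_STAGES, no_manager),
            "ignored": evaluate(SAMPLE_STAGES, ignored),
            "deputy_denies": evaluate(SAMPLE_STAGES, deputy_denies)}
```

Running `demo()` shows the three behaviours worth remembering when reviewing a policy: a blank Manager attribute silently routes to the fallback approver, an unanswered stage with an alternate approver still ends in rejection once the second window passes, and a sequential chain stops at the first denial.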
Once the approvers have been selected (if any) you then have the option to enable or disable new requests for this Access Package. This will allow you to keep the Access Package in place but prevent new user accounts from gaining access using it, allowing you to effectively modify the package or prepare to remove the package without disrupting users already using it.
The final step available on this page is to use Verified IDs as a part of the request. This is a feature only available with a full Microsoft Entra ID Governance license and therefore will not be included in this guide. However, it essentially requires the requester to provide documents and forms of identification that you have specified. This can be a very useful feature if you are planning on using Access Packages as a part of a user onboarding process.
More information regarding Verified IDs can be found on Microsoft’s website:
Requester Information
The next step in the process is to specify any questions or information that you have for the user requesting access to the resource. This is so that you can collect data that you may require in order to verify whether or not the approver should be granting access via this package, or to fill in user attributes once access has been granted so that the account then shows in relevant searches and/or Dynamic groups.
You can ask any question you would like in this step by entering it into the Question box, if you are expecting that this resource may be requested by users that are in different languages to yours you can use the add Localisation option, which will then allow you to specify other languages and enter the relevant text for that language. When a user with language settings matching the localisation you have added views the questions, the alternate text will be displayed.
There are 3 different answer formats being short text, Long Text, and Multiple Choice answers. For short and long text options the user will be presented with a text box in which to type. The multiple choice option will add an ‘Edit and localise’ option, this will allow you to add your possible answers as well as the same answers in different languages that you select. If you have selected multiple languages, then only the answers in the language set in the user’s language settings will be displayed.
You can also set the question to require an answer from the end user when completing their request, if this option is not selected, then the end user can choose not to answer the question and can still submit the request. If the option is selected, they will have to enter an answer of some kind before they can submit the request.
The Attributes section is not something that can be adjusted from the Access Package page; these are attributes that you have listed as required when adding resources to the selected Catalog. In the Catalog you can specify attributes that would be required on user accounts that have access to that resource. The requester can then fill in that information upon making the request for access, and the answer will be saved back to the respective user account once access is granted.
This can be particularly helpful when enrolling new guest accounts via the Access Package, as you can fill out some important information regarding the guest user and the organisation they are from so you can better categorise and manage your guest accounts later.
Lifecycle
The Lifecycle options can be used to determine how long the package can be used for, either for all users accessing via this package or on an individual basis. You can choose to have the entire package expire on a particular date, have the user’s access to the package expire after a number of days or hours, or finally, set the package to never expire.
You can then enable the option for the end user to specify a custom timeline for their request. This will allow all the end users to provide a date and time at which they will need access to the resources to start. In doing so, if and when the access is approved (if approvals are in place) the access to the resources in the package will not be added until the time the user has specified. The user cannot however specify an end time that extends further than the number of days or hours that you have set in the policy.
Under ‘Advanced Expiration Options’ you can enable the option to allow the end user to extend their access to the resources granted within the Access Package (this is done from the My Access page). The follow up option for this is to require an additional approval process to be followed upon the user asking for extended access, which will go through the same approval process as listed in the Access Package. If this is granted, then access will be granted again, the timeline for which will start from the date the extension approval went through.
The final option on this page is to add an Access Review for this Access Package, this step may not be necessary unless you select the ‘Never’ expiration option, as the access will be removed after the specified time frame regardless. And it can also be skipped if you already have access reviews configured for the resources that are being provided in this package. However, it can be useful to configure a review for all of the resources being provided in one go.
For more information on configuring Access Reviews, please use the following link:
https://traversecloud.co.uk/delegate-group-membership-reviews-with-access-reviews-in-entra/
Once your lifecycle settings are in place, you are ready to review and create your policy. There is an additional step for Custom Extensions which would allow you to start workflows from specific triggers however, that will not be covered in this guide.
One thing to look out for before you press ‘Create’ on your Access Package is to make sure you are not missing any required fields. You will be prompted to fill them in before the package can be created; however, there appears to be a bug currently where the error message saying you need to correct some settings will not clear even after they have been corrected, preventing you from completing the process. Not a game changing issue, but it can be annoying to have to recreate an intricate Access Package from scratch because of this.
Sharing with External Accounts
If you have created an Access Package that external organisations can also use to request access to a resource, then you will have to make a slight consideration. While users within your organisation and Connected Organisations will be able to see the resource package and request access from their My Access page (as long as it is assigned to them) by default, you may not want this to be the case.
The workaround for this is to hide the access package, this can be done from the Access Package Overview page, select Edit at the top of the page, and this will reveal a ‘Hidden’ slider. By default this is set to ‘No’ meaning all assigned users can see the package. However, if you change this to ‘Yes’, it will hide this package from the My Access page and prevent users from requesting access freely.
If the package is hidden, you will then have to provide users you do want to be able to access with a link to the package so that they can request access. To do this, copy the ‘My Access Portal Link’ from the Access Package Overview page and share this with those you want to be able to request access. This link will take them directly to the Access Package so they can complete the request accordingly.
This is particularly useful for sharing access packages with Connected Organisations so that the package does not show up for all users in their directory, only those that have the shared link which you can provide to the External Sponsor to give out to those that need it.
Direct Assignments
From the assignments page, you can also add direct assignments to the resource package. This allows administrators to add users that are not included in the request policy to the Access Package directly and provide access to its resources. This method is required in order to add users that are neither in your own directory nor in the directory of a listed Connected Organisation.
If you choose to add an assignment directly, you will be asked to select a policy to enroll them under (you can also choose to create a new policy), you will then be asked for some information, which includes the user’s name and email (this information will be used to create the guest account in your tenant). From here, you can choose to bypass the approval process (if this is being added by a trusted user, for example), provide a time frame for the access to occur (lifecycle policies will still apply here) and also provide justification for the access.
If there are questions that need to be answered as part of the request, these can be viewed by selecting the ‘View and Edit user information’. Here you can answer the required questions and fill in the required attributes that would normally be done as part of the request process.
Once the required information has been filled in, you can select to add the assignment. If you have not chosen to bypass the approval process, this must first be approved at each step before further action is taken. If the assignment is approved, the user is then added to the Access Package and can access resources as required. If the user did not already have a Guest account within your directory, one is then created, and an invitation is sent to the user email you provided during the assignment configuration.
What the end user sees
Once the Access Package has been completed, users can start making requests through this package. Assuming that the package is not hidden, the assigned users can view the access package in the My Access portal (https://myaccess.microsoft.com/). From here they will see all access packages they have the ability to request through, as well as their Active and Expired access requests.
When the user first presses the ‘Request’ option they are presented with the details of the Access Package that they are about to request access to, which will include the description of the package, as well as the resources included in the package and their descriptions (which is why it’s important to give groups a relevant description).
If the user in question decides to select ‘Continue’ to request access to the resource(s), they will then be prompted to fill out the questions that were configured in the requester information section, complete any attribute fields that are linked to any of the resources in the package, and also provide justification if you have chosen for this to be required.
Once the information has been provided the user can submit their request. If Approvals for this package have been enabled, an approval request will be sent to the designated approver, and the user will be notified that their request is being processed. If no approval is required, the user will be granted access to the resources included.
If the approval process went through successfully and access to the resource was approved, the user will be able to view this from their My Access page. If no specific date was provided, this Access Package will be shown under Access Packages > Active. If a time frame was specified and the date has not yet been reached, this will instead show under Request History, where it will show the status as ‘Scheduled’. The user can then check what date this will be active by selecting ‘View’ and find the scheduled time under history.
If the Access Package has expired due to going over the time limit, the user can then send another request from their My Access > Access Packages > Expired page. From here, they can re-submit the access request, and this will go back through the approval process if this has been configured to require it.
What the approver sees
Once a request to an Access Package has been sent and it requires an approval to complete, the designated approver(s) will receive an email to suggest that action is required in order to grant or deny access to the resources. If the approver selects the ‘Approve or Deny’ link in the email, they are taken to the My Access > Approvals Page.
The approver can then choose to approve or deny each user from this page, or they can choose to review the information provided in the request. By selecting ‘Review’ they can then go through the Request details (which include the answers to the questions the user had to fill in), package details (which show the resources being requested), and the Approval History (which shows approval results and justifications from previous stages, if any).
Once reviewed, the approver can then select to either approve or deny the request and then enter a justification for their decision. Once done, the request will be handed onto the next approver in the process, or if this was the only approver, their decision will be actioned upon and either provide access or not.
The approver will then receive another notification email reporting the outcome of their approval, the details of which can be found in the My Access > Approvals page under History.
What happens next?
Once the Access Package is in place, the administrators can then proceed to add more request policies for this resource package. While the resources that are being issued with this package will stay the same, you will have the option to use a different option for the ‘Who can request access’ section, meaning you can create a separate policy for both Internal and External user accounts if you want them to be processed differently (for example, different approvers and lifecycles). To do this, go to your Access Package and select ‘Add Policy’.
From here, you will be able to go through and create another new policy and setup different request, requester information, lifecycle and custom extension settings to fit the additional requirements.
Administrators can view all of the assignments that have been issued using an Access Package from within the Access Package > Assignments page. From here, an administrator can check who has been given access to the selected resources using the configured package, what policy was used to provide that access, and when the access ends (if ever). This page will also allow you to export a report of all of the assignments that have been issued using the download option.
From the assignments page, you can also extend the access for the assignments that have now expired so that they do not have to submit a request for this, reprocess an assignment which will start the approval process again and ask them to submit answers to the required questions, and also remove assignments manually from the Access Package. Finally, you can export a list of the assignments that have been issued via this Access Package for reporting purposes.
If you select one of the assignments, you will then be able to view more information related to it, such as who approved the assignment, when the assignment starts and ends, and the assignment history.
From the requests page, you can view the history of requests made using this Access Package, which will include who requested the access, the date in which they requested access, which policy they were processed by, and what the current status is. The status will tell you if the request has been approved (marked as delivered or scheduled), was rejected (marked as rejected), is currently being processed (marked as pending), or if it was cancelled by the user (marked as cancelled).
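The lifecycle rules described earlier (a requested start date defers access, a custom end date can never exceed the policy’s duration, an approved extension restarts the clock) and the review an administrator performs on the Assignments and Requests pages lend themselves to a small worked example. The following is added example code written for this article, not Microsoft’s code or anything from the original post; the record fields, status strings and sample users are constructed assumptions and do not represent the portal’s export format.

```python
# Constructed helpers for the lifecycle rules and the Assignments/Requests pages
# described in this guide (example code, not Microsoft's; the record fields and
# status names below are assumptions, not the portal's export format).
from datetime import datetime, timedelta
from typing import Optional, Tuple

def assignment_window(policy_hours: Optional[int], approved_at: datetime,
                      requested_start: Optional[datetime] = None,
                      requested_end: Optional[datetime] = None
                      ) -> Tuple[datetime, Optional[datetime]]:
    """Start/end of access once approved. Access begins at the requester's chosen
    start if that is later than approval; policy_hours=None models the 'Never'
    option; a requested end can shorten access but never exceed start + duration."""
    start = approved_at if requested_start is None else max(approved_at, requested_start)
    if policy_hours is None:
        return start, None
    cap = start + timedelta(hours=policy_hours)
    if requested_end is not None and requested_end < cap:
        return start, requested_end
    return start, cap

def extend(policy_hours: Optional[int], extension_approved_at: datetime):
    """An approved extension restarts the clock from the date the extension was approved."""
    return assignment_window(policy_hours, extension_approved_at)

# Request statuses as the guide describes them on the Requests page.
REQUEST_STATUS_MEANING = {
    "delivered": "approved, access granted",
    "scheduled": "approved, start date not yet reached",
    "rejected": "rejected by an approver",
    "pending": "still being processed",
    "cancelled": "cancelled by the requester",
}

def audit_assignments(assignments, now: datetime, soon_days: int = 7):
    """Review the assignment list the way an administrator would on the Assignments
    page: never-expiring access (a candidate for an access review), expired access
    that should be removed or extended, and access that ends soon."""
    findings = []
    for a in assignments:
        end = a["end"]
        if end is None:
            findings.append((a["user"], a["policy"], "never expires: cover with an access review"))
        elif end <= now:
            findings.append((a["user"], a["policy"], "expired: remove or extend"))
        elif end <= now + timedelta(days=soon_days):
            findings.append((a["user"], a["policy"], f"ends within {soon_days} days"))
    return findings

def assignments_by_policy(assignments) -> dict:
    """How many assignments each request policy has granted (internal vs external, say)."""
    counts = {}
    for a in assignments:
        counts[a["policy"]] = counts.get(a["policy"], 0) + 1
    return counts

# Constructed sample records: user, the policy that granted access, end of access.
NOW = datetime(2024, 3, 20)
SAMPLE_ASSIGNMENTS = [
    {"user": "alice@example.com", "policy": "Internal staff", "end": datetime(2024, 6, 1)},
    {"user": "partner@example.net", "policy": "Connected organisations", "end": None},
    {"user": "bob@example.com", "policy": "Internal staff", "end": datetime(2024, 3, 10)},
    {"user": "carol@example.com", "policy": "Internal staff", "end": datetime(2024, 3, 24)},
]

def demo() -> dict:
    # 30-day policy (720 hours): requester asks to start on 4 March and run to 1 May;
    # the end is capped at 30 days after the deferred start.
    start, end = assignment_window(720, datetime(2024, 3, 1, 10),
                                   datetime(2024, 3, 4, 9), datetime(2024, 5, 1))
    _, extended_end = extend(720, datetime(2024, 4, 2, 12))
    return {
        "start": start.isoformat(),
        "end": end.isoformat(),
        "extended_end": extended_end.isoformat(),
        "never": assignment_window(None, NOW)[1],
        "findings": audit_assignments(SAMPLE_ASSIGNMENTS, NOW),
        "by_policy": assignments_by_policy(SAMPLE_ASSIGNMENTS),
        "pending_means": REQUEST_STATUS_MEANING["pending"],
    }
```

The audit deliberately treats a never-expiring assignment as a finding rather than an error: the guide’s advice is that the ‘Never’ option is exactly the case where an Access Review should be attached, so the report surfaces those assignments for a human decision.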
Summary
Overall I believe that Access Packages in Entra are a very powerful and flexible tool that, if used correctly, can streamline the process of providing access to your organisation’s resources without requiring additional administrative input, which in turn means administrators can focus their attention elsewhere.
I can see there being many different applications for the features discussed above, whether it be used for onboarding new staff members into departmental roles, granting time limited access to internal resources for external organisations, onboarding new users to your organisation, or even using it for license distribution.
Just like any other tool that allows you to delegate the task of granting access to resources, there is an element of care that needs to be taken when setting up Access Packages. You will need to ensure that you are not opening the door for internal or external users to access data that they are not meant to see. With that in mind I would always strongly recommend using the approval process whenever you can to ensure someone is checking the access being granted, and that the approvals are sent to someone who not only knows what data is being provided, but understands how access is being granted and the implications that can come with getting it wrong.
The features themselves are locked behind a minimum of Microsoft Entra ID P2 licensing (this in particular is included in Microsoft 365 E5). However, the Microsoft Entra ID Governance add-on license is slightly cheaper than its Entra ID P2 counterpart, so it could be justified to have a few of these available in your tenant to manage Guest user accounts, until the reveal of the new guest usage based licensing Microsoft have hinted at for Spring 2024.
About ADM
Founded in 1984, ADM Computing is Kent’s largest and longest established IT services company specialising in IT support services that help to reduce IT costs as well as improve network efficiency. We have a long history of charity work and won’t be slowing down any time soon!