Plan and Implement Identity Governance · 25-30% of exam

L15. Entitlement Management: Access Packages and Catalogs

Implement entitlement management for the SC-300: create access packages that bundle group memberships, app assignments, and SharePoint sites, configure catalogs for delegation, set up approval workflows, and manage access for internal and external users.

What Is Entitlement Management?

Entitlement management automates the access request, approval, and lifecycle process. Instead of having users request access to individual resources one by one, you bundle related resources into access packages that users can request through a self-service portal. Licensing: Entra ID P2 or Entra ID Governance add-on.

Key Components

Catalogs

A catalog is a container for related resources and access packages. Catalogs enable delegation: a catalog owner can manage the resources and policies within their catalog without needing Entra ID admin roles.
  • General catalog: Created by default, managed by Global Administrators
  • Custom catalogs: Created for specific departments, projects, or partner organizations

Resources

Resources that can be added to a catalog:
  • Entra ID security groups
  • Applications (enterprise apps)
  • SharePoint Online sites

Access Packages

An access package bundles resources from a catalog with policies that govern who can request, how requests are approved, and how long access lasts.

Access Package Policies

Each access package has one or more policies that define:

Setting             Description
Who can request     Internal users, specific groups, connected organizations, or all external users
Approval workflow   None, single-stage, or multi-stage with designated approvers
Access duration     Time-bound (e.g., 90 days) or permanent until review
Access reviews      Recurring recertification of access package assignments
Requestor info      Custom questions the requestor must answer

Exam tip: An access package can have multiple policies. A common pattern: one policy for internal employees (auto-approved) and a separate policy for external users (requires manager approval). Each policy targets a different requestor group.

Connected Organizations

Connected organizations represent external partner companies. When you create a connected organization, you link it to the partner's Entra ID tenant (or other identity provider). Users from connected organizations can then request access packages. Exam tip: Connected organizations are specifically used in entitlement management for external access. This is different from B2B cross-tenant access settings, which control collaboration at the tenant level.

Self-Service Request Portal

Users request access packages through the My Access portal (https://myaccess.microsoft.com):

  1. User browses available access packages
  2. User selects a package and submits a request
  3. The request follows the approval workflow defined in the policy
  4. If approved, access is automatically provisioned
  5. When access expires or is revoked, resources are automatically removed

Separation of Duties

Entitlement management supports incompatible access packages: you can mark two access packages as incompatible so that a user cannot hold both simultaneously. This enforces separation of duties without manual checking. Exam tip: Incompatible access packages are the entitlement management answer to separation of duties. If a question asks how to prevent a user from having two conflicting access sets, configure the packages as incompatible.
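As an added example (not part of this page and not Microsoft's code), the following Python model shows how the pieces above interact: a package's policies are matched by requestor scope, incompatible packages block a request before any approval runs, and the matching policy determines the approval stages and the expiry date. The package names, policies and users are constructed for illustration, and the real service evaluates more settings than this model does.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Policy:
    name: str
    scope: str                      # "internal" (member users) or "external" (connected-org users)
    approval_stages: int            # 0 = auto-approved, 1 = single-stage, 2+ = multi-stage
    duration_days: Optional[int]    # None = no expiration (removed only by an access review)

@dataclass
class AccessPackage:
    name: str
    policies: list
    incompatible_with: set = field(default_factory=set)  # packages a holder may not also hold

@dataclass
class Requestor:
    upn: str
    is_external: bool
    assignments: set = field(default_factory=set)  # package names currently held

def evaluate_request(pkg: AccessPackage, who: Requestor, today: date = date(2025, 1, 1)) -> dict:
    """Decide a request: SoD block, no matching policy, auto-provision, or pending approval."""
    conflicts = who.assignments & pkg.incompatible_with
    if conflicts:  # incompatible packages enforce separation of duties before approval starts
        return {"status": "rejected", "reason": "incompatible with " + ", ".join(sorted(conflicts))}
    scope = "external" if who.is_external else "internal"
    policy = next((p for p in pkg.policies if p.scope == scope), None)  # policy targeting this requestor
    if policy is None:
        return {"status": "rejected", "reason": "no policy targets this requestor"}
    expires = today + timedelta(days=policy.duration_days) if policy.duration_days else None
    status = "provisioned" if policy.approval_stages == 0 else "pending"  # pending = awaiting approvers
    return {"status": status, "policy": policy.name, "stages": policy.approval_stages, "expires": expires}

# Constructed sample: the two-policy pattern from the exam tip, plus mutually incompatible finance packages.
POLICIES = [Policy("Employees", "internal", 0, 90), Policy("Partners", "external", 1, 30)]
FINANCE_APPROVER = AccessPackage("Finance Approver", POLICIES, {"Finance Auditor"})
FINANCE_AUDITOR = AccessPackage("Finance Auditor", POLICIES, {"Finance Approver"})

if __name__ == "__main__":
    alice = Requestor("alice@contoso.example", False)                         # employee, auto-approved
    bob = Requestor("bob@partner.example", True)                              # connected-org user, 1 stage
    carol = Requestor("carol@contoso.example", False, {"Finance Approver"})   # already holds the conflicting package
    for who, pkg in [(alice, FINANCE_APPROVER), (bob, FINANCE_APPROVER), (carol, FINANCE_AUDITOR)]:
        print(who.upn, "->", pkg.name, evaluate_request(pkg, who))
```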

Custom Extensions

Access packages support custom extensions through Logic Apps. When an access package is assigned, renewed, or removed, a Logic App can be triggered to perform additional actions (e.g., create a mailbox, send a Teams notification, provision an account in a third-party system).

Exam Focus Points

  • Catalogs enable delegation: catalog owners can manage resources and policies without Entra ID admin roles
  • An access package can have multiple policies targeting different requestor groups with different approval workflows
  • Connected organizations link external partner tenants for access package requests
  • Incompatible access packages enforce separation of duties by preventing a user from holding conflicting access
  • Access packages can bundle groups, applications, and SharePoint sites into a single requestable unit
  • Custom extensions via Logic Apps allow additional automated actions when access packages are assigned or removed

Knowledge Check

1. A company needs to prevent a user from having both Finance Approver and Finance Auditor access packages simultaneously. How should this be configured?

2. What is the purpose of a catalog in entitlement management?

3. Where do users request access packages in the self-service portal?