Entitlement Management
Entitlement Management is an identity governance feature in Microsoft Entra ID Governance that enables organizations to manage identity and access lifecycles at scale by automating access request workflows, access assignments, reviews, and expiration.
Why Use Entitlement Management?
Organizations need to manage access to various resources — groups, applications, and SharePoint Online sites — to allow people to perform their jobs. Common challenges include:
- Hard to discover access: Difficult to know who has access to what resources
- Unclear approval processes: No clear owner to approve access requests
- Overstayed access: Access rights persist even after they are no longer needed
- External user complexity: Managing guest user invitations and access from partner organizations is cumbersome
Entitlement Management addresses these challenges. It supports both internal users and users from external organizations (B2B collaboration).
Key Capabilities
- Centrally govern access to groups, applications, Teams, SharePoint sites, SAP IAG access rights, and more
- Multi-stage approval with time-limited assignments and recurring access reviews
- Automatic assignment and removal of access based on changes to user attributes (e.g., department or cost center)
- Delegation of access package creation to non-administrators
- Support for access requests from external organizations (Connected Organizations), with automatic B2B account cleanup when access expires
Core Concepts
Access Package
An access package is a bundle of resources and access roles needed to work on a project or perform a task. Access packages must always reside within a catalog.
Supported resource types:
| Resource Type | Description |
|---|---|
| Microsoft Entra security groups | Group membership |
| Microsoft 365 Groups and Teams | Collaboration tool access |
| Enterprise applications | Assignments to SaaS or SSO-integrated apps |
| SharePoint Online sites | Site membership |
| API permissions (preview) | For agent IDs and service principals |
| SAP IAG business roles (preview) | SAP access rights |
Through Microsoft Entra security groups or Microsoft 365 Groups, you can also indirectly govern:
- Microsoft 365 licenses (via group-based licensing)
- Azure RBAC role assignments (via groups that hold the role assignments)
- Microsoft Entra roles (via role-assignable groups)
Because membership in such a group grants the underlying role, anyone who can approve requests for, or directly assign, an access package that contains it can effectively grant that Azure or Entra role. Keep these groups in a dedicated catalog with a small, explicitly chosen set of catalog owners, access package managers, and approvers.
Catalog
A catalog is a container for access packages. It serves as a delegation mechanism, allowing non-administrators to create their own access packages using resources they own.
| Privilege Level | Description |
|---|---|
| Standard | Catalog containing regular resources |
| Privileged | Catalog containing resources that grant elevated permissions |
Catalog owners can add other users as catalog co-owners or access package managers.
Policy
A policy is a set of rules that defines the access lifecycle. Policies are linked to access packages and control:
- Who can request access: Users, groups, or partner organization members
- Approval flow: Approvers and stages (up to 3 stages)
- Expiration: Duration of the access assignment
- Automatic assignment: Based on user attribute rules
A single access package can have multiple policies (e.g., one for internal users and one for external users).
Approval Workflow
Approval workflows can be configured on access request policies. Up to three stages of approval are supported.
Approver types:
- Manager as approver: The requestor's manager (resolved from the user's manager attribute at request time) is assigned as approver; a fallback approver must be configured for requestors whose manager cannot be resolved
- Sponsor: The internal or external sponsor recorded for the requestor's connected organization
- Specific user/group: Individually designated approvers, or the members of a designated group
Requestor
↓ (access request)
Stage 1 Approval (e.g., direct manager)
↓ (approved)
Stage 2 Approval (e.g., resource owner)
↓ (approved)
Stage 3 Approval (e.g., security reviewer)
↓ (approved)
Access assignment (with expiration)
Each stage has a timeout: if no approver acts within the configured number of days, the request is automatically denied. To reduce timeouts, a stage can be set to forward the request to alternate (escalation) approvers after a configurable number of days, and fallback approvers cover cases where the primary approver cannot be resolved (for example, a requestor with no manager set).
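As an added example (not from this page or from Microsoft), the following Python builds the Microsoft Graph v1.0 `accessPackageAssignmentPolicy` body that encodes the concepts in the two sections above: who may request, a two-stage approval chain with per-stage timeout and escalation, and a fixed expiration. It checks the body against the constraints discussed here before anything is sent. All object IDs are placeholders; `assignment_policy`, `approval_stage`, `validate_policy` and `create_policy` are helper names chosen for this example; and the validator's rules (for instance rejecting a manager approver that has no fallback, or a policy whose assignments never expire) are this example's own, not checks that Graph performs.

```python
"""Build and sanity-check a Microsoft Graph v1.0 accessPackageAssignmentPolicy.
Added example for this page, not Microsoft's code; all IDs are placeholders."""
import json
import re
import urllib.request

GRAPH_EM = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"
MAX_STAGES = 3  # entitlement management allows at most three approval stages
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_seconds(iso):
    """Parse the ISO 8601 durations Graph uses here (days/hours/minutes/seconds)."""
    m = _DUR.match(iso or "")
    if not m or not any(m.groups()):
        raise ValueError(f"invalid ISO 8601 duration: {iso!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

# subjectSet variants used for requestors and approvers
def single_user(user_id):
    return {"@odata.type": "#microsoft.graph.singleUser", "userId": user_id}

def group_members(group_id):
    return {"@odata.type": "#microsoft.graph.groupMembers", "groupId": group_id}

def requestor_manager(level=1):
    return {"@odata.type": "#microsoft.graph.requestorManager", "managerLevel": level}

def approval_stage(primary, *, fallback=(), deny_after="P14D",
                   escalate_after=None, escalation=(), justification=True):
    """One accessPackageApprovalStage: auto-deny after deny_after; optionally
    forward to escalation approvers after escalate_after."""
    stage = {
        "durationBeforeAutomaticDenial": deny_after,
        "isApproverJustificationRequired": justification,
        "isEscalationEnabled": escalate_after is not None,
        "primaryApprovers": list(primary),
        "fallbackPrimaryApprovers": list(fallback),
        "escalationApprovers": list(escalation),
        "fallbackEscalationApprovers": [],
    }
    if escalate_after is not None:
        stage["durationBeforeEscalation"] = escalate_after
    return stage

def assignment_policy(access_package_id, display_name, *, target_group_ids,
                      stages, expires_after="P90D"):
    """Policy body: members of target_group_ids may request; assignments expire."""
    return {
        "displayName": display_name,
        "description": "Created via Graph by assignment_policy() (example)",
        "allowedTargetScope": "specificDirectoryUsers",
        "specificAllowedTargets": [group_members(g) for g in target_group_ids],
        "expiration": {"type": "afterDuration", "duration": expires_after, "endDateTime": None},
        "requestorSettings": {
            "enableTargetsToSelfAddAccess": True, "enableTargetsToSelfUpdateAccess": False,
            "enableTargetsToSelfRemoveAccess": True, "allowCustomAssignmentSchedule": False,
            "enableOnBehalfRequestorsToAddAccess": False, "enableOnBehalfRequestorsToUpdateAccess": False,
            "enableOnBehalfRequestorsToRemoveAccess": False, "onBehalfRequestors": [],
        },
        "requestApprovalSettings": {"isApprovalRequiredForAdd": bool(stages),
                                    "isApprovalRequiredForUpdate": False, "stages": list(stages)},
        "accessPackage": {"id": access_package_id},
    }

def _check_duration(label, value, problems):
    try:
        return duration_seconds(value)
    except ValueError:
        problems.append(f"{label}: invalid duration {value!r}")
        return None

def validate_policy(policy):
    """Return a list of problems (empty = OK). These are this example's own
    pre-flight checks; Graph separately enforces its schema."""
    problems = []
    appr = policy["requestApprovalSettings"]
    stages = appr["stages"]
    if len(stages) > MAX_STAGES:
        problems.append(f"{len(stages)} stages; the maximum is {MAX_STAGES}")
    if appr["isApprovalRequiredForAdd"] and not stages:
        problems.append("approval required but no stages defined")
    if policy["allowedTargetScope"].startswith("specific") and not policy["specificAllowedTargets"]:
        problems.append("specific target scope but specificAllowedTargets is empty")
    exp = policy["expiration"]
    if exp["type"] == "noExpiration":
        problems.append("noExpiration: assignments would never be removed")
    elif exp["type"] == "afterDuration":
        _check_duration("expiration.duration", exp.get("duration"), problems)
    for i, st in enumerate(stages, 1):
        if not st["primaryApprovers"]:
            problems.append(f"stage {i}: no primary approvers")
        deny = _check_duration(f"stage {i} denial", st.get("durationBeforeAutomaticDenial"), problems)
        if st["isEscalationEnabled"]:
            esc = _check_duration(f"stage {i} escalation", st.get("durationBeforeEscalation"), problems)
            if esc is not None and deny is not None and esc >= deny:
                problems.append(f"stage {i}: escalation must happen before automatic denial")
            if not st["escalationApprovers"]:
                problems.append(f"stage {i}: escalation enabled with no escalation approvers")
        uses_manager = any(a["@odata.type"] == "#microsoft.graph.requestorManager"
                           for a in st["primaryApprovers"])
        if uses_manager and not st["fallbackPrimaryApprovers"]:
            problems.append(f"stage {i}: manager approver without fallback; requestors with no manager would stall")
    return problems

def create_policy(policy, access_token):
    """POST to Graph (needs EntitlementManagement.ReadWrite.All and a live tenant)."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(f"{GRAPH_EM}/assignmentPolicies", method="POST",
                                 data=json.dumps(policy).encode(),
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

SECURITY_TEAM = "00000000-0000-0000-0000-0000000000a1"  # placeholder group id
EXAMPLE_POLICY = assignment_policy(
    "00000000-0000-0000-0000-000000000001", "Finance project - employees",  # placeholder ids
    target_group_ids=["00000000-0000-0000-0000-000000000002"],
    stages=[approval_stage([requestor_manager()], fallback=[group_members(SECURITY_TEAM)],
                           deny_after="P7D", escalate_after="P3D", escalation=[group_members(SECURITY_TEAM)]),
            approval_stage([group_members(SECURITY_TEAM)], deny_after="P7D")],
    expires_after="P90D")

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_POLICY, indent=2))
    print(validate_policy(EXAMPLE_POLICY) or "policy passes checks")
```

Running the file prints the JSON body and the validation result; `create_policy` is only needed against a real tenant, with a token that carries `EntitlementManagement.ReadWrite.All`. The escalation-before-denial and manager-without-fallback checks are the two mistakes that most often leave requests stuck until the timeout denies them.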
Connected Organization
A connected organization is an external Microsoft Entra tenant or domain with which you have a defined relationship. Users from connected organizations can request access packages whose policies allow them. When a request is approved, the user is invited as a B2B guest automatically, so no separate invitation step is needed. When the guest's last access package assignment expires, entitlement management can block the account from signing in and remove it after a configurable number of days (a tenant-wide lifecycle setting, 30 days by default), so partner accounts do not linger after the engagement ends.
Entitlement Management Roles
Delegation roles allow non-administrators to manage access within appropriate scopes.
| Role | Description |
|---|---|
| Identity Governance Administrator | Full access to all entitlement management features |
| Connected Organization Administrator | Manage connected organizations |
| Catalog creator | Create new catalogs |
| Catalog owner | Manage owned catalogs and their resources |
| Access package manager | Create and manage access packages |
| Access package assignment manager | Directly assign users to access packages |
Terminology Reference
| Term | Description |
|---|---|
| access package | A bundle of resources and access roles. Always contained in a catalog. |
| access request | A request for access to an access package. Typically goes through an approval workflow. |
| assignment | An access package assigned to an identity. Usually has an expiration date. |
| catalog | A container for related resources and access packages. Used for delegation. |
| catalog creator | A collection of identities authorized to create new catalogs. |
| connected organization | An external Microsoft Entra directory or domain with a defined relationship. |
| policy | A set of rules defining the access lifecycle linked to an access package. |
| resource | An asset such as a group, application, or SharePoint site. |
| resource role | A collection of permissions associated with a resource (e.g., member or owner of a group). |
When to Use Access Packages
Entitlement Management is most appropriate for:
- Time-limited access: Access needed only for a specific project or period
- Approval-gated access: Access requiring manager or designated approver sign-off
- External collaboration: Providing resource access to users from partner organizations (B2B)
- Decentralized access management: Allowing departments to manage their own access policies without IT involvement
- Migration from third-party role management: Moving existing role definitions into Microsoft Entra ID
Integration and Automation
Entitlement Management integrates with other governance capabilities and services:
| Scenario | Method |
|---|---|
| Auto-assign based on attribute changes | Automatic assignment policy |
| Manage access expiration | Lifecycle settings |
| Custom workflows on request/grant/removal | Azure Logic Apps integration |
| Periodic review of external guests | Access reviews |
| Programmatic management | Microsoft Graph API (EntitlementManagement.ReadWrite.All) |
License Requirements
Microsoft positions Entitlement Management as a Microsoft Entra ID Governance or Microsoft Entra Suite feature. A subset of core capabilities (catalogs, access packages, request and approval policies, connected organizations) is also included with Microsoft Entra ID P2, while advanced capabilities such as automatic assignment policies and Azure Logic Apps custom extensions require Governance or Suite.
For the current feature-by-feature breakdown, see Microsoft Entra ID Governance licensing fundamentals.