---
title: Create an access package in entitlement management
description: Learn how to create an access package of resources that you want to share in Microsoft Entra entitlement management.
author: owinfreyATL
manager: amycolannino
ms.service: entra-id-governance
ms.subservice: entitlement-management
ms.topic: how-to
ms.date: 07/15/2024
ms.author: owinfrey
---

# Create an access package in entitlement management

An access package enables you to do a one-time setup of resources and policies that automatically administers access for the life of the access package. This article describes how to create an access package.

## Overview

All access packages must be in a container called a catalog. A catalog defines what resources you can add to your access package. If you don't specify a catalog, your access package goes in the general catalog. Currently, you can't move an existing access package to a different catalog.

An access package can be used to assign access to roles of multiple resources that are in the catalog. If you're an administrator or catalog owner, you can add resources to the catalog while you're creating an access package. You can also add resources after the access package is created, and users assigned to the access package will also receive the extra resources.

If you're an access package manager, you can't add resources that you own to a catalog. You're restricted to using the resources available in the catalog. If you need to add resources to a catalog, you can ask the catalog owner.

All access packages must have at least one policy for users to be assigned to them. Policies specify who can request the access package, along with approval and lifecycle settings, or how access is automatically assigned. When you create an access package, you can create an initial policy for users in your directory, for users not in your directory, or for administrator direct assignments only.

Diagram of an example marketing catalog, including its resources and its access package.

Here are the high-level steps to create an access package with an initial policy:

  1. In Identity Governance, start the process to create an access package.

  2. Select the catalog where you want to put the access package and ensure that it has the necessary resources.

  3. Add resource roles from resources in the catalog to your access package.

  4. Specify an initial policy for users who can request access.

  5. Specify approval settings and lifecycle settings in that policy.

Once the access package is created, you can change the Hidden setting, add or remove resource roles, and add more policies.

## Start the creation process

[!INCLUDE portal updates]

  1. Sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator.

    > [!TIP]
    > Other least privilege roles that can complete this task include the Catalog owner or Access Package manager.

  2. Browse to Identity governance > Entitlement management > Access package.

  3. Select New access package.

    Screenshot that shows the button for creating a new access package in the Microsoft Entra admin center.

## Configure basics

On the Basics tab, you give the access package a name and specify which catalog to create the access package in.

  1. Enter a display name and description for the access package. Users see this information when they submit a request for the access package.

  2. In the Catalog dropdown list, select the catalog where you want to put the access package. For example, you might have a catalog owner who manages all the marketing resources that can be requested. In this case, you could select the marketing catalog.

    You see only catalogs that you have permission to create access packages in. To create an access package in an existing catalog, you must be at least an Identity Governance Administrator. Or you must be a catalog owner or access package manager in that catalog.

    Screenshot that shows basic information for a new access package.

    If you're at least an Identity Governance Administrator or a catalog creator, and you want to create your access package in a new catalog that's not listed, select Create new catalog. Enter the catalog name and description, and then select Create.

    The access package that you're creating, and any resources included in it, are added to the new catalog. Later, you can add more catalog owners or add attributes to the resources that you put in the catalog. To learn more about how to edit the attributes list for a specific catalog resource and the prerequisite roles, read Add resource attributes in the catalog.

  3. Select Next: Resource roles.

## Select resource roles

On the Resource roles tab, you select the resources to include in the access package. Users who request and receive the access package receive all the resource roles, such as group membership, in the access package.

If you're not sure which resource roles to include, you can skip adding them while creating the access package, and then add them later.

  1. Select the resource type that you want to add (Groups and Teams, Applications, or SharePoint sites).

  2. In the Select applications panel that appears, select one or more resources from the list.

    Screenshot that shows the panel for selecting applications for resource roles in a new access package.

    If you're creating the access package in the general catalog or a new catalog, you can choose any resource from the directory that you own. You must be at least an Identity Governance Administrator or a catalog creator.

    > [!NOTE]
    > You can add dynamic groups to a catalog and to an access package. However, you can select only the owner role when you're managing a dynamic group resource in an access package.

    If you're creating the access package in an existing catalog, you can select any resource that's already in the catalog without needing to be an owner of that resource.

    If you're at least an Identity Governance Administrator, or catalog owner, you have the additional option of selecting resources that you own or administer but that aren't yet in the catalog. If you select resources in the directory but not currently in the selected catalog, these resources are also added to the catalog for other catalog administrators to build access packages with. To see all the resources in the directory that can be added to the catalog, select the See all checkbox at the top of the panel. If you want to select only resources that are currently in the selected catalog, leave the See all checkbox cleared (the default state).

  3. In the Role list, select the role that you want users to be assigned for the resource. For more information on selecting the appropriate roles for a resource, see how to determine which resource roles to include in an access package.

    Screenshot that shows resource role selection for a new access package.

  4. Select Next: Requests.

## Create the initial policy

On the Requests tab, you create the first policy to specify who can request the access package. You also configure approval settings for that policy. Later, after creating the access package with this initial policy, you can add more policies to allow additional groups of users to request the access package with their own approval settings, or to assign access automatically.

Screenshot that shows the Requests tab for a new access package.

Depending on which users you want to be able to request this access package, perform the steps in one of the following sections: Allow users in your directory to request the access package, Allow users not in your directory to request the access package, or Allow administrator direct assignments only. If you're not sure which request or approval settings you'll need, if you plan to create assignments for users who already have access to the underlying resources, or if you plan to use access package automatic assignment policies to automate access, select the direct assignment policy as the initial policy.

[!INCLUDE Entitlement management request policy]

[!INCLUDE Entitlement management lifecycle policy]

## Review and create the access package

On the Review + create tab, you can review your settings and check for any validation errors.

  1. Review the access package's settings.

    Screenshot that shows a summary of access package configuration.

  2. Select Create to create the access package and its initial policy.

    The new access package appears in the list of access packages.

  3. If the access package is intended to be visible to everyone in scope of the policies, then leave the Hidden setting of the access package at No. Optionally, if you intend to only allow users with the direct link to request the access package, edit the access package to change the Hidden setting to Yes. Then copy the link to request the access package and share it with users who need access.

  4. You can next add more policies to the access package, configure separation of duties checks, or directly assign a user.

## Create an access package programmatically

There are two ways to create an access package programmatically: through Microsoft Graph and through the PowerShell cmdlets for Microsoft Graph.

### Create an access package by using Microsoft Graph

You can create an access package by using Microsoft Graph. A user in an appropriate role with an application that has the delegated EntitlementManagement.ReadWrite.All permission can call the API to:

  1. List the resources in the catalog and create an accessPackageResourceRequest for any resources that aren't yet in the catalog.
  2. Retrieve the roles and scopes of each resource in the catalog. This list of roles is then used to select a role when subsequently creating a resourceRoleScope.
  3. Create an accessPackage.
  4. Create a resourceRoleScope for each resource role needed in the access package.
  5. Create an assignmentPolicy for each policy needed in the access package.
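Step 1 of this sequence, adding a resource that isn't yet in the catalog through an accessPackageResourceRequest, is shown here as an added example that is not part of the article; it calls the v1.0 Graph endpoints directly through Invoke-MgGraphRequest and assumes an existing connection with EntitlementManagement.ReadWrite.All. The catalog ID and group object ID are placeholders.

```powershell
# Added example: add a security group to a catalog (Graph step 1) only if the
# catalog does not already contain it. $catalogId and $groupObjectId are
# placeholders for values from your tenant.
$catalogId     = "<catalog-id>"
$groupObjectId = "<group-object-id>"
$base = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

# Idempotency check: list the catalog's group resources and look for this originId,
# so re-running the script does not file a duplicate request.
$groups = Invoke-MgGraphRequest -Method GET `
    -Uri "$base/catalogs/$catalogId/resources?`$filter=originSystem eq 'AadGroup'"
$already = $groups.value | Where-Object { $_.originId -eq $groupObjectId }
if ($already) {
    Write-Output "Group $groupObjectId is already a resource of catalog $catalogId"
}
else {
    # requestType adminAdd: an administrator or catalog owner adds a resource
    # they administer. originSystem identifies the resource kind (AadGroup here).
    $body = @{
        requestType = "adminAdd"
        resource    = @{
            originId     = $groupObjectId
            originSystem = "AadGroup"
        }
        catalog = @{ id = $catalogId }
    }
    $req = Invoke-MgGraphRequest -Method POST -Uri "$base/resourceRequests" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType "application/json"

    # The request is processed by the service; report its id and state so the
    # caller can confirm delivery before building an access package on it.
    Write-Output "resourceRequest $($req.id) state: $($req.state)"
}
```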

### Create an access package by using Microsoft PowerShell

You can also create an access package in PowerShell by using the Microsoft Graph PowerShell cmdlets for Identity Governance module.

First, retrieve the ID of the catalog and the ID of the resource in that catalog that you want to include in the access package, along with that resource's scopes and roles. Use a script similar to the following example:

```powershell
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

# Look up the catalog by display name. Put $null on the left of -eq: if -All
# returns more than one catalog, "$catalog -eq $null" would filter the array
# instead of testing it. Use a name that is unique in the tenant.
$catalog = Get-MgEntitlementManagementCatalog -Filter "displayName eq 'Marketing'" -All
if ($null -eq $catalog) { throw "catalog not found" }

# Select the application resource in that catalog, with its scopes expanded.
$rsc = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $catalog.id -Filter "originSystem eq 'AadApplication'" -ExpandProperty scopes
if ($null -eq $rsc) { throw "resource not found" }

# Fetch the same resource again with its roles expanded. $rrs must be the
# resource object (not a resourceRole): the next step reads $rrs.Roles[0] for
# the role and $rrs.Id/$rrs.OriginId for the resource itself.
$filt = "(id eq '" + $rsc.Id + "')"
$rrs = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $catalog.id -Filter $filt -ExpandProperty roles,scopes
```

Then, create the access package:

```powershell
# The access package itself only needs a name, a description, and the catalog
# it lives in; resource roles and policies are attached in the next steps.
$params = @{
    displayName = "sales reps"
    description = "outside sales representatives"
    catalog = @{
        id = $catalog.id
    }
}
$ap = New-MgEntitlementManagementAccessPackage -BodyParameter $params
```

After you create the access package, assign the resource roles to it. For example, if you want to include the first resource role of the resource returned earlier as a resource role of the new access package, you can use a script similar to this one:

```powershell
# A resourceRoleScope binds one role of one resource (here the first role of
# $rrs) to the access package. The nested resource block tells the service
# which catalog resource the role belongs to.
$rparams = @{
    role = @{
        id =  $rrs.Roles[0].Id
        displayName =  $rrs.Roles[0].DisplayName
        description =  $rrs.Roles[0].Description
        originSystem =  $rrs.Roles[0].OriginSystem
        originId =  $rrs.Roles[0].OriginId
        resource = @{
            id = $rrs.Id
            originId = $rrs.OriginId
            originSystem = $rrs.OriginSystem
        }
    }
    # The scope is the first scope of the resource retrieved earlier.
    scope = @{
        id = $rsc.Scopes[0].Id
        originId = $rsc.Scopes[0].OriginId
        originSystem = $rsc.Scopes[0].OriginSystem
    }
}

New-MgEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $ap.Id -BodyParameter $rparams
```

Finally, create the policies. In the following policy, only administrators or access package assignment managers can assign access, and there are no access reviews. For more examples, see Create an assignment policy through PowerShell and Create an assignmentPolicy.

```powershell
$pparams = @{
    displayName = "New Policy"
    description = "policy for assignment"
    # notSpecified with an empty target list means nobody can request the
    # package themselves; only administrators and assignment managers assign it.
    allowedTargetScope = "notSpecified"
    specificAllowedTargets = @(
    )
    # Assignments made under this policy do not expire on their own.
    expiration = @{
        endDateTime = $null
        duration = $null
        type = "noExpiration"
    }
    # Self-service and on-behalf-of requests are all disabled.
    requestorSettings = @{
        enableTargetsToSelfAddAccess = $false
        enableTargetsToSelfUpdateAccess = $false
        enableTargetsToSelfRemoveAccess = $false
        allowCustomAssignmentSchedule = $true
        enableOnBehalfRequestorsToAddAccess = $false
        enableOnBehalfRequestorsToUpdateAccess = $false
        enableOnBehalfRequestorsToRemoveAccess = $false
        onBehalfRequestors = @(
        )
    }
    # No approval stages: direct assignments take effect immediately.
    requestApprovalSettings = @{
        isApprovalRequiredForAdd = $false
        isApprovalRequiredForUpdate = $false
        stages = @(
        )
    }
    accessPackage = @{
        id = $ap.Id
    }
}
New-MgEntitlementManagementAssignmentPolicy -BodyParameter $pparams
```

For more information, see Create an access package in entitlement management for an application with a single role using PowerShell.
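As an added example that is not part of the article, the following function reads back every policy on an access package and lists the settings a reviewer would want to look at before the package goes live: self-service scopes without an approval stage, policies open to all external users, assignments that never expire, and policies with no access review. It assumes the same module and permission as the scripts above and the `$ap` variable from them; the function name is made up for this example.

```powershell
# Added example: audit the assignment policies of one access package.
# Get-AccessPackagePolicyFindings is a name chosen for this example.
function Get-AccessPackagePolicyFindings {
    param([Parameter(Mandatory)][string]$AccessPackageId)

    # Expand assignmentPolicies so one call returns the package and its policies.
    $pkg = Get-MgEntitlementManagementAccessPackage -AccessPackageId $AccessPackageId `
        -ExpandProperty assignmentPolicies
    $findings = @()

    foreach ($p in $pkg.AssignmentPolicies) {
        $name = $p.DisplayName

        # notSpecified means direct assignment only; any other scope lets the
        # targeted users request the package themselves.
        $selfService = $p.AllowedTargetScope -ne "notSpecified"

        if ($selfService -and -not $p.RequestApprovalSettings.IsApprovalRequiredForAdd) {
            $findings += "$name : requests are granted without an approval stage"
        }
        if ($p.AllowedTargetScope -eq "allExternalUsers") {
            $findings += "$name : any external user can request this package"
        }
        if ($p.Expiration.Type -eq "noExpiration") {
            $findings += "$name : assignments never expire"
        }
        # ReviewSettings is null when no review was configured; -not $null is true.
        if (-not $p.ReviewSettings.IsEnabled) {
            $findings += "$name : no access review configured"
        }
    }
    return $findings
}

# Run it against the package created above.
Get-AccessPackagePolicyFindings -AccessPackageId $ap.Id
```

For the direct-assignment policy created above, the expected findings are the no-expiration and no-review lines; the self-service checks do not fire because its scope is notSpecified.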

## Next steps