Azure AD – You can easily and automatically manage access to groups, applications and SharePoint sites for your users (internal and external)

As part of the identity and access control management on Azure AD, you can now use Azure AD Entitlement (also known as Azure AD Identity Governance) (in preview) to easily and automatically manage access to your groups or applications by your users, both internal (corporate) or external (guest).

By using Azure AD Entitlement, you can create a package of resources, define rules for request and access expiration, assign the package and keep track of activities while governing the access lifecycle.

You need to have Azure AD Premium P2 or Enterprise Mobility + Security E5 (EMS).

To start evaluating and using it, connect to your Azure AD portal ( or Azure portal ( to access the Identity Governance blade


From there you can create a package of resources (one of the listed below)

  • Azure AD security groups (including the synchronized security groups if you are synching your Active Directory)
  • Office 365 groups
  • Azure AD enterprise applications (including application proxy)
  • SaaS applications
  • Custom-integrated applications
  • SharePoint Online site collections
  • SharePoint Online sites

Create a package


When creating a package you will define the resource(s), policy and assignment (assignment, access expiration)A as well as a package catalog (you can use the default one or create a new catalog using the Create new catalog link available in the Basic tab)

When creating a new catalog, you can define if the catalog will be also available for external users (guest) to request access

image image image

The role associated with the resource you have added to the package depend of the resource type:

  • when you add a group, you can define either owner or member of the group
  • when you add an application, you can define a user role
  • when you add a SharePoint site you can define any of the SharePoint role defined for the site (members, owners, visitors…); you can only select a SharePoint Online site collection, access to a sub site is defined when you select the appropriate role

Enable and create a catalog

Then you need to enable the catalog (if you use the default one for the first time) by accessing the Catalog configuration blade (you can also use this blade to create new catalog)

To enable the default catalog (or any custom catalog not yet enabled), click on the catalog name and edit it using the Overview tab to enable it


Access catalog and package

You end-user will logon to

From there they will see all package they have access to, have the history of their request (either request to access or request management if they have been defined as approver)


If you are an external user (guest) invited to a different organization you can easily switch using the Switch organization button available at the top right of the window


Advanced Settings

If you want to manage external user (blocking access, automatically deleting guest account after x days), access the Settings blade below the Entitlement Management to edit the configuration


Leave a Comment

Your email address will not be published. Required fields are marked *