That’s exactly the problem Microsoft Entra ID Access Packages are built to solve. Part of the Identity Governance suite, Access Packages let you group related permissions \u2014 apps, groups, resources \u2014 into a single unit that users can actually request themselves. Instead of chasing down admins for every individual permission, the whole process runs through a defined approval workflow with time limits and periodic reviews baked in. Every request, approval, and expiry is logged, reviewable, and auditable. That’s a meaningful shift from the traditional approach, where access often gets granted informally and quietly sticks around long after it should have been removed.<\/p>\n
Overview<\/h2>\n
This article walks through Access Packages from the ground up \u2014 what they are, how to set them up, how approval policies and lifecycle rules work, and how to actually test everything before it goes live. There’s also a section on governance practices worth building around from day one.<\/p>\n
1. What Are Access Packages?<\/h3>\n
Access Packages live inside Microsoft Entra ID’s Identity Governance feature set. The core idea is straightforward: instead of managing permissions individually across every system, administrators can group related resources together and treat them as a single unit.
\nThat bundle can include any combination of the following:<\/p>\n
- \n
- Security Groups<\/li>\n
- Enterprise Applications<\/li>\n
- SharePoint Sites<\/li>\n
- Teams Resources<\/li>\n<\/ul>\n
Once a package is configured, users request access through a self-service portal. From there, the request moves through whatever approval workflow you’ve defined \u2014 and if you’ve set an expiration, access disappears automatically when the time’s up, no manual cleanup needed.<\/p>\n
2. Prerequisites Before Creating an Access Package<\/h3>\n
- \n
- Applications must be integrated with Entra ID.<\/li>\n
- Security groups should be pre-created (Assigned membership recommended).<\/li>\n
- Create a Catalog (e.g., \u201cContractors\u201d).<\/li>\n
- Identify approvers (Manager, Application Owner, Cyber Security).<\/li>\n
- Define expiry duration and review cycles.<\/li>\n<\/ul>\n
3. Steps to Create an Access Package<\/h3>\n
Step 1: Basics Configuration<\/h4>\n
- \n
- Navigate to: Entra Admin Center \u2192 Identity Governance \u2192 Access Packages \u2192 New Access Package<\/strong><\/li>\n
- Provide a Name (e.g., \u201cBusiness Analyst\u201d).<\/li>\n
- Add a detailed description.<\/li>\n
- Select the appropriate Catalog.<\/li>\n<\/ul>\n
Step 2: Add Resource Roles<\/h4>\n
- \n
- Pull in the Security Groups that are relevant to this package \u2014 only the ones users actually need, not everything that looks loosely related.<\/li>\n
- Add the Enterprise Applications tied to the role; if an application isn’t in here, users won’t get provisioned access to it regardless of approval.<\/li>\n
- Once everything is added, verify the role-based access mapping carefully.<\/li>\n<\/ul>\n
Step 3: Configure Request Policy<\/h4>\n
- \n
- Define who’s allowed to request this package \u2014 in most cases, scoping it to Users in directory is the right starting point.<\/li>\n
- Switch on Self-Service Requests so users can initiate access themselves through the portal rather than routing everything through an admin.<\/li>\n
- Set Approval Required.<\/li>\n
- Enable Business Justification (Mandatory).<\/li>\n
- Configure Approval Stages:\n
- \n
- Stage 1 \u2013 Manager Approval<\/li>\n
- Stage 2 \u2013 Cyber Security Approval (Optional but Recommended
\n![\"ss\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/02\/Screenshot-from-2026-02-03-11-21-59.png\")
<\/li>\n<\/ul>\n<\/li>\n - Decision Window: 14 Days.<\/li>\n<\/ul>\n
Step 4: Lifecycle Settings<\/h4>\n
- \n
- Set access expiry to 30 days \u2014 short enough to keep things clean, long enough that legitimate users aren’t constantly fighting renewal cycles.<\/li>\n
- Monthly recurring access reviews aren’t optional if you’re serious about governance.<\/li>\n
- The user’s direct Manager should be the primary reviewer.<\/li>\n
- Always configure a Backup Reviewer \u2014 either the App Owner or someone from IT Security \u2014 for situations where the Manager is on leave, has left the business, or simply doesn’t respond within the review window.<\/li>\n
- Automatic Removal on expiry should be non-negotiable; access that isn’t actively renewed should disappear without requiring anyone to manually step in.<\/li>\n<\/ul>\n
4. Assignment Methods<\/h3>\n
Self-Service Assignment (Recommended)<\/h4>\n
- \n
- Users initiate the process themselves via https:\/\/myaccess.microsoft.com \u2014 no helpdesk ticket, no chasing an admin, no waiting in a queue<\/li>\n
- From the portal they browse to the relevant Access Package and select it<\/li>\n
- Business Justification is a required field before the request progresses \u2014 keep it mandatory, it’s a lightweight step that pays dividends during audits and access reviews<\/li>\n
- The request routes automatically to the Manager for review and sign-off<\/li>\n
- Once approved, provisioning happens without any further manual involvement \u2014 every resource inside the package gets granted in one go<\/li>\n<\/ol>\n
Admin Direct Assignment<\/h4>\n
- \n
- Head to the Access Package and open the Assignments tab<\/li>\n
- Hit Add Assignment and select the user you’re provisioning for<\/li>\n
- Set the duration upfront \u2014 don’t leave it open-ended unless there’s a deliberate reason<\/li>\n
- Confirm the assignment and verify it reflects correctly before closing out<\/li>\n<\/ol>\n
Important Note on PIM:<\/strong> Privileged Identity Management (PIM) is built for elevated administrative roles \u2014 Global Administrator and equivalent \u2014 not for routine application access.<\/p>\n
5. Testing & Validation<\/h3>\n
Functional Testing<\/h4>\n
- \n
- Submit a request using a test user.<\/li>\n
- Approve request as Manager.<\/li>\n
- Verify assignment under Access Package \u2192 Assignments.<\/li>\n
- Confirm group membership.<\/li>\n
- Validate application login.<\/li>\n<\/ul>\n
Expiry Testing<\/h4>\n
- \n
- Assign short expiry (1\u20132 days).<\/li>\n
- Verify automatic removal post expiry.<\/li>\n<\/ul>\n
Access Review Testing<\/h4>\n
- \n
- Navigate to Identity Governance \u2192 Access Reviews.<\/li>\n
- Complete review as Manager.<\/li>\n
- Deny access and confirm automatic removal.<\/li>\n<\/ul>\n
6. Governance Best Practices<\/h3>\n
- \n
- Create one Access Package per job role.<\/li>\n
- Avoid direct group assignments outside packages.<\/li>\n
- Always enforce business justification.<\/li>\n
- Use time-bound access for contractors.<\/li>\n
- Enable recurring access reviews.<\/li>\n
- Use PIM only for privileged roles.<\/li>\n<\/ul>\n
Conclusion<\/h2>\n
Access Packages won’t solve every identity governance headache overnight, but they’re one of the more practical tools Microsoft Entra ID offers for bringing real structure to something that tends to get messy fast. Time-bound access, approval chains, recurring reviews \u2014 when those three things work together consistently, you stop relying on people remembering to clean things up and start relying on the system doing it for you. That’s a meaningful difference, especially at scale.
\nIf your organisation hasn’t touched Access Packages yet, don’t try to boil the ocean. Pick one role, one department, or one application \u2014 build a clean package around it, run it through the full lifecycle, and see where the gaps are. Expand from there once you trust the foundation.
\nFor a practical starting point: spin up a test Access Package, wire in a 2-stage approval flow with Manager and Security Team sign-off, and walk the entire lifecycle from request to expiry. You’ll catch configuration issues early, and your auditors will thank you later.<\/p>\n","protected":false},"excerpt":{"rendered":"Introduction Managing who has access to what \u2014 across applications, security groups, and enterprise resources \u2014 is one of those problems that sneaks up on you. Governance at this level is non-negotiable in\u00a0enterprise product engineering services, where security, compliance, and identity management must be designed into the product architecture from day one. That’s exactly the […]<\/p>\n","protected":false},"author":1747,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":12},"categories":[2348],"tags":[3457,8381],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/78518"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1747"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=78518"}],"version-history":[{"count":4,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/78518\/revisions"}],"predecessor-version":[{"id":79494,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/78518\/revisions\/79494"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=78518"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=78518"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=78518"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Navigate to: Entra Admin Center \u2192 Identity Governance \u2192 Access Packages \u2192 New Access Package<\/strong><\/li>\n