Microsoft Entra entitlement management operations

Microsoft Entra Access Packages Lifecycle Guide

Turn access to groups, applications, Teams, and SharePoint sites into a governed lifecycle with explicit catalogs, request policies, approvals, time limits, reviews, removal, and evidence—without treating a delivered assignment as proof that access still works or remains justified.

Catalog and resource rolesRequest and approvalTimed assignmentsAccess reviewsGuest lifecycle
Microsoft Entra access package lifecycle architecture showing catalogs, approval, timed assignment, review, external identity governance, and deprovisioning
A dependable access package connects resource roles to a policy-governed request, approval, assignment, review, and deprovisioning trail.

Operating model

Govern the complete entitlement—not only the user’s first request

Microsoft Entra entitlement management uses access packages to bundle resource roles and the policies that govern who can request them, who approves, how long assignments last, whether extension is allowed, and how continuing access is reviewed. Every package belongs to a catalog. The catalog determines which resources are available to package managers and creates a natural delegation boundary for the people who design and operate access.

A strong design begins with business outcomes and resource roles, not a convenient list of users. Define the work a person must perform, the minimum group/app/site role required, the requester population, the accountable sponsor, the expiration rule, and the exact evidence that closes the lifecycle.

Operational truth: an assignment shown as “Delivered” does not prove every underlying resource still grants access. Direct changes outside entitlement management can create drift; reconciliation and reprocessing tests belong in the operating model.

Minimum package record

  • Business purpose, data sensitivity, package ID, catalog ID, owners, backup owners, and review date
  • Every resource, resource role, owner, source system, dependency, and out-of-band access path
  • Each policy’s requestor scope, questions, approval stages, timeout, fallback, expiration, extension, and review
  • Internal or external identity path, connected organization, B2B and cross-tenant dependencies, and guest cleanup
  • Assignment, request, approval, delivery, review, removal, incident, change, and failback evidence

Catalog

Contains approved resources and delegates who can build and manage access packages without broad tenant administration.

Access package

Combines the resource roles that represent one useful business entitlement, project role, partner role, or operating function.

Assignment policy

Defines eligible requestors, approval, questions, duration, extension, reviews, automatic assignment, and lifecycle behavior.

Lifecycle architecture

Make every access state observable from design through deprovisioning

Stage 1

Model

Identify the business role, sensitivity, resources, minimum roles, owners, conflicts, and license scope.

Stage 2

Publish

Place governed resources in the right catalog; create a clearly named package and narrowly scoped policy.

Stage 3

Request

Collect useful justification and attributes; confirm that the correct policy is visible to the intended identity.

Stage 4

Approve

Route to accountable, available approvers with defined stages, timeout, escalation, and decision evidence.

Stage 5

Operate

Validate delivery, monitor drift, review assignments, manage extensions, and investigate resource failures.

Stage 6

Remove

Expire or revoke the assignment, prove resource removal, handle guest cleanup, and retain the closeout record.

Change control: editing a policy’s expiration setting does not retroactively change the expiration of requests already pending approval or approved. Inventory affected assignments and test the intended transition instead of assuming a policy edit rewrites history.

Resources and roles

Bundle only the roles that belong to one auditable business purpose

Resource typeDesign decisionLifecycle concernEvidence
Groups and TeamsSelect member or owner deliberately; use eligible access through PIM for Groups where licensed and appropriate.Manual membership changes can create drift. Dynamic groups allow only the owner role in an access package.Group ID, role, ownership, PIM settings, direct membership exceptions, delivery and removal tests.
Enterprise applicationsMap the package to the exact app role, not generic application presence or an oversized security group.Provisioning, app-side authorization, licenses, and nested groups can make a delivered assignment incomplete.Service principal, app role ID, provisioning result, sign-in test, app owner attestation, and revoke test.
SharePoint Online sitesSelect the minimum site role and align it with site sensitivity, sharing, retention, and owner accountability.Site groups, sharing links, Teams membership, and direct permissions can survive outside the package path.Site URL/ID, role, sensitivity, direct-permission scan, access test, removal test, and owner review.
Microsoft Entra rolesTreat preview or privileged resource-role options as a separate high-risk design with PIM, approval, activation, and recovery.Role eligibility, active assignment, Conditional Access, and emergency access need validation beyond package delivery.Role definition, scope, eligibility/activation, approver, MFA, audit events, and emergency procedure.
API permissions or Azure RBACConfirm current feature status, supported scope, license, service limits, and production support before use.Preview behavior and downstream authorization can change; automation may grant broader effective access than intended.Feature status, scope, permission/role ID, Graph response, test results, monitoring, and rollback approval.
Resource ownership: package managers can use resources already available in their catalog, but cannot simply add any resource they own to the catalog. Separate catalog resource curation from day-to-day package administration.

Request and approval policy

Design policies for a defined population, decision owner, and failure path

ControlWhat to defineFailure to testVerification
Requestor scopeSpecific users/groups, directory members, connected organizations, or other supported external populations.The wrong people discover a package, or intended users cannot see the correct policy in My Access.Test eligible and ineligible identities, tenant hint, hidden status, catalog enabled state, and policy visibility.
Questions and justificationCollect only decision-useful, non-sensitive information with owners, retention expectations, and answer choices.Approvers receive vague answers, sensitive data is placed in a request, or automation cannot interpret the response.Sample requests, privacy review, required/optional state, localized wording, export, and decision usefulness.
Approval stagesManager, sponsor, resource owner, external sponsor, alternate approvers, duration, and escalation route.Approvers are unavailable, self-approve, lack context, or allow requests to expire silently.Positive/negative routing, multiple approvers, timeout, alternate approver, notification, and audit history.
Assignment durationOn-date, number of days/hours, or never; requested period; extension; maximum end date; business reason.Temporary access becomes effectively permanent or an extension bypasses the intended sponsor decision.Start/end timestamps, time zone, expiry event, extension request, denial, and post-expiry resource removal.
Access reviewReviewer, recurrence, duration, decision helpers, justification, nonresponse action, and result application.A review records decisions but does not remove access, or reviewer selection has a conflict of interest.Reviewer assignment, decision samples, nonresponse test, apply-results outcome, removal, and exception evidence.

One policy, one intent

Use separate policies when internal employees, contractors, partners, and administrators require different approval or lifecycle rules.

Approval is not delivery

After approval, verify every resource role is provisioned and usable. Preserve failures and remediation, not only the approval decision.

Direct assignment is governed

Choose the governing policy and document justification. If approval must be bypassed, use a narrowly scoped approved policy designed for that path.

External identities

Coordinate access packages with B2B, connected organizations, and guest cleanup

Before enabling external requests

  • Confirm the catalog permits external users and the policy targets the intended connected organization or external population
  • Review external collaboration settings, email one-time passcode needs, domain restrictions, invitation controls, and sponsor responsibility
  • Validate inbound cross-tenant access for B2B collaboration, MFA/device trust claims, tenant restrictions, and application access
  • Test the tenant-hinted My Access link from a real partner identity and a blocked control identity
  • Record the guest object, home tenant, sponsor, assignment, resource delivery, last sign-in, and final removal path

When the final assignment ends

  • Entitlement-management guest lifecycle settings can block a governed external user and later remove the guest object
  • The default documented behavior may block sign-in when the final assignment ends and remove the account after 30 days; verify tenant configuration
  • Only governed external users are handled by this lifecycle; pre-existing guests can behave differently
  • Guest deletion can affect access granted outside access packages, so search for direct groups, app roles, SharePoint permissions, Teams, and sharing links first
  • Retain sponsor confirmation, assignment removal, guest action, resource cleanup, and exception evidence
Boundary warning: entitlement management can govern the package assignment and eligible guest lifecycle, but it does not automatically discover or remove every permission granted directly in Exchange, Teams, SharePoint, applications, or custom systems.

Operations, drift, and failback

Reconcile policy state, assignment state, and real resource access

Monitor requests

Track request status, policy, approver, justification, decision, expiration, errors, and suspicious volume. Removing a completed request record does not remove an active assignment.

Reconcile assignments

Export active assignments with policy, start/end, status, external identity state, and resources. Compare them with HR, sponsor, project, and app-owner records.

Prove delivery

Test membership, app role, site access, and sign-in. If outside changes removed resource access, reprocess the assignment only after confirming the entitlement remains valid.

Control package changes

Adding or removing resource roles affects existing assignees. Inventory the population, simulate impact, notify owners, preserve exports, and validate both grant and revoke behavior.

Close access

Remove or expire the assignment, then verify the underlying resources. Record residual direct access, guest action, application session/token behavior, and owner acceptance.

Preserve failback

Before edits, export catalog, package, resource roles, policies, assignments, requests, reviews, connected organizations, and identifiers. Define how to restore access without recreating excessive privilege.

Top risks and common misconfigurations

Stop access packages from becoming permanent, opaque, or disconnected from real access

Lifecycle governance succeeds only when business purpose, resource state, policy behavior, and removal evidence stay aligned.

Package bundles unrelated access

One package mixes multiple job functions, data sensitivities, owners, and review decisions.

Never-expiring assignment

Project, partner, or elevated access has no end date, extension decision, or periodic review.

Wrong requestor scope

A broadly visible policy lets unintended employees or external identities request sensitive access.

Unaccountable approver

The approver lacks resource ownership, context, availability, or a documented alternate.

Delivered status trusted blindly

Operators do not test the app, group, Team, or SharePoint site after provisioning or outside changes.

Direct access survives removal

Manual membership, sharing links, app roles, or site permissions remain after the package assignment ends.

Review results not applied

Decisions are collected but access is not removed, exceptions are not approved, or nonresponse is unsafe.

Guest lifecycle misunderstood

Teams assume every external account will be deleted or that deletion cannot affect out-of-package access.

No restorable configuration

Changes occur without package, policy, resource, assignment, and identifier exports or a tested recovery owner.

Evidence and measures

Produce a lifecycle record that survives audits, incidents, and owner turnover

Minimum evidence package

  • Catalog/package settings, IDs, descriptions, resource roles, owners, preview features, and license decision
  • Policy exports with requestor scope, questions, approval stages, expiration, extension, review, and visibility
  • Request, approval, assignment, provisioning, sign-in, review, extension, expiration, removal, and exception records
  • Resource reconciliation across groups, apps, SharePoint, Teams, direct grants, sessions, and external identities
  • Change tickets, test cases, failures, reprocessing, incident actions, failback results, residual risk, and next review

Review cadence

  • Daily or alert-driven review of failed delivery, expired approvals, privileged packages, bulk activity, and resource errors
  • Monthly reconciliation of assignments, package/resource changes, direct access drift, sponsors, and external identities
  • Quarterly owner attestation of package purpose, resource roles, policy scope, approval, expiration, review, and licensing
  • Event-driven review after application changes, mergers, partner termination, project closure, owner departure, or Microsoft feature change
Request qualityEligible visibility, approval turnaround, expiry rate, denial reason, and useful justification.
Delivery integritySuccessful resource grants, time to access, drift, reprocessing, errors, and unresolved failures.
Lifecycle controlTime-bounded assignments, extensions, review completion, removals, residual direct access, and exceptions.
Ownership healthActive package/catalog/resource owners, backup coverage, stale policies, and overdue attestations.

Authoritative resources

Use current Microsoft documentation for licensing, policy behavior, and lifecycle decisions

What is the difference between a catalog, an access package, and a policy?

A catalog contains approved resources. An access package bundles selected resource roles for a business purpose. One or more policies control who can request or receive the package, approval, duration, extension, reviews, and lifecycle behavior.

Does removing a completed request remove the user’s active access?

No. Microsoft documents that removing a completed request record does not remove the active assignment. Remove the assignment and verify the resulting access is removed from each resource.

Does a Delivered assignment prove every resource still works?

No. Resources can be changed outside entitlement management. Reconcile real group, app, and site access; use reprocessing only after confirming the assignment remains valid.

Can access packages govern external partner users?

Yes. Use catalogs enabled for external users, connected organizations or an appropriate external policy scope, B2B and cross-tenant controls, accountable sponsors, time limits, reviews, and tested guest cleanup.

What happens when an access-package policy expiration setting changes?

Microsoft states that changing the policy expiration does not change the expiration of requests already pending approval or approved. Inventory affected requests and assignments and manage the transition explicitly.

What should be tested before production rollout?

Test eligible and blocked requestors, policy visibility, questions, approval and timeout, delivery to every resource, expiration, extension, review results, direct access drift, removal, guest lifecycle, monitoring, and failback.

IT Perfection identity governance operations

Make Microsoft 365 access requestable, temporary, reviewable, and removable

IT Perfection helps organizations in Irvine, Orange County, Los Angeles County, and Southern California design access-package catalogs, resource roles, request policies, approvals, expiration, access reviews, external-user lifecycle, reconciliation, evidence, and tested failback.

Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience.

This guide is for initial planning and operational guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, Microsoft licensing review, legal/compliance review, privacy review, or tested change-management process.