Entitlement Management
The object model: catalog, access package, policy
Picture a contractor joining a project who needs membership in one security group, a license that rides on it, access to a SaaS app, and a SharePoint site. With entitlement management you define that whole bundle once as an access package, the contractor requests it once, and Microsoft Entra ID provisions every piece as a single time-limited assignment. Entitlement management is the Microsoft Entra ID Governance[1] feature that automates this request, approval, assignment, and expiration lifecycle at scale, for internal identities and for people outside your organization.
Three containers stack in a fixed hierarchy, and getting them straight is the single most testable idea on this topic.
- A catalog is a container of resources and the access packages built from them. It is the delegation boundary: an administrator can add any resource, but a non-administrator can only add resources they own. A resource (a group, an app, or a site) must be in a catalog before any access package in that catalog can hand out a role on it.
- An access package lives inside exactly one catalog and lists the resource roles it grants. It is what a person actually requests.
- An access package assignment policy attaches to an access package and is the only thing that sets the rules: who may request, how many approval stages, how long the assignment lasts, and whether an access review recertifies it. One access package can carry several policies.
The overview documentation[2] defines an assignment as the link that gives an identity all the resource roles of an access package, and a resource role as a permission set defined by the resource itself: a group has member and owner roles, a SharePoint site has its site roles, and an application exposes whatever app roles its manifest declares.
What resources an access package can grant
Access packages manage four resource types: membership of Microsoft Entra security groups[2], membership of Microsoft 365 Groups and the Teams they back, assignment to Microsoft Entra enterprise applications (SaaS or custom apps that support federation or provisioning), and membership of SharePoint Online sites. The reach is wider than those four because access often rides on a group: put a security group in an access package and you can deliver Microsoft 365 group-based licensing[3], an Azure RBAC role assignment, or even an Entra role (via a role-assignable group) through that one group membership.
Licensing
Entitlement management requires the Microsoft Entra ID Governance or Microsoft Entra Suite[2] subscription for the users it governs, and that license must cover every user who benefits, requestors and approvers alike. Some individual capabilities operate with Microsoft Entra ID P2, but the access-package machinery as a whole is an ID Governance feature, so a Free or P1-only tenant cannot run it. Terms of use is the exception covered later: it needs only Microsoft Entra ID P1.
Build catalogs and access packages, then delegate
A catalog is where you group related resources, and creating one is the first build step. Create it from the Microsoft Entra admin center under ID Governance > Catalogs > New catalog; the person who creates a catalog becomes its first catalog owner[4]. Two switches matter at creation: Enabled (set to Yes so the catalog's packages can be requested as soon as they exist) and Enabled for external users (set to Yes to let users from connected organizations request packages here, which is the default for a new catalog). The build then proceeds in a fixed order, from creating the catalog through adding resources to publishing the access package, as the figure below traces.
Adding resources, and what cannot be added
To include a resource in an access package, the resource must first be added to the catalog as Groups and Teams, Applications, or SharePoint sites. The hard limit to remember: only cloud-created groups[4] qualify. A group synced from on-premises Active Directory cannot be added because Entra cannot change its membership; the same is true for an Exchange Online distribution group. The workaround is to create a cloud security group, or configure group writeback, rather than reaching for the synced object.
Adding a resource needs both a catalog role and permission over the resource itself. A Global Administrator can add anything. For everyone else, the required-roles table[5] pairs a directory role with the Catalog owner role, for example Groups Administrator plus Catalog owner to add groups, or SharePoint Administrator plus Catalog owner to add sites.
The delegation roles
Entitlement management splits roles into two scopes. Tenant-wide roles administer the feature itself: Catalog creator (create and own new catalogs, but cannot see catalogs they do not own) and Connected Organization Administrator (add connected organizations). Per-catalog roles govern one catalog: Catalog owner (edit the catalog, add resources, add more owners, delegate package managers), Catalog reader (view only), Access package manager (create and manage access packages and their policies in that catalog), and Access package assignment manager (only add or remove users on existing packages, cannot create packages or edit policies). The first four roles are summarized below.
| Role | Scope | Can do |
|---|---|---|
| Catalog creator | Tenant-wide | Create and own catalogs |
| Catalog owner | One catalog | Manage the catalog, resources, owners, package managers |
| Access package manager | One catalog | Create/edit access packages and policies |
| Access package assignment manager | One catalog | Add/remove users on existing packages only |
The directory role to grant a delegated administrator is Identity Governance Administrator. This is a trap on the exam: the delegation guidance[5] states that the User Administrator role can no longer create catalogs or manage access packages in catalogs it does not own, so any candidate who reaches for User Administrator has chosen the deprecated answer.
Creating the access package
With resources in the catalog, an administrator, catalog owner, or access package manager creates the access package, selects the resource roles to include, and configures its first assignment policy. Resources, catalogs, and policies can also be managed with the Microsoft Graph PowerShell cmdlets for Identity Governance (for example New-MgEntitlementManagementCatalog and New-MgEntitlementManagementResourceRequest) or the Microsoft Graph API[6], which use the EntitlementManagement.ReadWrite.All permission.
Requests, multi-stage approval, and access reviews
The assignment policy is where the access lifecycle is decided, and it always names one of three audiences. Lead with this rule: a single policy cannot mix internal and external identities, so collaboration scenarios need two policies on the same package.
- For users, service principals, and agent identities in your directory scopes to specific users and groups, all members excluding guests, or all users including guests.
- For users not in your directory targets specific connected organizations, all configured connected organizations, or All users (all connected organizations + any new external users).
- None (administrator direct assignments only) turns off self-service so only an admin, catalog owner, or assignment manager assigns the package directly.
Approval flow
If approval is required, requests run through one to three approval stages[7]. The progression rule is precise: only one approver in a stage needs to approve for the request to move to the next stage, but if any approver in a stage denies the request first (or no one acts), the request terminates and access is not granted. The figure below traces a request through that branchy progression. Approvers can be specific users or groups, the requestor's Manager, or, for external requestors, an Internal sponsor or External sponsor; an approver can never approve their own request.
Three timing controls round out the flow. Decision must be made in how many days sets a per-stage timeout, and a request not approved in that window is automatically denied[7]. Fallback approvers receive the request when the manager cannot be resolved from the Manager attribute. Alternate approvers receive the request if the primary approvers do not act, but using them requires a request timeout of at least four days because forwarding can only happen a day after the request starts. You can also require requestor justification, require approver justification, and collect custom requestor questions (short text, multiple choice, or long text) that are shown to approvers.
Recertifying with access reviews
The policy's lifecycle settings set an expiration (assignment duration, or no expiration) and can require a recurring access review so assignments are recertified instead of lingering. This is the seam between this subtopic and access reviews: entitlement management can launch a review on the assignments an access package has handed out, and reviewers confirm or revoke each one on the configured cadence. Pairing a finite duration with a recurring review is how you keep standing access from drifting.
External users: connected organizations and lifecycle cleanup
Collaboration with people who are not in your directory is the scenario entitlement management was built for, and it hinges on two objects: the connected organization that names the partner, and the lifecycle setting that cleans up afterward. A connected organization[8] is another organization you have a relationship with, specified one of four ways: another Microsoft Entra directory (any Microsoft cloud), a non-Microsoft directory federated through SAML/WS-Fed, a domain whose users authenticate with email one-time passcode, or a Microsoft account such as live.com.
Configured versus proposed
A connected organization is in one of two states[8]. A configured organization was created or approved by an administrator and appears in pickers; it is in scope for any policy targeting all configured connected organizations. A proposed organization was auto-created when a user requested an All users package without belonging to an existing connected organization; it is not in scope for all-configured policies and can only be used by policies targeting it specifically. Watch the trap: leaving a proposed social-identity organization marked configured can silently widen who an all-configured policy lets in.
Sponsors are the partner's point of contact. Internal sponsors are member users in your directory; external sponsors are guests from the connected organization already invited in. Both can be designated as approvers for that organization's requests.
How an external request becomes a governed guest
When an external user's request is approved (and the catalog is Enabled for external users and the package has a not-in-directory policy), entitlement management uses the B2B invite process[9] to create a guest account, but sends no invitation email; the user instead gets the access-delivered email. The B2B allow/blocklist still applies, so a blocked domain cannot be invited until the list is updated. The figure below follows that external request through onboarding to automatic cleanup.
Lifecycle of external users
The payoff is automatic cleanup. When a B2B guest brought in this way loses their last access package assignment, the lifecycle of external users[9] setting decides what happens. The default is to block the guest from signing in and remove the account after 30 days; you can change the Number of days before removing external user from directory (set it to 0 to delete immediately), or choose to block without removing, or neither. Crucially, this only governs guests that entitlement management invited or that were explicitly converted to governed: a guest who already existed in your directory before getting a package assignment is left in place.
Terms of use and exam patterns
Terms of use (ToU) is the one piece of this subtopic that lives outside the access-package object, so the exam likes to test the boundary. A terms of use policy[10] is a PDF you upload and present to users at sign-in; they must accept it before the targeted apps load. It is enforced as a Conditional Access grant control, not as a setting on an access package, which is exactly why scoping a ToU means writing Conditional Access assignments, not editing a catalog. The figure below traces that enforcement path from sign-in to the app.
The testable specifics: ToU requires Microsoft Entra ID P1 (note the lower bar than the rest of entitlement management, which needs ID Governance). A tenant can hold at most 40 ToU policies. You can force users to expand the document before accepting, require acceptance on every device (which needs the device registered in Entra), set consents to expire on a schedule (monthly, quarterly, annually) or after a fixed number of days, localize the PDF per language, and report on exactly who accepted or declined. You can edit a ToU's name and display name but you cannot modify an uploaded document; you upload a new version instead.
Exam-pattern recognition
Questions on this topic usually describe a scenario and ask for the right object or the least-privileged role. The reliable tells:
- "Partners we cannot list in advance must self-request access and be cleaned up when they leave" points to an access package with a not-in-directory policy plus a connected organization and the external-user lifecycle setting, not a manual B2B invite.
- "Delegate access management for one department without giving tenant-wide power" points to a per-catalog role (Catalog owner or Access package manager), and the delegated directory role is Identity Governance Administrator. If User Administrator is offered, it is the deprecated distractor.
- "A manager then a resource owner must both approve" points to a multi-stage approval policy (up to three stages), not two separate access packages.
- "Users must accept a legal notice before reaching an app" points to a terms of use policy enforced through Conditional Access, requiring only P1, not anything in the catalog.
- "On-premises AD group cannot be added to the access package" is correct by design: only cloud-created groups (or writeback) work, so the fix is a cloud group, not a permissions change.
The distractors most often dangled are reaching for Privileged Identity Management (that is just-in-time admin-role elevation, not resource bundling), reaching for a standalone access review when the scenario clearly needs a request workflow, and assuming a single policy can serve both employees and external partners (it cannot, you need two).
Catalog vs access package vs assignment policy
| Aspect | Catalog | Access package | Assignment policy |
|---|---|---|---|
| What it is | Container of resources and access packages | Bundle of resource roles people request | Rule set attached to an access package |
| Contains | Resources plus access packages | Selected roles on catalog resources | Request, approval, lifecycle settings |
| Cardinality | Many per tenant | Exactly one catalog as parent | One or more per access package |
| Sets who can request | No, only enables external users | No, the policy decides | Yes, the audience and scope |
| Sets approval and expiry | No | No | Yes, up to 3 stages plus duration |
| Delegation role | Catalog owner / Catalog creator | Access package manager | Access package manager edits it |
| Internal and external | Enabled for external users flag | Holds both audiences via policies | One policy is internal OR external |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Entitlement management needs the Entra ID Governance tier, not Free or P1
Access packages, catalogs, and connected organizations are part of Microsoft Entra ID Governance, so they require the Microsoft Entra ID Governance or Microsoft Entra Suite subscription for every governed user, including requestors and approvers. A few individual capabilities operate with Microsoft Entra ID P2, but a Free or P1-only tenant cannot run the access-package machinery. Terms of use is the one exception, needing only Entra ID P1.
Trap Assuming Microsoft Entra ID P2 alone unlocks access packages; the access-package feature requires the ID Governance tier, and only a few sub-capabilities work on P2.
- An access package bundles resource roles people request, instead of admins hand-assigning each
An access package is a named bundle of resource roles a person needs, drawn from three resource types: membership in Entra security and Microsoft 365 groups (and their Teams), assignment to enterprise applications, and membership in SharePoint Online sites. A requestor asks for the package once and Entra provisions every role inside it as a single time-limited assignment. Because licensing, Azure RBAC, and Entra roles can ride on a group inside the package, one request can deliver far more than the three literal resource types.
- The hierarchy is catalog, then access package, then assignment policy
A catalog is the container and delegation boundary that holds resources plus the access packages built from them. An access package lives in exactly one catalog and lists the resource roles it grants. An assignment policy attaches to an access package and is the only object that sets the rules: who can request, approval stages, duration, and whether an access review recertifies. One access package can carry several policies.
- Only cloud-created groups go in a catalog; on-prem AD and distribution groups cannot
A resource must be in a catalog before any access package can grant a role on it, and groups must be cloud-created (Entra security or Microsoft 365 groups). A group synced from on-premises Active Directory cannot be added because Entra cannot edit its membership, and an Exchange Online distribution group cannot be added either. The fix is to create a cloud security group or configure group writeback, not to change a permission.
Trap Trying to add an on-premises AD-synced security group as a catalog resource; Entra cannot modify its membership, so you must use a cloud-created group or group writeback.
- A single assignment policy serves internal OR external identities, never both
Each assignment policy names one audience: For users in your directory, For users not in your directory, or None (administrator direct assignments only). A single policy cannot mix internal employees and external partners, so collaboration scenarios need two policies on the same access package, one per audience. When multiple policies apply to a requestor, they pick which policy to request against.
Trap Assuming one policy can grant the same access package to both employees and external partners; internal and external audiences each need their own policy on the package.
- Delegate with catalog-scoped roles, not tenant-wide power
Entitlement management has tenant-wide roles (Catalog creator, Connected Organization Administrator) and per-catalog roles (Catalog owner, Catalog reader, Access package manager, Access package assignment manager). A Catalog creator builds and owns new catalogs but cannot see catalogs it does not own; an Access package manager creates and edits packages and policies in one catalog; an Access package assignment manager can only add or remove users on existing packages. Pick the narrowest role that covers the task.
- Identity Governance Administrator is the delegated admin role, not User Administrator
To grant a delegated administrator broad entitlement-management rights at the tenant level, assign the Identity Governance Administrator directory role. The User Administrator role can no longer create catalogs or manage access packages in catalogs it does not own, so it is the deprecated answer for these tasks. Global Administrator and Identity Governance Administrator can manage all of entitlement management by default.
Trap Reaching for User Administrator to configure catalogs or access packages; that role can no longer create catalogs or manage packages it does not own, so use Identity Governance Administrator.
- Adding a resource to a catalog needs both a catalog role and permission over the resource
Outside of Global Administrator, adding a group, app, or site to a catalog requires a directory role that can administer the resource plus the Catalog owner role on that catalog. For example, Groups Administrator plus Catalog owner adds groups; SharePoint Administrator plus Catalog owner adds sites; Application Administrator plus Catalog owner adds apps. A resource owner can add their own resource with just Catalog owner.
- Approval runs one to three stages; any deny in a stage terminates the request
An assignment policy can require up to three approval stages. Only one approver in a stage needs to approve for the request to advance, but if any approver in a stage denies it first, or no one acts, the request terminates and access is not granted. Approvers can be specific users or groups, the requestor's Manager, or, for external requestors, an Internal sponsor or External sponsor; an approver cannot approve their own request.
Trap Assuming all approvers in a stage must approve; only one approver per stage is needed to advance, but a single denial in the stage ends the request.
5 questions test this
- You have a Microsoft Entra tenant with entitlement management configured. You create an access package named Package1 with a policy that…
- You configure the User Administrator role in Microsoft Entra PIM to require approval for activation. User1 is designated as a delegated…
- You have a Microsoft Entra tenant that uses entitlement management. You create a connected organization for Fabrikam. You add User1, an…
- You configure a connected organization for a partner company named Fabrikam in Microsoft Entra entitlement management. You add sponsors to…
- You have a Microsoft Entra tenant that uses entitlement management. You configure an access package policy with two-stage approval. Stage 1…
- A stage decision timeout auto-denies; alternate-approver forwarding needs at least a four-day timeout
Each approval stage has a Decision must be made in how many days setting, and a request not approved in that window is automatically denied, forcing the user to re-request. Fallback approvers receive the request when the manager cannot be resolved from the Manager attribute. Alternate approvers receive it when the primary approvers do not act, but enabling alternate approvers requires the request timeout to be at least four days, because forwarding can only happen a day after the request starts.
Trap Confusing fallback approvers with alternate approvers; fallback covers a missing manager, while alternate approvers receive a forwarded request only after the primary approvers fail to act.
3 questions test this
- You have a Microsoft Entra tenant with entitlement management configured. You create an access package named Package1 with a policy that…
- You have a Microsoft Entra tenant that uses entitlement management. You configure an access package named AP1 with a policy that uses…
- You have a Microsoft Entra tenant that uses entitlement management. You create an access package named AP1 with a policy that requires…
- Pair an assignment duration with a recurring access review to keep access from drifting
An assignment policy's lifecycle settings set an expiration (a duration, or no expiration) and can require a recurring access review that recertifies the assignments the package handed out. Reviewers confirm or revoke each assignment on the configured cadence. Combining a finite duration with a recurring review is how standing access is kept from lingering past need.
- A connected organization names a partner whose users may request access
A connected organization is an external organization you have a relationship with, specified one of four ways: another Microsoft Entra directory in any Microsoft cloud, a non-Microsoft directory federated via SAML/WS-Fed, a domain whose users authenticate with email one-time passcode, or a Microsoft account such as live.com. A not-in-directory policy can then scope requests to specific connected organizations or all configured connected organizations.
- Connected organizations are configured or proposed, and only configured ones count for all-configured policies
A configured connected organization was created or approved by an admin and is in scope for any policy targeting all configured connected organizations. A proposed organization is auto-created when an All users policy approves someone who belongs to no existing connected organization; it is not in scope for all-configured policies and can only be used by policies that target it specifically. Leaving a proposed social-identity org marked configured can silently widen who an all-configured policy admits.
Trap Treating a proposed connected organization as in scope for an all configured connected organizations policy; only configured organizations are, and proposed ones must be targeted specifically.
3 questions test this
- You use Microsoft Entra entitlement management to collaborate with external partner organizations. You create an access package with a…
- You have a Microsoft Entra tenant with entitlement management configured. An access package has a request policy set to 'For users not in…
- You have a Microsoft Entra tenant that uses entitlement management. You create an access package with a policy set to All users (All…
- An approved external request invites a B2B guest automatically, with no invite email
When a not-in-directory policy approves an external requestor and the catalog is Enabled for external users, entitlement management uses the B2B invite process to create a guest account but sends no invitation email; the user instead gets the access-delivered email. The B2B allow/blocklist still applies, so a blocked domain cannot be invited until the list is updated. The catalog setting only governs self-service requests, not direct admin assignment.
- By default an external user is blocked and removed 30 days after losing their last assignment
The lifecycle of external users setting controls cleanup when a B2B guest brought in by entitlement management loses their last access package assignment. The default is to block sign-in and remove the account after 30 days; you can change Number of days before removing external user from directory (set 0 to delete immediately), or block without removing, or do neither. It only governs guests that entitlement management invited or that were converted to governed, so a pre-existing guest is left in place.
Trap Assuming the lifecycle cleanup deletes any guest who loses access; it only removes guests that entitlement management invited or that were explicitly converted to governed, leaving pre-existing guests untouched.
3 questions test this
- You have a Microsoft Entra tenant that uses entitlement management. Several guest users were previously invited through direct B2B…
- You use Microsoft Entra entitlement management to manage access for external users from a partner organization. An external user named…
- You have a Microsoft Entra tenant that uses entitlement management with default settings. External guest users from a partner organization…
- Enabled for external users gates self-service requests, not direct admin assignment
The catalog setting Enabled for external users (Yes by default on a new catalog) decides whether users from connected organizations can self-request the catalog's packages. It is not required for an administrator to directly assign an external user to a package; that path is governed by the access package's own policy. To lock down external self-service, set this to No and avoid not-in-directory request policies.
- Terms of use is a PDF enforced through Conditional Access, separate from the access package
A terms of use (ToU) policy is a PDF you upload and present at sign-in; the user must accept it before the targeted apps load. It is enforced as a Conditional Access grant control, not as a setting on an access package, so you scope it with Conditional Access assignments. You can require users to expand the document, demand per-device acceptance, and report on who accepted or declined.
Trap Looking for a terms of use toggle inside the access package or catalog; ToU is a separate object enforced through a Conditional Access grant control.
- Terms of use needs only Entra ID P1, and a tenant holds at most 40 policies
Unlike the rest of entitlement management, terms of use requires only Microsoft Entra ID P1, a lower bar than the ID Governance tier. A tenant can hold no more than 40 terms of use policies. You can set consents to expire on a schedule or after a fixed number of days, localize the PDF per language, and upload a new version, but you cannot modify an already-uploaded document.
Trap Assuming terms of use needs the ID Governance license like access packages; it works on Entra ID P1, and the tenant cap is 40 ToU policies.
- Use Privileged Identity Management for admin-role elevation, not an access package
Entitlement management grants standing, time-limited assignments to resources like groups, apps, and sites. For just-in-time activation of privileged Entra or Azure admin roles (eligible then activate), use Privileged Identity Management instead. The two are complementary: PIM elevates admin roles on demand, while access packages bundle and time-box resource access.
Trap Reaching for an access package to give just-in-time elevation of an admin role; that is Privileged Identity Management, since access packages grant standing resource assignments, not eligible-then-activate role elevation.
- Requestor justification and custom questions feed approvers their decision context
A policy can require requestor justification and collect custom requestor questions (short text, multiple choice, or long text) that are shown to approvers to inform the decision. You can also require approver justification, which is visible to other approvers and to the requestor. Catalog resources can additionally require attributes that the requestor must answer before the request can be submitted.
- Only an Identity Governance Administrator can create an automatic assignment policy
An automatic assignment policy assigns an access package by an attribute-driven membership rule (like a dynamic group), adding or removing assignments as the attribute changes. Creating one needs at least the Identity Governance Administrator role; catalog owners and access package managers can manage everything else but cannot add this policy type.
Trap Catalog owner or Access Package Manager looks sufficient because they manage the package, but neither can create an automatic assignment policy.
4 questions test this
- You have a Microsoft Entra tenant with Microsoft Entra ID Governance licenses. You manage an access package named AP-Marketing. A catalog…
- You have a Microsoft Entra tenant with Microsoft Entra ID Governance licenses. You need to configure an access package named AP1 so that…
- You have a Microsoft Entra tenant that uses entitlement management. You have an access package named AP1 in a catalog. You need to…
- You have a Microsoft Entra tenant that uses entitlement management. A user named User1 is assigned the Catalog owner role for a catalog…
- Separation of duties blocks a request by marking access packages or groups incompatible
On an access package's Separation of duties tab you list incompatible access packages or incompatible security groups. A user who already holds an assignment to an incompatible package, or is a member of an incompatible group, is then blocked from requesting that package. Configure the incompatibility on the package you want to protect.
Trap This is request-time prevention only, not a Conditional Access or access-review control.
5 questions test this
- You have a Microsoft Entra tenant that uses entitlement management. You have two access packages named Sales Access and Accounting Access…
- You have a Microsoft Entra tenant that uses entitlement management. You have two access packages: AP-Finance and AP-Procurement. Your…
- You have a Microsoft Entra tenant that uses entitlement management. You have two access packages in a catalog: Finance-AP and…
- You have a Microsoft Entra tenant that uses entitlement management. You have two access packages named AP-Finance and AP-Procurement. A…
- You have a Microsoft Entra tenant that uses entitlement management. You create an access package named AP-Finance. Employees in the…
- Require reaccept on updated terms of use does not prompt until the current session expires
To force re-acceptance you edit the terms, select Update for the language, upload the new PDF, and enable Require reaccept. Users who already accepted are not prompted for the new version until their existing session expires, so they keep working under the old acceptance until then.
Trap It is not an enforcement bug; deleting and recreating the terms (or creating a new one) is the way to force an immediate prompt.
References
- What is Microsoft Entra ID Governance?
- What is entitlement management?
- Group-based licensing in Microsoft Entra ID
- Create and manage a catalog of resources in entitlement management
- Delegation and roles in entitlement management
- Create accessPackageCatalog (Microsoft Graph API)
- Change approval and requestor information settings for an access package
- What is a connected organization in entitlement management?
- Govern access for external users in entitlement management
- Set up Microsoft Entra terms of use with Conditional Access