Domain 4 of 4 · Chapter 1 of 4

Entitlement Management

The object model: catalog, access package, policy

Picture a contractor joining a project who needs membership in one security group, a license that rides on it, access to a SaaS app, and a SharePoint site. With entitlement management you define that whole bundle once as an access package, the contractor requests it once, and Microsoft Entra ID provisions every piece as a single time-limited assignment. Entitlement management is the Microsoft Entra ID Governance[1] feature that automates this request, approval, assignment, and expiration lifecycle at scale, for internal identities and for people outside your organization.

Three containers stack in a fixed hierarchy, and getting them straight is the single most testable idea on this topic.

  • A catalog is a container of resources and the access packages built from them. It is the delegation boundary: an administrator can add any resource, but a non-administrator can only add resources they own. A resource (a group, an app, or a site) must be in a catalog before any access package in that catalog can hand out a role on it.
  • An access package lives inside exactly one catalog and lists the resource roles it grants. It is what a person actually requests.
  • An access package assignment policy attaches to an access package and is the only thing that sets the rules: who may request, how many approval stages, how long the assignment lasts, and whether an access review recertifies it. One access package can carry several policies.

The overview documentation[2] defines an assignment as the link that gives an identity all the resource roles of an access package, and a resource role as a permission set defined by the resource itself: a group has member and owner roles, a SharePoint site has its site roles, and an application exposes whatever app roles its manifest declares.

What resources an access package can grant

Access packages manage four resource types: membership of Microsoft Entra security groups[2], membership of Microsoft 365 Groups and the Teams they back, assignment to Microsoft Entra enterprise applications (SaaS or custom apps that support federation or provisioning), and membership of SharePoint Online sites. The reach is wider than those four because access often rides on a group: put a security group in an access package and you can deliver Microsoft 365 group-based licensing[3], an Azure RBAC role assignment, or even an Entra role (via a role-assignable group) through that one group membership.

Licensing

Entitlement management requires the Microsoft Entra ID Governance or Microsoft Entra Suite[2] subscription for the users it governs, and that license must cover every user who benefits, requestors and approvers alike. Some individual capabilities operate with Microsoft Entra ID P2, but the access-package machinery as a whole is an ID Governance feature, so a Free or P1-only tenant cannot run it. Terms of use is the exception covered later: it needs only Microsoft Entra ID P1.

Catalogdelegation boundaryResourcesgroups, apps, SharePoint sitesAccess packagebundle of resource rolesroles drawn fromResource rolesmember, owner, site role, app rolegoverned byAssignment policy (1 or more)who can request, approval stages,duration, access review
The fixed hierarchy: a catalog holds resources and access packages; each package draws resource roles and is governed by one or more assignment policies.

Build catalogs and access packages, then delegate

A catalog is where you group related resources, and creating one is the first build step. Create it from the Microsoft Entra admin center under ID Governance > Catalogs > New catalog; the person who creates a catalog becomes its first catalog owner[4]. Two switches matter at creation: Enabled (set to Yes so the catalog's packages can be requested as soon as they exist) and Enabled for external users (set to Yes to let users from connected organizations request packages here, which is the default for a new catalog). The build then proceeds in a fixed order, from creating the catalog through adding resources to publishing the access package, as the figure below traces.

Adding resources, and what cannot be added

To include a resource in an access package, the resource must first be added to the catalog as Groups and Teams, Applications, or SharePoint sites. The hard limit to remember: only cloud-created groups[4] qualify. A group synced from on-premises Active Directory cannot be added because Entra cannot change its membership; the same is true for an Exchange Online distribution group. The workaround is to create a cloud security group, or configure group writeback, rather than reaching for the synced object.

Adding a resource needs both a catalog role and permission over the resource itself. A Global Administrator can add anything. For everyone else, the required-roles table[5] pairs a directory role with the Catalog owner role, for example Groups Administrator plus Catalog owner to add groups, or SharePoint Administrator plus Catalog owner to add sites.

The delegation roles

Entitlement management splits roles into two scopes. Tenant-wide roles administer the feature itself: Catalog creator (create and own new catalogs, but cannot see catalogs they do not own) and Connected Organization Administrator (add connected organizations). Per-catalog roles govern one catalog: Catalog owner (edit the catalog, add resources, add more owners, delegate package managers), Catalog reader (view only), Access package manager (create and manage access packages and their policies in that catalog), and Access package assignment manager (only add or remove users on existing packages, cannot create packages or edit policies). The first four roles are summarized below.

Role Scope Can do
Catalog creator Tenant-wide Create and own catalogs
Catalog owner One catalog Manage the catalog, resources, owners, package managers
Access package manager One catalog Create/edit access packages and policies
Access package assignment manager One catalog Add/remove users on existing packages only

The directory role to grant a delegated administrator is Identity Governance Administrator. This is a trap on the exam: the delegation guidance[5] states that the User Administrator role can no longer create catalogs or manage access packages in catalogs it does not own, so any candidate who reaches for User Administrator has chosen the deprecated answer.

Creating the access package

With resources in the catalog, an administrator, catalog owner, or access package manager creates the access package, selects the resource roles to include, and configures its first assignment policy. Resources, catalogs, and policies can also be managed with the Microsoft Graph PowerShell cmdlets for Identity Governance (for example New-MgEntitlementManagementCatalog and New-MgEntitlementManagementResourceRequest) or the Microsoft Graph API[6], which use the EntitlementManagement.ReadWrite.All permission.

1. Create catalogcreator becomes catalog owner2. Add resourcescloud groups, apps, sites only3. Create access packageselect resource roles4. Configure first policythen publish for requestsAdding a resource needs both a catalog role (Catalog owner) and a directory role over the resource
The build order: create the catalog (the creator becomes its owner), add cloud-created resources, create the access package and pick its roles, then configure the first policy and publish.

Requests, multi-stage approval, and access reviews

The assignment policy is where the access lifecycle is decided, and it always names one of three audiences. Lead with this rule: a single policy cannot mix internal and external identities, so collaboration scenarios need two policies on the same package.

  • For users, service principals, and agent identities in your directory scopes to specific users and groups, all members excluding guests, or all users including guests.
  • For users not in your directory targets specific connected organizations, all configured connected organizations, or All users (all connected organizations + any new external users).
  • None (administrator direct assignments only) turns off self-service so only an admin, catalog owner, or assignment manager assigns the package directly.

Approval flow

If approval is required, requests run through one to three approval stages[7]. The progression rule is precise: only one approver in a stage needs to approve for the request to move to the next stage, but if any approver in a stage denies the request first (or no one acts), the request terminates and access is not granted. The figure below traces a request through that branchy progression. Approvers can be specific users or groups, the requestor's Manager, or, for external requestors, an Internal sponsor or External sponsor; an approver can never approve their own request.

Three timing controls round out the flow. Decision must be made in how many days sets a per-stage timeout, and a request not approved in that window is automatically denied[7]. Fallback approvers receive the request when the manager cannot be resolved from the Manager attribute. Alternate approvers receive the request if the primary approvers do not act, but using them requires a request timeout of at least four days because forwarding can only happen a day after the request starts. You can also require requestor justification, require approver justification, and collect custom requestor questions (short text, multiple choice, or long text) that are shown to approvers.

Recertifying with access reviews

The policy's lifecycle settings set an expiration (assignment duration, or no expiration) and can require a recurring access review so assignments are recertified instead of lingering. This is the seam between this subtopic and access reviews: entitlement management can launch a review on the assignments an access package has handed out, and reviewers confirm or revoke each one on the configured cadence. Pairing a finite duration with a recurring review is how you keep standing access from drifting.

Requestuser asks for packageApproval stageup to 3; one approver advancesapproveddeny or timeoutTerminatedno accessNext stage?repeat until final stage clearsyes, another stagefinal stage clearedAssignedall resource roles grantedLifecycle: set a duration and add a recurring access review to recertify
The approval flow: each stage advances on one approval, any denial or timeout terminates the request, and once the final stage clears the package is assigned.

External users: connected organizations and lifecycle cleanup

Collaboration with people who are not in your directory is the scenario entitlement management was built for, and it hinges on two objects: the connected organization that names the partner, and the lifecycle setting that cleans up afterward. A connected organization[8] is another organization you have a relationship with, specified one of four ways: another Microsoft Entra directory (any Microsoft cloud), a non-Microsoft directory federated through SAML/WS-Fed, a domain whose users authenticate with email one-time passcode, or a Microsoft account such as live.com.

Configured versus proposed

A connected organization is in one of two states[8]. A configured organization was created or approved by an administrator and appears in pickers; it is in scope for any policy targeting all configured connected organizations. A proposed organization was auto-created when a user requested an All users package without belonging to an existing connected organization; it is not in scope for all-configured policies and can only be used by policies targeting it specifically. Watch the trap: leaving a proposed social-identity organization marked configured can silently widen who an all-configured policy lets in.

Sponsors are the partner's point of contact. Internal sponsors are member users in your directory; external sponsors are guests from the connected organization already invited in. Both can be designated as approvers for that organization's requests.

How an external request becomes a governed guest

When an external user's request is approved (and the catalog is Enabled for external users and the package has a not-in-directory policy), entitlement management uses the B2B invite process[9] to create a guest account, but sends no invitation email; the user instead gets the access-delivered email. The B2B allow/blocklist still applies, so a blocked domain cannot be invited until the list is updated. The figure below follows that external request through onboarding to automatic cleanup.

Lifecycle of external users

The payoff is automatic cleanup. When a B2B guest brought in this way loses their last access package assignment, the lifecycle of external users[9] setting decides what happens. The default is to block the guest from signing in and remove the account after 30 days; you can change the Number of days before removing external user from directory (set it to 0 to delete immediately), or choose to block without removing, or neither. Crucially, this only governs guests that entitlement management invited or that were explicitly converted to governed: a guest who already existed in your directory before getting a package assignment is left in place.

External requestfrom connected org, approvedB2B guest invitedno invite email sentHolds assignmentaccess package grantedloses last assignmentLifecycle cleanupblock sign-in, remove after 30 days (default)Only guests entitlement management invited or converted to governed; a pre-existing guest is left in place
The external-user lifecycle: an approved request invites a B2B guest; when that guest loses its last assignment the lifecycle setting removes it after 30 days.

Terms of use and exam patterns

Terms of use (ToU) is the one piece of this subtopic that lives outside the access-package object, so the exam likes to test the boundary. A terms of use policy[10] is a PDF you upload and present to users at sign-in; they must accept it before the targeted apps load. It is enforced as a Conditional Access grant control, not as a setting on an access package, which is exactly why scoping a ToU means writing Conditional Access assignments, not editing a catalog. The figure below traces that enforcement path from sign-in to the app.

The testable specifics: ToU requires Microsoft Entra ID P1 (note the lower bar than the rest of entitlement management, which needs ID Governance). A tenant can hold at most 40 ToU policies. You can force users to expand the document before accepting, require acceptance on every device (which needs the device registered in Entra), set consents to expire on a schedule (monthly, quarterly, annually) or after a fixed number of days, localize the PDF per language, and report on exactly who accepted or declined. You can edit a ToU's name and display name but you cannot modify an uploaded document; you upload a new version instead.

Exam-pattern recognition

Questions on this topic usually describe a scenario and ask for the right object or the least-privileged role. The reliable tells:

  • "Partners we cannot list in advance must self-request access and be cleaned up when they leave" points to an access package with a not-in-directory policy plus a connected organization and the external-user lifecycle setting, not a manual B2B invite.
  • "Delegate access management for one department without giving tenant-wide power" points to a per-catalog role (Catalog owner or Access package manager), and the delegated directory role is Identity Governance Administrator. If User Administrator is offered, it is the deprecated distractor.
  • "A manager then a resource owner must both approve" points to a multi-stage approval policy (up to three stages), not two separate access packages.
  • "Users must accept a legal notice before reaching an app" points to a terms of use policy enforced through Conditional Access, requiring only P1, not anything in the catalog.
  • "On-premises AD group cannot be added to the access package" is correct by design: only cloud-created groups (or writeback) work, so the fix is a cloud group, not a permissions change.

The distractors most often dangled are reaching for Privileged Identity Management (that is just-in-time admin-role elevation, not resource bundling), reaching for a standalone access review when the scenario clearly needs a request workflow, and assuming a single policy can serve both employees and external partners (it cannot, you need two).

Sign-in to apptargeted by policyConditional Accessgrant control presents ToU PDFApp loadson acceptacceptdeclineAccess blocked
Terms of use enforcement: a Conditional Access grant control presents the PDF at sign-in; accepting loads the app, declining blocks access. The PDF is not a setting on the access package.

Catalog vs access package vs assignment policy

AspectCatalogAccess packageAssignment policy
What it isContainer of resources and access packagesBundle of resource roles people requestRule set attached to an access package
ContainsResources plus access packagesSelected roles on catalog resourcesRequest, approval, lifecycle settings
CardinalityMany per tenantExactly one catalog as parentOne or more per access package
Sets who can requestNo, only enables external usersNo, the policy decidesYes, the audience and scope
Sets approval and expiryNoNoYes, up to 3 stages plus duration
Delegation roleCatalog owner / Catalog creatorAccess package managerAccess package manager edits it
Internal and externalEnabled for external users flagHolds both audiences via policiesOne policy is internal OR external

Decision tree

Who is the requestor?one audience per policyIn your directoryNot in your directoryFor users in your directorymembers, guests, or specific groupsLimit to known partners?connected organization scopeSpecific orgsAll configuredAnyoneSpecific connected orgsconfigured orgs you selectAll configured orgsevery configured partnerAllusersSensitive enough for layered sign-off?e.g. manager then resource ownerYesNoMulti-stage approval (up to 3)each stage one approver, timeout deniesSingle or no approvalset duration to time-box accessAlways: set an expiration; add a recurring access review to recertify

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Entitlement management needs the Entra ID Governance tier, not Free or P1

Access packages, catalogs, and connected organizations are part of Microsoft Entra ID Governance, so they require the Microsoft Entra ID Governance or Microsoft Entra Suite subscription for every governed user, including requestors and approvers. A few individual capabilities operate with Microsoft Entra ID P2, but a Free or P1-only tenant cannot run the access-package machinery. Terms of use is the one exception, needing only Entra ID P1.

Trap Assuming Microsoft Entra ID P2 alone unlocks access packages; the access-package feature requires the ID Governance tier, and only a few sub-capabilities work on P2.

An access package bundles resource roles people request, instead of admins hand-assigning each

An access package is a named bundle of resource roles a person needs, drawn from three resource types: membership in Entra security and Microsoft 365 groups (and their Teams), assignment to enterprise applications, and membership in SharePoint Online sites. A requestor asks for the package once and Entra provisions every role inside it as a single time-limited assignment. Because licensing, Azure RBAC, and Entra roles can ride on a group inside the package, one request can deliver far more than the three literal resource types.

The hierarchy is catalog, then access package, then assignment policy

A catalog is the container and delegation boundary that holds resources plus the access packages built from them. An access package lives in exactly one catalog and lists the resource roles it grants. An assignment policy attaches to an access package and is the only object that sets the rules: who can request, approval stages, duration, and whether an access review recertifies. One access package can carry several policies.

1 question tests this
Only cloud-created groups go in a catalog; on-prem AD and distribution groups cannot

A resource must be in a catalog before any access package can grant a role on it, and groups must be cloud-created (Entra security or Microsoft 365 groups). A group synced from on-premises Active Directory cannot be added because Entra cannot edit its membership, and an Exchange Online distribution group cannot be added either. The fix is to create a cloud security group or configure group writeback, not to change a permission.

Trap Trying to add an on-premises AD-synced security group as a catalog resource; Entra cannot modify its membership, so you must use a cloud-created group or group writeback.

1 question tests this
A single assignment policy serves internal OR external identities, never both

Each assignment policy names one audience: For users in your directory, For users not in your directory, or None (administrator direct assignments only). A single policy cannot mix internal employees and external partners, so collaboration scenarios need two policies on the same access package, one per audience. When multiple policies apply to a requestor, they pick which policy to request against.

Trap Assuming one policy can grant the same access package to both employees and external partners; internal and external audiences each need their own policy on the package.

1 question tests this
Delegate with catalog-scoped roles, not tenant-wide power

Entitlement management has tenant-wide roles (Catalog creator, Connected Organization Administrator) and per-catalog roles (Catalog owner, Catalog reader, Access package manager, Access package assignment manager). A Catalog creator builds and owns new catalogs but cannot see catalogs it does not own; an Access package manager creates and edits packages and policies in one catalog; an Access package assignment manager can only add or remove users on existing packages. Pick the narrowest role that covers the task.

2 questions test this
Identity Governance Administrator is the delegated admin role, not User Administrator

To grant a delegated administrator broad entitlement-management rights at the tenant level, assign the Identity Governance Administrator directory role. The User Administrator role can no longer create catalogs or manage access packages in catalogs it does not own, so it is the deprecated answer for these tasks. Global Administrator and Identity Governance Administrator can manage all of entitlement management by default.

Trap Reaching for User Administrator to configure catalogs or access packages; that role can no longer create catalogs or manage packages it does not own, so use Identity Governance Administrator.

Adding a resource to a catalog needs both a catalog role and permission over the resource

Outside of Global Administrator, adding a group, app, or site to a catalog requires a directory role that can administer the resource plus the Catalog owner role on that catalog. For example, Groups Administrator plus Catalog owner adds groups; SharePoint Administrator plus Catalog owner adds sites; Application Administrator plus Catalog owner adds apps. A resource owner can add their own resource with just Catalog owner.

2 questions test this
Approval runs one to three stages; any deny in a stage terminates the request

An assignment policy can require up to three approval stages. Only one approver in a stage needs to approve for the request to advance, but if any approver in a stage denies it first, or no one acts, the request terminates and access is not granted. Approvers can be specific users or groups, the requestor's Manager, or, for external requestors, an Internal sponsor or External sponsor; an approver cannot approve their own request.

Trap Assuming all approvers in a stage must approve; only one approver per stage is needed to advance, but a single denial in the stage ends the request.

5 questions test this
A stage decision timeout auto-denies; alternate-approver forwarding needs at least a four-day timeout

Each approval stage has a Decision must be made in how many days setting, and a request not approved in that window is automatically denied, forcing the user to re-request. Fallback approvers receive the request when the manager cannot be resolved from the Manager attribute. Alternate approvers receive it when the primary approvers do not act, but enabling alternate approvers requires the request timeout to be at least four days, because forwarding can only happen a day after the request starts.

Trap Confusing fallback approvers with alternate approvers; fallback covers a missing manager, while alternate approvers receive a forwarded request only after the primary approvers fail to act.

3 questions test this
Pair an assignment duration with a recurring access review to keep access from drifting

An assignment policy's lifecycle settings set an expiration (a duration, or no expiration) and can require a recurring access review that recertifies the assignments the package handed out. Reviewers confirm or revoke each assignment on the configured cadence. Combining a finite duration with a recurring review is how standing access is kept from lingering past need.

A connected organization names a partner whose users may request access

A connected organization is an external organization you have a relationship with, specified one of four ways: another Microsoft Entra directory in any Microsoft cloud, a non-Microsoft directory federated via SAML/WS-Fed, a domain whose users authenticate with email one-time passcode, or a Microsoft account such as live.com. A not-in-directory policy can then scope requests to specific connected organizations or all configured connected organizations.

Connected organizations are configured or proposed, and only configured ones count for all-configured policies

A configured connected organization was created or approved by an admin and is in scope for any policy targeting all configured connected organizations. A proposed organization is auto-created when an All users policy approves someone who belongs to no existing connected organization; it is not in scope for all-configured policies and can only be used by policies that target it specifically. Leaving a proposed social-identity org marked configured can silently widen who an all-configured policy admits.

Trap Treating a proposed connected organization as in scope for an all configured connected organizations policy; only configured organizations are, and proposed ones must be targeted specifically.

3 questions test this
An approved external request invites a B2B guest automatically, with no invite email

When a not-in-directory policy approves an external requestor and the catalog is Enabled for external users, entitlement management uses the B2B invite process to create a guest account but sends no invitation email; the user instead gets the access-delivered email. The B2B allow/blocklist still applies, so a blocked domain cannot be invited until the list is updated. The catalog setting only governs self-service requests, not direct admin assignment.

By default an external user is blocked and removed 30 days after losing their last assignment

The lifecycle of external users setting controls cleanup when a B2B guest brought in by entitlement management loses their last access package assignment. The default is to block sign-in and remove the account after 30 days; you can change Number of days before removing external user from directory (set 0 to delete immediately), or block without removing, or do neither. It only governs guests that entitlement management invited or that were converted to governed, so a pre-existing guest is left in place.

Trap Assuming the lifecycle cleanup deletes any guest who loses access; it only removes guests that entitlement management invited or that were explicitly converted to governed, leaving pre-existing guests untouched.

3 questions test this
Enabled for external users gates self-service requests, not direct admin assignment

The catalog setting Enabled for external users (Yes by default on a new catalog) decides whether users from connected organizations can self-request the catalog's packages. It is not required for an administrator to directly assign an external user to a package; that path is governed by the access package's own policy. To lock down external self-service, set this to No and avoid not-in-directory request policies.

1 question tests this
Terms of use is a PDF enforced through Conditional Access, separate from the access package

A terms of use (ToU) policy is a PDF you upload and present at sign-in; the user must accept it before the targeted apps load. It is enforced as a Conditional Access grant control, not as a setting on an access package, so you scope it with Conditional Access assignments. You can require users to expand the document, demand per-device acceptance, and report on who accepted or declined.

Trap Looking for a terms of use toggle inside the access package or catalog; ToU is a separate object enforced through a Conditional Access grant control.

2 questions test this
Terms of use needs only Entra ID P1, and a tenant holds at most 40 policies

Unlike the rest of entitlement management, terms of use requires only Microsoft Entra ID P1, a lower bar than the ID Governance tier. A tenant can hold no more than 40 terms of use policies. You can set consents to expire on a schedule or after a fixed number of days, localize the PDF per language, and upload a new version, but you cannot modify an already-uploaded document.

Trap Assuming terms of use needs the ID Governance license like access packages; it works on Entra ID P1, and the tenant cap is 40 ToU policies.

Use Privileged Identity Management for admin-role elevation, not an access package

Entitlement management grants standing, time-limited assignments to resources like groups, apps, and sites. For just-in-time activation of privileged Entra or Azure admin roles (eligible then activate), use Privileged Identity Management instead. The two are complementary: PIM elevates admin roles on demand, while access packages bundle and time-box resource access.

Trap Reaching for an access package to give just-in-time elevation of an admin role; that is Privileged Identity Management, since access packages grant standing resource assignments, not eligible-then-activate role elevation.

Requestor justification and custom questions feed approvers their decision context

A policy can require requestor justification and collect custom requestor questions (short text, multiple choice, or long text) that are shown to approvers to inform the decision. You can also require approver justification, which is visible to other approvers and to the requestor. Catalog resources can additionally require attributes that the requestor must answer before the request can be submitted.

1 question tests this
Only an Identity Governance Administrator can create an automatic assignment policy

An automatic assignment policy assigns an access package by an attribute-driven membership rule (like a dynamic group), adding or removing assignments as the attribute changes. Creating one needs at least the Identity Governance Administrator role; catalog owners and access package managers can manage everything else but cannot add this policy type.

Trap Catalog owner or Access Package Manager looks sufficient because they manage the package, but neither can create an automatic assignment policy.

4 questions test this
Separation of duties blocks a request by marking access packages or groups incompatible

On an access package's Separation of duties tab you list incompatible access packages or incompatible security groups. A user who already holds an assignment to an incompatible package, or is a member of an incompatible group, is then blocked from requesting that package. Configure the incompatibility on the package you want to protect.

Trap This is request-time prevention only, not a Conditional Access or access-review control.

5 questions test this
Require reaccept on updated terms of use does not prompt until the current session expires

To force re-acceptance you edit the terms, select Update for the language, upload the new PDF, and enable Require reaccept. Users who already accepted are not prompted for the new version until their existing session expires, so they keep working under the old acceptance until then.

Trap It is not an enforcement bug; deleting and recreating the terms (or creating a new one) is the way to force an immediate prompt.

2 questions test this

References

  1. What is Microsoft Entra ID Governance?
  2. What is entitlement management?
  3. Group-based licensing in Microsoft Entra ID
  4. Create and manage a catalog of resources in entitlement management
  5. Delegation and roles in entitlement management
  6. Create accessPackageCatalog (Microsoft Graph API)
  7. Change approval and requestor information settings for an access package
  8. What is a connected organization in entitlement management?
  9. Govern access for external users in entitlement management
  10. Set up Microsoft Entra terms of use with Conditional Access