What is an Access Package?
An Access Package bundles groups, apps, and SharePoint sites that users can request as a unit through Entra ID Governance. Learn how they work and how to design them.
What is an Access Package?
Definition
An Access Package is a unit of governable access in Microsoft Entra ID Governance's Entitlement Management feature. It bundles resources — groups, applications, SharePoint sites, Teams — that a user needs together for a role or scenario, and exposes them as a self-service request with policies for approval, expiration, and periodic review.
In simple terms:
An Access Package is a "package" of access a user requests once, with built-in approval and lifecycle.
Why Access Packages Matter
- Replace ad-hoc group additions with structured, reviewed access.
- Enable self-service so users request access through a portal instead of opening tickets.
- Bake in approval workflows, expiration, and recurring access reviews.
- Map cleanly to roles and projects.
- Provide an audit trail of who got what, when, and why.
Anatomy of an Access Package
1. Catalog
A container that holds Access Packages, their resources, and the people who can manage them. Common patterns:
- Per business unit (Finance, Sales, Engineering).
- Per project.
- Per application portfolio.
2. Resources
- Security groups.
- Microsoft 365 groups (and their backing SharePoint, Teams).
- Applications (Enterprise Apps).
- SharePoint sites directly.
3. Resource Roles
What the user gets in each resource (e.g., Member of Group X, User of App Y, Edit rights in SharePoint Z).
4. Policies
Govern who can request, what approvals, what reviews, and how long access lasts:
- Who can request — internal users in groups, users in connected organizations, anyone.
- Approval — single, multi-stage, alternate approvers.
- Requestor information — questions/justifications.
- Lifecycle — fixed duration, recurring access reviews, expiration handling.
How Access Packages Work
- Admin creates Catalog + adds Resources.
- Admin creates Access Package with Resource Roles and Policy.
- User browses the Access Portal (
myaccess.microsoft.com) and requests the package. - Approver reviews and approves (or denies).
- Resources are assigned automatically — group membership added, app role granted, SharePoint permission applied.
- At expiration or per recurring review, access is renewed or removed.
Common Access Package Patterns
New Hire Onboarding
Access Package "Engineering Day 1" includes default Engineering groups, dev tools (GitHub, Jira), and shared SharePoint sites. Manager approves on hire date.
Project Access
Access Package "Project Phoenix" includes Teams workspace, SharePoint site, and project app. Self-request; PMO approves; expires at project end.
Privileged Application
Access Package "Salesforce Admin" requires manager + app owner approval, 30-day expiration, recurring review every 90 days.
External Collaboration
Access Package for partner vendor includes shared Teams and document libraries. Approval by internal sponsor; 6-month expiration; quarterly review.
Access Package Best Practices
Design
- Map packages to real roles (job functions, projects).
- Avoid mega-packages — keep scope cohesive.
- Use catalogs to delegate management to BU owners.
- Document each package's purpose and owner.
Policies
- Always require approval for non-trivial access.
- Set expiration rather than allowing infinite access.
- Enable recurring access reviews for any privileged or sensitive package.
- Use multi-stage approval for sensitive resources.
- Require justification for sensitive packages.
Lifecycle
- Remove access automatically on expiration or denied review.
- Tie packages to lifecycle workflows for joiner/mover/leaver.
- Decommission unused packages.
Governance
- Quarterly review of catalogs and packages.
- Owner accountability — assign and rotate.
- Sign-in activity as input to access reviews.
Detection
- Audit log alerts on package changes and approvals.
- Monitor approval anomalies (same user approving unusually high volumes).
Real-World Examples
1. Replacing Email-Based Access Requests
Help desk used to receive 50+ "please add me to group X" emails per week. Migrating to Access Packages drops this to nearly zero — users self-serve, approvals automated, audit complete.
2. Project End-of-Life Cleanup
Project ends. The "Project Phoenix" Access Package expires; all 40 users automatically lose project resources without ticket-driven cleanup.
3. Compliance Win
SOX auditor asks "show me everyone who had access to Finance app and who approved them in 2025." Entitlement Management report answers in minutes.
4. Vendor Access
External vendor company onboarded as a Connected Organization. Access Packages limit them to specific resources with end dates. No more long-lived guest accounts with no expiration.
Common Pitfalls
- Treating Access Packages as static — never reviewed.
- Overly broad packages that grant excessive access "just in case."
- Approvers who rubber-stamp every request.
- No expiration policies.
- Manual group adds continuing in parallel — undermining governance.
- Catalog sprawl — hundreds of orphaned catalogs.
Access Package Checklist
- Catalogs aligned to business structure?
- Owners assigned and reviewed?
- Each package documented (purpose, approver, expiration)?
- Approvals required for non-trivial access?
- Expiration set with recurring review where appropriate?
- Manual group additions deprecated?
- Lifecycle workflows integrated with packages?
- Audit log monitoring on package and approval changes?
- Approval-completion metrics tracked?
How Forestall Helps
Forestall surfaces access outside governance:
- Privileged groups, roles, and apps without an Access Package.
- Stale assignments unreviewed for long periods.
- Access that confers privileged reach but isn't under governance.
This helps you prioritize what should be packaged and reviewed first.
Frequently Asked Questions
Do Access Packages replace SailPoint?
For cloud-centric scenarios in Microsoft environments, often yes. For complex on-premises and bespoke app governance, traditional IGA may still be needed.
Can guests request Access Packages?
Yes — via Connected Organizations, external users from approved organizations can request internal Access Packages.
Are Access Packages free?
They require Entra ID Governance licenses for assigned users.
Can I require multi-stage approval?
Yes — multi-stage approvals with escalation and timeouts are supported.
What happens to assigned resources on expiration?
Removed automatically per the policy.
Conclusion
Access Packages turn ad-hoc, ungoverned access into structured, self-service, reviewed access. Bundle resources by role or project, layer approvals and expiration on top, and review periodically — and access management becomes a measurable, auditable program instead of an endless ticket queue. Combined with Lifecycle Workflows and PIM, Access Packages anchor Microsoft Entra Governance in cloud-first IGA done right.
See ungoverned access where Access Packages should exist.
Forestall identifies privileged groups and apps without owners or reviews — prime candidates for governance.