As working remotely and collaborating with internal and external parties via Microsoft Teams becomes more common, it’s important to keep our environment secure. Many organizations have started using sensitivity labels to control guest access and have even turned off the option to add guests to teams. However, we still need a way to manage guest access for important collaborations. This is where Access Packages from Microsoft Entra entitlement management can help.
Access packages make it possible to manage guest user access by letting guests request and get access to the resources they need while keeping things secure for your organization. These packages are also handy for local users, helping them quickly access important resources without sacrificing security. Since the solution also supports governance of the users, it is an easy way to keep track of access over time as well. All of this happens without IT having to manage access, except for setting up the packages to begin with.
An access package is essentially a bundle of resources and permissions that users can request access to. Think of it as a pre-defined package that includes the necessary permissions to groups, teams, sites and more. When a user needs to access specific resources, they can simply request the access package instead of individually seeking permissions for each resource. This way, everything they need is provided in one go, making the process faster and more streamlined.
One of the benefits of using Access Packages is that there are built-in approval and governance flows in the package itself. For instance, you can require both the requestor and the approver to justify the delegation of access, and this is naturally logged. As for lifecycle management, you can either have the requestor re-apply after a predetermined time period or have the approver, or someone else, review the access over time by using the standard Access Review flow. Users who should no longer have access are automatically removed from the resource, and if they are guests and have no other active access delegations, their guest account in Entra is disabled.
Access packages can be used for a number of different scenarios. Here are some examples:
- Membership in Microsoft Entra security groups
- Membership in Microsoft 365 Groups and Teams
- Membership in SharePoint Online sites
- Access to Enterprise Applications
The functionality requires Microsoft Entra ID Governance or Microsoft Entra Suite subscriptions for your users to be fully operational, but in many cases a Microsoft Entra ID P2 subscription is enough to get going. Microsoft has a great page that explains the licensing here.
If you need help or more information regarding Access Packages in Microsoft Entra Entitlement Management, send me an email and I would be happy to show you the ropes.
I have also published a guide to get you started with Access Packages.