Catalogs and Access Packages
In Microsoft Identity and Access Administrator, Catalogs and Access Packages are core components of Entitlement Management within Azure AD Identity Governance, designed to streamline and automate how organizations manage access to resources.

**Catalogs** are containers that group related resources and access packages together. They serve as organizational boundaries for delegating access management responsibilities. A catalog can contain resources such as Azure AD groups, applications, SharePoint Online sites, and other assets. Catalog owners can add resources and create access packages within their catalogs, enabling decentralized administration. For example, a department head can manage their own catalog without requiring Global Administrator privileges. There is always a default catalog called 'General,' and administrators can create additional catalogs tailored to specific departments, projects, or business units. Catalogs help enforce governance boundaries and allow organizations to delegate access management to the appropriate stakeholders.

**Access Packages** are bundles of resources within a catalog that users can request access to. Each access package defines which resources a user will receive, the policies governing who can request access, approval workflows, and the lifecycle of that access (including expiration and periodic access reviews). For instance, an access package for a 'Marketing Team' might include a SharePoint site, a Teams group, and a specific SaaS application. Policies within access packages can specify whether internal users, external guests, or specific groups can request access, who must approve requests, and whether access is time-limited.
Together, Catalogs and Access Packages enable organizations to automate identity governance by reducing manual provisioning, enforcing least-privilege access, and ensuring compliance through access reviews and expiration policies. They support self-service access requests, reducing IT overhead while maintaining security. This approach is essential for planning and automating identity governance at scale, particularly in large enterprises managing numerous resources across multiple departments and external collaborators.
Catalogs and Access Packages in Azure AD Identity Governance (SC-300)
Understanding Catalogs and Access Packages in Azure AD Entitlement Management
Why Are Catalogs and Access Packages Important?
In modern organizations, managing access to resources is one of the most critical security challenges. When employees join, change roles, or leave, their access must be granted, modified, or revoked efficiently. Without proper governance, organizations face:
• Access sprawl – Users accumulate permissions over time that they no longer need
• Security risks – Excessive or outdated permissions create attack surfaces
• Compliance violations – Regulatory requirements demand proof of proper access controls
• Administrative overhead – IT teams spend excessive time managing individual access requests
Catalogs and Access Packages, part of Azure AD Entitlement Management, solve these problems by enabling organizations to automate and govern identity lifecycle processes at scale.
What Are Catalogs?
A catalog is a container of resources and access packages in Azure AD Entitlement Management. Think of it as a folder or organizational boundary that groups related resources and access packages together.
Key characteristics of catalogs:
• A catalog is a logical grouping of resources (groups, applications, SharePoint sites) and access packages
• The General catalog is created automatically the first time an administrator interacts with Entitlement Management
• Catalogs allow delegation of administration – non-administrators can be assigned roles to manage catalogs
• Each catalog can have its own set of catalog owners, catalog readers, access package managers, and access package assignment managers
• Resources must be added to a catalog before they can be included in an access package within that catalog
• A resource can exist in multiple catalogs
Catalog Roles:
• Catalog owner – Can edit the catalog, add resources, add access packages, and manage policies
• Catalog reader – Can view access packages within the catalog but cannot make changes
• Access package manager – Can create and manage access packages within the catalog, but cannot add resources to the catalog itself
• Access package assignment manager – Can manage assignments (who has what access package) but cannot edit access package policies
Who can create catalogs?
• Global Administrators
• Identity Governance Administrators
• Users assigned the Catalog creator role
• By default, Global Administrators and Identity Governance Administrators can create catalogs, and they can delegate the Catalog creator role to non-admin users
What Are Access Packages?
An access package is a bundle of resources that a user may need for a project, task, or role. Instead of assigning individual permissions, administrators create access packages that group all necessary resources together.
Key characteristics of access packages:
• An access package is always created within a catalog
• It bundles resource roles from groups, applications, and SharePoint Online sites
• Access packages have one or more policies that define who can request access, who approves it, and when it expires
• Users can request access packages through the My Access portal (myaccess.microsoft.com)
• Access can be time-limited with automatic expiration
• Access packages support access reviews to periodically validate that users still need access
• Access packages can be assigned to internal users, external users (B2B guests), or both
Access Package Policies:
Each access package contains one or more policies. Policies define the rules for requesting and receiving an access package. Key policy settings include:
• Who can request – Specific users, groups, all members in the directory, connected organizations, or users not yet in your directory
• Approval settings – No approval required, single-stage approval, or multi-stage approval (up to 3 stages)
• Approvers – The requestor's manager, specific users, or the sponsors of the requestor's connected organization
• Expiration – Never, specific date, specific number of days after approval, or specific number of hours
• Access reviews – Periodic reviews to validate continued need for access
• Requestor information – Questions the requestor must answer when requesting access
• Lifecycle settings – What happens when access expires (e.g., remove group membership)
An important distinction: An access package can have multiple policies targeting different populations. For example, one policy for internal employees (auto-approved, 1-year expiration) and another for external guests (requires approval, 90-day expiration).
How Do Catalogs and Access Packages Work Together?
Step-by-step workflow:
1. Create a catalog (or use the General catalog) – An administrator or catalog creator creates a catalog to group related resources
2. Add resources to the catalog – The catalog owner adds Azure AD groups, enterprise applications, and/or SharePoint Online sites to the catalog
3. Create an access package within the catalog – An access package manager or catalog owner creates an access package and selects resource roles from the catalog's resources
4. Define policies – Configure who can request, approval workflows, expiration, and access reviews
5. Users request access – Users navigate to myaccess.microsoft.com and request the access package
6. Approval process – If approval is required, designated approvers review and approve/deny the request
7. Access is granted – Upon approval, the user is automatically added to the groups, granted application access, and given SharePoint site permissions defined in the access package
8. Access expires or is reviewed – When the access period ends, access is automatically revoked. Periodic access reviews may also prompt re-certification
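The workflow above scripted end to end, as an added example that is not code from the page or from Microsoft: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance module) and builds the one-package, two-policies pattern described earlier (internal employees auto-approved for a year, connected-organization guests approved for 90 days). Cmdlet and request-body property names are those of the Graph v1.0 entitlement management API as I know them; group, approver and display-name values are placeholders, and binding the group's Member role into the package is omitted for space.

```powershell
# Added example, not the page's own: catalog -> resource -> access package -> two policies
# via the Microsoft Graph PowerShell SDK. Values in angle brackets are placeholders.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
# 1. Create a catalog as the delegation boundary for one department
$catalog = New-MgEntitlementManagementCatalog -BodyParameter @{
    displayName         = "Marketing"
    description         = "Resources delegated to the Marketing department"
    state               = "published"
    isExternallyVisible = $true   # packages here may be requested by connected orgs
}

# 2. Add a group to the catalog. A resource must be in the catalog before any
#    access package in that catalog can include it (a common exam trap).
New-MgEntitlementManagementResourceRequest -BodyParameter @{
    requestType = "adminAdd"
    catalog     = @{ id = $catalog.Id }
    resource    = @{ originId = "<marketing-group-object-id>"; originSystem = "AadGroup" }
} | Out-Null

# 3. Create the access package inside the catalog (resource roles are bound separately)
$pkg = New-MgEntitlementManagementAccessPackage -BodyParameter @{
    displayName = "Marketing Team"
    catalog     = @{ id = $catalog.Id }
}

# 4a. Policy for internal employees: self-service, no approval, expires after one year
New-MgEntitlementManagementAssignmentPolicy -BodyParameter @{
    displayName             = "Internal employees"
    allowedTargetScope      = "allMemberUsers"
    requestorSettings       = @{ enableTargetsToSelfAddAccess = $true }
    requestApprovalSettings = @{ isApprovalRequiredForAdd = $false }
    expiration              = @{ type = "afterDuration"; duration = "P365D" }
    accessPackage           = @{ id = $pkg.Id }
} | Out-Null
# 4b. Second policy on the SAME package for connected-organization guests:
#     single-stage approval with justification, expires after 90 days
New-MgEntitlementManagementAssignmentPolicy -BodyParameter @{
    displayName             = "Connected-organization guests"
    allowedTargetScope      = "allConfiguredConnectedOrganizationUsers"
    requestorSettings       = @{ enableTargetsToSelfAddAccess = $true }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd = $true
        stages = @(@{
            durationBeforeAutomaticDenial   = "P7D"   # auto-deny if nobody acts
            isApproverJustificationRequired = $true
            primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = "<approver-object-id>" })
        })
    }
    expiration    = @{ type = "afterDuration"; duration = "P90D" }
    accessPackage = @{ id = $pkg.Id }
} | Out-Null
```

Both policies live on one access package, which is the configuration the exam expects when internal and external users need the same resources under different rules.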
Separation of Duties (Incompatible Access Packages):
You can configure incompatible access packages or incompatible groups to prevent a user from requesting an access package if they already hold conflicting access. This enforces separation of duties controls.
Connected Organizations:
Entitlement Management supports connected organizations, allowing you to define trusted external organizations whose users can request access packages. This facilitates B2B collaboration while maintaining governance controls.
Automatic Assignment Policies:
Access packages can include automatic assignment policies that use rules based on user attributes. For example, if a user's department attribute equals "Marketing," they are automatically assigned a specific access package. When the attribute no longer matches, the access is automatically removed.
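The "department equals Marketing" rule above as an automatic assignment policy, added here as an example rather than taken from the page: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance module) with Graph v1.0 property names as I know them, and the access package ID is a placeholder.

```powershell
# Added example, not the page's own: an attribute-driven automatic assignment policy.
# The access package ID is a placeholder.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

New-MgEntitlementManagementAssignmentPolicy -BodyParameter @{
    displayName        = "Marketing department - automatic assignment"
    description        = "Granted and removed from the user.department attribute alone"
    allowedTargetScope = "specificDirectoryUsers"
    # The rule that selects who receives the package, in dynamic-group rule syntax
    specificAllowedTargets = @(@{
        "@odata.type"  = "#microsoft.graph.attributeRuleMembers"
        description    = "Users whose department is Marketing"
        membershipRule = '(user.department -eq "Marketing")'
    })
    # Assign without a request, and remove once the user no longer matches the rule
    automaticRequestSettings = @{
        requestAccessForAllowedTargets             = $true
        removeAccessWhenTargetLeavesAllowedTargets = $true
        gracePeriodBeforeAccessRemoval             = "P7D"   # ISO 8601: seven days
    }
    requestorSettings       = @{ enableTargetsToSelfAddAccess = $false }  # no self-service
    requestApprovalSettings = @{ isApprovalRequiredForAdd = $false }
    expiration              = @{ type = "noExpiration" }   # lifecycle is driven by the rule
    accessPackage           = @{ id = "<access-package-id>" }
}
```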
Key Scenarios for the SC-300 Exam:
• Delegated administration – An organization wants non-IT department heads to manage access for their teams. Solution: Make them catalog owners or access package managers
• External collaboration – A company wants to give partner organizations access to specific resources with time-limited access and approval. Solution: Create an access package with a policy for connected organizations, require approval, set expiration
• Project-based access – Temporary access needed for a project. Solution: Create an access package with a specific end date or duration
• Joiner/mover/leaver scenarios – Automatically grant access when users join a department and remove when they leave. Solution: Use automatic assignment policies based on user attributes
Exam Tips: Answering Questions on Catalogs and Access Packages
1. Remember the hierarchy: Catalog → Access Package → Policy. Resources belong to catalogs, access packages are created within catalogs, and policies are defined within access packages.
2. Know the roles and their boundaries:
• Catalog owners can add resources AND manage access packages
• Access package managers can manage access packages but CANNOT add resources to the catalog
• Access package assignment managers can ONLY manage assignments, not edit packages or policies
• If a question asks about adding resources to a catalog, the answer involves catalog owner or higher, NOT access package manager
3. Understand policy configuration: If a question describes different requirements for internal vs. external users for the same set of resources, the answer is one access package with multiple policies, NOT multiple access packages.
4. Approval stages: Entitlement Management supports up to 3 stages of approval. Know that you can configure different approvers at each stage, and you can set alternate approvers and escalation.
5. My Access portal: Users request access packages via myaccess.microsoft.com. This is the self-service portal. If a question asks how users request bundled resources, the answer involves access packages and the My Access portal.
6. External users and access packages: When external users from connected organizations request and receive access packages, B2B guest accounts are automatically created for them. When their access expires, the guest account can be automatically removed if configured.
7. Catalog creator role: If the question asks how to allow a non-admin user to create catalogs, assign them the Catalog creator role in Azure AD. This is different from being a catalog owner.
8. Separation of duties: If a question mentions preventing users from having conflicting access, look for answers involving incompatible access packages or incompatible groups.
9. Automatic assignment: If the scenario describes access that should be granted or removed based on user attributes (like department or job title) without user request, the answer is automatic assignment policy on an access package.
10. License requirements: Entitlement Management requires Azure AD Premium P2 (now Microsoft Entra ID P2) or Microsoft Entra ID Governance licenses. Questions about prerequisites may test this.
11. General catalog: The General catalog is automatically created. By default, a Global Administrator is the owner. Any resources added when no specific catalog is chosen go here. Know that you can create additional custom catalogs for delegation purposes.
12. Access reviews in access packages: You can configure recurring access reviews within access package policies. If a reviewer does not respond, you can configure the system to automatically remove access. This is a common exam scenario.
13. Read the question carefully for scope: If the question says "with the least administrative effort" or "minimum privilege," choose the role or approach that provides just enough access. For example, use access package assignment manager instead of catalog owner if the task is only about managing who has access.
14. Key differentiator from other governance tools: Access packages bundle multiple resources. If the scenario mentions granting access to multiple resources at once, think Entitlement Management. If it mentions reviewing existing access, think Access Reviews. If it mentions privileged role activation, think PIM (Privileged Identity Management).
15. Common trick questions: A resource must be in the catalog BEFORE it can be added to an access package. If a question describes a failure to add a resource to an access package, the likely answer is that the resource has not been added to the catalog first.