Entitlement Management Planning
Entitlement Management Planning is a critical component of Microsoft Identity Governance that enables organizations to manage the lifecycle of identity and access at scale. It involves strategically organizing and automating how users request, receive, and maintain access to resources such as groups, applications, and SharePoint sites. The planning process begins with identifying access packages, which are bundles of resources that users may need for specific roles or projects. Administrators must determine which resources to include, who should have access, what approval workflows are required, and how long access should last before requiring review or expiration.
Key elements of Entitlement Management Planning include:
1. **Catalog Design**: Catalogs are containers for resources and access packages. Planning involves determining how to organize catalogs (by department, project, or business function) and assigning catalog owners who manage resources within them.
2. **Access Package Policies**: Each access package requires policies defining who can request access (internal users, external users, or both), approval stages, reviewers, and access duration. Planning ensures these policies align with organizational security requirements.
3. **Connected Organizations**: For B2B collaboration, planning involves identifying external organizations that need access and defining appropriate governance controls for external users.
4. **Access Reviews Integration**: Planning should incorporate periodic access reviews to ensure continued appropriateness of assigned access, reducing the risk of privilege accumulation.
5. **Separation of Duties**: Implementing incompatible access checks prevents users from accumulating conflicting permissions that could pose security risks.
6. **Lifecycle Management**: Planning addresses automatic assignment and removal of access based on user attributes, ensuring access remains current as roles change.
7. **Delegation Strategy**: Organizations must plan how to delegate management responsibilities to business owners rather than relying solely on IT administrators.
Effective Entitlement Management Planning reduces security risks, ensures compliance, streamlines access provisioning, and empowers business stakeholders to govern access within their domains while maintaining centralized oversight and policy enforcement.
Why Is Entitlement Management Planning Important?
In modern organizations, managing access to resources across departments, partners, and external collaborators is one of the most complex identity governance challenges. Without proper planning, organizations face security risks from over-provisioned access, compliance violations from uncontrolled permissions, and operational inefficiency from manual access request processes. Entitlement Management Planning is critical because it ensures that the right people have the right access to the right resources for the right duration — and that this access is automatically governed throughout its lifecycle.
For the SC-300 (Microsoft Identity and Access Administrator) exam, understanding Entitlement Management Planning is essential because it falls directly under the Plan and Implement Identity Governance domain, which represents a significant portion of the exam objectives.
What Is Entitlement Management?
Entitlement Management is a feature of Microsoft Entra ID Governance (formerly Azure AD Identity Governance) that automates access request workflows, access assignments, reviews, and expiration. It allows organizations to manage the identity and access lifecycle at scale for both internal users and external (B2B) guest users.
The core components of Entitlement Management include:
• Access Packages: A bundle of resources (groups, applications, SharePoint sites) that a user can request access to. Access packages are the fundamental building block of Entitlement Management.
• Catalogs: Containers that group related access packages and their resources together. Catalogs define the scope of resources and delegate management to catalog owners. There is a default General catalog, and administrators can create custom catalogs.
• Policies: Rules attached to access packages that define who can request access, who approves it, the duration of access, and whether access reviews are required. A single access package can have multiple policies (e.g., one for internal users, one for external users).
• Connected Organizations: External organizations (identified by their domain or tenant) whose users can be allowed to request access packages. This is fundamental for B2B collaboration scenarios.
• Access Reviews: Periodic reviews integrated into access packages to ensure continued need for access. Reviewers can be managers, resource owners, self-reviewers, or specific users.
• Separation of Duties (Incompatible Access Packages): You can configure rules so that a user who already has one access package cannot request another that would create a conflict of interest.
How Does Entitlement Management Work?
The workflow for Entitlement Management follows these key steps:
1. Planning and Setup:
• Identify the resources (apps, groups, SharePoint sites) that need governed access
• Determine who should be catalog owners and access package managers
• Decide on approval workflows (single-stage, multi-stage, with specific approvers)
• Define access duration and expiration policies
• Plan whether external users (guests) need access
2. Creating Catalogs:
• Create catalogs to logically group resources (e.g., by department or project)
• Assign Catalog Owners who can manage resources and access packages within the catalog
• Assign Catalog Readers who can view but not modify
• Add resources (groups, applications, SharePoint Online sites) to the catalog
3. Creating Access Packages:
• Create access packages within a catalog
• Add resource roles (e.g., Member of a group, User role of an application)
• Define one or more policies for the access package
4. Configuring Policies:
Each policy defines:
• Who can request: Users in your directory, specific connected organizations, all connected organizations, all users (including external), or no one (admin-assigned only)
• Approval settings: No approval required, single-stage approval, or multi-stage approval (up to 3 stages). Approvers can be specific users, managers, or sponsors.
• Requestor information: Custom questions the requestor must answer
• Lifecycle settings: Expiration (specific date, number of days, or never), access reviews schedule
• Automatic assignment: Policies can use dynamic rules to automatically assign access based on user attributes
5. Requesting Access:
• Eligible users navigate to the My Access portal (myaccess.microsoft.com)
• They browse or search for available access packages
• They submit a request, answer any required questions, and provide justification
• The request flows through the configured approval workflow
6. Ongoing Governance:
• Access reviews periodically verify that users still need access
• Access automatically expires based on policy settings
• When access expires for external guests, their guest account can be automatically removed (blocked from sign-in and then deleted)
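The core components listed earlier (catalog, access package, policies, resource roles, connected organizations, incompatible packages) and the six-step workflow above, modelled as a small policy-evaluation engine. This is an added example written for this page, not Microsoft's code and not the Microsoft Graph entitlement management API; the class and field names (`Policy.scope`, `auto_rule`, `incompatible_with`), the `contoso.com`/`fabrikam.com`/`adatum.com` tenants and the users are constructed assumptions. It shows the decisions a request goes through in the order the page describes: separation-of-duties check first, then "which policy covers this requestor" (so one package can carry an internal and an external policy), then approval stages (capped at 3) and expiration; it also shows attribute-based automatic assignment and the block-then-delete cleanup for a guest whose last assignment has expired.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

TENANT = "contoso.com"  # constructed home tenant; users from any other tenant are external (B2B) guests


@dataclass
class User:
    upn: str
    home_tenant: str = TENANT
    attributes: dict = field(default_factory=dict)
    assignments: dict = field(default_factory=dict)  # package name -> expiry date (None = never expires)

    @property
    def is_external(self) -> bool:
        return self.home_tenant != TENANT


@dataclass
class Policy:
    name: str
    scope: str                         # "internal" | "connected_org" | "all_external" | "none"
    connected_orgs: tuple = ()         # tenants allowed when scope == "connected_org"
    approval_stages: int = 0           # 0 = no approval required
    duration_days: Optional[int] = 30  # None = access never expires
    auto_rule: Optional[dict] = None   # attribute -> value; makes this an automatic assignment policy

    def __post_init__(self):
        if not 0 <= self.approval_stages <= 3:  # the service supports at most 3 approval stages
            raise ValueError("approval_stages must be between 0 and 3")

    def covers(self, user: User) -> bool:
        """Does this policy's 'who can request' setting include the user?"""
        if self.scope == "internal":
            return not user.is_external
        if self.scope == "connected_org":
            return user.home_tenant in self.connected_orgs
        if self.scope == "all_external":
            return user.is_external
        return False  # "none": assignments are made by administrators only


@dataclass
class AccessPackage:
    name: str
    catalog: str
    resource_roles: tuple  # e.g. ("Member: Finance-Approvers", "User: FinanceApp")
    policies: tuple
    incompatible_with: frozenset = frozenset()  # separation-of-duties rule


def evaluate_request(pkg: AccessPackage, user: User, today: date) -> dict:
    """Outcome of a self-service request for pkg: denied, granted, or pending approval."""
    conflicts = pkg.incompatible_with & set(user.assignments)
    if conflicts:  # incompatible access package already assigned: refuse before any policy runs
        return {"status": "denied", "reason": "incompatible with " + ", ".join(sorted(conflicts))}
    # Several request policies can sit on one package; the first whose scope covers the user applies.
    policy = next((p for p in pkg.policies if p.auto_rule is None and p.covers(user)), None)
    if policy is None:
        return {"status": "denied", "reason": "no policy allows this requestor"}
    expiry = today + timedelta(days=policy.duration_days) if policy.duration_days is not None else None
    if policy.approval_stages == 0:
        user.assignments[pkg.name] = expiry
        return {"status": "granted", "policy": policy.name, "expires": expiry}
    return {"status": "pending_approval", "policy": policy.name,
            "stages": policy.approval_stages, "expires_on_approval": expiry}


def apply_automatic_assignments(pkg: AccessPackage, users: list) -> list:
    """Automatic assignment policy: add access while the attribute rule matches, remove when it stops."""
    changes = []
    for policy in (p for p in pkg.policies if p.auto_rule is not None):
        for u in users:
            matches = all(u.attributes.get(k) == v for k, v in policy.auto_rule.items())
            if matches and pkg.name not in u.assignments:
                u.assignments[pkg.name] = None  # kept for as long as the rule matches
                changes.append((u.upn, "added"))
            elif not matches and pkg.name in u.assignments:
                del u.assignments[pkg.name]
                changes.append((u.upn, "removed"))
    return changes


def expire_assignments(user: User, today: date) -> list:
    """Remove assignments whose policy-defined end date has been reached."""
    expired = sorted(n for n, end in user.assignments.items() if end is not None and end <= today)
    for n in expired:
        del user.assignments[n]
    return expired


def guest_cleanup_action(user: User) -> str:
    """External guest with no remaining assignment: block sign-in, then delete the account."""
    return "block_sign_in_then_delete" if user.is_external and not user.assignments else "keep"


def demo(today: date = date(2024, 1, 15)) -> dict:
    """Constructed sample: one Finance catalog, two conflicting packages, internal and partner policies."""
    internal = Policy("Employees", "internal", duration_days=90)
    partner = Policy("Fabrikam partners", "connected_org", ("fabrikam.com",), approval_stages=2)
    approvers = AccessPackage("Finance-Approvers", "Finance", ("Member: Finance-Approvers",),
                              (internal, partner), incompatible_with=frozenset({"Finance-Auditors"}))
    auditors = AccessPackage("Finance-Auditors", "Finance", ("Member: Finance-Auditors",),
                             (internal,), incompatible_with=frozenset({"Finance-Approvers"}))
    baseline = AccessPackage("Finance-Baseline", "Finance", ("User: FinanceApp",),
                             (Policy("Finance staff", "none", auto_rule={"department": "Finance"}),))
    alice = User("alice@contoso.com", attributes={"department": "Finance"})
    bob = User("bob@fabrikam.com", home_tenant="fabrikam.com")
    carol = User("carol@adatum.com", home_tenant="adatum.com")  # adatum is not a connected organization
    dave = User("dave@fabrikam.com", home_tenant="fabrikam.com",
                assignments={"Finance-Approvers": today - timedelta(days=1)})
    out = {
        "alice_approvers": evaluate_request(approvers, alice, today),
        "alice_auditors": evaluate_request(auditors, alice, today),
        "bob_approvers": evaluate_request(approvers, bob, today),
        "carol_approvers": evaluate_request(approvers, carol, today),
        "auto_added": apply_automatic_assignments(baseline, [alice, bob]),
    }
    alice.attributes["department"] = "Sales"  # role change: the attribute rule no longer matches
    out["auto_removed"] = apply_automatic_assignments(baseline, [alice, bob])
    out["dave_expired"] = expire_assignments(dave, today)
    out["dave_cleanup"] = guest_cleanup_action(dave)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints each outcome: the internal user is granted the package immediately for 90 days, her follow-up request for the conflicting package is denied by the separation-of-duties rule, the partner from the connected organization lands in a two-stage approval, the user from an unconnected tenant has no policy that covers him, and the guest whose only assignment lapsed is marked for block-then-delete. The ordering matters: the incompatibility check runs before policy matching, which is why a conflicting assignment cannot be worked around by qualifying under a different policy on the same package.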
Key Planning Considerations:
• Delegation Model: Entitlement Management supports delegation of responsibilities. You can delegate catalog creation to non-administrators by assigning the Catalog Creator role. Within catalogs, you can delegate to Catalog Owners, Access Package Managers, and Access Package Assignment Managers.
• Licensing: Entitlement Management requires Microsoft Entra ID Governance licenses (or the legacy Azure AD Premium P2 licenses). Users who request and are assigned access packages need appropriate licenses.
• External User Lifecycle: Plan how external guest accounts are managed. Entitlement Management can automatically block sign-in and delete guest accounts when their last access package assignment expires.
• Custom Extensions: You can integrate Logic Apps as custom extensions to trigger workflows at various stages (e.g., when access is granted or when it is about to expire).
• Separation of Duties: Plan incompatible access packages to enforce compliance requirements where certain access combinations are prohibited.
• Verified ID Integration: You can require users to present Verifiable Credentials as part of the access request process for enhanced identity verification.
Roles in Entitlement Management:
• Global Administrator / Identity Governance Administrator: Can manage all aspects of Entitlement Management
• Catalog Creator: Can create and manage catalogs (delegated role)
• Catalog Owner: Can edit and manage a specific catalog, add resources, and create access packages
• Access Package Manager: Can create and manage access packages within a catalog, but cannot add resources to the catalog
• Access Package Assignment Manager: Can manage assignments (who has access) but not the access package definition itself
Exam Tips: Answering Questions on Entitlement Management Planning
1. Know the hierarchy: Remember the relationship: Catalog → Access Packages → Policies → Resource Roles. Questions often test whether you understand which component serves which purpose.
2. Understand delegation: The SC-300 exam frequently tests who can do what. Remember that Catalog Creators can create catalogs, Catalog Owners manage resources within catalogs, and Access Package Managers manage access packages but cannot add new resources to the catalog.
3. Multiple policies per access package: A common exam scenario involves different groups of users (internal vs. external) needing different request/approval workflows. The answer is to create multiple policies on the same access package — not separate access packages with duplicate resources.
4. External user scenarios: Pay attention to questions about B2B guest users. Entitlement Management is the recommended way to govern external access. Remember that connected organizations must be configured to allow specific external organizations to request access.
5. My Access portal: Users request access through myaccess.microsoft.com, not through the Azure portal or Entra admin center. This is a common distractor in exam questions.
6. Automatic assignment policies: If a question describes a scenario where access should be automatically granted based on user attributes (like department), the answer involves configuring an automatic assignment policy with dynamic rules — not a request-based policy.
7. Access expiration and guest cleanup: When questions involve removing external user access after a project ends, look for answers that combine access package expiration with the setting to block and delete guest accounts when their last assignment is removed.
8. Licensing questions: Remember that Entitlement Management requires Microsoft Entra ID Governance (or Azure AD Premium P2). If a question asks about prerequisites, licensing is often the correct answer.
9. Separation of duties: If a scenario describes a compliance requirement where a user should not have two conflicting roles, the answer involves configuring incompatible access packages or separation of duties checks.
10. Approval stages: Entitlement Management supports up to 3 stages of approval. Multi-stage approvals are common in exam scenarios involving sensitive resources. Also note that you can configure alternate approvers and set escalation timeframes if primary approvers do not respond.
11. Read the scenario carefully: Many questions will describe a situation where the simplest Entitlement Management feature solves the problem. Avoid overcomplicating your answer — if the question is about packaging resources for self-service request, the answer is almost always access packages.
12. Distinguish from Access Reviews: While access reviews can be configured as part of an access package policy, standalone access reviews are a separate feature. Exam questions may try to blur this distinction — understand that Entitlement Management includes access reviews as part of its lifecycle management but access reviews also exist independently.