Why use entitlement management?
In large organizations, managing access manually becomes error-prone and inefficient. Common challenges include:
Entitlement management addresses these challenges by enforcing structured access requests, approval workflows, and automatic expiration.
Core capabilities of entitlement management
| Capability | Description |
|---|---|
| Delegation | Non-admins can manage access packages for their resources. |
| Self-service access | Users request access through a portal. |
| Approval workflows | Requests can require manager or sponsor approval. |
| Time-bound access | Access automatically expires if not renewed. |
| External collaboration | External users are invited and removed automatically. |
Key terminology (exam-critical)
| Term | Description |
|---|---|
| Catalog | A container for related resources and access packages. |
| Access package | A bundle of resources and roles users can request. |
| Policy | Rules that define who can request access, approvals, and duration. |
| Access request | A user’s request to receive an access package. |
| Assignment | The granted access package, usually time-limited. |
| Connected organization | An external directory or domain allowed to request access. |
| Resource | A group, app, or SharePoint site included in a package. |
| Resource role | Permissions granted on a resource (for example, group member). |
What resources can access packages manage?
Access packages can include:
Indirectly, access packages can also control:
How access is controlled
Access packages always include one or more policies, which define:
A single access package can have multiple policies, for example:
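The policy settings described above (who can request, approvals, and duration) can be reviewed programmatically. The following is an added example, not part of the original page or Microsoft's own code: it audits assignment policies shaped like the Microsoft Graph v1.0 `accessPackageAssignmentPolicy` resource, using two constructed policies attached to one hypothetical access package. The three checks are an assumed review baseline, not an official rule set.

```python
# Added example: audit Graph-shaped assignment policies. All sample data is constructed.
EXTERNAL_SCOPES = {  # allowedTargetScope values that admit users from outside the tenant
    "specificConnectedOrganizationUsers",
    "allConfiguredConnectedOrganizationUsers",
    "allExternalUsers",
}

def audit_policy(policy):
    """Return a list of findings for one assignment policy dict."""
    findings = []
    expiration = policy.get("expiration") or {}
    if expiration.get("type") in (None, "notSpecified", "noExpiration"):
        findings.append("assignments never expire")
    approval = policy.get("requestApprovalSettings") or {}
    needs_approval = approval.get("isApprovalRequiredForAdd", False)
    if needs_approval and not (approval.get("stages") or []):
        findings.append("approval required but no approval stage defined")
    if policy.get("allowedTargetScope") in EXTERNAL_SCOPES and not needs_approval:
        findings.append("external requestors are granted access without approval")
    return findings

def audit_all(policies):
    """Map policy displayName -> findings, keeping only policies with findings."""
    report = {p["displayName"]: audit_policy(p) for p in policies}
    return {name: found for name, found in report.items() if found}

# Constructed sample: two policies on the same (hypothetical) access package.
SAMPLE_POLICIES = [
    {
        "displayName": "Employees - manager approval",
        "allowedTargetScope": "allMemberUsers",
        "expiration": {"type": "afterDuration", "duration": "P180D"},
        "requestApprovalSettings": {
            "isApprovalRequiredForAdd": True,
            "stages": [{"primaryApprovers": [
                {"@odata.type": "#microsoft.graph.requestorManager", "managerLevel": 1}]}],
        },
    },
    {
        "displayName": "Partners - misconfigured",
        "allowedTargetScope": "allConfiguredConnectedOrganizationUsers",
        "expiration": {"type": "noExpiration"},
        "requestApprovalSettings": {"isApprovalRequiredForAdd": False, "stages": []},
    },
]

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_POLICIES).items():
        print(f"{name}: {'; '.join(found)}")
```

In practice the input list would be the policies exported from the tenant rather than the constructed sample.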
When should you use access packages?
Access packages are ideal when:
They do not replace permanent access mechanisms like dynamic groups for baseline access.