Unit 8: Review Per-User Entitlements

Purpose of reviewing entitlements

Following Zero Trust principles, access must be reviewed regularly to ensure:

• Users still need the access.
• Access was provisioned correctly.
• Expired or incorrect assignments are removed.

Microsoft Entra entitlement management provides built-in tools for visibility, auditing, and cleanup.

View who has an access package assignment

Required roles

Any of the following roles can perform this review:

• Identity Governance administrator.
• User administrator.
• Catalog owner.
• Access package manager.
• Access package assignment manager.

Step-by-step: Review assignments

• Open the Microsoft Entra admin center.
• Select ID Governance.
• Select Entitlement management.
• Select Access packages.
• Open the desired access package.
• Select Assignments.

You can now see all active assignments and their status.

Assignment status filters

• Active: Access is successfully provisioned.
• Delivering: One or more resource roles failed provisioning.
• Expired: Access duration has ended.

For delivery errors:

• Open the Requests page.
• Review the specific error details.

Export assignment data

• Select Download to export a CSV of assignments.
• Useful for audits, compliance, and reporting.

Review per-user assignments with PowerShell

PowerShell enables automation and large-scale reviews.

Connect-MgGraph -Scopes "EntitlementManagement.Read.All"

Select-MgProfile -Name "beta"

$accesspackage = Get-MgEntitlementManagementAccessPackage -DisplayNameEq "Marketing Campaign"

$assignments = Get-MgEntitlementManagementAccessPackageAssignment `

-AccessPackageId $accesspackage.Id `

-ExpandProperty target `

-All `

-ErrorAction Stop

$assignments | ft Id,AssignmentState,TargetId,{$_.Target.DisplayName}

Remove an access package assignment

When to remove assignments

• User no longer needs access.
• Access was granted in error.
• Project or engagement ended.
• Security review identified excessive access.

Step-by-step: Remove an assignment

• Open ID Governance → Entitlement management.
• Select Access packages.
• Open the relevant access package.
• Select Assignments.
• Select the checkbox next to the user.
• Select Remove.

Access is revoked according to entitlement lifecycle rules.