The management of access to resources such as Teams, applications, SharePoint site can be a pain in the lifecycle of a user. When the user starts his first day you have to add it to the right groups, to the right Teams. Then if this user has a promotion, you have to add or remove him from each group, Teams or application regarding his new position. If you do that for dozens of users, it is a full-time job.

In Azure AD you can leverage Access Package to handle the onboarding, cross boarding and offboarding a user. Thanks to Access Package, you can provide to users a self-service catalog to request access to resources. An Access Package is a definition of groups, applications, and sites that a user will belong if the request to the Access Package is approved.

The approval to the Access Package can be limited in the time and the request can be approved by the manager. The user can request to Access Package from the MyApps portal.

In this topic, we’ll see how to create an access package and how the user can make the request.

Create the Access Package

To create an Access Package, navigate to Azure AD, Identity Governance and Access Packages. Then click on New access package.

Azure AD, Identity Governance

Provide a name to your access package and a description. You can also create several catalogs.

Provide a name to your access package and a description

Now you can add the resources to the access package. If you have permissions associated to each resource, you can change the permission level with roles.

Now you can add the resources to the access package

In requests, you can set the approval workflow and who can request the access. In this example, I chose users in the directory. You can also create specific access package for guests and external users.


You can filter who can request the access. For example, it can be specific users or groups, all users or only members by excluding guests.

After that you can set the workflow approval. First choose if you want an approval to get access. You can also require a justification to get access. Next choose how many approvers you require to provide access. Then you can specify the approvers including the manager of the user.

In the case the approver doesn’t answer until a specific number of days, you can set a failback approver.

Approval wp-image-19219

In requestor information, you can ask to users to answer to questions.

Requestor information

In lifecyle, you can set expiration and access review. Thanks to access review, user’s access can be reviewed on a regular basis to make sure only the right people have continued access.


In preview, you can also set a workflow that is triggered regarding an event. For example, you if a user is approved to get access, you can send an E-mail to a specific user.

Custom Extension

Finally, you get a summary of your access package. If all settings are good, just click on create.

Summary of your access package

First Approver

How a user request access

From a user account, connect to Then select My Access as in the following screenshot:

Select My Access

Now you get the catalog of access and user can make a request for each access package.

You get the catalog of access

Back to blog