GOV-06: Entitlement Management

Overview

Without a structured way to grant access, users accumulate permissions over time and no one is accountable for removing them. People request access ad hoc, approvers grant it informally, and the access lingers long after the need has passed. This is how privilege creep and orphaned access build up.

Microsoft Entra ID Governance entitlement management replaces ad hoc grants with governed access packages. An access package bundles the groups, applications, and SharePoint sites a role needs, wraps them in an approval workflow, and applies an expiration policy so access is time-bound and reviewed. Users request the package, the right approver decides, and access is removed automatically when the policy lapses.

This control assesses whether entitlement management is in use. The expected state is:

  • Access packages are configured for structured provisioning.
  • Approval workflows are defined for sensitive resources.
  • Access packages include expiration policies.

Control ID: GOV-06
Category: Governance & Hygiene
Baseline Level: Level 2 (Enhanced Security)
Severity: Medium
License Required: Microsoft Entra ID P2, or Microsoft Entra ID Governance. Entitlement management is a governance feature and is not available on lower tiers.

This is an advisory, manual control. TrueConfig reports whether entitlement management is configured, but the design of catalogs, access packages, approval flows, and expiration policies reflects your organization's structure and must be built by an administrator.


Prerequisites

Required Roles

  • Identity Governance Administrator - Recommended, can manage catalogs and access packages
  • Global Administrator - Full access, use only when a scoped role is not available
  • Catalog owner / Access package manager - Delegated roles for teams that manage their own packages

Required Licenses

  • Microsoft Entra ID P2 or Microsoft Entra ID Governance for every user who is assigned an access package

Pre-Configuration Requirements

  1. Identify a first use case. Start with one well-understood access scenario (for example, onboarding to a project or a department toolset) rather than modeling the whole tenant at once.
  2. Inventory the resources that use case needs: the groups, applications, and SharePoint sites to bundle.
  3. Decide who approves. Determine the approver (manager, resource owner, or a named approver) and whether multi-stage approval is required for sensitive resources.

Time Estimate

Task                                                Duration
Verify licensing and enable Identity Governance     15-30 minutes
Create a catalog and add resources                  30-60 minutes
Build the first access package with policy          45-90 minutes
Test the request and approval flow                  30 minutes

Step-by-Step Instructions

Step 1: Confirm Licensing

Entitlement management requires Entra ID P2 or Entra ID Governance. Confirm the users who will receive access packages are licensed before building anything, since assignments to unlicensed users are not supported.

Step 2: Create a Catalog

A catalog is the container for the resources an access package can grant.

  1. Navigate to the Microsoft Entra admin center (https://entra.microsoft.com).
  2. Go to Identity governance > Entitlement management > Catalogs.
  3. Click New catalog, give it a clear name and description, and decide whether it is enabled for external users.
  4. Open the catalog and add resources under Resources: the groups, applications, and SharePoint sites this catalog can hand out.

Step 3: Create an Access Package

  1. In the catalog, go to Access packages > New access package.
  2. Name the package after the role or scenario it serves.
  3. Under Resource roles, select the specific role for each resource (for example, member of a group, or a specific application role).
  4. Continue to the request and lifecycle policy.

Step 4: Define the Request, Approval, and Expiration Policy

  1. Who can request: scope requests to a specific set of users, a connected organization, or all members, depending on the audience.
  2. Approval: require approval for anything sensitive. Configure the approver (manager or a named approver) and add a second stage for higher-risk access.
  3. Lifecycle: set an expiration so access is time-bound (for example, 90 or 180 days). Enable access reviews on the package so continued need is confirmed rather than assumed.
  4. Save the policy.

Step 5: Publish and Test

  1. Share the My Access portal link with a test user.
  2. Have the user request the package and confirm the approval routes to the correct approver.
  3. Confirm the resources are provisioned on approval and that the assignment shows the expected expiration date.

Verification Checklist

  • Entra ID P2 or Entra ID Governance licensing is confirmed for assigned users.
  • At least one catalog exists with its resources added.
  • At least one access package is configured for a real access scenario.
  • Sensitive access packages require approval, with multi-stage approval where warranted.
  • Access packages have expiration policies (access is time-bound, not permanent).
  • Access reviews are enabled on packages that grant sensitive access.
  • The request and approval flow has been tested end to end.
  • TrueConfig reflects that entitlement management is configured for GOV-06.
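The policy from Step 4 and the verification checklist above, as an added Python example that is not TrueConfig's code and not Microsoft's: build_policy produces a Microsoft Graph v1.0 assignmentPolicies request body in the shape Step 4 describes (scoped requestors, manager approval with a named fallback, an optional second stage, a fixed expiration, a recurring access review), and audit_policy checks existing policies against the checklist and the troubleshooting items (approval on sensitive packages, a fallback approver wherever manager-based approval is used, a time-bound expiration, access reviews enabled). It assumes the Graph v1.0 accessPackageAssignmentPolicy field names, a 180-day expiration ceiling taken from Step 4's example values, and constructed sample policies with placeholder identifiers; which packages count as sensitive is an input the organization supplies, since Graph carries no such flag.

```python
"""Build and audit Entra entitlement-management assignment policies (GOV-06).

Added example; not TrueConfig's or Microsoft's code. Assumes the Microsoft Graph
v1.0 accessPackageAssignmentPolicy shape (requestApprovalSettings, expiration,
reviewSettings). Every policy object below is constructed sample data.
"""
import re
from typing import Any, Dict, List, Optional

MAX_EXPIRY_DAYS = 180  # assumed ceiling, from Step 4's "90 or 180 days" guidance
MANAGER = "#microsoft.graph.requestorManager"
SINGLE_USER = "#microsoft.graph.singleUser"


def build_policy(package_id: str, name: str, fallback_user_id: str,
                 owner_user_id: Optional[str] = None,
                 duration_days: int = 90) -> Dict[str, Any]:
    """Request body for POST /identityGovernance/entitlementManagement/assignmentPolicies
    following Step 4. All identifiers are caller-supplied placeholders."""
    def stage(primary: List[Dict[str, Any]]) -> Dict[str, Any]:
        return {
            "durationBeforeAutomaticDenial": "P14D",
            "isApproverJustificationRequired": True,
            "isEscalationEnabled": False,
            "primaryApprovers": primary,
            # fallback so requests do not stall (Troubleshooting: approvals not routing)
            "fallbackPrimaryApprovers": [{"@odata.type": SINGLE_USER, "userId": fallback_user_id}],
        }
    stages = [stage([{"@odata.type": MANAGER, "managerLevel": 1}])]
    if owner_user_id:  # second stage for higher-risk access
        stages.append(stage([{"@odata.type": SINGLE_USER, "userId": owner_user_id}]))
    return {
        "displayName": name,
        "accessPackageId": package_id,
        "allowedTargetScope": "allMemberUsers",
        "expiration": {"type": "afterDuration", "duration": f"P{duration_days}D"},
        "requestApprovalSettings": {"isApprovalRequiredForAdd": True,
                                    "isApprovalRequiredForUpdate": True,
                                    "stages": stages},
        "reviewSettings": {"isEnabled": True, "expirationBehavior": "removeAccess",
                           "schedule": {"recurrence": {"pattern": {"type": "absoluteMonthly",
                                                                   "interval": 3}}}},
    }


_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?$")


def iso_duration_days(duration: str) -> Optional[int]:
    """Approximate an ISO 8601 date duration (P90D, P6M, P1Y) in days; None if unparsable."""
    m = _DURATION.match(duration or "")
    if not m or not any(m.groups()):
        return None
    y, mo, w, d = (int(g or 0) for g in m.groups())
    return y * 365 + mo * 30 + w * 7 + d


def audit_policy(policy: Dict[str, Any], sensitive: bool) -> List[str]:
    """Check one policy against the GOV-06 checklist; an empty list means compliant."""
    findings: List[str] = []
    approval = policy.get("requestApprovalSettings") or {}
    if sensitive and not approval.get("isApprovalRequiredForAdd"):
        findings.append("sensitive package does not require approval")
    for i, stage in enumerate(approval.get("stages") or [], start=1):
        uses_manager = any(a.get("@odata.type") == MANAGER
                           for a in stage.get("primaryApprovers") or [])
        if uses_manager and not stage.get("fallbackPrimaryApprovers"):
            findings.append(f"stage {i}: manager approval with no fallback approver")
    expiration = policy.get("expiration") or {}
    exp_type = expiration.get("type")
    if exp_type in (None, "noExpiration"):
        findings.append("no expiration: access is permanent")
    elif exp_type == "afterDuration":
        days = iso_duration_days(expiration.get("duration", ""))
        if days is None:
            findings.append("expiration duration is unparsable")
        elif days > MAX_EXPIRY_DAYS:
            findings.append(f"expiration of {days} days exceeds the {MAX_EXPIRY_DAYS}-day ceiling")
    if sensitive and not (policy.get("reviewSettings") or {}).get("isEnabled"):
        findings.append("sensitive package has no access review enabled")
    return findings


def audit_policies(policies: List[Dict[str, Any]], sensitive_package_ids: set) -> Dict[str, List[str]]:
    """Audit every policy; sensitive_package_ids lists the accessPackageIds you classify as sensitive."""
    return {p["displayName"]: audit_policy(p, p.get("accessPackageId") in sensitive_package_ids)
            for p in policies}


# Constructed sample: a legacy policy granting permanent access with no review.
LEGACY_POLICY: Dict[str, Any] = {
    "displayName": "Legacy - Finance tools",
    "accessPackageId": "pkg-finance",
    "allowedTargetScope": "allMemberUsers",
    "expiration": {"type": "noExpiration"},
    "requestApprovalSettings": {
        "isApprovalRequiredForAdd": True,
        "stages": [{"primaryApprovers": [{"@odata.type": MANAGER, "managerLevel": 1}],
                    "fallbackPrimaryApprovers": []}],
    },
    "reviewSettings": {"isEnabled": False},
}

if __name__ == "__main__":
    good = build_policy("pkg-finance", "Finance tools - 90 day", "fallback-user-id", "owner-user-id")
    for name, issues in audit_policies([good, LEGACY_POLICY], {"pkg-finance"}).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

To run the audit against a tenant rather than the constructed sample, replace the list with the value array returned by GET https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies (EntitlementManagement.Read.All), and keep the set of sensitive package IDs alongside the catalog design so the findings map directly onto the checklist items.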

Troubleshooting

Issue: A user cannot be assigned an access package

Cause: The user is not licensed for Entra ID P2 or Entra ID Governance.

Solution:

  1. Confirm the user has the required license assigned.
  2. Entitlement management assignments require governance licensing per assigned user, not just per administrator.

Issue: Approvals are not routing to the right person

Cause: The approval stage is set to manager, but the requestor has no manager attribute populated, or the wrong named approver was chosen.

Solution:

  1. For manager-based approval, ensure the manager attribute is set on user accounts.
  2. Add a fallback approver so requests do not stall when the primary approver is unavailable.

Issue: Access is not being removed when it should be

Cause: No expiration policy or access review was configured on the package.

Solution:

  1. Edit the access package policy and set an expiration.
  2. Enable a recurring access review so continued need is confirmed and unused access is removed automatically.

Issue: Too many catalogs and packages to maintain

Cause: Modeling grew faster than the team can govern.

Solution:

  1. Delegate catalog ownership to resource owners so the load is distributed.
  2. Consolidate overlapping packages and standardize naming to keep the inventory understandable.

Cost Considerations

Entitlement management is a paid governance feature. It requires Microsoft Entra ID P2 or the standalone Microsoft Entra ID Governance add-on, licensed per user who is assigned an access package.

  • Licensing scope. Budget for every user who will receive access packages, not just administrators. This is the main cost driver and should be sized against how broadly you plan to roll out packages.
  • Setup effort. Modeling catalogs and packages takes design time up front, but it replaces recurring manual provisioning and de-provisioning work.
  • Return. Time-bound, reviewed access reduces standing privilege, cuts the manual effort of joiner-mover-leaver processes, and produces an audit trail that supports access certification requirements.

Because of the P2 / Governance requirement, GOV-06 is a Level 2 control aimed at organizations that have already licensed identity governance.


Related Controls

  • GOV-03: Conduct Quarterly Privileged Access Reviews (recertify standing access)
  • GOV-08: Administrative Unit Boundaries (scope who administers whom)
  • EXT-04: Configure Guest Access Expiration (time-bound external access)

Related Resources