Microsoft Entra ID Governance offers the capability to manage the access lifecycle of resources through access packages, which are organized into catalogs and define the resources available within them. Each access package includes at least one policy that outlines who can request access to it, the approval process, and access lifecycle settings such as assignment expiration and access review configuration.
Traditionally, during the setup of an access package, you could specify who can request access, including users and groups in the organization's directory or guest users. Now, you have the option to use an automatic assignment policy to manage access packages. This policy includes membership rules that evaluate user attribute values to determine access. You can create one automatic assignment policy per access package, which can assess built-in user attributes or custom attribute values generated by third-party HR systems and on-premises directories. Behind the scenes, Entitlement Management automatically creates dynamic security groups based on the policy rules, which are adjusted as the rules change.
To implement an automatic assignment policy, you need to meet the following prerequisites:
3) Choose the access package and then click on Policies
4) Select + add auto assignment policy
5) Choose Edit, located on the top right of the Rule Syntax box
6) In the new window, you can build the rule by using operators. Once the rule syntax is defined, click on Save.
7) Once returned to the policy window, select Next to proceed.
8) On the Review page, provide the name and description for the policy. Choose Create to proceed with policy creation.
9) Once the policy is created, you can view it under the policies list in the access package.
Please note that you can’t remove the initial access package policy, as the automatic assignment policy is not a replacement for it. The initial policy also holds other configuration settings such as the approval process and access reviews, among others. You can adjust the user scope in the initial policy, but you can’t completely remove the user scope from it.
After the policy is created, entitlement management automatically creates a dynamic group to match the membership rules.
If you go to Assignments under the access package, you can see the users who have been processed by the automatic assignment policy.
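The same policy can be created and then checked from Microsoft Graph PowerShell. The script below is an added example, not part of the original article: it assumes the Microsoft.Graph module is installed, the access package ID is a placeholder, and the `user.department` rule is a constructed sample. Because an automatic assignment policy grants access with no request or approval step, the script reads back every auto assignment rule on the package and lists the delivered assignments so the rule's real scope can be reviewed.

```powershell
# Added example: create an automatic assignment policy, then review its effect.
# Assumptions: Microsoft.Graph PowerShell module installed; placeholder ID; sample rule.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

$accessPackageId = "00000000-0000-0000-0000-000000000000"   # placeholder: your access package ID
$rule            = '(user.department -eq "Sales")'          # constructed sample membership rule

$policy = @{
    DisplayName            = "Auto-assign Sales department"
    Description            = "Automatic assignment based on user.department"
    AllowedTargetScope     = "specificDirectoryUsers"
    SpecificAllowedTargets = @(
        @{
            "@odata.type"  = "#microsoft.graph.attributeRuleMembers"
            description    = "Users whose department is Sales"
            membershipRule = $rule
        }
    )
    # This flag is what turns the policy into an automatic assignment policy.
    AutomaticRequestSettings = @{ RequestAccessForAllowedTargets = $true }
    AccessPackage            = @{ Id = $accessPackageId }
}
New-MgEntitlementManagementAssignmentPolicy -BodyParameter $policy | Out-Null

# Read back every policy on the package and show the rule of each automatic one.
$package = Get-MgEntitlementManagementAccessPackage -AccessPackageId $accessPackageId `
    -ExpandProperty "assignmentPolicies"

$package.AssignmentPolicies |
    Where-Object { $_.AutomaticRequestSettings.RequestAccessForAllowedTargets } |
    ForEach-Object {
        [pscustomobject]@{
            Policy = $_.DisplayName
            # membershipRule belongs to the attributeRuleMembers subtype, so the SDK
            # exposes it through AdditionalProperties rather than a typed property.
            Rule   = ($_.SpecificAllowedTargets |
                      ForEach-Object { $_.AdditionalProperties["membershipRule"] }) -join "; "
        }
    } | Format-Table -AutoSize

# List delivered assignments to compare against who the rule was meant to cover.
Get-MgEntitlementManagementAssignment -All -ExpandProperty target `
    -Filter "accessPackage/id eq '$accessPackageId' and state eq 'Delivered'" |
    Select-Object Id, State, @{ n = "User"; e = { $_.Target.DisplayName } } |
    Format-Table -AutoSize
```

Assignments can take some time to appear after the policy is created, so an empty assignment list immediately after creation does not by itself mean the rule matched nobody.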
As you can see, the automatic assignment policy is working as expected and users have been assigned to the access package automatically. This article explained how to create an automatic assignment policy for an access package in Microsoft Entra ID Governance entitlement management. An automatic assignment policy allows users to get access to resources based on their attributes or roles, without requiring any request or approval process.