Azure AD entitlement management is now generally available
Published Nov 25 2019 09:00 AM

Howdy folks,


As we announced at Ignite, Azure AD entitlement management is now generally available—providing customers an important addition to Privileged Identity Management (PIM), Terms of use, and Access reviews to deliver core cloud-based Identity Governance capabilities.


For a truly complete solution, most organizations need a way to govern employee and business partner access to resources at enterprise scale. Azure AD entitlement management removes barriers to internal and external collaboration by automating employee and partner access requests, approvals, auditing, and review for Office 365, for thousands of popular SaaS apps like Workday and Google Apps, as well as for any line-of-business app.


With the rapid adoption of SaaS apps and cloud services by business units, many central IT teams don’t know which users should have which access rights. They must delegate management of access approvals and review, for example by having someone in the sales department determine what access rights employees on the sales team need, while maintaining strong compliance and security policies.


For example, if the Contoso sales division needs to enable more employees to work on sales support, they can create a “Sales support” access package, which includes the relevant memberships in Office 365 and Azure AD security groups, Microsoft Teams, role assignments in SaaS apps such as Salesforce, roles in their own apps, and access to SharePoint Online sites. They can configure policies to include who can request this access package, who must approve, and how long the users who request will have access to these specific resources.




When an employee requests an access package and their request is approved, the employee is automatically provisioned access to the groups, apps, and other resources in the access package. Based on feedback from customers during the preview, we added more options for workflow—such as having the user's manager as the approver—and will continue to expand the workflow choices for scenarios such as multi-stage approval.




Azure AD entitlement management works with Azure AD B2B to enable collaboration across business partners. Employees from a business partner can request access to resources using the same access packages and our policy engine, including provisioning their accounts upon approval by a business sponsor. This makes it simple to grant access to a specified set of resources for your business partners while knowing your processes are compliant and secure. 




Regardless of how a user got access, their access rights are automatically removed when the access package assignment expires, so you don’t need to remember to remove it manually when a project is done.


We’ve been working with many customers and partners, including Avanade and Centrica, who use entitlement management to simplify and orchestrate collaboration.


Here’s what one customer had to say about the feature:


"This solution proves valuable both to our IT teams and all the users who are trying to collaborate. The solution is easy, quick, and agile, all while requiring minimal involvement from our IT team and being properly (if not better) controlled." —James Simms, Senior Solutions Architect for Centrica


Entitlement management is an Azure AD Premium P2 feature, part of Enterprise Mobility + Security (EMS) E5.


To learn more, watch these recordings from Ignite:



And check out our documentation, video, and API reference guide.


Please let us know what you think in the comments below. We look forward to hearing from you!


Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

Last update: Jul 24 2020 01:28 AM