---
name: Entitlement Management Access Package Audit
description: "Audit Microsoft Entra entitlement management access packages: policies, separation of duties, approvals and expirations for identity governance."
---

# Entitlement Management Access Package Audit

> **TL;DR:** This skill inspects Microsoft Entra entitlement management access packages, policies, approval workflows and expirations, then produces a ranked findings table so you can spot weak separation-of-duties controls and ungoverned standing access.

## What is a Microsoft Entra access package?

A Microsoft Entra access package is the unit of identity governance that bundles groups, applications, SharePoint sites and other resources together with the policies that decide who can request them, who approves, and when access expires. This skill reviews those packages and policies in your Microsoft Entra ID Governance tenant, focusing on separation-of-duties (incompatible access package) settings, approval requirements and access review or expiration enforcement. It complements Conditional Access and Microsoft Purview by ensuring entitlements are time-bound, justified and reviewed.

## When should you run this skill?

- "Show me which access packages let users request access with no approval step."
- "Are our separation-of-duties rules stopping incompatible access package combinations?"
- "Which access package assignments never expire or have no access review scheduled?"
- "Audit entitlement management before our next identity governance attestation."
- "Find access packages where external guests can self-request sensitive resources."
- "Check that privileged resource bundles require justification and multi-stage approval."
- "Prepare an Essential Eight restrict-administrative-privileges evidence pack for access packages."

## How this skill works, step by step

1. Connect read-only to Microsoft Entra ID Governance using delegated Microsoft Graph permissions scoped for entitlement management reporting.
2. Enumerate all access packages and their parent catalogues, recording the resources (groups, applications, sites) each package grants.
3. Retrieve each access package assignment policy, capturing requestor scope (internal users, connected organisations, external guests), approval stages and expiration settings.
4. Inspect separation-of-duties configuration, listing any incompatible access packages or incompatible groups declared on each package.
5. Pull current assignments and pending requests to identify standing access, long-lived assignments and approvals that bypass review.
6. Evaluate each policy against governance baselines: approval required, justification required, defined expiration, scheduled access review and enforced incompatible-access rules.
7. Derive a risk score for each finding by weighting missing approval, missing expiration, broad external requestor scope and absent separation-of-duties controls.
8. Rank findings from highest to lowest residual risk and map each to the relevant control reference.
9. Compile the results into a findings table and summary, with no changes written back to the tenant.
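The scoring in steps 6 to 8, as an added example that is not the skill's own code: it takes access packages and their assignment policies as plain dicts whose field names loosely mirror Microsoft Graph entitlement management resources (`allowedTargetScope`, `expiration`, `requestApprovalSettings`, `reviewSettings`, `incompatibleAccessPackages`), treats those names and the weights as assumptions, and runs on constructed sample data shaped like the two rows in the output-format table below.

```python
# Added example, not the skill's own code: score assignment policies against the step 6
# baseline, weight gaps (step 7), rank (step 8). Field names loosely mirror Graph; assumed.
WEIGHTS = {"no_approval": 40, "no_justification": 10, "no_expiration": 25,
           "no_access_review": 15, "external_requestors": 20, "no_sod_rules": 15}
EXTERNAL_SCOPES = {"allExternalUsers", "allConfiguredConnectedOrganizationUsers"}

def policy_gaps(policy, package):
    """Return the step 6 baseline gaps for one assignment policy on one package."""
    gaps = []
    approval = policy.get("requestApprovalSettings") or {}
    if not (approval.get("isApprovalRequiredForAdd") and approval.get("stages")):
        gaps.append("no_approval")       # self-service request, nobody approves
    if not policy.get("isRequestorJustificationRequired"):
        gaps.append("no_justification")
    if (policy.get("expiration") or {}).get("type", "noExpiration") == "noExpiration":
        gaps.append("no_expiration")     # standing access
    if not (policy.get("reviewSettings") or {}).get("isEnabled"):
        gaps.append("no_access_review")
    if policy.get("allowedTargetScope") in EXTERNAL_SCOPES:
        gaps.append("external_requestors")
    # Simplification: resources are not classified here, so any package with no incompatible rules is flagged.
    if not (package.get("incompatibleAccessPackages") or package.get("incompatibleGroups")):
        gaps.append("no_sod_rules")
    return gaps

def risk_band(score):
    """Map a 0-100 score onto the High/Medium/Low bands of the findings table."""
    return "High" if score >= 60 else "Medium" if score >= 30 else "Low"

def rank_findings(packages):
    """Steps 7-8: weight each policy's gaps into a score, rank highest risk first."""
    findings = []
    for pkg in packages:
        for pol in pkg.get("assignmentPolicies", []):
            gaps = policy_gaps(pol, pkg)
            if gaps:
                score = min(100, sum(WEIGHTS[g] for g in gaps))
                findings.append({"package": pkg["displayName"], "policy": pol["displayName"],
                                 "gaps": gaps, "score": score, "risk": risk_band(score)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

SAMPLE_PACKAGES = [  # constructed data mirroring the two output-format rows
    {"displayName": "Finance-Privileged-Apps", "incompatibleAccessPackages": [],
     "assignmentPolicies": [{"displayName": "Direct", "allowedTargetScope": "allMemberUsers",
                             "expiration": {"type": "noExpiration"}}]},
    {"displayName": "Project-Collaboration-Guests", "incompatibleAccessPackages": [],
     "assignmentPolicies": [{"displayName": "Guests", "allowedTargetScope": "allExternalUsers",
                             "isRequestorJustificationRequired": True,
                             "requestApprovalSettings": {"isApprovalRequiredForAdd": True,
                                                         "stages": [{"primaryApprovers": []}]},
                             "expiration": {"type": "afterDuration", "duration": "P90D"},
                             "reviewSettings": {"isEnabled": True}}]}]
```

With the sample data the Finance package scores 100 (High) and the guest package 35 (Medium), which is the ordering the findings table shows.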

## Output format

The skill returns a prioritised findings table followed by a short summary; the summary covers the points listed after the table.

| Access package | Finding | Risk | Control reference |
| --- | --- | --- | --- |
| Finance-Privileged-Apps | Policy grants access with no approval stage and no expiration | High | Essential Eight: Restrict administrative privileges |
| Project-Collaboration-Guests | External guests self-request with no separation-of-duties rule | Medium | ISM-1175 (privileged access management) |

- Total access packages and policies analysed, and the count of high, medium and low risk findings.
- Access packages missing an approval stage, justification or defined expiration.
- Packages with no incompatible-access (separation-of-duties) rules where sensitive resources are bundled.
- Assignments that are standing or long-lived with no scheduled access review.

## Scope and safety

This skill is read-only by default and makes no changes to your tenant, access packages, policies or assignments. It only reads entitlement management configuration and assignment metadata to produce an audit report.

This skill does NOT:

- Create, modify or delete access packages, catalogues or assignment policies.
- Approve, deny, grant or revoke any access request or assignment.
- Alter separation-of-duties, approval or expiration settings.
- Change Conditional Access, Microsoft Purview or any other tenant configuration.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Microsoft Entra entitlement management (access packages, catalogues, policies) | Microsoft Entra ID Governance (or Microsoft Entra ID P2) |
| Separation-of-duties incompatible-access rules and access reviews on packages | Microsoft Entra ID Governance (or Microsoft Entra ID P2) |

### Least-privilege roles

- Global Reader — read-only visibility across entitlement management configuration and assignments.
- Identity Governance Administrator (or a delegated catalogue Access package manager) where Global Reader does not surface a required catalogue.

### Microsoft Graph permissions (read-only)

- `EntitlementManagement.Read.All` — reads access packages, catalogues, assignment policies, separation-of-duties rules, assignments and requests.
- `Directory.Read.All` — resolves the users, groups and applications that packages grant and that policies scope requestors to.
- `AccessReview.Read.All` — confirms whether scheduled access reviews govern package assignments.

## Sources and compliance

- [Microsoft Entra entitlement management overview](https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-overview)
- [Entitlement management reports and logs](https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-reports)
- Maps to the Essential Eight control "Restrict administrative privileges" by verifying that access to privileged resources is approved, justified, time-bound and reviewed: [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Supports ISM privileged access management expectations by evidencing separation-of-duties and expiration enforcement on access packages.
- Output in Australian English.
