Step-by-Step: Assign access packages automatically based on user properties in Microsoft Entra ID

Microsoft Entra ID Governance offers the capability to manage the access lifecycle of resources through access packages, which are organized into catalogs and define the resources available within them. Each access package includes at least one policy that outlines who can request access to it, the approval process, and access lifecycle settings such as assignment expiration and access review configuration.

For more detailed information on Access Packages, you can refer to this link:

Traditionally, during the setup of an access package, you could specify who can request access, including users and groups in the organization's directory or guest users. Now, you have the option to use an automatic assignment policy to manage access packages. This policy includes membership rules that evaluate user attribute values to determine access. You can create one automatic assignment policy per access package, which can assess built-in user attributes or custom attribute values generated by third-party HR systems and on-premises directories. Behind the scenes, Entitlement Management automatically creates dynamic security groups based on the policy rules, which are adjusted as the rules change.

To implement an automatic assignment policy, you need to meet the following prerequisites:

  1. Microsoft Governance licenses – Ensure you have the necessary licenses in place. For more information on licensing, visit
  2. Global administrator or Identity Governance administrator account.
  3. An existing access package.

Once these prerequisites are met, you can proceed with setting up the automatic assignment policy. To do that,

1) Log in to Entra at as a Global administrator or Identity Governance administrator

2) Select Identity governance | Entitlement management | Access package


3) Choose the access package and then click on Policies


4) Select + add auto assignment policy


5) Choose Edit, located on the top right of the Rule Syntax box


6) In the new window, you can build the rule by using operators. Once the rule syntax is defined, click on Save.

7) Once returned to the policy window, select Next to proceed.

8) On the Review page, provide the name and description for the policy. Choose Create to proceed with policy creation.

9) Once the policy is created, you can view it under the policies list in the access package.
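
The same policy can be created from a script instead of the portal. The following is an added example, not part of the original article, using the Microsoft Graph PowerShell SDK; the access package name, the policy name and the `user.department` rule are placeholder assumptions to replace with your own values.

```powershell
# Added example: scripted equivalent of the portal steps above.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account is a Global administrator or Identity Governance administrator.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

$packageName = "Marketing Campaign"              # placeholder access package name
$rule = '(user.department -eq "Marketing")'      # placeholder membership rule

# Resolve the existing access package and stop if the name is ambiguous or missing.
$package = Get-MgEntitlementManagementAccessPackage -Filter "displayName eq '$packageName'"
if (@($package).Count -ne 1) {
    throw "Expected exactly one access package named '$packageName', found $(@($package).Count)."
}

$policy = @{
    DisplayName        = "Auto-assign: Marketing department"   # placeholder policy name
    Description        = "Automatic assignment for users matching $rule"
    AllowedTargetScope = "specificDirectoryUsers"
    # The membership rule that entitlement management evaluates for each user.
    SpecificAllowedTargets = @(
        @{
            "@odata.type"  = "#microsoft.graph.attributeRuleMembers"
            description    = "Users in the Marketing department"
            membershipRule = $rule
        }
    )
    AutomaticRequestSettings = @{
        # Assign users who match the rule without a request.
        RequestAccessForAllowedTargets = $true
        # Remove the assignment when a user no longer matches the rule.
        RemoveAccessWhenTargetLeavesAllowedTargets = $true
    }
    AccessPackage = @{ Id = $package.Id }
}

$created = New-MgEntitlementManagementAssignmentPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName
```

Because this policy grants access with no request or approval step, anyone who can change the attribute used in the rule can effectively grant the access package. Check which systems and roles can write that attribute before relying on it.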


Please note that you can't remove the initial access package policy, as this automatic access policy is not a replacement for it. The initial policy also holds other configuration settings such as the approval process and access reviews, among others. You can adjust the user scope in the initial policy but you can't completely remove the user scope in the policy. 


After the policy is created, entitlement management automatically creates a dynamic group to match the membership rules. 



If you go to Assignments under the access package, you can see the users who have been processed by the automatic assignment policy.


As you can see, the automatic assignment policy is working as expected and users have been assigned to the access package automatically. This article explained how to create an automatic assignment policy for an access package in Microsoft Governance entitlement management. An automatic assignment policy allows users to get access to resources based on their attributes or roles, without requiring any request or approval process.

Learn more:

Microsoft Governance licensing fundamentals – 

Microsoft Entra ID Governance service limits –  


This article was originally published by Microsoft's ITOps Talk Blog. You can find the original article here.