Create Access Packages for Agent Resource Assignments

Implementation Effort: Medium – Requires defining catalogs, selecting resource roles, configuring approval policies, and setting expiration and lifecycle rules for each access package.
User Impact: Low – Sponsors and administrators interact with access packages through the My Access portal and admin center; agents receive access grants without end-user involvement.

Overview

Agent identities need access to organizational resources — group memberships, OAuth API permissions, Microsoft Entra roles — but granting those permissions directly creates standing privilege that persists indefinitely and bypasses any approval process. Access packages in Microsoft Entra entitlement management solve this by channeling all agent resource assignments through governed bundles with approval workflows, expiration policies, and separation of duties checks. Without access packages, agent permissions are granted ad hoc, accumulate over time, and become exactly the kind of unmanaged standing access that threat actors target when they compromise a non-human identity.

This activity supports Verify explicitly by routing every agent resource assignment through an approval workflow that validates business justification before granting access. It supports Use least privilege access through time-bounded expiration that forces periodic re-justification — sponsors are notified as assignments approach expiry and must actively extend or allow access to lapse. It supports Assume breach by ensuring that access granted to a compromised agent identity automatically expires and can be immediately revoked by removing the access package assignment. If access packages are not created for agent resource assignments, permissions are granted through direct assignments that lack expiration, approval, and audit controls.
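The following script is an added illustration, not code from this page or from Microsoft's documentation, of the controls described above: a catalog, an access package, an assignment policy that requires sponsor approval and expires after 30 days, a direct assignment for an agent identity, and revocation by removing that assignment. It uses the Microsoft.Graph.Identity.Governance PowerShell module against the v1.0 entitlement management endpoints; every GUID is a placeholder, and binding the group's Member role into the package (done in the admin center after the group is added to the catalog) is not shown.

```powershell
# Added example (not from the page): govern an agent identity's access through an
# Entra entitlement management access package. Requires the Microsoft.Graph
# PowerShell SDK (Microsoft.Graph.Identity.Governance module). All IDs below are
# placeholders to replace with values from your own tenant.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

$agentObjectId  = "<agent-service-principal-object-id>"   # placeholder: the agent identity
$sponsorUserId  = "<sponsor-user-object-id>"              # placeholder: approver/sponsor
$groupObjectId  = "<security-group-object-id>"            # placeholder: resource the agent needs

# 1. A catalog scopes which resources may be bundled into agent access packages.
$catalog = New-MgEntitlementManagementCatalog -BodyParameter @{
    displayName         = "Agent resources"
    description         = "Resources that agent identities may be assigned"
    isExternallyVisible = $false
}

# 2. Add the group to the catalog so it can be referenced by a package.
New-MgEntitlementManagementResourceRequest -BodyParameter @{
    requestType = "adminAdd"
    catalog     = @{ id = $catalog.Id }
    resource    = @{ originId = $groupObjectId; originSystem = "AadGroup" }
} | Out-Null

# 3. The access package is the governed bundle the agent will be assigned.
$package = New-MgEntitlementManagementAccessPackage -BodyParameter @{
    displayName = "Agent: reporting group membership"
    description = "Time-bounded group membership for the reporting agent"
    catalog     = @{ id = $catalog.Id }
}

# 4. The policy enforces the controls the text describes: only the named agent
#    is an allowed target, a sponsor must approve, and access lapses after 30 days
#    unless it is actively extended.
$policy = New-MgEntitlementManagementAccessPackageAssignmentPolicy -BodyParameter @{
    displayName            = "Agent assignment, sponsor-approved, 30-day expiry"
    description            = "No standing access: re-justify every 30 days"
    accessPackage          = @{ id = $package.Id }
    allowedTargetScope     = "specificDirectoryServicePrincipals"
    specificAllowedTargets = @(
        @{ "@odata.type" = "#microsoft.graph.singleServicePrincipal"
           servicePrincipalId = $agentObjectId }
    )
    expiration             = @{ type = "afterDuration"; duration = "P30D" }  # ISO 8601 duration
    requestApprovalSettings = @{
        isApprovalRequiredForAdd    = $true
        isApprovalRequiredForUpdate = $true
        stages = @(
            @{
                durationBeforeAutomaticDenial   = "P7D"   # unanswered requests are denied, not left open
                isApproverJustificationRequired = $true
                primaryApprovers = @(
                    @{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $sponsorUserId }
                )
            }
        )
    }
}

# 5. Assign the agent through the package (an admin-direct assignment request)
#    rather than by adding it to the group directly; expiration is inherited
#    from the policy, so no standing privilege is created.
New-MgEntitlementManagementAssignmentRequest -BodyParameter @{
    requestType = "adminAdd"
    assignment  = @{
        targetId           = $agentObjectId
        assignmentPolicyId = $policy.Id
        accessPackageId    = $package.Id
    }
} | Out-Null

# 6. Audit: list delivered assignments for this package, which is what a reviewer
#    checks when looking for access that should have lapsed.
$assignments = Get-MgEntitlementManagementAssignment `
    -Filter "accessPackage/id eq '$($package.Id)' and state eq 'delivered'" `
    -ExpandProperty target
$assignments | Select-Object Id, State, ExpiredDateTime, @{ n = "Target"; e = { $_.Target.ObjectId } }

# 7. Revocation (the "assume breach" path): removing the assignment withdraws
#    every resource role the package granted, in one action.
foreach ($a in $assignments) {
    New-MgEntitlementManagementAssignmentRequest -BodyParameter @{
        requestType = "adminRemove"
        assignment  = @{ id = $a.Id }
    } | Out-Null
}
```

Step 7 is shown to make the revocation path concrete; in practice you would run it for a single compromised agent's assignment rather than for every assignment in the package. The `-Filter` on `state eq 'delivered'` is what distinguishes live access from expired or pending assignments when you review what an agent currently holds.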

Reference