Roll out access packages for guests
Implementation Effort: High – Identity governance teams must define access requirements, configure access packages, and establish approval workflows and approvers tailored to external collaboration scenarios.
User Impact: High – Guest users will need guidance to a self-service onboarding process.
Overview
Configuring access packages for guest users in Microsoft Entra ID involves creating structured and policy-driven access pathways that align with the organization's collaboration needs. This process begins by identifying common external collaboration scenarios and determining the specific resources—such as Microsoft Teams, SharePoint sites, or enterprise applications—that external users require access to based on their business roles, and model those as catalogs, connected organizations, and approvals.
Utilizing Microsoft Entra ID Governance's entitlement management, administrators can create access packages that bundle these resources. Each access package is associated with a catalog and includes policies that define who can request access, whether approval is required, and the duration of access. For instance, an access package can be configured to allow users from connected organizations to request access, with an internal sponsor's approval and an automatic expiration after a set period.
This approach aligns with the Zero Trust principles by enforcing "Verify explicitly" through authentication and approval processes, and "Use least privilege access" by granting only the necessary permissions for a defined duration. Failure to implement structured onboarding access packages can lead to inconsistent access controls, increased administrative overhead, and potential security risks due to over-provisioned or unmanaged guest access.