Introduction
Managing access to resources in any organization is crucial for security, compliance, and operational efficiency. Microsoft Entra ID (formerly Azure AD) provides governance features to help organizations control who has access to what and ensure that access is granted appropriately.
Two key features that help with access management are:
- Access Reviews
- Access Packages
Although both play a role in identity governance, they serve different purposes. In this article, we’ll break down the key differences, use cases, and how they fit into your security and compliance strategy.
What is an Access Review?
An Access Review is used to periodically validate and ensure that users still require access to a specific resource (e.g., groups, Teams, apps, or privileged roles).
Purpose:
- Prevents unnecessary access by reviewing existing permissions.
- Ensures compliance with security policies and regulatory requirements.
- Reduces risks of privilege creep (users accumulating unnecessary permissions over time).
Key Features:
✔️ Scheduled Reviews – Can be set to run at regular intervals (e.g., quarterly, annually).
✔️ Reviewer Assignment – Access can be reviewed by managers, resource owners, or users themselves.
✔️ Automated Decision Making – Can recommend removals based on inactivity.
✔️ Integration with Conditional Access – Helps enforce Zero Trust principles.
Common Use Cases:
📌 Annual Security Review – Ensuring employees still need access to sensitive HR systems.
📌 Privileged Role Review – Reviewing admin roles like Global Admin or Security Admin.
📌 Contractor Offboarding – Removing access from temporary employees or vendors after project completion.
What is an Access Package?
An Access Package is a predefined bundle of permissions, groups, applications, and roles that users can request access to. It is managed under Entitlement Management in Entra ID.
Purpose:
- Allows users to request access to multiple resources at once.
- Automates approvals based on predefined policies.
- Ensures access is granted and revoked based on business needs.
Key Features:
✔️ Self-Service Requests – Employees or external users can request access via a portal.
✔️ Approval Workflow – Access can be auto-approved or require manager approval.
✔️ Lifecycle Management – Access can be time-limited and automatically revoked.
✔️ Cross-Tenant Collaboration – Helps manage guest access in B2B scenarios.
Common Use Cases:
📌 Employee Onboarding – A new hire requests an “IT Onboarding” package, which includes access to Teams, SharePoint, and HR applications.
📌 Project-Based Access – A user needs temporary access to a Finance project for 6 months.
📌 External Collaboration – A partner company needs access to a specific Microsoft 365 group.
Key Differences: Access Review vs. Access Package
Feature | Access Review | Access Package |
---|---|---|
Purpose | Periodically review and validate existing access | Provide users with a way to request and obtain access |
Use Case | Ensures that users still need the access they have | Allows users to request access based on business needs |
Triggers | Can be scheduled or manually initiated | Users request access; admins define policies |
Governance | Helps remove unnecessary access to meet compliance requirements | Provides self-service access based on policies |
Who Initiates? | Admins set up reviews, and reviewers (managers, owners) approve/reject | Admins create packages; users request access |
Scope | Used for reviewing access to groups, teams, applications, and privileged roles | Used for bundling multiple resources (groups, apps, roles) into a package |
Automation | Can be automated based on recommendations and conditions | Includes lifecycle policies (auto-expiration, reapproval) |
Example Scenario | A manager must review and approve access to a SharePoint site every 6 months | A new employee requests access to an “IT Onboarding” package containing Teams, SharePoint, and applications |
When to Use Access Review vs. Access Package?
✅ Use Access Review when:
- You need to re-evaluate existing access regularly.
- You want to enforce compliance and remove unnecessary permissions.
- You have privileged users with high-risk access that requires periodic reviews.
✅ Use Access Package when:
- You need to provide on-demand access to groups, apps, or roles.
- You want to automate onboarding/offboarding for employees and external users.
- You need a self-service solution that reduces IT admin overhead.
Real-World Example
Scenario:
A multinational company wants to manage access efficiently while maintaining security and compliance.
1️⃣ Access Packages for Onboarding:
- A new Finance Analyst joins and requests an “Accounting Access Package” that includes access to SAP, Teams, and SharePoint.
- Their request follows an approval workflow where their manager must approve it.
- The package is set to expire in one year, requiring renewal if needed.
2️⃣ Access Reviews for Compliance:
- Every six months, the IT team runs an Access Review for all Finance employees.
- The manager checks whether employees still need SAP and SharePoint access.
- Inactive users are automatically removed to enforce least-privilege access.
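The two halves of this scenario can be expressed as Microsoft Graph v1.0 request bodies. The following is an added example, not part of the original article. It assumes the Microsoft Graph PowerShell SDK is installed, that the "Accounting Access Package" already exists, and that Finance access is granted through a single group. Both IDs are placeholders and the display names are illustrative.

```powershell
# Added example. IDs are placeholders, not values from the article.
$accessPackageId = '<access-package-id>'   # placeholder: the "Accounting Access Package"
$financeGroupId  = '<finance-group-id>'    # placeholder: group that grants Finance access
$graph = 'https://graph.microsoft.com/v1.0/identityGovernance'

Connect-MgGraph -Scopes 'EntitlementManagement.ReadWrite.All','AccessReview.ReadWrite.All'

# 1) Access package assignment policy: self-service request, manager approval, one-year expiry.
$policy = @{
    displayName        = 'Finance analysts: manager approval, 1 year'
    description        = 'Requested by employees, approved by their manager'
    allowedTargetScope = 'allMemberUsers'
    accessPackage      = @{ id = $accessPackageId }
    expiration         = @{ type = 'afterDuration'; duration = 'P365D' }
    requestorSettings  = @{ enableTargetsToSelfAddAccess = $true }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd = $true
        stages = @(@{
            durationBeforeAutomaticDenial   = 'P14D'   # unanswered requests are denied
            isApproverJustificationRequired = $true
            primaryApprovers = @(@{ '@odata.type' = '#microsoft.graph.requestorManager'; managerLevel = 1 })
        })
    }
}

# 2) Access review: every six months, each member's manager reviews; if the manager
#    does not respond, the system recommendation (based on sign-in inactivity) is
#    used as the decision and applied automatically.
$review = @{
    displayName = 'Finance access: semi-annual review'
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = "/groups/$financeGroupId/transitiveMembers"
        queryType     = 'MicrosoftGraph'
    }
    reviewers = @(@{ query = './manager'; queryType = 'MicrosoftGraph'; queryRoot = 'decisions' })
    settings = @{
        instanceDurationInDays    = 14
        recommendationsEnabled    = $true
        defaultDecisionEnabled    = $true
        defaultDecision           = 'Recommendation'
        autoApplyDecisionsEnabled = $true
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 6 }
            range   = @{ type = 'noEnd'; startDate = (Get-Date).ToString('yyyy-MM-dd') }
        }
    }
}

Invoke-MgGraphRequest -Method POST -Uri "$graph/entitlementManagement/assignmentPolicies" -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
Invoke-MgGraphRequest -Method POST -Uri "$graph/accessReviews/definitions" -Body ($review | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```

If some requestors or group members have no manager set in the directory, add `fallbackPrimaryApprovers` to the approval stage and `fallbackReviewers` to the review definition so those requests and decisions are not left without an owner.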
Outcome:
🔹 New users get access quickly and securely through Access Packages.
🔹 Existing access is continuously monitored and cleaned up via Access Reviews.
🔹 The company reduces security risks and ensures compliance with minimal manual effort.
Conclusion
Both Access Reviews and Access Packages are essential for Identity Governance in Microsoft Entra ID.
- Access Reviews help organizations audit and remove unnecessary access.
- Access Packages streamline the process of granting access efficiently.
By using both effectively, organizations can enhance security, reduce IT overhead, and ensure compliance with governance policies.