|
| 1 | +--- |
| 2 | +title: Create a new access package in Azure AD entitlement management (Preview) - Azure Active Directory |
| 3 | +description: Learn how to create a new access package of resources you want to share in Azure Active Directory entitlement management (Preview). |
| 4 | +services: active-directory |
| 5 | +documentationCenter: '' |
| 6 | +author: rolyon |
| 7 | +manager: mtillman |
| 8 | +editor: |
| 9 | +ms.service: active-directory |
| 10 | +ms.workload: identity |
| 11 | +ms.tgt_pltfrm: na |
| 12 | +ms.devlang: na |
| 13 | +ms.topic: conceptual |
| 14 | +ms.subservice: compliance |
| 15 | +ms.date: 04/24/2019 |
| 16 | +ms.author: rolyon |
| 17 | +ms.reviewer: |
| 18 | +ms.collection: M365-identity-device-management |
| 19 | + |
| 20 | + |
| 21 | +#Customer intent: As an administrator, I want detailed information about the options available when creating a new access package so that the access package can be managed with minimal effort. |
| 22 | + |
| 23 | +--- |
| 24 | +# Create a new access package in Azure AD entitlement management (Preview) |
| 25 | + |
| 26 | +> [!IMPORTANT] |
| 27 | +> Azure Active Directory (Azure AD) entitlement management is currently in public preview. |
| 28 | +> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. |
| 29 | +> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). |
| 30 | +
|
| 31 | +An access package enables you to do a one-time setup of resources and policies that automatically administers access for the life of the access package. This article describes how to create a new access package. |
| 32 | + |
| 33 | +## Overview |
| 34 | + |
| 35 | +All access packages must be put in a container called a catalog. A catalog defines what resources you can add to your access package. If you don't specify a catalog, your access package will be put into the General catalog. Currently, you can't move an existing access package to a different catalog. |
| 36 | + |
| 37 | +All access packages must have at least one policy. Policies specify who can request the access package and also approval and expiration settings. When you create a new access package, you can create an initial policy for users in your directory, for users not in your directory, for administrator direct assignments only, or you can choose to create the policy later. |
| 38 | + |
| 39 | +The following diagram shows the high-level process to create a new access package. |
| 40 | + |
| 41 | + |
| 42 | + |
| 43 | +## Start new access package |
| 44 | + |
| 45 | +**Prerequisite role:** User administrator or Catalog owner |
| 46 | + |
| 47 | +1. Sign in to the [Azure portal](https://portal.azure.com). |
| 48 | + |
| 49 | +1. Click **Azure Active Directory** and then click **Identity Governance**. |
| 50 | + |
| 51 | +1. In the left menu, click **Access packages**. |
| 52 | + |
| 53 | +  |
| 54 | + |
| 55 | +1. Click **New access package**. |
| 56 | + |
| 57 | +## Basics |
| 58 | + |
| 59 | +On the **Basics** tab, you give the access package a name and specify which catalog to create the access package in. |
| 60 | + |
| 61 | +1. Enter a display name and description for the access package. Users will see this information when they submit a request for the access package. |
| 62 | + |
| 63 | +1. In the **Catalog** drop-down list, select the catalog you want to create the access package in. For example, you might have a catalog owner that manages all the marketing resources that can be requested. In this case, you could select the marketing catalog. |
| 64 | + |
| 65 | + You will only see catalogs you have permission to create access packages in. To create access package in an existing catalog, you must be at least a User administrator, catalog owner, or access package manager. |
| 66 | + |
| 67 | +  |
| 68 | + |
| 69 | + If you would like to create your access package in a new catalog, click **Create new**. Enter the Catalog name and description and then click **Create**. |
| 70 | + |
| 71 | + The access package you are creating and any resources included in it will be added to the new catalog. Additionally, you will automatically become the first owner of the catalog. You can add additional catalog owners. |
| 72 | + |
| 73 | + To create a new catalog, you must be at least a User administrator or Catalog creator. |
| 74 | + |
| 75 | +1. Click **Next**. |
| 76 | + |
| 77 | +## Resource roles |
| 78 | + |
| 79 | +On the **Resource roles** tab, you select the resources to include in the access package. |
| 80 | + |
| 81 | +1. Click the resource type you want to add (**Groups**, **Applications**, or **SharePoint sites**). |
| 82 | + |
| 83 | +1. In the Select pane that appears, select one or more resources from the list. |
| 84 | + |
| 85 | +  |
| 86 | + |
| 87 | + If you are creating the access package in the General catalog or a new catalog, you will be able to pick any resource from the directory that you own. You must be at least a User administrator or Catalog creator. |
| 88 | + |
| 89 | + If you are creating the access package in an existing catalog, you can select any resource that is already in the catalog without owning it. |
| 90 | + |
| 91 | + If you are a User administrator or catalog owner, you have the additional option of selecting resources you own that are not yet in the catalog. If you select resources not currently in the selected catalog, these resources will also be added to the catalog for other catalog administrators to build access packages with. If you only want to select resources that are currently in the selected catalog, check the **Only see** check box at the top of the Select pan. |
| 92 | + |
| 93 | +1. Once you have selected the resources, in the **Role** list, select the role you want users to be assigned for the resource. |
| 94 | + |
| 95 | +  |
| 96 | + |
| 97 | +1. Click **Next**. |
| 98 | + |
| 99 | +## Policy |
| 100 | + |
| 101 | +On the **Policy** tab, you create the first policy to specify who can request the access package and also approval and expiration settings. Later, you can create more policies to allow additional groups of users to request the access package with their own approval and expiration settings. You can also choose to create the policy later. |
| 102 | + |
| 103 | +1. Set the **Create first policy** toggle to **Now** or **Later**. |
| 104 | + |
| 105 | +  |
| 106 | + |
| 107 | +1. If you select **Later**, skip down to the [Review + create](#review--create) section to create your access package. |
| 108 | + |
| 109 | +1. If you select **Now**, perform the steps in one of the following policy sections. |
| 110 | + |
| 111 | +[!INCLUDE [Entitlement management policy](../../../includes/active-directory-entitlement-management-policy.md)] |
| 112 | + |
| 113 | +## Review + create |
| 114 | + |
| 115 | +On the **Review + create** tab, you can review your settings and check for any validation errors. |
| 116 | + |
| 117 | +1. Review the access package's settings |
| 118 | + |
| 119 | +  |
| 120 | + |
| 121 | +1. Click **Create** to create the access package. |
| 122 | + |
| 123 | + The new access package appears in the list of access packages. |
| 124 | + |
| 125 | +## Next steps |
| 126 | + |
| 127 | +- [Edit and manage an existing access package](entitlement-management-access-package-edit.md) |
| 128 | +- [Create and manage a catalog](entitlement-management-catalog-create.md) |
0 commit comments