A few days ago, I received a ticket regarding three users from the same department who were missing access to an application. I knew this application was assigned to them through an access package. Since all three were new users, I wondered what had happened when the access package was assigned.
The first thing I checked was the delivery status in the assignment tab of the access package, and all three users had “partially delivered” as their status. The access to the application that the users were missing should have been assigned to them via a Custom Extension that runs a PowerShell script. However, the PowerShell script requires the status to be “Delivered,” and as a result, the users were not assigned the permissions.
I was able to resolve the issue by looking in the Request history for each assignment in the request tab of the access package. The reason for the partially delivered status was that an Exchange Online mail-enabled security group was added as a resource. Entra ID Governance access packages can’t handle Exchange Online resources (as of this writing). By removing the mail-enabled security group from the access package and then selecting Reprocess for the three users, their status changed to Delivered. I then needed to run the PowerShell script manually because the custom extension didn’t trigger as the trigger is “access granted,” and the users were already granted access.
So, the big question after a short time of troubleshooting: How can I get ahead of this next time?
The solution I came up with is to create a KQL query that looks like this:
This KQL query will return results for access packages where the operation name contains “Partially” or “Failed”.
This is a simpler version:
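For readers who want a starting point, here is an illustrative Log Analytics query I would write for this check (an added example, not the author's own query). It assumes Entra ID audit logs are forwarded to the workspace via diagnostic settings and that entitlement management events use the audit log category EntitlementManagement; verify both against your own tenant's data.

```kql
// Added example: surface access package assignments that were only partially
// delivered or failed. Assumes the AuditLogs table is populated by Entra ID
// diagnostic settings and that entitlement management events carry the
// Category value "EntitlementManagement" (assumption; confirm in your workspace).
AuditLogs
| where Category == "EntitlementManagement"
// The criterion described in the post: operation name contains "Partially" or "Failed"
| where OperationName contains "Partially" or OperationName contains "Failed"
// The first target resource is assumed to be the access package itself
| extend AccessPackage = tostring(TargetResources[0].displayName)
// Empty when the assignment was initiated by the system rather than a user
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, OperationName, Result, ResultReason, AccessPackage, InitiatedByUser, CorrelationId
| order by TimeGenerated desc
```

No time filter is included on purpose: when the query is used in a scheduled alert rule, the rule's own lookback period decides which rows are evaluated, so a hard-coded `ago()` would only cause repeated alerts for the same event.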
I then created a new alert by selecting New alert rule at the top of the page.
In the next window, set the Threshold value to 0. This means that when the query runs (every 5 minutes), if the number of results is greater than 0, the alert will be triggered. (Please keep the cost in mind.)
In the next window, you need to choose between an existing action group or create a new one. I’m going to select the existing action group that I created the first time I configured a monitor rule in this blog post: Monitor Lifecycle Workflows status in Entra ID Governance.
Next up, and as the last step, provide your alert with a name and a description:
When you are done, select Review + create. The alert rule has now been created.
When the alert is triggered, I receive an email, and by clicking View query results (either one), I can see information about which access package has an issue with delivery.
Next time, I can be proactive about such cases and resolve them before the user(s) notice anything (hopefully).
Please note that it takes about 12 hours for the delivery status to change from “Delivering” to “Partially Delivered” in the access package assignment interface.