Add Resources to an Access package with PowerShell

In my blog post a few weeks ago about creating an access package in Entra ID Governance with PowerShell, I wrote about how you can programmatically create access packages with PowerShell and create templates to make it easier to create access packages in the future. In this blog post, I want to share how you can add resources to an access package with PowerShell, as the resources are an equally important part. Without resources in the access package, it wouldn’t be of much use.

In this blog post, I will share how you can add a group (Security or Microsoft 365), an Enterprise application, and a SharePoint Online site to an access package as a resource.

Prerequisites:

  • EntitlementManagement.ReadWrite.All permissions in the Microsoft Graph
    (Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All")

The trick to adding resources to an access package is that you need to add the resource to the catalog where the access package is created before the resource can be added to the access package.

Add resources (group) to a Catalog:

Adding a Security or Microsoft 365 group to a Catalog: you need to provide the PowerShell script with the Object ID of the group you want to add and the ID of the Catalog you want to add the group to, like so:

This script will output the information you need to run the next two PowerShell scripts. This information can also be found in the Entra ID portal by navigating to the resources.

Once you have acquired both the Catalog Id and the Group Id, you can paste them into the PowerShell script and run it. The group will then be added to the Catalog.

Now that the group has been added to the Catalog, we can add the group to the Access package. You need to add the same Catalog ID and the same group object ID to the PowerShell script, and then add the ID of the Access package as well.

We can now see that the security group (in my case) has been added to the Access package. What we have covered so far is how to add a resource (group) to a Catalog in Entitlement Management and then add the same resource to an Access package in the same Catalog.
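The two steps described above (catalog first, then access package), as an added example that is not one of the original scripts from this post. It assumes the Microsoft.Graph.Identity.Governance module; the three IDs are placeholders, and it selects the group's Member role by its `Member_<group id>` origin ID so the access package never hands out the Owner role by accident.

```powershell
# Added example, not the author's script. Replace the three placeholder IDs.
$CatalogId       = '<catalog-id>'
$GroupId         = '<group-object-id>'
$AccessPackageId = '<access-package-id>'

Connect-MgGraph -Scopes 'EntitlementManagement.ReadWrite.All'

# Step 1: ask Entitlement Management to add the group to the catalog.
$request = @{
    requestType = 'adminAdd'
    resource    = @{ originId = $GroupId; originSystem = 'AadGroup' }
    catalog     = @{ id = $CatalogId }
}
New-MgEntitlementManagementResourceRequest -BodyParameter $request | Out-Null

# The request is processed asynchronously, so wait until the catalog lists the group.
$resource = $null
foreach ($attempt in 1..12) {
    $resource = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $CatalogId `
        -ExpandProperty 'roles,scopes' -All | Where-Object { $_.OriginId -eq $GroupId }
    if ($resource) { break }
    Start-Sleep -Seconds 5
}
if (-not $resource) { throw "Group $GroupId did not appear in catalog $CatalogId." }

# Step 2: pick the Member role explicitly (least privilege) instead of taking Roles[0],
# which could be the Owner role.
$role  = $resource.Roles  | Where-Object { $_.OriginId -eq "Member_$GroupId" }
$scope = $resource.Scopes | Select-Object -First 1
if (-not $role -or -not $scope) { throw 'Member role or scope not found on the catalog resource.' }

$roleScope = @{
    role  = @{
        id           = $role.Id
        displayName  = $role.DisplayName
        originId     = $role.OriginId
        originSystem = $role.OriginSystem
        resource     = @{
            id           = $resource.Id
            originId     = $resource.OriginId
            originSystem = $resource.OriginSystem
        }
    }
    scope = @{ id = $scope.Id; originId = $scope.OriginId; originSystem = $scope.OriginSystem }
}
New-MgEntitlementManagementAccessPackageResourceRoleScope `
    -AccessPackageId $AccessPackageId -BodyParameter $roleScope
```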

The next PowerShell scripts can be considered templates to add an Enterprise Application or a SharePoint Online site to a Catalog and then to an Access package.

Add Enterprise Application to Access package

In order to add an Entra Enterprise application to an Access package, you need the Application ID. This can be found by navigating to Enterprise Applications in Entra, then selecting and copying the Application ID. You also need the Catalog ID and Access package ID. These two are needed in every PowerShell script.

Add SharePoint Online Site to Access package

In order to add a SharePoint Online site to an Access package, you need to have the URL of the SharePoint Online site, the Catalog ID, and the Access package ID. This code will then add the SharePoint Online site to the Catalog and to the Access package with Visitors permissions. If you need another permission set, you can change this as you like. See line 10 for options (and possibly lines 13 & 14).

With these PowerShell scripts, you should now be able to more easily automate the adding of resources to your Access package. In the coming days, I will also create the HTTP versions of these PowerShell scripts. I will update this blog at the bottom with a link to each of them when they are ready. You can also watch my GitHub repository if you like at https://github.com/ChrFrohn/Entra