Automating Access Package Creation in Entra ID: A Step-by-Step Guide
In today’s fast-paced IT environments, automation is key to maintaining efficiency and consistency. This blog post will walk you through a PowerShell script that automates the creation of Access Packages in Entra ID (formerly Azure AD). This script is particularly useful for organizations that need to manage access to multiple resources across different groups.
Prerequisites
Before we dive into the script, ensure you have the following:
- PowerShell 5.1 or later
- The following PowerShell modules installed:
- Microsoft.Graph.Identity.Governance
- Microsoft.Graph.Beta.Identity.Governance
- Microsoft.Graph.Groups
- Appropriate permissions in Entra ID (EntitlementManagement.ReadWrite.All, Group.Read.All)
Script Overview
Our script performs the following main tasks:
- Connects to Microsoft Graph
- Adds Azure AD groups as resources to a specified catalog
- Creates an Access Package for each group
- Sets up an assignment policy for each Access Package
Let’s break down each section of the script.
1. Importing Modules and Connecting to Graph
```powershell
# Import modules
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Beta.Identity.Governance
Import-Module Microsoft.Graph.Groups

# Connect to Graph with necessary permissions
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "Group.Read.All"
```
This section imports the necessary modules and connects to Microsoft Graph with the required permissions.
2. Setting Up Variables
```powershell
# Your existing catalog ID
$catalogId = "<catalogid>" # Pre-created catalog

# List of group display names to add
$groupNames = @(
    "aad-group1",
    "aad-group2",
    "aad-group3"
    # Add more group names as needed
)
```
Here, we define the catalog ID where the Access Packages will be created and list the Azure AD groups we want to add as resources.
3. Main Loop: Creating Resources and Access Packages
```powershell
foreach ($groupName in $groupNames) {
    # Get group ID and exact display name. Display names are not unique in Entra ID,
    # so wrap the result in an array and require exactly one match before using its Id.
    $group = @(Get-MgGroup -Filter "displayName eq '$groupName'")
    if ($group.Count -ne 1) {
        Write-Warning "Group '$groupName' not found or ambiguous ($($group.Count) matches). Skipping..."
        continue
    }
    $group     = $group[0]
    $groupId   = $group.Id
    $groupName = $group.DisplayName

    # Extract the server name from the group name (last "-" separated token)
    $serverName = $groupName.Split("-")[-1]

    # Add AAD group as resource to the catalog
    $resourceParams = @{
        requestType = "adminAdd"
        resource    = @{
            displayName  = $groupName
            originId     = $groupId
            originSystem = "AadGroup"
        }
        catalog     = @{
            id = $catalogId
        }
    }
    $resourceRequest = New-MgEntitlementManagementResourceRequest -BodyParameter $resourceParams

    # Create access package with custom name format
    $accessPackageParams = @{
        displayName = "$serverName"
        description = "access to $serverName"
        isHidden    = $false
        catalog     = @{
            id = $catalogId
        }
    }
    $accessPackage = New-MgEntitlementManagementAccessPackage -BodyParameter $accessPackageParams
}
```
This loop performs the following for each group:
- Retrieves the group’s ID and exact display name (display names are not unique identifiers in Entra ID, so the lookup should resolve to exactly one group before its Id is used)
- Adds the group as a resource to the specified catalog
- Creates an Access Package for the group with a custom name format
Sections 4 and 5 below use `$groupId` and `$accessPackage` of the current group, so in the full script they run inside this loop, before its closing brace.
4. Creating Assignment Policy
```powershell
# Define group that will see the access package
$groupIT = @{
    Id          = "<group object id>"
    DisplayName = "aad-dynamic-group"
}
# Only members of $groupIT may request (Graph beta requestorSettings schema)
$requestorSettings = @{
    scopeType         = "SpecificDirectorySubjects"
    acceptRequests    = $true
    allowedRequestors = @(
        @{ "@odata.type" = "#microsoft.graph.groupMembers"; id = $groupIT.Id; description = $groupIT.DisplayName; isBackup = $false }
    )
}
# No approval stage: requests are granted automatically
$requestApprovalSettings = @{
    isApprovalRequired               = $false
    isApprovalRequiredForExtension   = $false
    isRequestorJustificationRequired = $false
    approvalMode                     = "NoApproval"
    approvalStages                   = @()
}
# Define the policy parameters
$policyParams = @{
    accessPackageId         = $accessPackage.Id
    displayName             = "Auto-approve 3-day policy"
    description             = "Auto-approve policy with 3-day access"
    durationInDays          = 3
    requestorSettings       = $requestorSettings
    requestApprovalSettings = $requestApprovalSettings
}
# Create the assignment policy
$policy = New-MgBetaEntitlementManagementAccessPackageAssignmentPolicy -BodyParameter $policyParams
```
This section creates an assignment policy for each Access Package. It sets up an auto-approve policy with a 3-day access duration, allowing members of a specified group to request access.
5. Adding Group to Its Specific Access Package
```powershell
# Add group to its specific access package (using Beta module)
$resources = Get-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageResource -AccessPackageCatalogId $catalogId
$resource  = $resources | Where-Object { $_.OriginId -eq $groupId }
if ($resource) {
    # ... (code to add the group to the access package)
    New-MgBetaEntitlementManagementAccessPackageResourceRoleScope @roleParams
} else {
    Write-Warning "Resource $groupName not found in catalog. It may not have been added successfully."
}
```
This final section adds each group to its specific Access Package, ensuring that the correct resources are associated with each package.
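Sections 1 to 5 assembled into one runnable loop, as an added example that is not the original post's script. It fills in the three pieces the post leaves undefined or elided (`$requestorSettings`, `$requestApprovalSettings` and the role-scope body behind `@roleParams`) using the Microsoft Graph beta `accessPackageAssignmentPolicy` and `accessPackageResourceRoleScope` schemas, checks that each name resolves to exactly one group, and skips the catalog request when the group is already a catalog resource. `<catalogid>`, the group names, `$requestorGroup` and the helper `Get-CatalogResource` are placeholders and names of this example, not the post's.

```powershell
# Added example (not the post's code). Placeholders: <catalogid>, the group display names
# and the requestor group object id. Request bodies follow the Graph beta schemas.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Beta.Identity.Governance
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "Group.Read.All"

$catalogId      = "<catalogid>"                                                    # placeholder: pre-created catalog
$groupNames     = @("aad-group1", "aad-group2", "aad-group3")                     # placeholder display names
$requestorGroup = @{ Id = "<group object id>"; DisplayName = "aad-dynamic-group" } # placeholder: who may request

# Shared policy settings: only members of $requestorGroup can request, no approval stage,
# access expires after 3 days and cannot be extended.
$requestorSettings = @{
    scopeType         = "SpecificDirectorySubjects"
    acceptRequests    = $true
    allowedRequestors = @(
        @{ "@odata.type" = "#microsoft.graph.groupMembers"; id = $requestorGroup.Id; description = $requestorGroup.DisplayName; isBackup = $false }
    )
}
$requestApprovalSettings = @{
    isApprovalRequired               = $false
    isApprovalRequiredForExtension   = $false
    isRequestorJustificationRequired = $false
    approvalMode                     = "NoApproval"
    approvalStages                   = @()
}

# Helper of this example: the catalog resource whose originId is the given group id, or nothing.
function Get-CatalogResource([string]$CatalogId, [string]$OriginId) {
    Get-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageResource -AccessPackageCatalogId $CatalogId |
        Where-Object { $_.OriginId -eq $OriginId }
}

foreach ($requestedName in $groupNames) {
    # Double any single quote so the name cannot break out of the OData string literal,
    # and insist on exactly one match: display names are not unique identifiers in Entra ID.
    $safeName = $requestedName.Replace("'", "''")
    $found    = @(Get-MgGroup -Filter "displayName eq '$safeName'")
    if ($found.Count -ne 1) {
        Write-Warning "Expected one group named '$requestedName', found $($found.Count). Skipping."
        continue
    }
    $group      = $found[0]
    $groupId    = $group.Id
    $serverName = $group.DisplayName.Split("-")[-1]

    # 1. Add the group to the catalog as a resource, skipping the request if it is already there.
    $resource = Get-CatalogResource -CatalogId $catalogId -OriginId $groupId
    if (-not $resource) {
        $null = New-MgEntitlementManagementResourceRequest -BodyParameter @{
            requestType = "adminAdd"
            resource    = @{ displayName = $group.DisplayName; originId = $groupId; originSystem = "AadGroup" }
            catalog     = @{ id = $catalogId }
        }
        $resource = Get-CatalogResource -CatalogId $catalogId -OriginId $groupId
    }
    if (-not $resource) {
        Write-Warning "Resource '$($group.DisplayName)' is not in the catalog after adminAdd. Skipping."
        continue
    }

    # 2. Create the access package for this group.
    $accessPackage = New-MgEntitlementManagementAccessPackage -BodyParameter @{
        displayName = $serverName
        description = "access to $serverName"
        isHidden    = $false
        catalog     = @{ id = $catalogId }
    }

    # 3. Attach the assignment policy: who may request, how it is approved, how long it lasts.
    $null = New-MgBetaEntitlementManagementAccessPackageAssignmentPolicy -BodyParameter @{
        accessPackageId         = $accessPackage.Id
        displayName             = "Auto-approve 3-day policy"
        description             = "Auto-approve policy with 3-day access"
        durationInDays          = 3
        canExtend               = $false
        requestorSettings       = $requestorSettings
        requestApprovalSettings = $requestApprovalSettings
    }

    # 4. Bind the group's Member role to the package (the step the post shows as "...").
    $null = New-MgBetaEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $accessPackage.Id -BodyParameter @{
        accessPackageResourceRole = @{
            originId              = "Member_$groupId"
            displayName           = "Member"
            originSystem          = "AadGroup"
            accessPackageResource = @{
                id           = $resource.Id
                resourceType = $resource.ResourceType
                originId     = $groupId
                originSystem = "AadGroup"
            }
        }
        accessPackageResourceScope = @{ originId = $groupId; originSystem = "AadGroup" }
    }
    Write-Host "Package '$serverName' created and bound to group '$($group.DisplayName)'."
}
```

Two design points worth noting: the exact-match check matters because an ambiguous display name would otherwise hand `$group.Id` an array and silently produce a package bound to the wrong resource, and re-reading the catalog after `adminAdd` (rather than trusting the request) is what lets the final role-scope call use the catalog's own resource id and type instead of guessed values.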
Conclusion
This script provides a powerful way to automate the creation of Access Packages in Entra ID. By using this script, you can quickly set up access management for multiple groups, saving time and reducing the potential for human error.
Remember to test this script in a non-production environment first and adjust it to fit your organization’s specific needs and naming conventions.
Happy automating!