Request access package on-behalf-of other users

Entitlement Management enables admins to create access packages to manage their organization’s resources. Admins can either directly assign users to an access package, or configure an access package policy that allows users and group members to request access. This option to create self-service processes is useful, especially as organizations scale and hire more employees. However, new employees joining an organization might not always know what they need access to, or how they can request access. In this case, a new employee would likely rely on their manager to guide them through the access request process.

Instead of having new employees navigate the request process, managers can request access packages for their employees, making onboarding faster and more seamless. To enable this functionality for managers, admins can select an option when setting up an access package policy that allows managers to request access on their employees' behalf.

Expanding self-service request flows to allow requests on behalf of employees ensures that users have timely access to necessary resources, and increases productivity.

Scenarios for managers requesting on behalf of employees

Imagine your organization hires hundreds of new employees each year, and you're being tasked with training new hires on IT processes, including how to request access for resources in My Access. Training sessions are only at the beginning of each month, so managers of new hires who start later in the month often reach out for ad-hoc training. This is becoming increasingly common.

Instead of conducting numerous ad-hoc training sessions to ensure new hires know how to request access in their first week or weeks at the organization, you can set up access package policies that allow managers to request access on behalf of their employees.

Screenshot of request on behalf of options.

Now, managers are empowered to request access on behalf of new hires who haven't gone through the IT training. This ensures that employees have the tools and resources necessary to start on day one, and increases new hire satisfaction as they don’t need to wait for access or navigate the request process on their own.

Prerequisites

Using this feature requires Microsoft Entra ID Governance or Microsoft Entra Suite licenses. To find the right license for your requirements, see Microsoft Entra ID Governance licensing fundamentals.

Configure an access package policy allowing on behalf of requests

Follow these steps to edit the policies of an existing access package so that they allow on behalf of requests:

  1. Sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator.

  2. Browse to ID Governance > Entitlement management > Access packages.

  3. Select the access package you want to set up for on behalf of requests.

  4. Select the policy you wish to edit or create a new policy.

  5. On the Requests tab, set Enable new requests to Yes. This should show you the option Allow managers to request on behalf of employees. Set that option to Yes.
    Screenshot of editing an access package's request on behalf of policy.

  6. Save your policy.
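
To review afterwards which policies accept on behalf of requests, the following is an added example (not part of the original documentation) that audits assignment policy objects exported from Microsoft Graph. It assumes the portal option is reflected in the `requestorSettings.enableOnBehalfRequestorsToAddAccess` and `onBehalfRequestors` properties; the sample policies and the `audit_on_behalf` helper are constructed for illustration.

```python
# Added example: audit assignment policies for on-behalf-of request settings.
# SAMPLE_POLICIES is constructed, shaped like items returned by Microsoft Graph
# GET /identityGovernance/entitlementManagement/assignmentPolicies.
SAMPLE_POLICIES = [
    {"id": "00000000-0000-0000-0000-000000000001",
     "displayName": "New hire onboarding",
     "requestorSettings": {
         "enableOnBehalfRequestorsToAddAccess": True,
         "onBehalfRequestors": [
             {"@odata.type": "#microsoft.graph.requestorManager", "managerLevel": 1}]},
     "requestApprovalSettings": {"isApprovalRequiredForAdd": False, "stages": []}},
    {"id": "00000000-0000-0000-0000-000000000002",
     "displayName": "Finance systems",
     "requestorSettings": {
         "enableOnBehalfRequestorsToAddAccess": True,
         "onBehalfRequestors": [
             {"@odata.type": "#microsoft.graph.requestorManager", "managerLevel": 1}]},
     "requestApprovalSettings": {"isApprovalRequiredForAdd": True}},
    {"id": "00000000-0000-0000-0000-000000000003",
     "displayName": "Self-service only",
     "requestorSettings": {"enableOnBehalfRequestorsToAddAccess": False,
                           "onBehalfRequestors": []},
     "requestApprovalSettings": {"isApprovalRequiredForAdd": True}},
]


def audit_on_behalf(policies):
    """Return one finding per policy that accepts on-behalf-of requests."""
    findings = []
    for policy in policies:
        requestor = policy.get("requestorSettings") or {}
        if not requestor.get("enableOnBehalfRequestorsToAddAccess"):
            continue  # on-behalf-of requests are off for this policy
        approval = policy.get("requestApprovalSettings") or {}
        findings.append({
            "policy": policy.get("displayName", policy.get("id")),
            # Subject types allowed to request for someone else, e.g. requestorManager
            "requestors": [r.get("@odata.type", "").rsplit(".", 1)[-1]
                           for r in requestor.get("onBehalfRequestors") or []],
            # Without required approval, a manager's request is granted unreviewed
            "needs_review": not approval.get("isApprovalRequiredForAdd", False),
        })
    return findings


if __name__ == "__main__":
    for f in audit_on_behalf(SAMPLE_POLICIES):
        flag = "REVIEW" if f["needs_review"] else "ok"
        print(f"{flag:6} {f['policy']}: {', '.join(f['requestors'])}")
```

Policies flagged `REVIEW` accept manager requests without an approval step, so they are the ones to check first against the sensitivity of the resources in the package.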

Request an access package on behalf of an employee

As a manager, you can request an access package for a direct report by doing the following steps:

  1. Sign in to the My Access portal at https://myaccess.microsoft.com. For US Government, the domain in the My Access portal link is myaccess.microsoft.us.

  2. On the My Access Portal page, select Access packages.

  3. On the Access packages page, locate the access package you want to request for a direct report and select Request.

  4. On the Request pane under Request details, select requesting for Someone else.
    Screenshot of manager requesting access package for direct employee.

  5. Fill in additional information needed to request an access package for the direct report.
    Screenshot of justification questions for requesting an access package for a direct report.

  6. Select Submit request.

Approve access on behalf of employee requested by manager

To approve an access package on behalf of an employee as a manager, do the following steps:

  1. Sign in to the My Access portal at https://myaccess.microsoft.com. For US Government, the domain in the My Access portal link is myaccess.microsoft.us.

  2. In the left menu, select Approvals to see a list of access requests pending approval.

  3. On the Pending tab, find the request.
    Screenshot of the pending approval requests in my access.

  4. Either approve, or deny, the request on behalf of the employee.

Manage team assignments using the My Access portal

For access package assignments with policies that support on behalf of requests, managers can also manage access package assignments of their direct reports using the My Access portal when admins elect to turn on the feature. Management capabilities include:

  • The ability to see active access package assignments of all of their direct reports.
  • The ability to remove assignments for reports if the policy supports on behalf of requests.

Before managing teams in the My Access Portal, make sure you have the manage team settings configured by doing the following steps:

  1. Sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator.

    Tip

    Other least privilege roles that can complete this task include the Catalog owner and the Access package manager.

  2. Browse to ID Governance > Entitlement management > Control configurations.

  3. On the control configurations page, select view settings on the My Access settings for end users card.
    Screenshot of the my access settings for end user card.

  4. On the end user settings page, make sure View access package assignments for direct reports (preview) is checked.
    Screenshot for the settings for end users using my access.

  5. Select Save.

With the setting enabled, do the following steps to manage your team assignments using the My Access portal:

  1. Sign in to the My Access portal at https://myaccess.microsoft.com as the direct manager of the team whose access package assignments you want to manage. For US Government, the domain in the My Access portal link is myaccess.microsoft.us.

  2. In the left menu, select Manage team to see a list of your direct reports.
    Screenshot of the list of team members on the manage team page.

  3. Select an employee to see a list of their assignments.

  4. On the assignments page, you can see a list of their current access package assignments. You can also select Remove access to end that specific access package assignment for the user.
    Screenshot of managing team in the my access portal.
