articles/active-directory/governance/entitlement-management-overview.md
+2 -2 (2 additions & 2 deletions)
@@ -68,10 +68,10 @@ Here are the types of resources you can manage access to with entitlement manage
68
68
69
69
- Azure AD security groups
70
70
- Office 365 groups
71
-
- Azure AD enterprise applications, including SaaS application and custom-integrated applications which support federation or provisioning
71
+
- Azure AD enterprise applications, including SaaS application and custom-integrated applications that support federation or provisioning
72
72
- SharePoint Online site collections and sites
73
73
74
-
You can also control access to other resources which rely upon Azure AD security groups or Office 365 groups. For example:
74
+
You can also control access to other resources that rely upon Azure AD security groups or Office 365 groups. For example:
75
75
76
76
- You can give users licenses for Microsoft Office 365 by using an Azure AD security group in an access package and configuring [group-based licensing](../users-groups-roles/licensing-groups-assign.md) for that group
77
77
- You can give users access to manage Azure resources by using an Azure AD security group in an access package and creating an [Azure role assignment](../../role-based-access-control/role-assignments-portal.md) for that group
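Review bot: The changed enterprise applications bullet (new line 71) still reads "including SaaS application and custom-integrated applications", with a singular "application" next to a plural. Since the line is already being touched for which/that, make it "including SaaS applications and custom-integrated applications that support federation or provisioning". The which/that change on new line 74 looks fine as is.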
articles/active-directory/governance/entitlement-management-troubleshoot.md
+4 -4 (4 additions & 4 deletions)
@@ -37,9 +37,9 @@ This article describes some items you should check to help you troubleshoot Azur
37
37
38
38
## Checklist for adding a resource
39
39
40
-
* For an application to be a resource in an access package, it must have at least one resource role that can be assigned. The roles are defined by the application itself and are managed in Azure AD. Note that the Azure portal may also show service principals for services that cannot be selected as applications. In particular, "Exchange Online" or "SharePoint Online" are services, not applications that have resource roles in the directory, so cannot be included in an access package. Instead, use group-based licensing to establish an appropriate license for a user who needs access to those services.
40
+
* For an application to be a resource in an access package, it must have at least one resource role that can be assigned. The roles are defined by the application itself and are managed in Azure AD. Note that the Azure portal may also show service principals for services that cannot be selected as applications. In particular, **Exchange Online** and **SharePoint Online** are services, not applications that have resource roles in the directory, so they cannot be included in an access package. Instead, use group-based licensing to establish an appropriate license for a user who needs access to those services.
41
41
42
-
* For a group to be a resource in an access package, it must be able to be modifiable in Azure AD. Groups that originate in an on-premises Active Directory cannot be assigned as resources, since their owner or member attributes cannot be changed in Azure AD.
42
+
* For a group to be a resource in an access package, it must be able to be modifiable in Azure AD. Groups that originate in an on-premises Active Directory cannot be assigned as resources because their owner or member attributes cannot be changed in Azure AD.
43
43
44
44
* SharePoint Online document libraries and individual documents cannot be added as resources. Instead, create an Azure AD security group, include that group and a site role in the access package, and in SharePoint Online use that group to control access to the document library or document.
45
45
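Review bot: The group bullet (new line 42) keeps "it must be able to be modifiable in Azure AD", which is redundant; since the line is being edited anyway, shorten it to "it must be modifiable in Azure AD". On new line 40, the sentence starting "Note that the Azure portal may also show service principals" could drop "Note that" for consistency with the rest of the checklist, and the switch from quotation marks to bold for Exchange Online and SharePoint Online should be applied the same way wherever else the article names those services.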
@@ -49,15 +49,15 @@ This article describes some items you should check to help you troubleshoot Azur
49
49
50
50
* If there is a B2B [allow list](../b2b/allow-deny-list.md), then users whose directories are not allowed will not be able to request access.
51
51
52
-
* Ensure that there are no [Conditional Access policies](../conditional-access/require-managed-devices.md)which would prevent external users from requesting access or being able to use the applications in the access packages.
52
+
* Ensure that there are no [Conditional Access policies](../conditional-access/require-managed-devices.md)that would prevent external users from requesting access or being able to use the applications in the access packages.
53
53
54
54
## Checklist for request issues
55
55
56
56
* When a user wants to request access to an access package, be sure that they are using the **My Access portal link** for the access package. For more information, see [Copy My Access portal link](entitlement-management-access-package-edit.md#copy-my-access-portal-link).
57
57
58
58
* When a user signs in to the My Access portal to request an access package, be sure they authenticate using their organizational account. The organizational account can be either an account in the resource directory, or in a directory that is included in one of the policies of the access package. If the user's account is not an organizational account, or the directory is not included in the policy, then the user will not see the access package. For more information, see [Request access to an access package](entitlement-management-request-access.md).
59
59
60
-
* If a user is blocked from signing in to the resource directory, they will not be able to request access in the My Access portal. Before the user can request access, you must remove the sign-in block from the user's profile. To remove the sign-in block, in the Azure portal, click **Azure Active Directory**, click **Users**, click the user, and then click **Profile**. Edit the **Settings** section and change **Block sign in** to **No**. For more information, see [Add or update a user's profile information using Azure Active Directory](../fundamentals/active-directory-users-profile-azure-portal.md). You may also wish to check if the user was blocked due to an [Identity Protection policy](../identity-protection/howto-unblock-user.md).
60
+
* If a user is blocked from signing in to the resource directory, they will not be able to request access in the My Access portal. Before the user can request access, you must remove the sign-in block from the user's profile. To remove the sign-in block, in the Azure portal, click **Azure Active Directory**, click **Users**, click the user, and then click **Profile**. Edit the **Settings** section and change **Block sign in** to **No**. For more information, see [Add or update a user's profile information using Azure Active Directory](../fundamentals/active-directory-users-profile-azure-portal.md). You can also check if the user was blocked due to an [Identity Protection policy](../identity-protection/howto-unblock-user.md).
61
61
62
62
* In the My Access portal, if a user is both a requestor and an approver, they will not see their request for an access package on the **Approvals** page. This behavior is intentional - a user cannot approve their own request. Ensure that the access package they are requesting has additional approvers configured on the policy. For more information, see [Edit an existing policy](entitlement-management-access-package-edit.md#edit-an-existing-policy).
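Review bot: The Conditional Access bullet (new line 52) still has no space between the link and the following word: "(../conditional-access/require-managed-devices.md)that would prevent" renders as "policiesthat". Add a space after the closing parenthesis. Separately, on new line 60 the Identity Protection check is mentioned only after the steps that set **Block sign in** to **No**; consider moving "check if the user was blocked due to an Identity Protection policy" ahead of the unblock steps, so an administrator confirms why the account was blocked before removing the block.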