DEV Community

stepbystep tocloud
stepbystep tocloud

Posted on

Use access packages for governed agent access

This article is part of a multi-part series on Microsoft Entra Agent ID governance. For the full sequence and recommended reading order, start from the Governing AI agents with Microsoft Entra Agent ID and Agent 365

Conditional Access helps decide whether an approved agent can access a resource under the right policy conditions. Access packages answer a different question: what access should the agent receive, who approves it, and how long should that access remain valid.

This is the right next step after inventory, classification, owner/sponsor cleanup, custom security attributes, and Conditional Access policy design. At this stage, the organisation should already know which agents are approved, who is accountable for them, what access pattern they use, and what sensitivity or business criticality applies.

Access packages should not be used for every discovered agent. They are most useful for approved agents that need durable access to resources such as groups, Microsoft Entra roles, or API permissions. The aim is to avoid permanent, ad hoc permission assignments and move toward access that is intentional, approved, auditable, and time-bound.

Why access packages matter for agents

Agents may need access to resources to complete business tasks. For example, a fleet of customer support agents may need access to the same set of groups, APIs, or directory roles. Without a governed access model, those permissions can become difficult to track, review, and remove.

Access packages provide a structured way to grant access with governance controls around:

  • Who can request access
  • Who approves access
  • What resources are included
  • How long access lasts
  • Whether access can be extended
  • What happens when access expires

This is especially important for agent identities because they may continue operating without day-to-day human interaction. Access should therefore be granted with clear purpose, expiry, and review expectations.

Where access packages fit in the governance sequence

Access packages should come after the agent has already passed the earlier governance checks.

Stage Purpose
Inventory Identify the agent and its source platform
Classification Understand identity model and access pattern
Owner and sponsor assignment Establish technical and business accountability
Custom security attributes Record governance metadata like approval status and sensitivity
Conditional Access Enforce access policy based on identity, risk, and attributes
Access packages Grant approved, time-bound access to required resources
Lifecycle workflows and monitoring Keep sponsorship, access, and risk posture current

The key point is simple: do not grant durable access to an agent until it is classified, accountable, and approved.

What agents can receive through access packages

Access packages are useful when approved agents need access to defined resources rather than broad standing permissions.

Common examples include:

  • Security group memberships
  • Microsoft Entra directory roles
  • OAuth application permissions
  • API permissions such as Microsoft Graph application permissions

This makes access packages suitable for repeatable access patterns. For example, if several approved agents need the same type of access, create a standard access package instead of assigning permissions manually to each agent.

Recommended access package design

Start with a small number of meaningful access packages rather than creating many narrowly scoped packages too early.

Design area Recommendation
Scope Use access packages only for approved agents with known purpose and accountability
Resources Include only the resources the agent needs for the defined scenario
Approval Route approval to the sponsor, resource owner, application owner, or security governance team
Expiry Make assignments time-bound by default
Extension Require re-approval or extension review for continued access
Auditability Ensure assignments and approvals can be reviewed later
Naming Use names that explain the agent scenario and access purpose

Example naming pattern:

  • AP-Agent-CustomerSupport-GraphRead-Prod
  • AP-Agent-FinanceAutomation-GroupAccess-Prod
  • AP-Agent-SOCInvestigation-Privileged-ReviewRequired

The name should help an administrator quickly understand who the access is for, what it grants, and whether it is production or review-based.

Request and approval model

Access packages can support different assignment paths:

Assignment path When it makes sense
Agent identity requests access Useful for programme-driven or automated access request scenarios
Sponsor requests access for the agent Useful when human oversight is required before the agent receives access
Administrator directly assigns access Useful for controlled rollout, pilot, or emergency remediation scenarios

The sponsor-based model is especially valuable. It keeps a human accountable for why the agent needs access and whether that access should continue.

Expiry and extension behaviour

Access packages should not create permanent access by default. The value comes from giving access a lifecycle.

When an access package assignment has an expiry date, the organisation can review whether the agent still needs that access. If the sponsor remains accountable and the access is still valid, an extension can be requested based on policy. If no action is taken, the assignment expires and the agent loses access to the target resources.

This is a clean governance pattern for agents because access does not remain forever simply because it was once approved.

Design caveats

Access packages are powerful, but they should be used carefully.

Do not use access packages as a shortcut to approve unknown agents. If the agent source, identity model, business purpose, owner, sponsor, or access pattern is unclear, keep the agent in ReviewRequired state.

Also avoid reusing access packages that were originally designed for human users if the resource roles or approval model do not fit agent identities. Agent access packages should be designed with agent scenarios in mind.

Key checks before using access packages:

  • Is the agent approved?
  • Does the agent have a valid owner and sponsor?
  • Is the access pattern understood?
  • Is the business purpose documented?
  • Are the required resources clearly defined?
  • Is access time-bound?
  • Is there a clear approver?
  • Is there a review or expiry model?

If the answer is unclear, the access package design is not ready.

Recommended operating model

A practical access package operating model for agents can look like this:

  1. Approved agents are identified from the inventory.
  2. Required resource access is mapped to a business scenario.
  3. Access package is created for that scenario.
  4. Sponsor or approver validates the need.
  5. Access is granted with expiry.
  6. Access is reviewed or extended only when justified.
  7. Expired or unused access is removed automatically through the lifecycle process.

This keeps access aligned to business purpose and reduces long-term permission drift.

Example access package patterns

Scenario Access package idea
Customer support agents Standard access to support knowledge groups and approved APIs
Security operations agents Time-bound access to investigation-related resources
Finance automation agents Controlled access to finance processing groups or APIs
HR assistant agents Access only to approved HR resources with stricter review
Test or sandbox agents Limited non-production access with short expiry

The design should follow least privilege. Agents should receive only the access needed for their approved scenario.

How this connects to the next phase

Once access packages are in place, the next concern is lifecycle. Agents may be approved today, but sponsors can change roles, leave the organisation, or stop being accountable for the agent. If sponsorship becomes stale, access decisions become stale too.

That is why the next phase is Lifecycle Workflows for sponsor continuity. Access packages govern what the agent can access. Lifecycle workflows help ensure the people responsible for that access remain current.

Wrap-up

Access packages give agent governance a proper entitlement layer. Conditional Access controls whether the agent can access resources under policy conditions. Access packages control what access the agent receives, who approves it, how long it lasts, and how it expires.

Use access packages for approved agents with clear business purpose and accountability. Keep access time-bound, auditable, and reviewable. This prevents agent permissions from becoming permanent, unmanaged, or disconnected from business ownership.

Top comments (0)