{"id":3723,"date":"2026-07-09T16:05:29","date_gmt":"2026-07-09T21:05:29","guid":{"rendered":"https:\/\/microsoftgeek.com\/?p=3723"},"modified":"2026-07-09T16:05:29","modified_gmt":"2026-07-09T21:05:29","slug":"secure-your-users-when-they-go-on-vacation","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=3723","title":{"rendered":"Secure your users when they go on vacation"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">Access Packages to the rescue!<\/h1>\n\n\n\n<p>Entra ID Access Packages allows you to control access to groups, Teams, applications and SharePoint sites in a flexible, but secure way. They can be assigned automatically, manually or upon request for a limited time or permanently. Combining Access Packages in Entra ID with Conditional Access gives us a very easy fix for this scenario without sacrificing security too much. Access Packages requires Entra ID P2 license for basic configuration, but more advanced features require Entra ID Governance license.&nbsp;<\/p>\n\n\n\n<p>An overview of Access Packages:<\/p>\n\n\n\n<p>Resources are groups\/applications\/teams\/etc, these are places into one or more catalogs. These catalogs are organized into one or more Access Packages and then made available to users through an Access Package Policy which states the requirements and limitations for users access.<\/p>\n\n\n\n<p>Resources \u2013&gt; Catalog \u2013&gt; Access Package(s) \u2013&gt; Access Package Policy \u2013&gt; users or groups<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution design<\/h2>\n\n\n\n<p>In this scenario my suggestion would be:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<ul class=\"wp-block-list\">\n<li>Create a security group for users who should login from outside Country  example (which again is our default geo-block)<\/li>\n\n\n\n<li>Create an Access Package where users can request membership to this group for a limited time, and requests needs to be approved before access is granted.<\/li>\n\n\n\n<li>Define a list (aka \u201cNamed location\u201d) of countries allowed to login from, outside Scandinavia. Remember, we don\u2019t want to open up for the entire world.<\/li>\n\n\n\n<li>Change and create Conditional Access rule to allow group members to login to M365 from select countries outside Scandinavia.<\/li>\n<\/ul>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Create a group and place it into a catalog<\/h2>\n\n\n\n<p>Just create a new security group in Entra ID. no specific requirements except to follow your naming standards<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation04.png\" alt=\"\" class=\"wp-image-1200\"\/><\/figure>\n\n\n\n<p>Then navigate to&nbsp;<strong>Identity governance<\/strong>&nbsp;and&nbsp;<strong>Entitlement management<\/strong>, here you will find both&nbsp;<strong>Catalog<\/strong>&nbsp;and&nbsp;<strong>Access packages<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation02.png\" alt=\"\" class=\"wp-image-1198\"\/><\/figure>\n\n\n\n<p>Select \u201c<strong>Catalogs<\/strong>\u201d and then \u201c<strong>New catalog<\/strong>\u201d in the top. Provide a name and description (this will be visible to end users) set \u201c<strong>Enabled<\/strong>\u201d to&nbsp;<strong>yes<\/strong>, and \u201c<strong>Enabled for external users\u201d<\/strong>&nbsp;to&nbsp;<strong>no<\/strong>. Then click&nbsp;<strong>Create<\/strong>&nbsp;at the bottom.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation03.png\" alt=\"\" class=\"wp-image-1199\"\/><\/figure>\n\n\n\n<p>Doubleclick on the new catalog and select Resourcs on the left, Add resources in the top and add the group you created earlier so it appears in the list.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation05.png\" alt=\"\" class=\"wp-image-1202\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Create an access package for the catalog<\/h2>\n\n\n\n<p>Then to back to \u201c<strong>Identity Governance<\/strong>\u201d and select \u201c<strong>Access Packages<\/strong>\u201d on the left and \u201cN<strong>ew Access Package<\/strong>\u201d on the top.<\/p>\n\n\n\n<p>Basics:<br>Enter a&nbsp;<strong>name<\/strong>&nbsp;and&nbsp;<strong>description<\/strong>, keep in mind this is visible for the end user. Make sure you select the correct&nbsp;<strong>catalog<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation06.png\" alt=\"\" class=\"wp-image-1204\"\/><\/figure>\n\n\n\n<p>Resource roles:<br>Add the relevant group from before, make sure you select \u201c<strong>Member<\/strong>\u201d under \u201c<strong>Role<\/strong>\u201d to the far right.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation20.png\" alt=\"\" class=\"wp-image-1223\"\/><\/figure>\n\n\n\n<p>Requests:<br>There are a lot of options here, so I will present a suggestion but feel free to change the settings to suit your own needs. This will make up the Access Package policy as I mentioned in the start.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Select \u201c<strong>for users in your directory<\/strong>\u201c, \u201c<strong>All members (excluding guests<\/strong>)\u201d.<\/li>\n\n\n\n<li>Require approval:\u00a0<strong>Yes<\/strong>\u00a0(if you select, users are automatically grated access when requesting)<\/li>\n\n\n\n<li>Require requestor justification:\u00a0<strong>Yes<\/strong>\u00a0(if users must write a reason why they should get access)<\/li>\n\n\n\n<li>How many stages:\u00a0<strong>1<\/strong>\u00a0(how many steps of approval, 1 is usually sufficient)<\/li>\n\n\n\n<li>First approver: Pick one or more persons to receive the request and approve\/deny them, and how long the approver(s) have to respond. Note that the approvers\u00a0<strong>do not require any privileged access whatsoever<\/strong>.<\/li>\n\n\n\n<li>Enable new requests:\u00a0<strong>Yes<\/strong>\u00a0(selecting \u201cNo\u201d here will prevent users from requesting access)<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation08-1024x1004.png\" alt=\"\" class=\"wp-image-1206\"\/><\/figure>\n\n\n\n<p>Requestor information:<br>Click \u201c<strong>Next<\/strong>\u201c<\/p>\n\n\n\n<p>Lifecycle:<br>This is how long the access should last and if the user can extend their access.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Access package assignments expire: \u201c<strong>Number of days<\/strong>\u201c<\/li>\n\n\n\n<li>Assignments expire after (number of days):\u00a0<strong>21<\/strong><\/li>\n\n\n\n<li>Users can request specific timeline:\u00a0<strong>Yes<\/strong>\u00a0(This allows the end user to specify their access ahead of time, which is really useful in this scenario)<\/li>\n\n\n\n<li>Allow users to extend access: \u201c<strong>Yes<\/strong>\u201c<\/li>\n\n\n\n<li>Require approval to grant extension: \u201c<strong>Yes<\/strong>\u201c<\/li>\n\n\n\n<li>Require access reviews: \u201c<strong>No<\/strong>\u201d (you may want to set up access review but for this demo I will select No to keep this post somewhat short).<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation09.png\" alt=\"\" class=\"wp-image-1207\"\/><\/figure>\n\n\n\n<p>Custom extensions:<br>Click \u201c<strong>Next<\/strong>\u201c<\/p>\n\n\n\n<p>Review + create:<br>Click \u201c<strong>Create<\/strong>\u201d in the bottom and you\u2019re done here.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Named location and Conditional Access rules<\/h2>\n\n\n\n<p>In Entra ID: Navigate to&nbsp;<strong>Protection<\/strong>&nbsp;and&nbsp;<strong>Conditional Access<\/strong>&nbsp;and&nbsp;<strong>Named location<\/strong>. Select \u201c<strong>+ Countries location<\/strong>\u201d in the top and add the countries you want to grant access to M365 from and click&nbsp;<strong>Create<\/strong>&nbsp;at the bottom.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation10.png\" alt=\"\" class=\"wp-image-1208\"\/><\/figure>\n\n\n\n<p>Select&nbsp;<strong>Policies<\/strong>&nbsp;on the left side and edit your current geo-block Conditional access rule. Exclude the group you created in the start from this rule.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation11.png\" alt=\"\" class=\"wp-image-1209\"\/><\/figure>\n\n\n\n<p><strong>Create a new Conditional Access rule:<br><\/strong>Users: The same group as you just excluded from the geo-block rule<br>Target resources:&nbsp;<strong>All cloud apps<\/strong>&nbsp;(You can specify specific apps to lock this further down, but I\u2019ll do All cloud apps for demo purpose)<br>Network:&nbsp;<strong>Include Selected network or location<\/strong>&nbsp;and select the countries location you just created<br>Access control: Whichever requirements you have, I will select&nbsp;<strong>Require MFA&nbsp;<\/strong>for this demo.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation12.png\" alt=\"\" class=\"wp-image-1210\"\/><\/figure>\n\n\n\n<p>Now, any users who are member of this group will be allowed to login to M365 from the countries specified using MFA. Now we just need the users to request access and approve\/deny their requests.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">End-user access request<\/h1>\n\n\n\n<p>The end-user now only needs to log in to&nbsp;<strong><a href=\"http:\/\/myaccess.microsoft.com\/\">myaccess.microsoft.com<\/a><\/strong>&nbsp;and they will find \u201c<strong>Access packages<\/strong>\u201d on the left side along with the packages available to them. Here they click \u201c<strong>Request<\/strong>\u201d on the right side to request access.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation13-1024x324.png\" alt=\"\" class=\"wp-image-1211\"\/><\/figure>\n\n\n\n<p>Press&nbsp;<strong>Continue&nbsp;<\/strong>on the first screen and then they can specify when they want their access if they want to and provide their justification of required. Finally click \u201c<strong>submit request<\/strong>\u201c<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation14.png\" alt=\"\" class=\"wp-image-1212\"\/><\/figure>\n\n\n\n<p>The request is now visible under \u201c<strong>Request history<\/strong>\u201d along with the status<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation15-1024x328.png\" alt=\"\" class=\"wp-image-1213\"\/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">Request approval<\/h1>\n\n\n\n<p>Again, the approvers do not need any privileged access. The system will handle the technical changes for them. They will receive an e-mail notification that they have a pending request.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation17-1.png\" alt=\"\" class=\"wp-image-1216\"\/><\/figure>\n\n\n\n<p>The e-mail has a link to the request, but they can also see their pending requests at&nbsp;<strong><a href=\"http:\/\/myaccess.microsoft.com\/\">myaccess.microsoft.com<\/a><\/strong>. Click \u201c<strong>Review<\/strong>\u201d on the right side to get started.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation16-1024x345.png\" alt=\"\" class=\"wp-image-1214\"\/><\/figure>\n\n\n\n<p>Here they can see all the information provided in the request and can select \u201cApprove\u201d or \u201cDeny\u201d and then click \u201cSubmit\u201d in the bottom.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation18.png\" alt=\"\" class=\"wp-image-1217\"\/><\/figure>\n\n\n\n<p>The end-user (requestor) will automatically receive an e-mail of the response and, if approved, automatically get access to the group for a limited time.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/agderinthe.cloud\/wp-content\/uploads\/2024\/06\/Vacation19.png\" alt=\"\" class=\"wp-image-1218\"\/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Entra ID Access Packages is a robust and adaptable solution for managing user access within an organization, and is an incredibly important tool in these copilot times we live in now. While this was a very simple and quick introduction, I hope you can see its flexibility and simple setup to provide temporary access for those employees who wants access to resources while travelling abroad.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Access Packages to the rescue! Entra ID Access Packages allows you to control access to groups, Teams, applications and SharePoint sites in a flexible, but secure way. They can be assigned automatically, manually or upon request for a limited time or permanently. Combining Access Packages in Entra ID with Conditional Access gives us a very [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69,35],"tags":[],"class_list":["post-3723","post","type-post","status-publish","format-standard","hentry","category-azure","category-cloud-computing"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3723","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3723"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3723\/revisions"}],"predecessor-version":[{"id":3724,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3723\/revisions\/3724"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3723"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3723"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3723"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}