In today’s blog post I would like to focus on Microsoft Entra ID Access Packages in combination with an enterprise application. This is a real-life example from my daily work and I thought it would be great to share it with you.
In late 2024, a colleague approached me with a specific situation involving an enterprise SaaS solution where licence management was being handled manually. In essence, this meant that if Employee A wanted to use the enterprise SaaS solution, the licence had to be granted manually within the application. As this process is relatively common and time-consuming in a larger organisation, we developed the solution described below using Microsoft Entra ID Access Packages.
By using Microsoft Entra ID Access Packages, we were able to automate the licence allocation process. This not only significantly reduced the time and effort involved, but also minimised the potential for human error. The Access Packages allowed us to create pre-defined bundles of access rights and licences that could be automatically assigned based on an employee’s role or department.
The solution
In mid-2024, I had already written two blog posts about Microsoft Entra ID Access Packages:
When I was approached with this request, I immediately thought that Access Packages might be the right solution, but I needed to check it out first.
The challenge with managing licences for enterprise SaaS applications in general is that they do not always provide a System for Cross-domain Identity Management (SCIM) interface. Fortunately, this was not an issue with this particular enterprise application, and what its documentation describes, including the attributes for licence assignment, could be implemented with relatively few problems.
Workflow
The complete workflow of the solution looks like this:
Configuration
The challenge was not in creating the Access Package itself with the appropriate workflow, but in interacting with the Enterprise SaaS solution and its licence management through the required SCIM metadata and attributes.
You can read about the basic creation of an Access Package here: How-to: Simplify Access with Microsoft Entra ID Packages
Steps
First and foremost, the setup requires an enterprise application in Microsoft Entra for the SSO flow. We added another role to the corresponding app registration, which becomes relevant for licence allocation later on.
App registrations -> Select the corresponding application -> App roles
We configured SCIM in the Enterprise Application as follows.
Enterprise Applications -> Choose Enterprise application -> Provisioning -> Provisioning Mode: Automatic -> Admin Credentials / Attribute Mapping
The magic of this enterprise SaaS solution is the "active" attribute, which controls the user licence. The evaluation in the attribute mapping checks whether the user has two active roles on the enterprise application. If this is the case, the "active" attribute is set to true; otherwise it is set to false.
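The same two-role rule can also be used to audit the result. The following is an added example, not the mapping expression from the original setup: it recomputes the expected "active" value per user and builds the SCIM 2.0 PatchOp body (RFC 7644) for every account whose licence state has drifted. The role names and the sample data are assumptions constructed for illustration.

```python
import json

# Assumed (hypothetical) app role values: the SSO role plus the extra licence role.
REQUIRED_ROLES = frozenset({"User", "LicensedUser"})
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def expected_active(assigned_roles):
    """True only when every required app role is assigned to the user."""
    return REQUIRED_ROLES.issubset(assigned_roles)


def scim_patch(active):
    """SCIM 2.0 PatchOp body that sets the 'active' attribute."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": active}],
    }


def find_drift(entra_roles, scim_users):
    """Return {userName: PatchOp body} for accounts whose 'active' is wrong.

    entra_roles: {userName: set of app role values} on the enterprise app.
    scim_users:  list of SCIM User resources as returned by the SaaS side.
    """
    fixes = {}
    for user in scim_users:
        name = user["userName"]
        want = expected_active(entra_roles.get(name, set()))
        # Tolerate implementations that return "True"/"False" as strings.
        have = str(user.get("active", False)).lower() == "true"
        if want != have:
            fixes[name] = scim_patch(want)
    return fixes


# Constructed sample data (not taken from a real tenant).
ENTRA_ROLES = {
    "alice@example.com": {"User", "LicensedUser"},
    "bob@example.com": {"User"},                    # licence role removed
    "carol@example.com": {"User", "LicensedUser"},
}
SCIM_USERS = [
    {"userName": "alice@example.com", "active": True},
    {"userName": "bob@example.com", "active": True},    # still holds a licence
    {"userName": "carol@example.com", "active": "False"},
    {"userName": "dave@example.com", "active": True},   # no assignment at all
]

if __name__ == "__main__":
    print(json.dumps(find_drift(ENTRA_ROLES, SCIM_USERS), indent=2))
```

Accounts such as bob and dave in the sample are the ones worth watching: they still consume a licence although the role assignment behind it is gone.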
Conclusion
With relatively simple tools such as Microsoft Entra Access Packages in combination with SCIM, you can simplify external licence management in your enterprise application. This does, however, require the application to offer a SCIM interface so that you can automatically update the user in the application at any time.
Of course, this can also be extended to other areas: not just licence management, but any attributes that are supported by the application.