Through out the years, I’ve worked with a lot off different customers, and almost all of them use some kind of ITSM tool (such as Jira ServiceNow) to order new services and hardware for users. This is usually where Windows 365 is added as a service where I as an end user, or manager, can request it.
But what if you don’t have an ITSM tool, but I still want to offer the self-service option?
Well, in Entra ID there is something called “Access packages” which we can use for this puropse. If you want to read more about what that is, check out the Microsoft documentation here.
With Access packages, we can create a self-service portal, where end-users can request memebership to a group. This group can then have a license tied to it, what is also known as Group Based Licensing. The user will then request membership to the group, you can add approvals and set a time frame that this membership should be valid. You can also add access reviews to check in with the user to see if they are still using the service.
So let’s jump into how an easy setup of this would look like, and then have a look at the user experiance. However, this setup is assuming you have already setup group based licensing for Windows 365.
This setup also assumes that you are targeting provisining policies to all users already (I’m using dynamic, country based groups as descibed in this post).
Setting upp Access packages
To set up access packages, we head into the Entra portal (https://entra.microsoft.com) and navigate to Identity > Identity Governance > Entitlement Management and then look for “Access packages” in the menu.
We will just create a very basic setup for this, so lets go ahead and click on “+ New Access Package“. First step is to give your policy a name and descripton. Remeber, the description is a required field. We will leave the catalog to “General” which is the default value. When done, hit next on the bottom of the windows.
Since we want to configure a memebership to a group, select the option “+ Groups and Teams” and find
Since we are just going with default values, you might need to check the “See all Groups and Teams…” check-box in order to find your group. When you have found the group, click select. If you are not already targeting users with a provisioning group, you need to add that here as well.
When you have added your group, remeber to change the Role to member before hitting next.
In the next step, we will define our Request flow. In this example I will make this apply for all users in my tenant, and I will allow all users to place a request.
The next part is to define the approval process. You can also remove approvals completely, but since Windows 365 comes with a cost we want a manager to approve this request. You can also add additional approvers if required. Default value is that manager will be the approved, and we will leave it to default. What you need to add is a “fallback” approver, and as you can see here I added my Help Desk team for this. Choose an approriate user/group for this task.
Last step on this section, is to select how we will enable this request flow. I’ve also enabled the preview features for this example, but you dont need to do that. Just make sure to enable the top one since this is what makes this request available. We will skip the Verified ID part and press the Next button.
On this step, we could add additional questions or justifications for the requestor, but we will leave this to default and press next. We will still get a question for business justification in the request.
Next step is to set the lifecycle for this, which we in this case will set to 180 days since that is roughly 6 months. And just for the purpose of usign access reviews, we will enable that as well but leave all values to default. When you are done, press next until you reach “Review + Create“.
On the last step, you can review all your settings before pressing Create. It will validate your configuration, and if you missed something or something is wrong it will ask you to correct this before moving forward.
We have now successfully create a Access package for our Cloud PCs!
Let’s have a look at what this looks like when a user requests this.
The request flow
The place where you need to direct your users for placing requests is https://myaccess.microsoft.com/ where they will see all available request packages for them. As you can see, I have three different access packages for Cloud PC I can request. To start a request, I simply click on “Request” on the service I want to request.
This windows will then appear, and you just click continue.
Next step is to add a business justification for my request, here I can also set it to a specific period if I like since we enabled that option when setting things up.
I then submit the request and it is sent of to the approver, which in this case is the manager.
Approver experiance
When the request has been sent, the approved will recieve an email looking like this, where they are asked to approve the request. This email also contains the business justification added by the requestor.
When the approver clicks the blue button in the email, they are redirected to the approval site on My Access.
When the approved selects to approve the request, they will be asked to enter a justification before approval is sent.
When the approver has approved the request, a confirmation email will be sent to the user. However, what is imporant to keep in mind is that this will initiate the provisioning of the Cloud PC.
The process of provisioning will now start and the Cloud PC will be done within usually 30-40 minutes depending on how fast your provisining policy is!
Key take aways
Estalishing a good on- and off-boarding process is important in all IT organsations. This walk though shows you that you can establish this without setting up more advanced tools. However, this is not close to as powerful as proper ITSM tools, but you can build simpler request flows to suite your needs.
This principle can also be applied to other things, not just Windows 365 and Cloud PCs.
Leave a Reply