📋 Microsoft Entra Documentation Changes

If you need to add resources such as groups or apps to an access package, you should check whether the resources you need are available in the access package's catalog. If you're an access package manager, you can't add resources to a catalog, even if you own them. You're restricted to using the resources available in the catalog.

If you want some identities to receive different resource roles than others, then you need to create multiple access packages in the catalog, with separate access packages for each of the resource roles. For example, if you wish to assign API permissions to an agent ID (preview), then you'll need this to be in a separate access package from member or guest users, since member or guest users can't have API permissions assigned to them. You can also mark the access packages as [incompatible](entitlement-management-access-package-incompatible.md) with each other so identities can't request access to access packages that would give them excessive access.

1. Depending on whether you want to add a [membership of a group or team](#add-a-group-or-team-resource-role), [access to an application](#add-an-application-resource-role), [SharePoint site](#add-a-sharepoint-site-resource-role), [Microsoft Entra role (Preview)](#add-a-microsoft-entra-role-assignment) or [API permission (Preview)](#add-an-api-permission-preview), perform the steps in one of the following resource role sections.

## Govern access for agents (preview)

 

[!INCLUDE [entra-agent-id-license](../includes/entra-agent-id-license-note.md)]

 

1. [Create a new access package](entitlement-management-access-package-create.md#start-the-creation-process)

1. [Add groups or API permissions to access package](entitlement-management-access-package-create.md#select-resource-roles)

1. [Add a request policy to allow service principals and agent identities in your directory to request access](entitlement-management-access-package-create.md#allow-users-service-principals-and-agent-identities-in-your-directory-to-request-the-access-package)

 

Microsoft Entra External ID supports integrated security features and partner solutions to help protect identities across the lifecycle. These capabilities include edge protection, sign-up fraud prevention, and unified monitoring. You can enable these solutions directly in External ID and access partner integrations through the [Microsoft Security Store](https://securitystore.microsoft.com/). This approach allows organizations to deploy trusted security tools quickly without complex setup. All these features are available in a wizard under the Security Store blade experience.

| **Sign-up fraud protection** | The Security Store wizard experience is not available. | Use [Arkose Labs](/entra/external-id/customers/how-to-integrate-fraud-protection?pivots=arkose) and [HUMAN Security](/entra/external-id/customers/how-to-integrate-fraud-protection?pivots=human) to protect against sign-up fraud and block automated bot attacks. |

| **DDoS and WAF protection** | The Security Store wizard experience is not available. | Use [Cloudflare](/entra/external-id/customers/how-to-configure-waf-integration) and [Akamai](/entra/external-id/customers/how-to-configure-akamai-integration) to defend at the edge with DDoS mitigation and web application firewall (WAF) features. |

| **Security analytics** | The Security Store wizard experience is not available. | Use [Azure Monitor and Microsoft Sentinel](/entra/external-id/customers/how-to-azure-monitor) to enable one-click monitoring, log analytics, and advanced threat detection. |

This following document discusses Microsoft Entra ID Governance licensing for employees. It's intended for IT decision makers, IT administrators, and IT professionals who are considering Microsoft Entra ID Governance services for their organizations.

 

For licensing governance for guest users, see [Microsoft Entra ID Governance licensing for guest users](microsoft-entra-id-governance-licensing-for-guest-users.md). For the preview for agents, see [governing agent identities (preview)](agent-id-governance-overview.md#license-requirements).

## Microsoft Entra ID Governance features

 

author: jeevansd

ms.author: jeedes

1. Select the resource type that you want to add (**Groups and Teams**, **Applications**, **SharePoint sites**, **Microsoft Entra role (Preview)**, or **API Permissions (Preview)**.

1. For [including API permissions](entitlement-management-access-package-resources.md#add-an-api-permission-preview) as a resource role to an access package for service principals or agent IDs (preview), select one of more API permissions from the list.

### License requirements for assigning agents to access packages (preview)

 

[!INCLUDE [entra-agent-id-license](../includes/entra-agent-id-license-note.md)]

## Identity governance for agents

 

With the addition of the Microsoft agent identity platform, managing agent's identity and access in the same way as people is just as important in the governance lifecycle of your organization. For more information, see [governing agent identities (preview)](agent-id-governance-overview.md).

The **All Service principals** and **All agents** preview require Microsoft Entra Agent ID. For more information, see [Governing agent identities (preview)](~/id-governance/agent-id-governance-overview.md).

- Application roles and API permissions (including Graph permissions)

The **All Service principals** and **All agents** preview require Microsoft Entra Agent ID. For more information, see [Governing agent identities (preview)](agent-id-governance-overview.md).

 

- [Governing agent identities in Microsoft Entra Agent ID (preview)](../agent-id-governance-overview.md)

- Synced passkeys (synced via providers such as Google Password Manager or iCloud Keychain)