Merge pull request #12754 from MicrosoftDocs/main

Auto Publish – main to live - 2026-04-22 22:05 UTC

Author: learn-build-service-prod[bot]

docs/id-governance/entitlement-management-access-package-create-app.md

@@ -4,7 +4,7 @@ description: You can use Microsoft Entra entitlement management to enforce the p
 author: markwahl-msft
 editor: markwahl-msft
 ms.topic: how-to
-ms.date: 08/25/2024
+ms.date: 04/22/2026
 ms.author: mwahl
 ms.reviewer: mwahl
 ms.custom: sfi-ga-nochange
@@ -48,9 +48,7 @@ To create the access package and its associated policies and assignments, you'll
 
 This section shows how to interact with Microsoft Entra ID Governance by using [Microsoft Graph PowerShell](https://www.powershellgallery.com/packages/Microsoft.Graph) cmdlets.
 
-The first time your organization uses these cmdlets for this scenario, you need to be in a Global Administrator role to allow Microsoft Graph PowerShell to be used in your tenant. Subsequent interactions can use a lower-privileged role, such as:
-
-- [Identity Governance Administrator](~/identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
+The first time your organization uses these cmdlets for this scenario, you need to be in a Global Administrator role to allow Microsoft Graph PowerShell to be used in your tenant. Subsequent interactions can use a lower-privileged role, such as [Identity Governance Administrator](~/identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
 
 1. Open PowerShell.
 1. If you don't have the [Microsoft Graph PowerShell modules](https://www.powershellgallery.com/packages/Microsoft.Graph) already installed, install the `Microsoft.Graph.Identity.Governance` module and others by using this command:
@@ -320,7 +318,7 @@ If the application relies upon a group, then you link the group membership of th
 
 In this section you'll create the first access package assignment policy in the access package, an [access package assignment policy for direct assignment](entitlement-management-access-package-request-policy.md#none-administrator-direct-assignments-only), that can be used to track the users who already have access to the application. In the example policy created in this section, only the administrators or access package assignment managers can assign access, users retain access indefinitely, and there are no approvals or access reviews.
 
-1. Create a policy.
+- Create a policy.
 
    ```powershell
    $policy1Name = "Direct assignment policy"
@@ -403,8 +401,43 @@ For each access package that is to be marked as incompatible with another, you c
 1. If your scenario requires the ability to override a separation of duties check, then you can also [set up additional access packages for those override scenarios](entitlement-management-access-package-incompatible.md#configuring-multiple-access-packages-for-override-scenarios).
 
 ## Add assignments of existing users who already have access to the application
+**Option 1**
+
+When you use the Microsoft Entra provisioning service to [discover](~/identity/app-provisioning/how-to-account-discovery.md) users in your application, you can easily assign those users to an access package. [Download](https://aka.ms/AssignCorrelatedUsersPowerShell) the Assign-CorrelatedUsersWithRules.ps1 file. See the example approaches for adding assignments.
+
+1. Assign all discovered users to a specific access package (dry run):
+
+   ```powershell
+   .\Assign-CorrelatedUsersWithRules.ps1 -ServicePrincipalId "7A22..." ` -RulesFile ".\access-package-rules.csv" -DryRun
+   ```
+
+1. Assign all discovered users to a specific access package:
+
+   ```powershell
+   .\Assign-CorrelatedUsersWithRules.ps1 -ServicePrincipalId "7A22..." `-AccessPackageId "6e809820-1f6a-4ff8-adc9-991f9f3151bd" `-PolicyId "8de7482f-ff17-4310-a8f5-3f35bcf02cca"
+   ```
+
+1. Assign users to packages based on rules that you define (example rules file):
+
+    ```powershell
+   .\Assign-CorrelatedUsers.ps1 -ServicePrincipalId "7A22..." `-RulesFile ".\access-package-rules.csv"
+   ```
+
+1. Assign users to access packages with a fallback package for users that don't meet any of the defined rules:
+
+   ```powershell
+   .\Assign-CorrelatedUsers.ps1 -ServicePrincipalId "7A22..." `-RulesFile ".\access-package-rules.csv" `-AccessPackageId "fallback-pkg-id" -PolicyId "fallback-policy-id" `-FallbackBehavior UseFallback
+   ```
+
+1. Assign users to access packages and skip app role assignments:
+ 
+    ```powershell
+   .\Assign-CorrelatedUsers.ps1 -ServicePrincipalId "7A22..." `-RulesFile ".\access-package-rules.csv" -SkipAppRoleAssignment
+   ```
+    
+**Option 2** 
 
-Add assignments of existing users, who already have access to the application, to the access package and its direct assignment policy. You can [directly assign each user](entitlement-management-access-package-assignments.md#assign-a-user-to-an-access-package-with-powershell) to an access package.
+Add assignments of existing users, who are already assigned to the Entra Enterprise application, to the access package and its direct assignment policy. You can [directly assign each user](entitlement-management-access-package-assignments.md#assign-a-user-to-an-access-package-with-powershell) to an access package.
 
 1. Retrieve the existing application role assignments.