When you start working seriously with Entra ID Governance, you quickly realize how powerful it can be. Lifecycle Workflows, Access Packages, and Access Reviews — all the building blocks are there to automate access and keep everything compliant.
But before the automation runs smoothly, there’s a phase that’s often underestimated: the migration.
Moving from old dynamic security groups or manual access processes into Lifecycle Workflows and Access Package assignments sounds straightforward on paper. In reality, it’s a mix of detective work, cleanup, and validation. You end up matching users across systems, verifying assignments, and figuring out who should have access — and who shouldn’t — all while keeping the business running.
That’s the part where governance stops being just a “configuration exercise” and starts becoming real work.
Understanding Your Current State
Before you can move anything into Entra ID Governance, you have to understand what you already have — and that’s often the hardest part.
Most environments I’ve worked with have years of access logic built around dynamic groups, manual assignments, and forgotten exceptions. When you start asking questions like “Who should actually be in this group?” or “What decides if someone gets this access?”, you realize how much of your access model is built on assumptions.
At this stage, data becomes your best friend. You need a clear picture of:
- Who currently has access, and how they got it
- Which attributes (like department, company, or country) control that access
- Where those attributes are reliable — and where they aren’t
Without that baseline, every Lifecycle Workflow or Access Package you create will be built on guesswork. And in governance, guesswork is both time-consuming and risky.
Mapping Existing Access to Access Packages
Once you have a sense of your current state, it’s time to start mapping what exists to what you want to build.
This usually means taking stock of all the dynamic groups, static groups, and manual assignments currently in use — and identifying how they line up with the access packages you plan to introduce.
Excel is a great tool for this part. It gives you visibility, filtering, and structure — and for many environments, it’s where the first real overview is built. You can sort, group, and highlight patterns that aren’t obvious anywhere else.
Validating and Cleaning Up Old Assignments
Once you’ve mapped your current access state to the Access Packages you plan to use, the next step is validation — ensuring your assignments are accurate, complete, and aligned with your governance policies. This is where the process can get tricky: large organizations often have hundreds or even thousands of users spread across dynamic groups, static groups, and manual assignments. Manually auditing this is time-consuming and error-prone.
To simplify this, I created a PowerShell toolkit specifically designed for auditing and comparing Microsoft Entra ID users against Access Package assignments in Entra ID Governance. The script automates many of the tedious steps, retrieving users based on filters or group membership, comparing them against Access Packages, and exporting the results for easy analysis.
Here’s what makes it especially useful:
Interactive and Flexible User Retrieval
The script isn’t one-size-fits-all. When you run it, you’re prompted to choose how you want to retrieve your user list:
- Filtered Retrieval: Pull users based on country, department, company, EmployeeId prefix, or other attributes.
- Group Membership: Pull all members of a specific group — useful if your old dynamic groups are still active.
- Manual CSV Import: For edge cases, you can provide a CSV of users to audit.
This flexibility allows the script to adapt to different environments — whether you’re auditing a small team or the entire organization — while ensuring that users who have access today continue to have it after the migration.
Detailed Comparison and Reporting
Once the users are retrieved, the script compares them to the Access Package assignments in your Entra ID environment. It checks:
- Who is correctly assigned.
- Who is missing an assignment they should have.
- Which accounts are lingering but shouldn’t exist.

The results are exported into an Excel workbook, complete with multiple sheets:
- DetailedReport: Every user and their assignment status.
- Summary: Totals per policy and overall counts.
- UsersNotAssigned: A focused list of users missing required access.

This structured output acts as an audit dashboard — you can immediately spot gaps, duplicates, or inconsistencies. Pivot tables, filters, or additional analysis can then be applied directly in Excel, saving hours compared to manual validation.
of mistakes and free up time for strategic governance work instead of manual data wrangling.
Practical Use Cases
Some common scenarios where this script shines include:
- Pre-migration audits before moving from dynamic groups to Access Packages.
- Regular access reviews to maintain compliance.
- Validating Lifecycle Workflow assignments before enforcing automatic approvals or expirations.
In short, this toolkit doesn’t just produce a report — it provides a reliable snapshot of your access environment before automation begins, ensuring that Lifecycle Workflows and Access Packages start from a solid foundation.
For me, the combination of interactive prompts, flexible retrieval, and structured reporting has made auditing assignments far less painful. It turns what used to be a tedious, error-prone task into a reproducible, transparent process — and gives me confidence that the automation that follows will actually work.
Example
For example, if you want to compare all users in company “Company Name” that have an EmployeeId against the Access Package Workvivo:
PS C:\code> start-UserAccessPackageAudit
==========================================
🔎 USER & ACCESS PACKAGE AUDIT STARTED
==========================================
Checking module 'Microsoft.Graph.Authentication'...
✅ Module 'Microsoft.Graph.Authentication' is already imported.
Checking module 'ImportExcel'...
✅ Module 'ImportExcel' is already imported.
Connecting to Microsoft Graph...
✅ Connected to Graph successfully.
Fetching organization name...
🏢 Organization: Company Name
How would you like to get users?
1️⃣ Filter (Country, EmployeeId, etc.)
2️⃣ Group (Members of specific group)
3️⃣ Manual (CSV import)
Enter choice (1-3): 1
--- 🔍 FILTER PARAMETERS ---
Enter country (or leave blank):
Filter by department (or leave blank):
Filter by companyName (or leave blank): Company Name
Filter EmployeeId not null? (y/n): y
Filter EmployeeLeaveDateTime not null? (y/n): n
🔎 Querying users with: companyName eq 'Company Name' and accountEnabled eq true
✅ Retrieved 13 users for comparison.
Enter Access Package ObjectId: 58f12289-ca67-46bd-aebe-222b6ff3877e
📦 Selected Access Package: Workvivo
🔍 Comparing users to Access Package assignments...
Starting user comparison against Access Package assignments...
Querying Microsoft Graph for assignments...
→ https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignments?$expand=target,accessPackage,assignmentPolicy&$filter=accessPackage/id eq '58f12289-ca67-46bd-aebe-222b6ff3877e' and state eq 'Delivered'
✅ Retrieved 1573 Access Package assignments.
👥 Beginning comparison for 13 users...
✅ Comparison complete for 13 users.
Summary:
→ Assigned: 13
→ Not assigned: 0
📁 Select output folder for Excel export...
--------------------------------------------------------
📂 Please select a folder where the report will be saved.
⚠️ The folder selection window may appear behind other open windows.
If you don't see it, try minimizing other windows.
--------------------------------------------------------
✅ Export folder selected: C:\Reports
DetailedReport : DetailedReport
Summary : Summary
Package : OfficeOpenXml.Packaging.ZipPackage
Encryption : OfficeOpenXml.ExcelEncryption
Workbook : OfficeOpenXml.ExcelWorkbook
DoAdjustDrawings : True
File : C:\Reports folder\Company_Name-Workvivo-2025-11-10.xlsx
Stream : System.IO.MemoryStream
Compression : Level6
Compatibility : OfficeOpenXml.Compatibility.CompatibilitySettings
✅ Excel report created successfully: C:\Reports folder\Company_Name-Workvivo-2025-11-10.xlsx
Sheets included: Summary, DetailedReport, UsersNotAssigned
==========================================
✅ USER & ACCESS PACKAGE AUDIT COMPLETE
==========================================
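The comparison the session above performs, written out as an added example (this is not the toolkit’s own code): the company name and Access Package id are placeholders, the EmployeeId check is done client-side, and the assignment query pages through @odata.nextLink so the count is not capped at the first page.

```powershell
# Added example, not the audit toolkit's code. Assumes the Microsoft.Graph and ImportExcel
# modules are installed; $CompanyName and $PackageId are constructed placeholders.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module ImportExcel

Connect-MgGraph -Scopes 'User.Read.All','EntitlementManagement.Read.All' -NoWelcome

$CompanyName = 'Company Name'                          # placeholder
$PackageId   = '00000000-0000-0000-0000-000000000000'  # placeholder Access Package ObjectId

# 1. Users in scope: filter company and enabled state server-side, EmployeeId client-side.
$users = Get-MgUser -All -Property 'Id','DisplayName','UserPrincipalName','EmployeeId' `
    -Filter "companyName eq '$CompanyName' and accountEnabled eq true" |
    Where-Object { -not [string]::IsNullOrEmpty($_.EmployeeId) }

# 2. Delivered assignments for the package; follow @odata.nextLink until the collection ends.
$uri = 'https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignments' +
       "?`$expand=target,accessPackage,assignmentPolicy" +
       "&`$filter=accessPackage/id eq '$PackageId' and state eq 'Delivered'"
$assignments = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri   # returns a hashtable
    $assignments += $page.value
    $uri = $page.'@odata.nextLink'
}
# Index by the subject's directory object id so each user lookup is a hash probe.
$byObjectId = @{}
foreach ($a in $assignments) { if ($a.target.objectId) { $byObjectId[$a.target.objectId] = $a } }

# 3. Compare: each in-scope user is Assigned (with the granting policy) or Not assigned.
$report = foreach ($u in $users) {
    $match = $byObjectId[$u.Id]
    [pscustomobject]@{
        DisplayName = $u.DisplayName
        UPN         = $u.UserPrincipalName
        EmployeeId  = $u.EmployeeId
        Status      = if ($match) { 'Assigned' } else { 'Not assigned' }
        Policy      = if ($match) { $match.assignmentPolicy.displayName } else { '' }
    }
}
$summary = $report | Group-Object Status | Select-Object Name, Count

# 4. Export the three sheets. Export-Excel writes nothing to the pipeline unless -PassThru
#    is used, so no ExcelPackage object is printed.
$out = Join-Path $env:TEMP 'AccessPackageAudit.xlsx'
$report  | Export-Excel -Path $out -WorksheetName 'DetailedReport' -AutoSize
$summary | Export-Excel -Path $out -WorksheetName 'Summary' -AutoSize
$report | Where-Object Status -eq 'Not assigned' |
    Export-Excel -Path $out -WorksheetName 'UsersNotAssigned' -AutoSize
```

A user who appears in the directory filter but not in $byObjectId is exactly the “missing an assignment they should have” case; the reverse check (subjects in $assignments that are not in $users) is what surfaces lingering accounts.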
Transition to Lifecycle Workflows and Access Packages
Once the mapping and validation phase is complete, moving your access logic into Lifecycle Workflows and Access Packages becomes much smoother. The work you’ve done to audit users, clean up old assignments, and understand your current state pays off immediately: you’re no longer guessing who should have access or which groups are still active.
Confidently Automating Access
With accurate user data and validated assignments in hand, you can now define rules for your Access Packages with confidence. This includes:
- Approval workflows: Automatically route access requests to the right managers or owners.
- Expiration policies: Set time-limited access for contractors or temporary employees.
- Automatic assignment: Remove users from manual or dynamic groups once they’re properly assigned via Access Packages.
The key benefit here is reliability. What used to require manual intervention — checking requests, reviewing group membership, and ensuring access is up-to-date — now happens automatically. Every action is logged, tracked, and auditable, reducing both operational risk and compliance concerns.
Post-Migration Validation
Even after migration, governance doesn’t stop. Lifecycle Workflows and Access Packages provide a framework for automation, but you still need to ensure that everything works as intended. That’s where the insights from the audit script come in handy:
- You can compare newly automated assignments against your audit reports to make sure no users were missed.
- Identify any edge cases where users might have multiple assignments or conflicting roles.
- Regularly rerun the audit as part of your governance routine to ensure ongoing compliance.
This creates a continuous feedback loop: the audit script informs the setup, the automated processes maintain it, and periodic validation keeps everything accurate over time.
Benefits Beyond Automation
By taking this structured approach, governance becomes more than just a technical exercise. You start to see broader organizational benefits:
- Transparency: Managers and auditors can see exactly who has access, why, and for how long.
- Predictability: Changes in the environment, like onboarding or role changes, flow through a controlled process.
- Reduced risk: Fewer misassignments, fewer orphaned accounts, and less manual intervention means fewer opportunities for mistakes or unauthorized access.
Real-World Impact
In my experience, organizations that invest the time in mapping, validating, and auditing before migrating to Lifecycle Workflows rarely run into issues after automation is enabled. Access requests are processed automatically, expired accounts are removed on schedule, and compliance reports can be generated at any time without tedious manual effort.
The transition isn’t just about implementing automation — it’s about building a foundation where access management is predictable, auditable, and resilient. The work you put in beforehand transforms governance from a reactive, error-prone process into a proactive, controlled system.
Wrapping Up
Working through these migrations has reminded me that governance isn’t just about automation — it’s about understanding. When you take the time to really examine how access is granted, maintained, and removed, you begin to uncover both risks and opportunities in your environment.
The process can feel messy at first — especially when old rules and dynamic groups have been running quietly for years — but the reward is worth it. With some structure, reliable data, and tools like the Entra ID Access Package Audit script on GitHub, you can make that transition smoother, faster, and far more predictable.
For me, this has been about making my own workday a little easier — one audit, one cleanup, and one validation at a time.