Access Requests, Terms of Use & External Lifecycle
Manage access requests, implement terms of use policies, control external user lifecycles, and configure connected organisations for partner access.
Access Requests, Terms of Use & External Users
Think of this as the front door policy for your building.
Access requests are like a visitor management system — people request entry, someone approves, and they get a badge. Terms of Use is the sign on the wall that says “By entering, you agree to these rules” — everyone must read and accept before they come in. External user lifecycle is the process of making sure visitor badges expire when the visit is over, so you don’t have people wandering around with old badges months later.
Connected organisations are partner companies that have a pre-approved relationship — their employees can request visitor badges through a streamlined process instead of going through the full approval chain each time.
Managing access requests
When users request access packages through myaccess.microsoft.com, several things happen behind the scenes:
The request lifecycle:
- User browses available access packages and submits a request
- If a justification is required, the user provides it
- If custom questions are configured, the user answers them
- Approver(s) receive a notification and approve/deny
- On approval, the system assigns all resource roles in the package
- The user gets a notification confirming access
Requestor experience settings you can configure:
- Require justification — free-text explanation of why they need access
- Custom questions — structured questions (text or multiple-choice) the requestor must answer
- Require approver justification — approvers must explain why they approved or denied
Scenario: Priya adds custom questions to access requests
🔐 Priya configures the “Clinical Trial Data Access” package at Meridian Health with custom questions:
- “Which clinical trial ID does this access relate to?” (text field)
- “Have you completed the data handling training?” (Yes/No)
- “Expected duration of access needed” (30 days / 90 days / 180 days)
These answers appear in the approval request so Dr. Chen can make informed decisions. They’re also stored in audit logs for compliance.
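To make the request lifecycle above concrete, here is an added Python model (not code from the page, the course, or Microsoft) of how the three requestor settings gate a request before it reaches an approver. The class names, the `submit`/`decide` functions and the sample trial ID are constructed for illustration; Priya's three custom questions are taken from the scenario.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical, simplified model of an access package policy's requestor settings.
# Illustrative names only, not the Microsoft Graph schema.
@dataclass
class CustomQuestion:
    text: str
    choices: list[str] | None = None   # None = free text; a list = multiple choice
    required: bool = True

@dataclass
class RequestorSettings:
    require_justification: bool = True
    require_approver_justification: bool = True
    questions: list[CustomQuestion] = field(default_factory=list)

@dataclass
class AccessRequest:
    requestor: str
    package: str
    justification: str = ""
    answers: dict[str, str] = field(default_factory=dict)
    state: str = "draft"
    history: list = field(default_factory=list)   # audit trail kept with the request

def validate_submission(settings: RequestorSettings, req: AccessRequest) -> list[str]:
    """Problems that stop a request reaching the approver; an empty list means it is complete."""
    problems: list[str] = []
    if settings.require_justification and not req.justification.strip():
        problems.append("justification is required")
    for q in settings.questions:
        answer = req.answers.get(q.text, "").strip()
        if not answer:
            if q.required:
                problems.append(f"unanswered required question: {q.text!r}")
            continue
        if q.choices is not None and answer not in q.choices:
            problems.append(f"{answer!r} is not an allowed choice for {q.text!r}")
    return problems

def submit(settings: RequestorSettings, req: AccessRequest) -> AccessRequest:
    """Move a draft to pending approval, or record why it was not accepted."""
    problems = validate_submission(settings, req)
    if problems:
        req.state = "incomplete"
        req.history.append(("validation_failed", tuple(problems)))
    else:
        req.state = "pending_approval"
        # Answers travel with the request so the approver sees them, and they are logged.
        req.history.append(("submitted", dict(req.answers)))
    return req

def decide(settings: RequestorSettings, req: AccessRequest, approver: str,
           approve: bool, justification: str = "") -> AccessRequest:
    """Approver decision; enforces the 'require approver justification' setting."""
    if req.state != "pending_approval":
        raise ValueError(f"request is {req.state!r}, not awaiting approval")
    if settings.require_approver_justification and not justification.strip():
        raise ValueError("approver justification is required by policy")
    req.state = "approved" if approve else "denied"
    req.history.append(("decision", approver, req.state, justification))
    return req

# Constructed sample matching Priya's "Clinical Trial Data Access" package.
CLINICAL_TRIAL_SETTINGS = RequestorSettings(questions=[
    CustomQuestion("Which clinical trial ID does this access relate to?"),
    CustomQuestion("Have you completed the data handling training?", choices=["Yes", "No"]),
    CustomQuestion("Expected duration of access needed", choices=["30 days", "90 days", "180 days"]),
])

def demo() -> AccessRequest:
    """Walk one well-formed request through submission and approval (trial ID is constructed)."""
    req = AccessRequest("researcher@meridianhealth.example", "Clinical Trial Data Access",
                        justification="Analysing enrolment data for trial MH-2291",
                        answers={
                            "Which clinical trial ID does this access relate to?": "MH-2291",
                            "Have you completed the data handling training?": "Yes",
                            "Expected duration of access needed": "90 days",
                        })
    submit(CLINICAL_TRIAL_SETTINGS, req)
    return decide(CLINICAL_TRIAL_SETTINGS, req, "dr.chen@meridianhealth.example", True,
                  "Trial MH-2291 is active and training is complete")

if __name__ == "__main__":
    for entry in demo().history:
        print(entry)
```

The `history` list stands in for the audit log the page mentions: every validation failure, submission and decision is recorded with the answers and justifications attached, which is what a compliance reviewer would later pull.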
Tracking and managing requests:
Admins can view all pending, approved, denied, and expired requests in the Entra admin center under Identity Governance → Entitlement management → Requests. They can also:
- Cancel pending requests
- Reprocess failed requests
- Extend expiring assignments
Terms of Use (ToU)
Terms of Use lets you present a legal agreement that users must accept before accessing resources. It’s enforced through Conditional Access — not entitlement management.
Key facts about Terms of Use:
| Setting | Details |
|---|---|
| Format | PDF document (uploaded to Entra ID) |
| Languages | Multiple PDFs for different languages — auto-selects based on browser language |
| Enforcement | Through a Conditional Access policy (ToU is a “grant control”) |
| Consent tracking | Entra records who accepted, when, and which version |
| Re-acceptance | You can set an expiry — users must re-accept on a schedule |
| Per-device consent | Optional — require acceptance on each device, not just once per user |
Scenario: Priya deploys Terms of Use for clinical staff
🔐 Priya uploads a “Clinical Data Handling Agreement” PDF as a Terms of Use. She creates a Conditional Access policy:
- Target: All users in the “Clinical Staff” group
- Cloud apps: Clinical Research Portal, Patient Data Warehouse
- Grant control: Require “Clinical Data Handling Agreement” Terms of Use
Now when clinical staff access these apps, they see the agreement and must click Accept. Priya sets re-acceptance to every 90 days so staff stay current with policy changes.
Exam tip: Terms of Use is a grant control in Conditional Access — it sits alongside “Require MFA” and “Require compliant device” in the grant section, not in session controls.
Exam tip: ToU consent expiry
When you update a Terms of Use document (upload a new PDF version), you can choose whether to require all users to re-accept. If you set a recurring consent schedule (e.g., every 90 days), users must re-accept even if the document hasn’t changed.
The exam loves testing the difference between version-based re-consent (new PDF uploaded) and schedule-based re-consent (time-based expiry).
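The two re-consent triggers are easier to keep apart when written down as a decision. The following Python is an added example, not code from the page or from Microsoft; the `TermsOfUse` and `ConsentRecord` classes, the user names and the dates are constructed, and the 90-day schedule and version numbering follow Priya's scenario.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class TermsOfUse:
    name: str
    current_version: int                    # bumped each time a new PDF is uploaded
    reaccept_on_new_version: bool = True    # the "require users to re-accept" choice made at upload
    reaccept_every_days: int | None = None  # recurring consent schedule; None = consent never expires

@dataclass(frozen=True)
class ConsentRecord:
    user: str
    accepted_version: int
    accepted_at: datetime

def reacceptance_reason(tou: TermsOfUse, consent: ConsentRecord | None, now: datetime) -> str | None:
    """Why this user must (re)accept before the grant control is satisfied, or None if consent is current."""
    if consent is None:
        return "never-accepted"
    if tou.reaccept_on_new_version and consent.accepted_version < tou.current_version:
        return "new-version"      # version-based re-consent: the PDF changed
    if tou.reaccept_every_days is not None:
        if now - consent.accepted_at >= timedelta(days=tou.reaccept_every_days):
            return "schedule"     # time-based re-consent: the PDF is unchanged, the consent aged out
    return None

def users_needing_reacceptance(tou: TermsOfUse, users: list[str],
                               consents: list[ConsentRecord], now: datetime) -> dict[str, str]:
    """Map each user who would be prompted to the reason, using only their most recent consent."""
    latest: dict[str, ConsentRecord] = {}
    for c in consents:
        if c.user not in latest or c.accepted_at > latest[c.user].accepted_at:
            latest[c.user] = c
    return {u: reason for u in users if (reason := reacceptance_reason(tou, latest.get(u), now))}

# Constructed sample: Priya's agreement is on its second PDF, with a 90-day schedule.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
AGREEMENT = TermsOfUse("Clinical Data Handling Agreement", current_version=2, reaccept_every_days=90)
STAFF = ["alice@meridianhealth.example", "bob@meridianhealth.example",
         "carol@meridianhealth.example", "dave@meridianhealth.example"]
CONSENTS = [
    ConsentRecord("alice@meridianhealth.example", 2, NOW - timedelta(days=10)),   # current
    ConsentRecord("bob@meridianhealth.example", 1, NOW - timedelta(days=5)),      # old PDF version
    ConsentRecord("carol@meridianhealth.example", 1, NOW - timedelta(days=200)),  # superseded record
    ConsentRecord("carol@meridianhealth.example", 2, NOW - timedelta(days=91)),   # aged past 90 days
    # dave has never accepted
]

def demo() -> dict[str, str]:
    return users_needing_reacceptance(AGREEMENT, STAFF, CONSENTS, NOW)

if __name__ == "__main__":
    for user, reason in demo().items():
        print(f"{user}: {reason}")
```

Bob is prompted even though he accepted five days ago (version-based), and Carol is prompted even though she accepted the current PDF (schedule-based); that is exactly the distinction the exam tip describes.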
External user lifecycle management
Guest users (B2B collaboration) need lifecycle management — otherwise you end up with hundreds of stale guest accounts cluttering your directory.
Entra ID external user lifecycle settings:
| Setting | What It Does |
|---|---|
| Manage external user lifecycle | Automatically block and remove guest users who lose all access package assignments |
| Block external user from sign-in | Number of days after losing last assignment before sign-in is blocked |
| Remove external user | Number of days after sign-in is blocked before the account is deleted |
Scenario: Jake manages external collaborator lifecycle
🏪 Jake at Coastline Creative works with freelance designers who get guest access through access packages. He configures the external lifecycle settings:
- When a freelancer’s last access package expires → wait 30 days → block sign-in
- After sign-in is blocked → wait 30 days → delete the guest account
This gives freelancers a 30-day grace period to re-request access if a project extends, but ultimately cleans up accounts automatically. No more manually hunting for stale guest accounts.
Before these settings: Jake had 47 stale guest accounts from projects that ended months ago. Now cleanup is automatic.
Exam tip: Lifecycle only applies to entitlement-managed guests
The automatic external lifecycle settings only apply to guest users whose access was managed through entitlement management (access packages). Guest users invited directly (not through access packages) are NOT automatically cleaned up by these settings.
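The two timers in the settings table, Jake's 30/30 configuration, and the exam tip's caveat about directly invited guests can be checked together in a small model. This Python is an added example, not the page's or Microsoft's code: the `Guest` and `LifecycleSettings` classes, the guest names and the dates are constructed, and the day counts are Jake's.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class LifecycleSettings:
    manage_external_lifecycle: bool = True
    block_after_days: int = 30     # "Block external user from sign-in"
    delete_after_days: int = 30    # "Remove external user"

@dataclass(frozen=True)
class Guest:
    upn: str
    invited_by_entitlement_management: bool
    last_assignment_ended: datetime | None = None   # None = still holds an access package assignment
    signin_blocked_at: datetime | None = None

def lifecycle_action(settings: LifecycleSettings, guest: Guest,
                     now: datetime) -> tuple[str, datetime | None]:
    """What the lifecycle engine does for this guest now, plus the date the next step is due."""
    if not settings.manage_external_lifecycle or not guest.invited_by_entitlement_management:
        return ("none", None)      # directly invited guests are out of scope of these settings
    if guest.last_assignment_ended is None:
        return ("none", None)      # still has at least one assignment
    if guest.signin_blocked_at is None:
        due = guest.last_assignment_ended + timedelta(days=settings.block_after_days)
        return ("block", due) if now >= due else ("wait_block", due)
    due = guest.signin_blocked_at + timedelta(days=settings.delete_after_days)
    return ("delete", due) if now >= due else ("wait_delete", due)

def run_cleanup(settings: LifecycleSettings, guests: list[Guest],
                now: datetime) -> dict[str, tuple[str, datetime | None]]:
    return {g.upn: lifecycle_action(settings, g, now) for g in guests}

# Constructed sample: Jake's 30-day grace period, then 30 days blocked before deletion.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
JAKE_SETTINGS = LifecycleSettings(block_after_days=30, delete_after_days=30)
GUESTS = [
    Guest("fay@freelance.example", True, last_assignment_ended=NOW - timedelta(days=31)),
    Guest("gus@freelance.example", True, last_assignment_ended=NOW - timedelta(days=10)),
    Guest("hal@freelance.example", True, last_assignment_ended=NOW - timedelta(days=70),
          signin_blocked_at=NOW - timedelta(days=31)),
    Guest("ivy@freelance.example", True),                                   # active project
    Guest("jon@agency.example", False, last_assignment_ended=NOW - timedelta(days=400)),  # direct invite
]

def demo() -> dict[str, tuple[str, datetime | None]]:
    return run_cleanup(JAKE_SETTINGS, GUESTS, NOW)

if __name__ == "__main__":
    for upn, (action, due) in demo().items():
        print(f"{upn}: {action}" + (f" (due {due.date()})" if due else ""))
```

Jon is the case the exam tip warns about: his account is a year past its last assignment, but because he was invited directly rather than through an access package, these settings never touch him and he has to be found another way (an access review, for instance).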
Connected organisations
A connected organisation represents a partner company whose users can request your access packages. Instead of inviting guests one by one, you pre-approve the relationship.
Two types of connected organisations:
| Feature | Entra ID Tenant | Domain-based |
|---|---|---|
| Partner identity | Another Microsoft Entra tenant (tenant ID) | An email domain (e.g., partner.com) |
| Authentication | Partner's own Entra ID | Email OTP or other identity provider |
| Best for | Partners using Microsoft 365 / Azure | Partners without Microsoft cloud accounts |
| Configuration | Specify the partner's tenant ID | Specify the partner's domain name |
| Sponsor | Internal users who manage the relationship | Internal users who manage the relationship |
How it works with access packages:
- You create a connected organisation for your partner
- In an access package policy, you set “Who can request” to include connected organisations
- Partner users discover the package at myaccess.microsoft.com (using their own credentials)
- They submit a request → approval workflow → access granted
Sponsors are internal users designated as points of contact for a connected organisation. They can be set as approvers for access requests from that organisation.
Scenario: Meridian Health partners with a research university
🔐 Priya creates a connected organisation for Westfield University (an Entra ID tenant). She designates Dr. Chen as the internal sponsor.
She then creates an access package policy:
- Who can request: Users from connected organisations (Westfield University)
- Approval: Dr. Chen (sponsor) must approve
- Expiration: 180 days (aligns with the research project timeline)
University researchers go to myaccess.microsoft.com, sign in with their university credentials, find the “Research Collaboration” access package, and request it. Dr. Chen reviews and approves. When the 180 days expire, access is automatically revoked.
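The table of connected organisation types, the "how it works" steps and the Westfield University scenario can be tied together by resolving who a requestor is and whether a policy lets them ask. This Python is an added example, not code from the page or from Microsoft: the classes, the `evaluate_request` function, the tenant ID placeholder, the domain-based partner "Harbor Design Co" and the email addresses are all constructed; the policy values (Westfield University, Dr. Chen as sponsor-approver, 180-day expiry) come from the scenario.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class ConnectedOrganization:
    name: str
    kind: str                  # "tenant" (matched on the partner's tenant ID) or "domain" (email domain)
    identifier: str            # tenant ID for kind="tenant", email domain for kind="domain"
    sponsors: tuple[str, ...]  # internal users who manage the relationship

@dataclass(frozen=True)
class Requestor:
    email: str
    home_tenant_id: str | None = None   # None for identities without an Entra tenant (e.g. email OTP)

def resolve_connected_org(orgs: list[ConnectedOrganization],
                          requestor: Requestor) -> ConnectedOrganization | None:
    """Find the connected organisation a requestor belongs to; tenant match is checked before domain."""
    tenant = (requestor.home_tenant_id or "").lower()
    domain = requestor.email.rsplit("@", 1)[-1].lower()
    for org in orgs:
        if org.kind == "tenant" and tenant and org.identifier.lower() == tenant:
            return org
    for org in orgs:
        if org.kind == "domain" and org.identifier.lower() == domain:
            return org
    return None

@dataclass(frozen=True)
class RequestPolicy:
    package: str
    allowed_orgs: frozenset[str]   # "Who can request": connected organisations, by name
    sponsor_approves: bool = True  # route approval to the organisation's sponsors
    expires_after_days: int = 180

def evaluate_request(policy: RequestPolicy, orgs: list[ConnectedOrganization],
                     requestor: Requestor) -> dict:
    """Decide whether the requestor may ask for the package, and who would approve."""
    org = resolve_connected_org(orgs, requestor)
    if org is None or org.name not in policy.allowed_orgs:
        return {"allowed": False, "reason": "requestor is not from an allowed connected organisation"}
    return {"allowed": True, "organisation": org.name,
            "approvers": list(org.sponsors) if policy.sponsor_approves else [],
            "expires_after_days": policy.expires_after_days}

# Constructed sample. The tenant ID is a placeholder, not a real Entra tenant.
ORGS = [
    ConnectedOrganization("Westfield University", "tenant", "TENANT-ID-WESTFIELD-PLACEHOLDER",
                          sponsors=("dr.chen@meridianhealth.example",)),
    ConnectedOrganization("Harbor Design Co", "domain", "harbordesign.example",
                          sponsors=("procurement@meridianhealth.example",)),
]
RESEARCH_POLICY = RequestPolicy("Research Collaboration", frozenset({"Westfield University"}))

def demo() -> dict:
    researcher = Requestor("researcher@westfield.example", "TENANT-ID-WESTFIELD-PLACEHOLDER")
    return evaluate_request(RESEARCH_POLICY, ORGS, researcher)

if __name__ == "__main__":
    print(demo())
```

Note that Harbor Design Co is a valid connected organisation but still cannot request the research package: being connected only makes a partner eligible to appear in policies, and each access package policy decides separately which organisations it admits.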
Knowledge Check
Priya needs clinical staff to accept a data handling agreement before accessing the Research Portal. The agreement must be re-accepted every 90 days. How should she implement this?
Jake has 30+ stale guest accounts from completed projects. He wants future guest accounts to be automatically cleaned up when their access packages expire. What should he configure?
Meridian Health partners with a university for a research project. University researchers need to request access to Meridian's research SharePoint. Priya wants researchers to use their existing university credentials. What should she set up?
Next up: Access Reviews: Plan, Create & Monitor — how to set up periodic reviews that ensure the right people still have the right access.