Access Package Documentor – A Reporting Tool for Entra ID Governance

If you have been working with Access Packages in Entra ID Governance, you probably know that getting a proper overview of your setup is not easy. There is no built-in way to see all your catalogs, packages, policies, and resources in one place. I have written about some of the challenges before, like finding and cleaning up deleted resources and locating what Access Packages a specific resource is added to. Those scripts solve specific problems, but they don’t give you the full picture.

That is what the Access Package Documentor does.

The idea

Native reporting for Access Packages is essentially non-existent. If you need to document an Access Package setup, you are clicking through the Entra portal catalog by catalog, package by package. In smaller environments with just a handful of packages, that might be fine. But in larger organizations with many catalogs, packages, policies, and resources, it quickly becomes time-consuming and error-prone.

The idea behind the Access Package Documentor is to provide a single report that shows everything in one place. One command, one report, full overview.

How it came about

It started with a question in the EMS Discord, which is run by Jonas Bøgvad and his team. Sebastian Flæng Markdanner asked if anyone knew of a reporting tool for Access Packages. Nobody did, because there wasn’t one.

Sebastian reached out to me shortly after with some early mockups for a visual mindmap-style overview. We went back and forth on the design, and I suggested starting from the catalog level with a drill-down approach and a details panel on the side. We jumped on a Discord call where he showed me an early version, and from there things moved quickly.

Sebastian initially had both a web app version and a PowerShell version. He decided to go with the pure PowerShell approach and an interactive HTML report, which I thought was a good call – it keeps things simple and accessible. He also built a JSON export with ID-to-name translations for the raw data. Once the tool was ready, he integrated it into his M365IdentityPosture reporting module, which already included an Authentication Context Inventory Report.

I contributed throughout the process with brainstorming, writing code, troubleshooting, and gathering feedback. Nico Wyss, the creator of the Access Package Builder, also provided valuable input.

What it does

The Access Package Documentor is part of the M365IdentityPosture PowerShell module. It generates an interactive HTML report that visualizes your entire Access Package setup. You run a single command and get a report that covers:

  • Catalogs and Access Packages – the full structure across all your catalogs
  • Assignment policies – what each policy targets and what access it grants
  • Resources – groups, applications, and SharePoint sites linked to packages
  • Separation of Duty – incompatible access package configurations
  • Orphaned resources – resources added to a catalog but not used in any Access Package, highlighted with a yellow border so they are easy to spot
  • Custom Extensions – any custom extensions configured on your packages

Visual layout

The report opens with a visual overview of your catalogs. From there, you can drill down through the different layers – catalogs, packages, policies, resources – by double-clicking or expanding nodes. Each resource type has its own color for readability.

Clicking any node opens a details panel on the right side, showing the configuration specific to that node type. For example, selecting a policy shows its configuration details, while selecting a resource shows which packages it belongs to.

Search and filter

There is a search bar that highlights results directly in the graph and shows where each match exists within catalogs and packages. Clicking a result zooms into the relevant node. You can also filter by catalog or package to scope what is shown in the visualization.

Export

The report can be exported as Markdown, JSON, PNG, or JPEG. The JSON export is particularly useful if you need to process the data further, as it contains the raw data with ID-to-name translations (user IDs to UPNs, group IDs to display names, and so on).

How to use it

Install the module and run the report:

Install-Module -Name M365IdentityPosture -Scope CurrentUser
Import-Module -Name M365IdentityPosture
Invoke-AccessPackageDocumentor

The required permissions are EntitlementManagement.Read.All and Directory.Read.All. Everything is read-only. The output is a self-contained HTML file that you can open in any browser, share with colleagues, or attach to documentation.

Use cases

Here are some of the scenarios where I see this being useful:

  • Documenting Access Package setups – whether it is for internal documentation, a client handover, or explaining the setup to a colleague, having a visual overview is much easier than clicking through the portal or assembling screenshots.
  • Security and governance reviews – quickly see the full picture of your entitlement management configuration, including separation of duty rules and policy configurations.
  • Audit preparation – having a snapshot of your Access Package configuration ready for auditors saves a lot of manual work.
  • Tracking changes over time – running the report on a schedule allows you to compare reports and detect unexpected configuration changes.
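One way to do the change tracking from the last use case is to diff two JSON exports taken at different times. The script below is an added example, not part of the M365IdentityPosture module: the function names and the sample JSON structure are constructed for illustration, since the export schema is not shown here, and keying array items by an id property is an assumption.

```powershell
# Added example: structure-agnostic diff of two JSON snapshots.
# Assumption: array items carry an "id" property; items without one fall back to their index.
function ConvertTo-FlatMap {
    param($Node, [string]$Path = '$', [hashtable]$Map = @{})
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($p in $Node.PSObject.Properties) {
            $null = ConvertTo-FlatMap -Node $p.Value -Path ('{0}.{1}' -f $Path, $p.Name) -Map $Map
        }
    } elseif ($Node -is [System.Collections.IEnumerable] -and $Node -isnot [string]) {
        $i = 0
        foreach ($item in $Node) {
            # Key by id so that reordered items do not show up as changes
            $key = if ($item.id) { $item.id } else { $i }
            $null = ConvertTo-FlatMap -Node $item -Path ('{0}[{1}]' -f $Path, $key) -Map $Map
            $i++
        }
    } else {
        $Map[$Path] = "$Node"   # leaf value, stored as string for comparison
    }
    return $Map
}

function Compare-ExportSnapshot {
    param([string]$BaselineJson, [string]$CurrentJson)
    $old = ConvertTo-FlatMap -Node ($BaselineJson | ConvertFrom-Json)
    $new = ConvertTo-FlatMap -Node ($CurrentJson | ConvertFrom-Json)
    foreach ($k in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        $change = if (-not $old.ContainsKey($k)) { 'Added' } elseif (-not $new.ContainsKey($k)) { 'Removed' } elseif ($old[$k] -cne $new[$k]) { 'Changed' }
        if ($change) { [pscustomobject]@{ Change = $change; Path = $k; Old = $old[$k]; New = $new[$k] } }
    }
}

# Constructed sample snapshots (not the tool's actual export schema)
$baseline = @'
{"catalogs":[{"id":"c1","displayName":"HR","accessPackages":[
  {"id":"p1","displayName":"HR Base","policies":[{"id":"pol1","approvalRequired":true}],
   "resources":[{"id":"g1","displayName":"HR Users"}]}]}]}
'@
$current = @'
{"catalogs":[{"id":"c1","displayName":"HR","accessPackages":[
  {"id":"p1","displayName":"HR Base","policies":[{"id":"pol1","approvalRequired":false}],
   "resources":[{"id":"g2","displayName":"HR Admins"},{"id":"g1","displayName":"HR Users"}]}]}]}
'@

Compare-ExportSnapshot -BaselineJson $baseline -CurrentJson $current | Format-Table -AutoSize
```

For real exports, pass the file contents with Get-Content -Raw and review any Changed or Added rows on policies and resources first, since those alter who can obtain access.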

Read more

Sebastian has written a full write-up on the M365IdentityPosture module that goes into more detail on all the features, including the Authentication Context Inventory Report and a full walkthrough of the Access Package Documentor with screenshots.

The module is open source on GitHub and the goal is for it to grow into a community-driven toolkit for identity and security reporting across the Microsoft Cloud.