Microsoft Entra Access Packages represent a meaningful step forward in how organizations think about access management. The concept is straightforward: instead of granting individual permissions app by app, you bundle resources and roles into a package, define who can request it and under what conditions, and let the platform handle provisioning, time limits, and reviews.
For organizations already invested in the Microsoft ecosystem, this is genuinely useful. It brings structure to access requests, automates onboarding for both employees and external collaborators, and gives department heads more control without routing everything through IT.
But Access Packages are a Microsoft-native solution. They govern what lives inside Microsoft Entra. The average enterprise also runs Salesforce, Jira, GitHub, Slack, Workday, and dozens of other SaaS applications that sit outside the Microsoft perimeter entirely. That's the gap this article addresses.
What Microsoft Entra Access Packages Actually Do
Before looking at the limitations, it's worth understanding what Access Packages do well, because the capability is substantial.
Bundled access provisioning. An Access Package can include multiple resources: SharePoint sites, Teams memberships, Azure AD groups, and applications registered in Entra. A new hire in the marketing department gets one package that grants all the access their role requires, rather than individual grants spread across separate workflows.
Policy-driven eligibility. Access Packages let administrators define who can request access (specific users, groups, or external organizations), whether approval is required and from whom, and how long access lasts before it needs to be renewed or expires automatically.
Time-limited access for external collaborators. One of the strongest use cases is granting contractors or external partners secure, time-bound access to specific resources without creating permanent accounts. The package defines the duration, and Entra enforces the expiration automatically.
Delegated catalog management. Administrators can delegate the management of specific catalogs to department heads or resource owners, reducing IT workload and giving teams ownership over the access they control.
Access reviews. Entra's access review capability integrates with Access Packages to run periodic certification campaigns, prompting approvers to confirm whether access is still needed.
For organizations running a Microsoft-native environment, this covers a substantial portion of the identity governance problem.
Where Entra Access Packages Stop
The limitation is scope. Access Packages govern resources that are managed within Microsoft Entra. Applications and systems outside the Microsoft ecosystem require separate management.
In practice, this means that the governance framework you've built in Entra doesn't extend to:
SaaS applications without native Entra integration. Tools like Salesforce, Zendesk, HubSpot, or dozens of others may support SAML-based SSO through Entra, but their internal permission structures, role assignments, and license management operate independently. Entra can authenticate users into these applications. It can't govern what roles they hold inside them or trigger deprovisioning within the application when access should end.
Shadow IT. Applications purchased by individual teams without going through IT are invisible to Entra entirely. They have their own accounts, their own admin structures, and no connection to the central identity governance framework.
Cross-system access reviews. Running a comprehensive access review that covers both Microsoft applications and the broader SaaS stack requires pulling data from outside Entra, which Access Packages don't facilitate natively.
HRMS-driven lifecycle events. Entra can be configured to respond to HR-driven events through tools like Microsoft Identity Governance's Lifecycle Workflows, but the integration depth and flexibility varies. Organizations using Workday, BambooHR, or other HRMS platforms as the authoritative source of truth for employee lifecycle events need to evaluate how cleanly that connection works at their scale and configuration.
None of these limitations are criticisms of Entra. They reflect the reality that identity governance across a full enterprise SaaS stack is a broader problem than any single ecosystem's native tools are designed to solve.
How Zluri Extends Governance Beyond the Microsoft Ecosystem
Zluri is an IGA platform that covers the same three governance areas highlighted in the Entra Access Packages framework: automated onboarding and offboarding, time-limited access, and delegated access management. The difference is that it applies these capabilities across 300+ SaaS integrations, not just within the Microsoft ecosystem.
Joiner, Mover, Leaver Lifecycle Automation
Zluri treats the HRMS, whether Workday, BambooHR, or another platform, as the authoritative source of truth for identity lifecycle events. When a new hire record is created, Zluri detects the event and automatically triggers a role-specific onboarding playbook that provisions access across every application the role requires: Microsoft applications through Entra, and every other SaaS tool in the stack through direct integrations.
The same applies to role changes and departures. When an employee changes departments, their access is updated across all connected applications simultaneously. When they leave, a deprovisioning playbook revokes access across the full environment, including applications that sit outside Entra's governance scope.
Crucially, Zluri now uses Azure AD as its single source of truth for user and license data, and uses Microsoft 365 strictly to pull application activity and usage data. This means governance decisions made in Zluri stay synchronized with the state in Entra, rather than creating a parallel identity record.
Time-Bound Access Across the SaaS Stack
Zluri's Access Requests module handles time-limited access in the same way Entra Access Packages do for Microsoft resources, but extended to any application in the catalog. An employee or manager specifies the duration of access needed, down to the hour or day. Once approved, a provisioning playbook grants access. When the duration expires, a linked deprovisioning playbook runs automatically and access is revoked, regardless of whether anyone manually triggers it.
This ensures that temporary access is genuinely temporary across the entire application landscape, not just within Microsoft-managed resources.
Delegated Access Management via Slack and App Catalog
Instead of routing all access requests through IT, Zluri's App Catalog gives employees a self-service portal to browse approved applications and request what they need. Requests are automatically routed to the designated approver, whether that's a department head, an application owner, or a defined approval chain, via Slack or email.
The approver reviews and approves with a single click. Zluri's provisioning playbook runs immediately. IT is not in the loop for routine requests. This mirrors the delegation model in Entra Access Packages but applies it across every SaaS application the organization uses, not just those in the Microsoft catalog.
Entra and Zluri: Complementary, Not Competing
The right framing here is not Entra Access Packages versus Zluri. It's Entra handling what it handles best, and Zluri extending that governance posture to the broader SaaS environment.
Many organizations run both. Entra governs Microsoft resources natively. Zluri picks up everything outside the Microsoft perimeter, and synchronizes its governance decisions back to Entra so the identity picture stays consistent across both.
For access reviews, this means a single certification campaign can cover the full application landscape rather than running separate reviews for Microsoft resources and non-Microsoft applications. For lifecycle management, it means onboarding and offboarding playbooks run once and cover everything, rather than requiring separate workflows per ecosystem.
The Broader Governance Picture
Access Packages are a step in the right direction for any organization trying to move from ad hoc access management to structured, auditable governance. The discipline they introduce, bundled access, defined eligibility, time limits, delegation, is the right model regardless of which tools enforce it.
The question is how far that discipline extends. For organizations whose SaaS footprint is predominantly Microsoft, Entra may cover the majority of what they need. For organizations running a broader SaaS stack, the governance posture built in Entra needs to be extended to cover the full environment, or the gaps between what's governed and what isn't become the primary risk surface.
Zluri is built for that extension: connecting the governance framework to every application in the stack, automating the lifecycle events that create the most access risk, and maintaining the audit trail that compliance frameworks require across the full environment.
.svg)
