Quick reference blogpost here 📝 This is how to take all members of an Entra ID group and assign them to an access package using PowerShell.
# --- Settings: edit these three values for your tenant ---
# Id of the access package the group members will be assigned to
$accesspackageid = '4dbc5088-7ba9-4d81-a4c1-51595581ba1d'
# Assignment policy to use; keep $null to fall back to the first policy of the access package
$assignmentpolicyid = $null
# Id of the Entra ID group whose members will be assigned
$group = '38520aee-c2c9-4900-8405-862902df2c88'
# --- End of settings: nothing below this line needs editing ---
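# Install the Graph modules this script calls, for the current user only.
# Microsoft.Graph.Groups is included because Get-MgGroupMember (used further down)
# ships in that module, not in Microsoft.Graph.Identity.Governance.
# Install-Module pulls from the registered repository; pin a reviewed version
# with -RequiredVersion if your environment requires it.
Install-Module -Name Microsoft.Graph.Identity.Governance, Microsoft.Graph.Groups -Scope CurrentUser

# Sign in with delegated scopes. EntitlementManagement.ReadWrite.All is what allows
# the assignment requests created below; the two read scopes cover directory lookups.
# NOTE(review): nothing in this script visibly needs User.Read.All on its own -
# confirm whether it can be dropped to keep the consented scopes minimal.
Connect-MgGraph -Scopes EntitlementManagement.ReadWrite.All, User.Read.All, Group.Read.All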
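# Load the access package (with its catalog and assignment policies expanded)
$accessPackage = Get-MgEntitlementManagementAccessPackage -AccessPackageId $accesspackageid -ExpandProperty catalog, assignmentPolicies

# When no policy was configured, fall back to the first policy of the access package
if ($null -eq $assignmentpolicyid) {
    $assignmentpolicyid = $accessPackage.AssignmentPolicies.id | Select-Object -First 1
}

# Every assignment of this access package, with the target (the assigned identity) expanded
$assignments = Get-MgEntitlementManagementAssignment -Filter "accessPackage/id eq '$($accesspackageid)'" -ExpandProperty target -All

# Map of existing assignments, keyed by the target's object id.
# Only assignments in state "delivered" count as existing; any other state is
# treated as "not assigned" by the membership check that uses this map.
# -AsString forces plain string keys so that ContainsKey() with a member id
# matches no matter how the calculated property value is wrapped.
$assignmentsMap = $assignments |
    Where-Object state -eq "delivered" |
    Group-Object -AsHashTable -AsString -Property { $_.Target.ObjectId }

# Group-Object returns nothing when there is no input; use an empty map instead
if ($null -eq $assignmentsMap) {
    $assignmentsMap = @{}
}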
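# Get all group members and request an assignment for each one that does not
# already have a delivered assignment.
# NOTE(review): Get-MgGroupMember returns every direct member object; the loop
# assumes each one is a user - confirm the group holds no nested groups or devices.
$groupMembers = Get-MgGroupMember -GroupId $group -All

# Resolve the single policy that will be used. The approval check and the request
# must both refer to this policy: reading .id or the approval flag across
# $accessPackage.AssignmentPolicies yields one value per policy when the access
# package has several, which ignores the configured $assignmentpolicyid.
$selectedPolicy = $accessPackage.AssignmentPolicies |
    Where-Object { $_.Id -eq $assignmentpolicyid } |
    Select-Object -First 1
if ($null -eq $selectedPolicy) {
    throw "Assignment policy $assignmentpolicyid was not found on access package $($accessPackage.DisplayName)"
}

# adminAdd requests are only submitted when the policy needs no approval for new assignments
$approvalRequired = [bool]$selectedPolicy.RequestApprovalSettings.IsApprovalRequiredForAdd

$groupMembers | ForEach-Object {
    if ($assignmentsMap.ContainsKey($_.id)) {
        Write-Host "User $($_.id) already assigned to access package $($accessPackage.DisplayName)"
    }
    elseif ($approvalRequired) {
        Write-Warning "Approval required for adding user to access package $($accessPackage.DisplayName), this should be disabled before adding users this way"
    }
    else {
        Write-Host "Adding user $($_.id) to access package $($accessPackage.DisplayName)"
        # Direct admin assignment of this member under the selected policy
        New-MgEntitlementManagementAssignmentRequest -Assignment @{
            targetId           = $_.id
            assignmentPolicyId = $selectedPolicy.Id
            accessPackageId    = $accessPackage.Id
        } -RequestType "adminAdd" | Out-Null
    }
}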