Azure Entitlement Management – “Value does not fall within the expected range.”

I’ve been working with Azure Entitlement Management and its a great tool as part of Azure AD Identity Governance. It can help with lifecycle management for employees and business guests, enable Self-service, provide Multi-stage approval workflows, recurring access reviews and provide time-limited access with guests removed when last access expires.

For more information on Azure Entitlement Manager check this out

Please note using this feature requires an Azure AD Premium P2 license.

No surprise im looking at this for Teams Guest access, so a external user from another tenant can request access to a Team hosted on another tenant and this can provide self request, approvals and identity lifecycle governance as well.

Whilst configuring on a demo tenant i came across an issue where after a request was approved the requester the Guest account was never added to the directory or added to the Team (Resource)

On checking the access packages under requests i could see the request with the status “Delivery failed”

Under the error i see the status above.

I looked at this and first tried to check a Guest account for the user manually where errored so this lead me to think it could be permisson related so i went to check the Azure B2B configurations and checked this against the dependencies listed here but i couldn’t see anything missing

I did notice that i had disabled the ability for admins and users in the guest inviter roles to add Guest so i assume this was stopping Entitlement Management from working so that i needed to allow

“Admins and users in the guest inviter role can invite”

After i changed this setting i retested the access package request and my guest account was automatically created in my directory and the guest was added to the Team.


Thanks to Guy Partridge as well for his help brainstorming the solution 🙂


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.