10.21.26

What Microsoft docs don't tell you about Entitlement Management access packages

The edge cases, the multi-policy assignment patterns, and the gotchas you only learn from breaking things.

Entitlement Management is one of those features that looks straightforward in the documentation but reveals its complexity the moment you try to implement it in a real organization.

The multi-policy trap

Access packages can have multiple policies, but the interaction between them isn't always intuitive. If a user qualifies for multiple policies, Azure AD picks the one with the longest duration—not necessarily the one you intended.

Approval workflows

The approval workflow configuration has some undocumented behaviors. If you set up a two-stage approval and the first approver is unavailable, the request doesn't fail gracefully. It just sits there.

My recommendation

Start simple. One policy per access package until you understand the interaction model. Then add complexity incrementally.
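
A way to check a tenant for both gotchas above, as an added example that is not from the original post: it flags access packages carrying more than one policy, ranked longest lifetime first, and approval requests that have sat in pendingApproval too long. The sample data is constructed and shaped like Microsoft Graph access package and assignment request objects; the function names, the 7-day threshold, and the simplified "PnD" duration parsing are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data, shaped like Graph accessPackage (with assignmentPolicies
# expanded) and accessPackageAssignmentRequest objects; only the fields used here.
PACKAGES = [
    {"displayName": "Finance Apps", "assignmentPolicies": [
        {"displayName": "Employees 90d", "expiration": {"type": "afterDuration", "duration": "P90D"}},
        {"displayName": "Contractors 365d", "expiration": {"type": "afterDuration", "duration": "P365D"}}]},
    {"displayName": "VPN", "assignmentPolicies": [
        {"displayName": "All staff", "expiration": {"type": "noExpiration"}}]},
]
REQUESTS = [
    {"id": "req-1", "state": "pendingApproval", "createdDateTime": "2026-09-01T08:00:00Z"},
    {"id": "req-2", "state": "pendingApproval", "createdDateTime": "2026-10-19T08:00:00Z"},
    {"id": "req-3", "state": "delivered", "createdDateTime": "2026-08-01T08:00:00Z"},
]

def policy_days(policy):
    """Policy lifetime in days. noExpiration is unbounded; assumption: only
    'PnD' durations are parsed, anything else ranks last as 0."""
    exp = policy.get("expiration", {})
    if exp.get("type") == "noExpiration":
        return float("inf")
    m = re.fullmatch(r"P(\d+)D", exp.get("duration") or "")
    return int(m.group(1)) if m else 0

def multi_policy_packages(packages):
    """Map package name -> policy names (longest lifetime first) for every
    package with more than one policy, so the overlap can be reviewed."""
    flagged = {}
    for pkg in packages:
        policies = pkg.get("assignmentPolicies", [])
        if len(policies) > 1:
            ranked = sorted(policies, key=policy_days, reverse=True)
            flagged[pkg["displayName"]] = [p["displayName"] for p in ranked]
    return flagged

def stale_pending(requests, now, max_age=timedelta(days=7)):
    """Ids of requests still in pendingApproval after max_age (assumed 7 days)."""
    stale = []
    for req in requests:
        created = datetime.fromisoformat(req["createdDateTime"].replace("Z", "+00:00"))
        if req["state"] == "pendingApproval" and now - created > max_age:
            stale.append(req["id"])
    return stale

if __name__ == "__main__":
    print(multi_policy_packages(PACKAGES))
    print(stale_pending(REQUESTS, datetime(2026, 10, 21, tzinfo=timezone.utc)))
```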