Coding Stephan

Experts Live NL 2026: Workcation unlocked

I want to do a session on access packages at Experts Live The Netherlands, will you join me Fabian? This question was the start of our session on Access packages at Experts Live NL, with this idea in mind I had to think up a clever use-case that would spark interest with both the content team and the attendees.

What about enabling a workcation?

Experts Live: Workcation unlocked using Access Packages selfie

Introduction to access packages

We submitted this session as an introduction level session on access packages. This key part of Identity Governance does not get enough attention in our opinion.

  • What is an access package?
  • What resources can you grant access to using such a package?
  • What is needed to utilize access packages?
    / [pdf]

Workcation unlocked?

Enabling a workcation was the red line throughout the talk, we used it to show requesting on-behalf-of packages. And the approval flow. Ingredients for a workcation access package:

  • A group called cap-workcation-allowed and a group leadership
  • A conditional access policy
    • Block access to All cloud apps from other countries then the default operating countries.
    • Excluding the Leadership group and the cap-workcation-allowed group.
  • An access package that temporary adds the user to the group cap-workcation-allowed

If the user was not yet on abroad, he/she could have requested the workcation by itself, but because access to all apps is blocked from the vacation country. This user was not able to request the workcation. After a text to his manager, the manager made the request on the portal skipping the approval flow. Because this access package can only be granted for a set period, the access is automatically revoked after the set time.

Access packages compared to PIM

These features complement each other, the biggest difference is between the two is that Privileged identity management is for temporary elevating your access to do some privileged stuff. The lifetime should be counted in hours or minutes.

Use-cases for access packages

Here are some ideas where you could really use the self-service part of access packages:

  • Opt-in to more security (group, CA-policy)
  • Requesting expensive licenses (group, group-based license), which approval and self extending.
  • Opt-in to test group, think new conditional access or Intune policies
  • Opt-out of Intune settings
  • Requesting expensive desktop applications (group, Intune app assignment)
  • Requesting an admin account (using custom extensions)
  • Grant B2B guests access to management application

We had a blast

Being on stage with Fabian always is a joy. We enjoyed giving this talk, and it seems most attendees also liked it. Getting the attendees to even submit their feedback is always an issue, not sure how we could make this better.

Experts Live NL 2026: Scores are in

Greetings from the conference floor!

Experts Live NL 2026: Fabian and Stephan

Continue the conversation

Want to join the conversation on access packages, leave your comments under this post: