How to create access package in Azure
I'm new to Azure AD. I was going through this and this to understand how to create an access package in Azure. However, I'm not very clear, as I have a few groups to be added to the access package. This is about creating the access package from scratch.
My question is: do I need to choose the subscription first, then create the group, and then create the access package and add the groups to the access package?
I can't see where to choose the subscription. I have a subscription name where the access package needs to be created. How do I choose the subscription while creating the access package?
I have multiple groups for which I think I have to create one access package. I'm not very sure what the flow or the best way to approach it should be. What can I try next? I know this could be a step-by-step process; however, I think I'm missing fundamentals.
Solution 1:[1]
• First, when you log in to your Azure subscription, please check whether that subscription has an Azure AD Premium P1 or P2 license assigned, if that is the subscription that you intend to use for creating access packages. You don’t need to select a subscription while creating access packages; your subscription needs to have an appropriate Azure AD license to support creating access packages in the Identity Governance section.
• Secondly, the user ID that you are using to log in to your Azure subscription and its related tenant should have the requisite Azure role assignments and appropriate role permissions assigned. When you assign Azure role assignments, you need to select the subscription for which you are making the role assignment. There, select the subscription of your choice, select the user ID, and then select the appropriate role assignment.
• For access package creation and management purposes, the ‘EntitlementManagement.ReadWrite.All’ Azure role should be assigned to the user ID which can create access packages. Also, that user ID should not be a user administrator, as it cannot have an entitlement management role that can add resources to a catalog. Thus, that user can be any Azure AD role holder who is a catalog creator or owner, except user administrator.
• Finally, when you have assigned the required roles to the user ID, create a catalog of the resources that you want to associate with a business-specific or task-specific requirement. That includes groups, applications and SharePoint Online sites. In this case, since you specified that you have multiple groups that you want in an access package, you would need to add these groups to a catalog as resources. Once done, create an access package and assign this catalog to this access package. Also, you can add multiple catalog owners to that catalog for better manageability.

Please refer to the links below for more information:
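
The flow described in Solution 1 (catalog, then groups as catalog resources, then the access package), sketched against the Microsoft Graph v1.0 entitlement management endpoints. This is an added example, not part of the original answer; `provision_access_package`, the `send` transport and `FakeGraph` are hypothetical names, and the IDs it returns are constructed.

```python
import uuid

GRAPH_EM = "/v1.0/identityGovernance/entitlementManagement"


def provision_access_package(send, catalog_name, package_name, group_ids):
    """Catalog -> groups as catalog resources -> access package.

    `send(method, path, body)` is a hypothetical transport that makes the
    authenticated Graph call and returns the parsed JSON response.
    """
    # Validate and de-duplicate group object IDs before any write is sent.
    groups = []
    for gid in group_ids:
        gid = str(uuid.UUID(gid))  # ValueError on a malformed object ID
        if gid not in groups:
            groups.append(gid)
    if not groups:
        raise ValueError("at least one group object ID is required")

    catalog = send("POST", f"{GRAPH_EM}/catalogs", {
        "displayName": catalog_name,
        "description": f"Resources for {package_name}",
        "isExternallyVisible": False,
    })
    for gid in groups:  # each group becomes a resource of the catalog
        send("POST", f"{GRAPH_EM}/resourceRequests", {
            "requestType": "adminAdd",
            "resource": {"originId": gid, "originSystem": "AadGroup"},
            "catalog": {"id": catalog["id"]},
        })
    package = send("POST", f"{GRAPH_EM}/accessPackages", {
        "displayName": package_name,
        "description": f"Access to {len(groups)} group(s)",
        "isHidden": False,
        "catalog": {"id": catalog["id"]},
    })
    return {"catalogId": catalog["id"], "accessPackageId": package["id"],
            "groups": groups}


class FakeGraph:
    """Offline stand-in for Graph: records calls, returns constructed IDs."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        return {"id": f"constructed-id-{len(self.calls)}", **body}
```

Adding a group to the catalog does not by itself grant anything: the access package still needs resource roles and an assignment policy before users can request it.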
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow

