
Self-service access portals: the business case

Ruben van der Graaf · 4 min read

A self-service access portal cuts tickets, lead time, and manager frustration. Real numbers and what you need to have in place for it to work.

Routine IT requests, access and password resets among them, make up a large share of service desk tickets in most organizations; industry estimates commonly put access and password work at a quarter to a half of ticket volume. Almost all of it is routine. This post covers what you save with a self-service portal, and where it can go wrong.

TL;DR

  • Routine access and password work is a large share of service desk tickets (commonly estimated at a quarter to a half).
  • A self-service portal can take a big bite out of that volume; self-service password reset alone is widely reported to cut those tickets sharply.
  • Direct-manager approval is faster than service desk triage.
  • Only works if the access catalog is clean and clear.
  • The payback comes from freed IT support hours and shorter lead times; the exact saving depends on your ticket mix.

The problem

An access ticket on the service desk usually looks like this:

  1. Employee sends email or opens ticket: "I need access to SharePoint site X."
  2. Service desk engineer reads it, doesn't know the context.
  3. Engineer emails the manager for approval. Waits 1 to 2 days.
  4. Manager responds (or doesn't). Engineer follows up.
  5. Access granted. Ticket closed. Total lead time: 3 days to a week.

Stack that up: as an illustration, a 300-person team averaging around 1.5 access requests per person per month is several hundred tickets a month, the bulk of them routine.

How self-service removes that

With a self-service portal:

  1. Employee logs in, sees what they already have.
  2. Clicks "I want access to X". Portal shows who the owner or manager is.
  3. Approval request goes straight to the manager. Manager clicks Accept or Reject.
  4. On accept: access granted in minutes, no support team involvement.
  5. Everything logged.

A week down to minutes. And 0 service desk hours.

What you need in place first

A self-service portal only works if three things are solid:

  1. Access catalog. You need to know which apps, SharePoints, Teams, and groups exist and who owns each. No owner = no approval path = no self-service.
  2. Manager hierarchy. Entra ID has to know who reports to whom. Populate the manager attribute.
  3. Approval flows per resource. Not every access request goes to the direct manager. Sensitive systems (HR, Finance) sometimes need extra approvers or a different path.

Without these three: no self-service. With them: you'll never go back.

Which requests work self-service

Typically good candidates:

  • Teams and SharePoint groups
  • Distribution lists
  • Application access for SSO'd SaaS tools
  • Reports and Power BI dashboards
  • Temporary project access (with expiry date)

What often does not fit:

  • Admin rights (privileged access)
  • Financial systems under segregation of duties
  • Anything under strict compliance regimes

For those, keep dedicated approval workflows, not self-service.
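
As an added illustration (not ServiceChanger's code), the Python below turns the three prerequisites and the exclusions above into a pre-launch readiness check and a per-request routing decision. The catalog entries, category labels, user names, and decision strings are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Categories kept out of self-service (labels are hypothetical).
DEDICATED = {"admin", "finance_sod", "regulated"}

@dataclass
class Resource:
    category: str
    owner: Optional[str] = None
    extra_approvers: list = field(default_factory=list)  # e.g. HR, Finance

# Constructed sample data; in practice this comes from your catalog export
# and the manager attribute in Entra ID.
CATALOG = {
    "sp-marketing": Resource("sharepoint", owner="erin"),
    "hr-reports": Resource("powerbi", owner="frank", extra_approvers=["hr-lead"]),
    "old-project-dl": Resource("distribution_list"),      # no owner set
    "global-admin": Resource("admin", owner="ciso"),
}
MANAGER_OF = {"alice": "bob", "bob": "carol", "dave": None}

def readiness_gaps(catalog, manager_of):
    """List what must be cleaned up before self-service can work."""
    gaps = [f"resource without owner: {n}" for n, r in catalog.items() if not r.owner]
    gaps += [f"user without manager: {u}" for u, m in manager_of.items() if not m]
    return sorted(gaps)

def route(requester, resource_name):
    """Return (decision, approvers) for one access request."""
    res = CATALOG.get(resource_name)
    if res is None:
        return ("reject_not_in_catalog", [])
    if res.category in DEDICATED:
        return ("dedicated_workflow", [])    # privileged/SoD/compliance: never self-service
    if not res.owner:
        return ("blocked_no_owner", [])      # no owner = no approval path
    manager = MANAGER_OF.get(requester)
    if not manager:
        return ("blocked_no_manager", [])    # manager attribute not populated
    # Direct manager first, then any extra approvers for sensitive resources.
    approvers = [manager] + [a for a in res.extra_approvers if a != manager]
    return ("pending_approval", approvers)

if __name__ == "__main__":
    for gap in readiness_gaps(CATALOG, MANAGER_OF):
        print(gap)
    for who, what in [("alice", "sp-marketing"), ("alice", "hr-reports"),
                      ("alice", "global-admin"), ("dave", "sp-marketing")]:
        print(who, what, route(who, what))
```

Failing closed on a missing owner or manager keeps a request from being granted without a real approver behind it.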

The numbers

The table below is an illustrative before-and-after for a 200 to 500-person organization, not measured ServiceChanger data. It shows the direction and rough shape of the effect, not a guaranteed outcome:

| Metric | Before | After |
|---|---|---|
| Access tickets per month | several hundred | a fraction of that |
| Average lead time | 3 to 7 days | minutes to hours |
| Manager satisfaction | lower | higher |
| Service desk capacity freed up | - | tens of hours per month |

The hours you free up can go to the IT team for incidents and problems that actually need human attention.

Pitfalls

  1. Empty catalog. If employees don't know what's available, they'll email anyway. Invest in clear names and descriptions per resource.
  2. Approval fatigue. Managers get hit with many requests. Bundle them into a daily digest or set default auto-approve for low-risk resources.
  3. No owner. A group without an owner means nobody can approve. Clean it up.

FAQ

What about audit? Every approval is logged with timestamp, requester, approver, resource, and reason. Exportable for compliance.

Does it work for temporary access? Yes. Approval with an expiry date. After that date, access is revoked automatically, with no extra action.

What if the manager doesn't respond? Set escalation flows: after 48 hours the request goes up to the manager's manager, or to a specific group.

A portal takes the request work away, but most of the time saved comes from automating the access requests themselves. Read Automate service desk access requests for the rule-based approach behind it.

Next step

ServiceChanger builds a self-service portal on your Entra ID, including approval flows, audit trail, and temp access. Book a demo or read the Self-Service Portal docs.