diff --git a/modules/folder/pam.tf b/modules/folder/pam.tf
index bf9031bc8..53f28e827 100644
--- a/modules/folder/pam.tf
+++ b/modules/folder/pam.tf
@@ -117,8 +117,15 @@ resource "google_privileged_access_manager_entitlement" "default" {
 ]
 }
- approvals_needed = step.value.approvals_needed
- approver_email_recipients = step.value.approver_email_recipients
+ approvals_needed = step.value.approvals_needed
+ approver_email_recipients = (
+ step.value.approver_email_recipients == null
+ ? null
+ : [
+ for e in step.value.approver_email_recipients :
+ lookup(local.ctx.email_addresses, e, e)
+ ]
+ )
 }
 }
 }
@@ -128,8 +135,22 @@ resource "google_privileged_access_manager_entitlement" "default" {
 dynamic "additional_notification_targets" {
 for_each = each.value.additional_notification_targets == null ? [] : [""]
 content {
- admin_email_recipients = each.value.additional_notification_targets.admin_email_recipients
- requester_email_recipients = each.value.additional_notification_targets.requester_email_recipients
+ admin_email_recipients = (
+ each.value.additional_notification_targets.admin_email_recipients == null
+ ? null
+ : [
+ for e in each.value.additional_notification_targets.admin_email_recipients :
+ lookup(local.ctx.email_addresses, e, e)
+ ]
+ )
+ requester_email_recipients = (
+ each.value.additional_notification_targets.requester_email_recipients == null
+ ? null
+ : [
+ for e in each.value.additional_notification_targets.requester_email_recipients :
+ lookup(local.ctx.email_addresses, e, e)
+ ]
+ )
 }
 }
diff --git a/modules/organization/pam.tf b/modules/organization/pam.tf
index a954397f6..9d05cfd26 100644
--- a/modules/organization/pam.tf
+++ b/modules/organization/pam.tf
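Review bot: The `lookup(local.ctx.email_addresses, e, e)` fallback in the new `approver_email_recipients` expression passes an unresolved `$email_addresses:…` key through as a literal recipient, so a mistyped context key is not caught at plan time and either fails at the API or, if accepted, leaves approval notifications for a privileged grant routed to a nonexistent address. A key that carries the context prefix should resolve or fail, for example `startswith(e, "$email_addresses:") ? local.ctx.email_addresses[e] : e` (assuming, as the test fixture suggests, that the map keys include the prefix and the module's Terraform floor provides `startswith`), or a `precondition` on the resource that checks every recipient resolved. The same fallback is used for `admin_email_recipients` and `requester_email_recipients` in the next hunk and in the identical hunks of modules/organization/pam.tf and modules/project/pam.tf. The enclosing step block starts before this hunk.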
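Review bot: The eight-line null-guarded `for`/`lookup` expression is repeated for `admin_email_recipients` and `requester_email_recipients` here, for `approver_email_recipients` in the previous hunk, and again in modules/organization/pam.tf and modules/project/pam.tf, so any later change to how e-mail context keys are resolved has to be made in nine places. Resolving the recipients once in a local (for example a `local.pam_entitlements` map built from the presumably existing `var.pam_entitlements` with the addresses already substituted) and referencing the resolved attributes in the resource would keep the resource body flat and the substitution rule in one place. The `dynamic "additional_notification_targets"` block is fully inside the hunk; the enclosing resource is not.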
@@ -117,8 +117,15 @@ resource "google_privileged_access_manager_entitlement" "default" {
 ]
 }
- approvals_needed = step.value.approvals_needed
- approver_email_recipients = step.value.approver_email_recipients
+ approvals_needed = step.value.approvals_needed
+ approver_email_recipients = (
+ step.value.approver_email_recipients == null
+ ? null
+ : [
+ for e in step.value.approver_email_recipients :
+ lookup(local.ctx.email_addresses, e, e)
+ ]
+ )
 }
 }
 }
@@ -128,8 +135,22 @@ resource "google_privileged_access_manager_entitlement" "default" {
 dynamic "additional_notification_targets" {
 for_each = each.value.additional_notification_targets == null ? [] : [""]
 content {
- admin_email_recipients = each.value.additional_notification_targets.admin_email_recipients
- requester_email_recipients = each.value.additional_notification_targets.requester_email_recipients
+ admin_email_recipients = (
+ each.value.additional_notification_targets.admin_email_recipients == null
+ ? null
+ : [
+ for e in each.value.additional_notification_targets.admin_email_recipients :
+ lookup(local.ctx.email_addresses, e, e)
+ ]
+ )
+ requester_email_recipients = (
+ each.value.additional_notification_targets.requester_email_recipients == null
+ ? null
+ : [
+ for e in each.value.additional_notification_targets.requester_email_recipients :
+ lookup(local.ctx.email_addresses, e, e)
+ ]
+ )
 }
 }
diff --git a/modules/project/pam.tf b/modules/project/pam.tf
index aacba16d0..90f2a4488 100644
--- a/modules/project/pam.tf
+++ b/modules/project/pam.tf
@@ -117,8 +117,15 @@ resource "google_privileged_access_manager_entitlement" "default" {
 ]
 }
- approvals_needed = step.value.approvals_needed
- approver_email_recipients = step.value.approver_email_recipients
+ approvals_needed = step.value.approvals_needed
+ approver_email_recipients = (
+ step.value.approver_email_recipients == null
+ ? null
+ : [
+ for e in step.value.approver_email_recipients :
+ lookup(local.ctx.email_addresses, e, e)
+ ]
+ )
 }
 }
 }
@@ -128,8 +135,22 @@ resource "google_privileged_access_manager_entitlement" "default" {
 dynamic "additional_notification_targets" {
 for_each = each.value.additional_notification_targets == null ? [] : [""]
 content {
- admin_email_recipients = each.value.additional_notification_targets.admin_email_recipients
- requester_email_recipients = each.value.additional_notification_targets.requester_email_recipients
+ admin_email_recipients = (
+ each.value.additional_notification_targets.admin_email_recipients == null
+ ? null
+ : [
+ for e in each.value.additional_notification_targets.admin_email_recipients :
+ lookup(local.ctx.email_addresses, e, e)
+ ]
+ )
+ requester_email_recipients = (
+ each.value.additional_notification_targets.requester_email_recipients == null
+ ? null
+ : [
+ for e in each.value.additional_notification_targets.requester_email_recipients :
+ lookup(local.ctx.email_addresses, e, e)
+ ]
+ )
 }
 }
 depends_on = [
diff --git a/tests/modules/organization/context.tfvars b/tests/modules/organization/context.tfvars
index 0f6ec772a..13cea5e91 100644
--- a/tests/modules/organization/context.tfvars
+++ b/tests/modules/organization/context.tfvars
@@ -149,9 +149,14 @@ pam_entitlements = {
 manual_approvals = {
 require_approver_justification = true
 steps = [{
- approvers = ["$iam_principals:mygroup"]
+ approvers = ["$iam_principals:mygroup"]
+ approver_email_recipients = ["$email_addresses:default"]
 }]
 }
+ additional_notification_targets = {
+ admin_email_recipients = ["$email_addresses:default"]
+ requester_email_recipients = ["$email_addresses:default"]
+ }
 eligible_users = ["$iam_principals:mygroup"]
 privileged_access = [
 { role = "roles/compute.networkAdmin" },
diff --git a/tests/modules/organization/context.yaml b/tests/modules/organization/context.yaml
index 16096a61e..edca95d7a 100644
--- a/tests/modules/organization/context.yaml
+++ b/tests/modules/organization/context.yaml
@@ -165,13 +165,18 @@ values:
 org_id: '1234567890'
 role: organizations/366118655033/roles/myRoleTwo
 google_privileged_access_manager_entitlement.default["net-admins"]:
- additional_notification_targets: []
+ additional_notification_targets:
+ - admin_email_recipients:
+ - foo@example.com
+ requester_email_recipients:
+ - foo@example.com
 approval_workflow:
 - manual_approvals:
 - require_approver_justification: true
 steps:
 - approvals_needed: 1
- approver_email_recipients: null
+ approver_email_recipients:
+ - foo@example.com
 approvers:
 - principals:
 - group:test-group@example.com