Forum Discussion
Access Package Assignment Issue
Hi there!
I know it's frustrating when something that worked perfectly suddenly stops! The good news is that the symptom you're describing ("You don't meet policy requirements") combined with your timeline gives us strong clues.
UNDERSTANDING THE ISSUE
The fact that:
- It works for internal users
- It fails for external users
- Timeline: Last success July 29 → Issue started August 22
This pattern strongly suggests a **change in external identity policies or B2B collaboration settings** rather than the Access Package itself.
MOST LIKELY CAUSES (Based on August Timeline)
1. Cross-Tenant Access Settings Changed
Microsoft has been rolling out stricter external collaboration controls. Check if someone modified:
- Azure Portal → **External Identities** → Cross-tenant access settings
- Look for new "Inbound access" restrictions
- Check if "B2B collaboration" is still allowed for your partner organizations
2. Conditional Access Policy Blocking External Users
A new CA policy might be interfering:
3. Default External User Access Changed
Check your External Collaboration Settings:
- Azure AD → **External Identities** → External collaboration settings
- Verify "Guest user access restrictions" hasn't changed
- Ensure "Guest invite settings" allows invitations
4. Access Package Resource Configuration
One of the resources in your package might now require additional permissions for external users:
- SharePoint sites with new external sharing restrictions
- Teams with changed guest access policies
- Apps requiring internal-only authentication
Let me know what you find in the audit logs and external collaboration settings! Also, please share:
- The exact error correlation ID (helps trace backend logs)
- Whether the workaround test policy works
- What resources are in your access package
I'm happy to dig deeper once we have these details - this type of issue often has a very specific cause that's not immediately obvious!
Good luck, and keep me posted on your findings!
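A read-only way to check whether any of the settings listed above changed between the two dates in the thread, added here as an example and not part of either post. It assumes the Microsoft Graph PowerShell SDK, the year 2025 for the July 29 to August 22 window (the thread gives no year), and an activity-name pattern that is only a starting point.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.Read.All'

# Window from the thread: last success July 29, first failure August 22.
# Assumption: the year is 2025 (the reply is dated Sep 23, 2025).
$from = [datetimeoffset]'2025-07-29T00:00:00Z'
$to   = [datetimeoffset]'2025-08-23T00:00:00Z'
$fmt  = "yyyy-MM-dd'T'HH:mm:ss'Z'"
$filter = "activityDateTime ge $($from.UtcDateTime.ToString($fmt)) and " +
          "activityDateTime le $($to.UtcDateTime.ToString($fmt))"

# Assumption: these patterns cover the activity names of interest; tune as needed.
$pattern = 'cross-tenant|conditional access|authorization policy|access package'

# 1. Who changed what in the window. The actor is a user or an application.
Get-MgAuditLogDirectoryAudit -All -Filter $filter |
    Where-Object { $_.ActivityDisplayName -match $pattern -or $_.Category -eq 'Policy' } |
    Sort-Object ActivityDateTime |
    ForEach-Object {
        $by = $_.InitiatedBy
        $actor = if ($by.User.UserPrincipalName) { $by.User.UserPrincipalName } else { $by.App.DisplayName }
        [pscustomobject]@{
            Time     = $_.ActivityDateTime
            Activity = $_.ActivityDisplayName
            Service  = $_.LoggedByService
            Actor    = $actor
            Target   = ($_.TargetResources.DisplayName -join '; ')
            Changed  = ($_.TargetResources.ModifiedProperties.DisplayName -join '; ')
            Result   = $_.Result
        }
    } | Format-Table -AutoSize -Wrap

# 2. Conditional Access policies created or modified since the last success.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.ModifiedDateTime -ge $from.UtcDateTime -or
                   $_.CreatedDateTime -ge $from.UtcDateTime } |
    Select-Object DisplayName, State, CreatedDateTime, ModifiedDateTime

# 3. Current values of the settings named in the answer, to compare with a known-good baseline.
Get-MgPolicyAuthorizationPolicy | Select-Object AllowInvitesFrom, GuestUserRoleId
(Get-MgPolicyCrossTenantAccessPolicyDefault).B2BCollaborationInbound | ConvertTo-Json -Depth 5
```

Directory audit logs are kept only for a limited period (30 days on premium licenses), so events older than that are available only if the logs were exported to Log Analytics, storage or a SIEM.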
- Julien4 (Copper Contributor), Sep 23, 2025
Thank you very much for your information.
I've seen your message about "Microsoft has been rolling out stricter external collaboration controls." However, I couldn't find any Microsoft documentation explaining what was implemented and when. Do you have that?
Regarding the issues you mentioned, I have checked all of those things in the past. I'm one of the only sysadmins for these services, and I did not change any of the External Identities settings. Unless Microsoft changed something on their end, it's unlikely something changed here.
The access package simply assigns an external contractor to an Entra security group and runs a custom script via a custom extension to send an email to the external user. When I do a manual assignment, I get the error message, "You don't meet policy requirements," and the account is not created.
I did a test to change my policy from "None (administrator direct assignments only)" to "For users not in your directory," and selected "All users (All connected organizations + any new external users)." I am now able to manually assign the user with that configuration.
The problem is that this setup requires at least one step of approval, which I don't want. This process is part of an automation that was working perfectly a month ago, and we don't want to have to approve it as it's an automated process.
I think the only issue is that. Does anyone know why "None (administrator direct assignments only)" was working fine in the past to assign an external user and does not work anymore?