Forum Discussion
"Access package assignment manager" role with "Restricted access to Microsoft Entra admin center"
Hello, PawelKowalczyk
This behavior is expected when the option "Restrict access to Microsoft Entra admin center" is enabled for a user who only has the Access Package Assignment Manager role.
The Access Package Assignment Manager role is a delegated Entitlement Management role that allows users to manage assignments and policies only within the catalogs where permissions were delegated. However, the administration experience for Access Package assignments is performed through the Microsoft Entra Admin Center, not through the My Access portal.
The My Access portal is primarily intended for:
- Access requests
- Approvals
- Access reviews
It does not provide the full administrative experience required to manage Access Package assignments and policies.
Because of this, when “Restrict access to Microsoft Entra admin center = Yes” is enabled, users without administrative portal access will not be able to manage Access Package assignments, even if they have the delegated Entitlement Management role assigned.
According to Microsoft documentation, delegated administration for Entitlement Management is expected to be performed through the Entra Admin Center using roles such as:
- Catalog owner
- Access package manager
- Access package assignment manager
This means the recommended approach is to:
- Delegate the catalog using the appropriate Entitlement Management role.
- Allow controlled access to the Microsoft Entra Admin Center so the delegated administrator can manage assignments within their scoped catalog only.
It is also important to note that the “request on behalf of” capability requires Microsoft Entra ID Governance licensing. Without it, some assignment management scenarios are not available.
So, in summary:
- Managing Access Package assignments is not supported through the My Access portal alone.
- If Entra Admin Center access is restricted, the delegated user will still require the minimum necessary admin center access to perform assignment management tasks.
- The supported Microsoft design is delegated administration through scoped Entitlement Management roles inside the Entra Admin Center.
Microsoft documentation:
https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-delegate-managers
https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-package-create