Forum Discussion
"Access package assignment manager" role with "Restricted access to Microsoft Entra admin center"
Josimar-Hedler could you advise which least-privileged role I can assign to a user to allow access to the Entra Admin Portal when “Restrict access to Microsoft Entra admin center” is set to Yes?
- May 14, 2026
PawelKowalczyk
If the goal is only to allow access to the Microsoft Entra Admin Center while “Restrict access to Microsoft Entra admin center = Yes” is enabled, then in practice any Microsoft Entra administrative role will typically allow access to the portal.
However, Microsoft does not officially document a dedicated “portal access only” role for this specific scenario.
For least privilege, the lowest privileged role commonly used for this purpose is usually:
- Directory Readers
That said, behavior may still vary depending on the specific Entra blade or feature being accessed, since some areas of the portal may require additional permissions beyond basic portal access.
For Entitlement Management scenarios specifically, Microsoft’s officially recommended role remains:
- Identity Governance Administrator
- or delegated Entitlement Management roles such as:
  - Catalog owner
  - Access package manager
  - Access package assignment manager
But these delegated roles alone may not be sufficient when Entra Admin Center access restriction is enabled.
Documentation:
https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-delegate-managers