Forum Discussion
"Access package assignment manager" role with "Restricted access to Microsoft Entra admin center"
Hi,
How can I allow a user with the "Access package assignment manager" role assigned only to a single catalog to manage access package assignments when "Restricted access to Microsoft Entra admin center" is set to Yes?
I do not see any option to manage assignments through the MyAccess portal, so it seems this must be done through the Entra Admin Center. However, the user cannot access the Entra Admin Center because they do not have any Entra administrative roles.
I do not have an Entra ID Governance license, so the option to use on-behalf-of access package assignment requests is not available.
How can this scenario be solved?
Thanks.
PawelKowalczyk (Copper Contributor)
Josimar-Hedler, could you advise which least-privileged role I can assign to a user to allow access to the Entra Admin Portal when “Restrict access to Microsoft Entra admin center” is set to Yes?
PawelKowalczyk
If the goal is only to allow access to the Microsoft Entra Admin Center while “Restrict access to Microsoft Entra admin center = Yes” is enabled, then in practice any Microsoft Entra administrative role will typically allow access to the portal.
However, Microsoft does not officially document a dedicated “portal access only” role for this specific scenario.
For least privilege, the lowest privileged role commonly used for this purpose is usually:
- Directory Readers
That said, behavior may still vary depending on the specific Entra blade or feature being accessed, since some areas of the portal may require additional permissions beyond basic portal access.
For Entitlement Management scenarios specifically, Microsoft’s officially recommended role remains:
- Identity Governance Administrator
- or delegated Entitlement Management roles such as:
- Catalog owner
- Access package manager
- Access package assignment manager
But these delegated roles alone may not be sufficient when Entra Admin Center access restriction is enabled.
Documentation:
https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-delegate-managers
Hello, PawelKowalczyk
This behavior is expected when the option "Restrict access to Microsoft Entra admin center" is enabled for a user who only has the Access Package Assignment Manager role.
The Access Package Assignment Manager role is a delegated Entitlement Management role that allows users to manage assignments and policies only within the catalogs where permissions were delegated. However, the administration experience for Access Package assignments is performed through the Microsoft Entra Admin Center, not through the My Access portal.
The My Access portal is primarily intended for:
- Access requests
- Approvals
- Access reviews
It does not provide the full administrative experience required to manage Access Package assignments and policies.
Because of this, when “Restrict access to Microsoft Entra admin center = Yes” is enabled, users without administrative portal access will not be able to manage Access Package assignments, even if they have the delegated Entitlement Management role assigned.
According to Microsoft documentation, delegated administration for Entitlement Management is expected to be performed through the Entra Admin Center using roles such as:
- Catalog owner
- Access package manager
- Access package assignment manager
This means the recommended approach is to:
- Delegate the catalog using the appropriate Entitlement Management role.
- Allow controlled access to the Microsoft Entra Admin Center so the delegated administrator can manage assignments within their scoped catalog only.
It is also important to note that the “request on behalf of” capability requires Microsoft Entra ID Governance licensing. Without it, some assignment management scenarios are not available.
So, in summary:
- Managing Access Package assignments is not supported through the My Access portal alone.
- If Entra Admin Center access is restricted, the delegated user will still require the minimum necessary admin center access to perform assignment management tasks.
- The supported Microsoft design is delegated administration through scoped Entitlement Management roles inside the Entra Admin Center.
Microsoft documentation:
https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-delegate-managers
https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-package-create
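The replies above cover the admin center experience only. One point worth adding for practitioners: the “Restrict access to Microsoft Entra admin center” setting governs the web admin center, not Microsoft Graph, and a Graph call is authorized by the caller's directory roles and delegated Entitlement Management roles. A user who holds Access package assignment manager on a catalog can therefore create and remove assignments for that catalog's access packages through Graph without being granted any directory role. The script below is an added example (not code from this thread or from Microsoft) that does exactly that using the Microsoft Graph PowerShell SDK and the v1.0 entitlementManagement endpoints. The three GUID parameters are placeholders you supply; the `EntitlementManagement.ReadWrite.All` delegated scope is assumed to be consented in the tenant, and the resulting request is still scoped by the caller's catalog role (a package outside the delegated catalog returns 403).

```powershell
# Added example, not from the original thread. Run as the delegated user who holds
# "Access package assignment manager" on the catalog containing -AccessPackageId.
# Assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph) and
# consent for the EntitlementManagement.ReadWrite.All delegated scope.
param(
    [Parameter(Mandatory)] [string] $AccessPackageId,    # placeholder GUID, package in the delegated catalog
    [Parameter(Mandatory)] [string] $AssignmentPolicyId, # placeholder GUID, a policy of that package
    [Parameter(Mandatory)] [string] $TargetUserId,       # placeholder GUID, object ID of the user to assign
    [switch] $Remove                                     # remove the user's assignment instead of adding it
)

# Delegated (user) sign-in; no directory role is required for this scope, only the catalog role.
Connect-MgGraph -Scopes 'EntitlementManagement.ReadWrite.All' -NoWelcome

$base = 'https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement'

function Get-PackageAssignments {
    # Lists current assignments of one access package with the target subject expanded.
    # A 403 here means the caller's delegated role does not cover this package's catalog,
    # which is the first thing to check when a delegated user reports "no access".
    param([Parameter(Mandatory)] [string] $PackageId)
    $uri = "$base/assignments?`$filter=accessPackage/id eq '$PackageId'&`$expand=target"
    (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value
}

function Submit-AssignmentRequest {
    # Posts an administrator-initiated assignment request (adminAdd / adminRemove).
    param([Parameter(Mandatory)] [hashtable] $Body)
    Invoke-MgGraphRequest -Method POST -Uri "$base/assignmentRequests" `
        -Body ($Body | ConvertTo-Json -Depth 5) -ContentType 'application/json' -OutputType PSObject
}

if (-not $Remove) {
    # Direct assignment by the delegated manager; the policy decides expiry and approval.
    $req = Submit-AssignmentRequest -Body @{
        requestType = 'adminAdd'
        assignment  = @{
            targetId           = $TargetUserId
            assignmentPolicyId = $AssignmentPolicyId
            accessPackageId    = $AccessPackageId
        }
    }
    "Created adminAdd request $($req.id), state: $($req.state)"
}
else {
    # Find the user's delivered assignment(s) for this package and request their removal.
    $existing = Get-PackageAssignments -PackageId $AccessPackageId |
        Where-Object { $_.target.objectId -eq $TargetUserId -and $_.state -eq 'delivered' }
    if (-not $existing) { "No delivered assignment for $TargetUserId on $AccessPackageId" }
    foreach ($a in $existing) {
        $req = Submit-AssignmentRequest -Body @{
            requestType = 'adminRemove'
            assignment  = @{ id = $a.id }
        }
        "Created adminRemove request $($req.id) for assignment $($a.id), state: $($req.state)"
    }
}

# Show what the caller can see for this package after the change.
Get-PackageAssignments -PackageId $AccessPackageId |
    Select-Object id, state, @{ n = 'target'; e = { $_.target.displayName } } |
    Format-Table -AutoSize
```

Run it once with the three GUIDs to add an assignment and again with `-Remove` to take it away; assignment delivery is asynchronous, so the state printed immediately after the POST is typically the request's initial state rather than `delivered`. The script does not bypass the admin center restriction in any sense that matters for least privilege: it only exercises the catalog-scoped permission the delegated role already grants, and it gives the user nothing in other catalogs.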