Identity Governance > Opt-in Preview Features appears to be malfunctioning
I have two distinctly separate goals:
1. Prevent administrative assignments of DISABLED access package policy(ies). By default, appropriate Entra roles, including built-in catalog roles, are able to administratively assign users to disabled access package policies.
2. Limit administrative assignment of access packages to catalog roles only – prevent getting around catalog roles (e.g., prevent GA or Identity Governance Administrator).
I have an access package policy that is used only by administrators to assign users to one resource (security) group: Users who can request access: None (administrator direct assignments only).
Regardless of whether we elevate to GA, IG Admin, etc., hold an appropriate catalog RBAC role, or any combination thereof, enabling (checking) the following Opt-In Preview Feature prevents EVERYONE from being able to administratively assign user(s) to an access package. There is no required approval – nothing. If I uncheck the following option, we’re once again able to administratively assign users from any level and any policy that is disabled.
Error: You don’t meet policy requirements to request this entitlement. (Note: I’m unable to locate the associated Correlation ID)
Lastly, I’ve tested the following in multiple tenants and the behavior is 100% the same. I feel like I’m missing something.
Identity Governance > Entitlement Management > Settings > Opt-in Features
Enforce policy scope setting for admin direct assignments
Enabling this feature will prevent global administrators from adding users to a package that are outside the scope of the selected policy. For example, an attempt to add an external user through a policy that is only configured for internal users will be blocked when this setting is enabled.
1. Identify any workflows in which users require access to a package, but there is no policy that includes them within its scope.
2. Create policies that will include these users.
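As an added example, not part of the original post or of Microsoft's own code: a small offline model of the scope rule quoted above, usable for step 1 (finding users that no policy's scope covers) before the feature is turned on. The `allowedTargetScope` values are the Microsoft Graph v1.0 `accessPackageAssignmentPolicy` enum names; mapping the portal choice "None (administrator direct assignments only)" to `notSpecified` and treating that as an empty scope is an assumption made here, as is the simplified handling of connected-organization scopes. All policy, user and group ids are constructed sample values, and the functions reproduce the rule as the portal text describes it, not the service's actual implementation.

```python
# Added example, not from the original post. Models the "Enforce policy scope
# setting for admin direct assignments" rule so an admin can audit, before
# enabling it, which direct assignments would be blocked and which users have
# no policy whose scope covers them.
#
# Assumption: the portal choice "None (administrator direct assignments only)"
# corresponds to allowedTargetScope "notSpecified", treated as an empty scope.
# Constructed sample policies, shaped like Graph v1.0
# accessPackageAssignmentPolicy objects (only the fields used here).
SAMPLE_POLICIES = [
    {
        "id": "policy-internal",             # constructed id
        "displayName": "Internal users only",
        "allowedTargetScope": "allMemberUsers",
        "specificAllowedTargets": [],
    },
    {
        "id": "policy-admin-only",           # constructed id
        "displayName": "None (administrator direct assignments only)",
        "allowedTargetScope": "notSpecified",
        "specificAllowedTargets": [],
    },
    {
        "id": "policy-specific",             # constructed id
        "displayName": "Specific users and groups",
        "allowedTargetScope": "specificDirectoryUsers",
        "specificAllowedTargets": [
            {"@odata.type": "#microsoft.graph.singleUser", "userId": "user-alice"},
            {"@odata.type": "#microsoft.graph.groupMembers", "groupId": "group-ops"},
        ],
    },
]

# Constructed sample users; "groupIds" stands in for a transitive membership lookup.
SAMPLE_USERS = [
    {"id": "user-alice", "userType": "Member", "groupIds": []},
    {"id": "user-bob",   "userType": "Member", "groupIds": ["group-ops"]},
    {"id": "user-guest", "userType": "Guest",  "groupIds": []},
]


def in_policy_scope(policy, user):
    """Return True if the user falls inside the policy's allowedTargetScope."""
    scope = policy.get("allowedTargetScope", "notSpecified")
    if scope == "allDirectoryUsers":
        return True
    if scope == "allMemberUsers":
        return user["userType"] == "Member"
    if scope in ("allExternalUsers", "allConfiguredConnectedOrganizationUsers",
                 "specificConnectedOrganizationUsers"):
        # Simplification: connected-organization matching is not modelled,
        # so any guest user is treated as in scope.
        return user["userType"] == "Guest"
    if scope == "specificDirectoryUsers":
        for target in policy.get("specificAllowedTargets", []):
            kind = target.get("@odata.type", "")
            if kind.endswith("singleUser") and target.get("userId") == user["id"]:
                return True
            if kind.endswith("groupMembers") and target.get("groupId") in user["groupIds"]:
                return True
        return False
    # "notSpecified" (assumed empty), service-principal scopes and unknown
    # values: fail closed, which is what the enforcement setting does.
    return False


def blocked_direct_assignments(policies, users):
    """Map policy id -> ids of users an admin could no longer directly assign."""
    return {
        p["id"]: [u["id"] for u in users if not in_policy_scope(p, u)]
        for p in policies
    }


def uncovered_users(policies, users):
    """Users covered by no policy: the gaps step 1 above asks you to find."""
    return [u["id"] for u in users
            if not any(in_policy_scope(p, u) for p in policies)]


if __name__ == "__main__":
    for pid, blocked in blocked_direct_assignments(SAMPLE_POLICIES, SAMPLE_USERS).items():
        print(f"{pid}: would block {blocked or 'nobody'}")
    print("users with no covering policy:", uncovered_users(SAMPLE_POLICIES, SAMPLE_USERS))
```

Run against real data, the two lists would be populated from `GET /identityGovernance/entitlementManagement/assignmentPolicies` and the users you intend to assign; with the constructed sample, the `notSpecified` policy blocks every user, which is the behaviour the post describes for an admin-only policy once the setting is on.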