From e05bd4c18793a7ad203c7ec94939388d5e8919f9 Mon Sep 17 00:00:00 2001 
From: "Simran Moolchandaney (from Dev Box)" Date: Wed, 10 Jun 2026 15:01:03 -0700 Subject: [PATCH 1/5] Add EntitlementMgmt-SubjectAccess.ReadWrite tip boxes to entitlement management APIs - Create new RBAC include for post-assignmentrequests with subject access restriction - Create new RBAC include for cancel with subject access restriction - Create new RBAC tip box for getApplicablePolicyRequirements - All include files created for both v1.0 and beta - Updated API docs to reference new include files Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- ...package-getapplicablepolicyrequirements.md | 2 ++ .../accesspackageassignmentrequest-cancel.md | 2 +- ...ementmanagement-post-assignmentrequests.md | 2 +- ...package-getapplicablepolicyrequirements.md | 11 ++++++++ ...ger-apis-write-including-subject-access.md | 24 ++++++++++++++++++ ...ser-apis-write-including-subject-access.md | 25 +++++++++++++++++++ ...package-getapplicablepolicyrequirements.md | 2 ++ .../accesspackageassignmentrequest-cancel.md | 2 +- ...ementmanagement-post-assignmentrequests.md | 2 +- ...package-getapplicablepolicyrequirements.md | 11 ++++++++ ...ger-apis-write-including-subject-access.md | 24 ++++++++++++++++++ ...ser-apis-write-including-subject-access.md | 25 +++++++++++++++++++ 12 files changed, 128 insertions(+), 4 deletions(-) create mode 100644 api-reference/beta/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md create mode 100644 api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md create mode 100644 api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md create mode 100644 api-reference/v1.0/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md create mode 100644 
api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md create mode 100644 api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md diff --git a/api-reference/beta/api/accesspackage-getapplicablepolicyrequirements.md b/api-reference/beta/api/accesspackage-getapplicablepolicyrequirements.md index 6e6b71fefb4..1603b86ccdf 100644 --- a/api-reference/beta/api/accesspackage-getapplicablepolicyrequirements.md +++ b/api-reference/beta/api/accesspackage-getapplicablepolicyrequirements.md @@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us [!INCLUDE [permissions-table](../includes/permissions/accesspackage-getapplicablepolicyrequirements-permissions.md)] +[!INCLUDE [rbac-accesspackage-getapplicablepolicyrequirements](../includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md)] + ## HTTP request [!INCLUDE [permissions-table](../includes/permissions/accesspackageassignmentrequest-cancel-permissions.md)] -[!INCLUDE [rbac-entitlement-access-package-assignment-manager-write](../includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write.md)] +[!INCLUDE [rbac-entitlement-access-package-assignment-manager-write-including-subject-access](../includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md)] ## HTTP request diff --git a/api-reference/beta/api/entitlementmanagement-post-assignmentrequests.md b/api-reference/beta/api/entitlementmanagement-post-assignmentrequests.md index 3607e861216..9ad0b68616b 100644 --- a/api-reference/beta/api/entitlementmanagement-post-assignmentrequests.md +++ b/api-reference/beta/api/entitlementmanagement-post-assignmentrequests.md 
@@ -25,7 +25,7 @@ Choose the permission or permissions marked as least privileged for this API. Us [!INCLUDE [permissions-table](../includes/permissions/entitlementmanagement-post-assignmentrequests-permissions.md)] -[!INCLUDE [rbac-entitlement-end-user-apis-write](../includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write.md)] +[!INCLUDE [rbac-entitlement-end-user-apis-write-including-subject-access](../includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md)] ## HTTP request diff --git a/api-reference/beta/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md b/api-reference/beta/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md new file mode 100644 index 00000000000..371606e9766 --- /dev/null +++ b/api-reference/beta/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md @@ -0,0 +1,11 @@ +--- +author: simranm +ms.topic: include +--- + + + +> [!TIP] +> For delegated access using work or school accounts with the `EntitlementMgmt-SubjectAccess.ReadWrite` permission, the signed-in user doesn't need an administrator role. `adminAdd` request types are blocked. diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md new file mode 100644 index 00000000000..3d83c40d744 --- /dev/null +++ b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md 
@@ -0,0 +1,24 @@ +--- +author: simranm +ms.topic: include +--- + + + +> [!TIP] +> For delegated access using work or school accounts, the signed-in user must be assigned an administrator role with supported role permissions through one of the following options: +> +> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate) where the least privileged roles are: +> - *Access package assignment manager*. **This is the least privileged option** +> - *Access package manager* +> - Catalog owner +> - More privileged [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) supported for this operation: +> - Identity Governance Administrator +> +> In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission. The *Access package assignment manager* role is less privileged than the `EntitlementManagement.ReadWrite.All` application permission. +> +> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). +> +> For delegated access using work or school accounts with the `EntitlementMgmt-SubjectAccess.ReadWrite` permission, the signed-in user doesn't need an administrator role. Callers can only cancel requests of user-type. diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md new file mode 100644 index 00000000000..cacced24165 --- /dev/null 
+++ b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md @@ -0,0 +1,25 @@ +--- +author: simranm +ms.topic: include +--- + + + +> [!TIP] +> For delegated access using work or school accounts, the signed-in user must be assigned an administrator role with supported role permissions through one of the following options: +> +> - A user who is specified in the `specificAllowedTargets` property of the access package's policies. **This is the least privileged option**. +> - More privileged [roles in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate) where the least privileged roles are supported for this operation: +> - Access package assignment manager +> - Access package manager +> - Catalog owner +> - More privileged [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json), where the following least privileged roles are supported for this operation: +> - Identity Governance Administrator +> +> In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission. A user who is specified in the `specificAllowedTargets` property of the access package's policies is less privileged than the `EntitlementManagement.ReadWrite.All` application permission. +> +> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). +> +> For delegated access using work or school accounts with the `EntitlementMgmt-SubjectAccess.ReadWrite` permission, the signed-in user doesn't need an administrator role. Non-user request types (for example, `adminAdd`) are blocked. 
diff --git a/api-reference/v1.0/api/accesspackage-getapplicablepolicyrequirements.md b/api-reference/v1.0/api/accesspackage-getapplicablepolicyrequirements.md index 684827d93f9..8583e424c93 100644 --- a/api-reference/v1.0/api/accesspackage-getapplicablepolicyrequirements.md +++ b/api-reference/v1.0/api/accesspackage-getapplicablepolicyrequirements.md @@ -21,6 +21,8 @@ Choose the permission or permissions marked as least privileged for this API. Us [!INCLUDE [permissions-table](../includes/permissions/accesspackage-getapplicablepolicyrequirements-permissions.md)] +[!INCLUDE [rbac-accesspackage-getapplicablepolicyrequirements](../includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md)] + ## HTTP request [!INCLUDE [permissions-table](../includes/permissions/accesspackageassignmentrequest-cancel-permissions.md)] -[!INCLUDE [rbac-entitlement-access-package-assignment-manager-write](../includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write.md)] +[!INCLUDE [rbac-entitlement-access-package-assignment-manager-write-including-subject-access](../includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md)] ## HTTP request diff --git a/api-reference/v1.0/api/entitlementmanagement-post-assignmentrequests.md b/api-reference/v1.0/api/entitlementmanagement-post-assignmentrequests.md index ef5da5747be..a94034cfd1f 100644 --- a/api-reference/v1.0/api/entitlementmanagement-post-assignmentrequests.md +++ b/api-reference/v1.0/api/entitlementmanagement-post-assignmentrequests.md 
@@ -22,7 +22,7 @@ Choose the permission or permissions marked as least privileged for this API. Us [!INCLUDE [permissions-table](../includes/permissions/entitlementmanagement-post-assignmentrequests-permissions.md)] -[!INCLUDE [rbac-entitlement-end-user-apis-write](../includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write.md)] +[!INCLUDE [rbac-entitlement-end-user-apis-write-including-subject-access](../includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md)] ## HTTP request diff --git a/api-reference/v1.0/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md b/api-reference/v1.0/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md new file mode 100644 index 00000000000..371606e9766 --- /dev/null +++ b/api-reference/v1.0/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md @@ -0,0 +1,11 @@ +--- +author: simranm +ms.topic: include +--- + + + +> [!TIP] +> For delegated access using work or school accounts with the `EntitlementMgmt-SubjectAccess.ReadWrite` permission, the signed-in user doesn't need an administrator role. `adminAdd` request types are blocked. diff --git a/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md new file mode 100644 index 00000000000..3d83c40d744 --- /dev/null +++ b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md 
@@ -0,0 +1,24 @@ +--- +author: simranm +ms.topic: include +--- + + + +> [!TIP] +> For delegated access using work or school accounts, the signed-in user must be assigned an administrator role with supported role permissions through one of the following options: +> +> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate) where the least privileged roles are: +> - *Access package assignment manager*. **This is the least privileged option** +> - *Access package manager* +> - Catalog owner +> - More privileged [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) supported for this operation: +> - Identity Governance Administrator +> +> In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission. The *Access package assignment manager* role is less privileged than the `EntitlementManagement.ReadWrite.All` application permission. +> +> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). +> +> For delegated access using work or school accounts with the `EntitlementMgmt-SubjectAccess.ReadWrite` permission, the signed-in user doesn't need an administrator role. Callers can only cancel requests of user-type. diff --git a/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md new file mode 100644 index 00000000000..cacced24165 --- /dev/null 
+++ b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md @@ -0,0 +1,25 @@ +--- +author: simranm +ms.topic: include +--- + + + +> [!TIP] +> For delegated access using work or school accounts, the signed-in user must be assigned an administrator role with supported role permissions through one of the following options: +> +> - A user who is specified in the `specificAllowedTargets` property of the access package's policies. **This is the least privileged option**. +> - More privileged [roles in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate) where the least privileged roles are supported for this operation: +> - Access package assignment manager +> - Access package manager +> - Catalog owner +> - More privileged [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json), where the following least privileged roles are supported for this operation: +> - Identity Governance Administrator +> +> In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission. A user who is specified in the `specificAllowedTargets` property of the access package's policies is less privileged than the `EntitlementManagement.ReadWrite.All` application permission. +> +> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). +> +> For delegated access using work or school accounts with the `EntitlementMgmt-SubjectAccess.ReadWrite` permission, the signed-in user doesn't need an administrator role. Non-user request types (for example, `adminAdd`) are blocked. 
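Review bot: in the new `accesspackage-getapplicablepolicyrequirements.md` include (beta and v1.0, identical blob `371606e9766`), the closing sentence "`adminAdd` request types are blocked." is attached to the getApplicablePolicyRequirements action without saying where a `requestType` enters that call, so a reader cannot tell what is being blocked or how to trigger it. Either name the request-body property the restriction applies to or drop the sentence and keep only the statement that the signed-in user doesn't need an administrator role. Note also that this include is the only one of the three new subject-access includes that PATCH 2/5 does not restructure, so its wording ("request types are blocked") ends up out of step with the end-user and cancel includes once the series is applied; carry the same end-user / administrator split over here if it applies.

Review bot: in the cancel include (`...assignment-manager-apis-write-including-subject-access.md`), the last line "Callers can only cancel requests of user-type." is ambiguous: it could mean the request's `requestType` must be one of the `user*` values, or that the signed-in user may only cancel their own request. Because `EntitlementMgmt-SubjectAccess.ReadWrite` is a subject-scoped permission, state the restriction in terms of ownership ("the signed-in user can cancel only their own pending requests") and, if admin-created requests are additionally excluded, say so in a separate sentence. PATCH 2/5 moves to "End users canceling their own request", which covers the first reading but silently drops the second.

Review bot: in the end-user include (`...end-user-apis-write-including-subject-access.md`), the app-only paragraph compares "A user who is specified in the `specificAllowedTargets` property of the access package's policies" against the `EntitlementManagement.ReadWrite.All` application permission. A policy target is a condition on the signed-in user, not a role an application can be assigned, so the comparison does not hold in an app-only scenario. Name the least privileged role an app can actually hold (*Access package assignment manager*, as the assignment-manager include already does); PATCH 2/5 makes exactly this change, so the intermediate wording here only survives in the history.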
From 005bcba0721a5e6aa8b2240bc25432ad6ea01485 Mon Sep 17 00:00:00 2001 From: "Simran Moolchandaney (from Dev Box)" Date: Fri, 12 Jun 2026 11:51:47 -0700 Subject: [PATCH 2/5] Restructure RBAC tip boxes per review feedback - POST assignment requests: split into end-user vs admin request type sections - Cancel request: split into end-user vs admin cancellation scenarios - Remove app-only note from cancel (not supported) - v1.0 end-user types: userAdd, userUpdate, userRemove, approverRemove - Beta end-user types: adds userExtend - v1.0 references allowedTargetScope, specificAllowedTargets, requestorSettings - Beta references only requestorSettings (different policy model) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- ...ger-apis-write-including-subject-access.md | 29 ++++++++-------- ...ser-apis-write-including-subject-access.md | 33 +++++++++++-------- ...ger-apis-write-including-subject-access.md | 29 ++++++++-------- ...ser-apis-write-including-subject-access.md | 33 +++++++++++-------- 4 files changed, 70 insertions(+), 54 deletions(-) diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md index 3d83c40d744..059d6fb9da3 100644 --- a/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md +++ b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md 
@@ -8,17 +8,20 @@ ms.topic: include --> > [!TIP] -> For delegated access using work or school accounts, the signed-in user must be assigned an administrator role with supported role permissions through one of the following options: -> -> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate) where the least privileged roles are: -> - *Access package assignment manager*. **This is the least privileged option** -> - *Access package manager* -> - Catalog owner -> - More privileged [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) supported for this operation: -> - Identity Governance Administrator -> -> In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission. The *Access package assignment manager* role is less privileged than the `EntitlementManagement.ReadWrite.All` application permission. -> -> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). +> The role and permission required for delegated access using work or school accounts depend on whose request is being canceled. +> +> **End users canceling their own request:** +> - The signed-in user **doesn't need** an administrator role. +> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`. > -> For delegated access using work or school accounts with the `EntitlementMgmt-SubjectAccess.ReadWrite` permission, the signed-in user doesn't need an administrator role. Callers can only cancel requests of user-type. 
+> **Administrators canceling requests submitted by others:** +> - The signed-in user **must** be assigned a supported administrator role *(or the caller must hold the `EntitlementManagement.ReadWrite.All` permission, which is the least privileged permission for this scenario)*. +> - Supported roles, from least to most privileged: +> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): +> - *Access package assignment manager*. **This is the least privileged option** +> - *Access package manager* +> - *Catalog owner* +> - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): +> - *Identity Governance Administrator* +> +> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md index cacced24165..a79722b0263 100644 --- a/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md +++ b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md 
@@ -8,18 +8,23 @@ ms.topic: include --> > [!TIP] -> For delegated access using work or school accounts, the signed-in user must be assigned an administrator role with supported role permissions through one of the following options: -> -> - A user who is specified in the `specificAllowedTargets` property of the access package's policies. **This is the least privileged option**. -> - More privileged [roles in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate) where the least privileged roles are supported for this operation: -> - Access package assignment manager -> - Access package manager -> - Catalog owner -> - More privileged [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json), where the following least privileged roles are supported for this operation: -> - Identity Governance Administrator -> -> In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission. A user who is specified in the `specificAllowedTargets` property of the access package's policies is less privileged than the `EntitlementManagement.ReadWrite.All` application permission. -> -> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). +> The role and permission required for delegated access using work or school accounts depend on the `requestType` of the request being submitted. +> +> **End-user requests** — `userAdd`, `userExtend`, `userUpdate`, `userRemove`, and `approverRemove`: +> - The signed-in user **doesn't need** an administrator role. +> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`. 
+> - Holding the permission isn't sufficient on its own — whether an end-user can submit a request is also governed by the corresponding accessPackageAssignmentPolicy, which controls who can be assigned to an access package and who can request it (`requestorSettings`). +> +> **Administrator requests** — `adminAdd`, `adminUpdate`, and `adminRemove`: +> - The signed-in user **must** be assigned a supported administrator role *(or the caller must hold the `EntitlementManagement.ReadWrite.All` permission, which is the least privileged permission for these request types)*. +> - Supported roles, from least to most privileged: +> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): +> - *Access package assignment manager*. **This is the least privileged option** +> - *Access package manager* +> - *Catalog owner* +> - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): +> - *Identity Governance Administrator* > -> For delegated access using work or school accounts with the `EntitlementMgmt-SubjectAccess.ReadWrite` permission, the signed-in user doesn't need an administrator role. Non-user request types (for example, `adminAdd`) are blocked. +> In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission. The *Access package assignment manager* role is less privileged than the `EntitlementManagement.ReadWrite.All` application permission. +> +> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). 
diff --git a/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md index 3d83c40d744..059d6fb9da3 100644 --- a/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md +++ b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md 
@@ -8,17 +8,20 @@ ms.topic: include --> > [!TIP] -> For delegated access using work or school accounts, the signed-in user must be assigned an administrator role with supported role permissions through one of the following options: -> -> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate) where the least privileged roles are: -> - *Access package assignment manager*. **This is the least privileged option** -> - *Access package manager* -> - Catalog owner -> - More privileged [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) supported for this operation: -> - Identity Governance Administrator -> -> In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission. The *Access package assignment manager* role is less privileged than the `EntitlementManagement.ReadWrite.All` application permission. -> -> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). +> The role and permission required for delegated access using work or school accounts depend on whose request is being canceled. +> +> **End users canceling their own request:** +> - The signed-in user **doesn't need** an administrator role. +> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`. > -> For delegated access using work or school accounts with the `EntitlementMgmt-SubjectAccess.ReadWrite` permission, the signed-in user doesn't need an administrator role. Callers can only cancel requests of user-type. 
+> **Administrators canceling requests submitted by others:** +> - The signed-in user **must** be assigned a supported administrator role *(or the caller must hold the `EntitlementManagement.ReadWrite.All` permission, which is the least privileged permission for this scenario)*. +> - Supported roles, from least to most privileged: +> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): +> - *Access package assignment manager*. **This is the least privileged option** +> - *Access package manager* +> - *Catalog owner* +> - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): +> - *Identity Governance Administrator* +> +> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). diff --git a/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md index cacced24165..930d28d6550 100644 --- a/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md +++ b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md 
@@ -8,18 +8,23 @@ ms.topic: include --> > [!TIP] -> For delegated access using work or school accounts, the signed-in user must be assigned an administrator role with supported role permissions through one of the following options: -> -> - A user who is specified in the `specificAllowedTargets` property of the access package's policies. **This is the least privileged option**. -> - More privileged [roles in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate) where the least privileged roles are supported for this operation: -> - Access package assignment manager -> - Access package manager -> - Catalog owner -> - More privileged [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json), where the following least privileged roles are supported for this operation: -> - Identity Governance Administrator -> -> In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission. A user who is specified in the `specificAllowedTargets` property of the access package's policies is less privileged than the `EntitlementManagement.ReadWrite.All` application permission. -> -> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). +> The role and permission required for delegated access using work or school accounts depend on the `requestType` of the request being submitted. +> +> **End-user requests** — `userAdd`, `userUpdate`, `userRemove`, and `approverRemove`: +> - The signed-in user **doesn't need** an administrator role. +> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`. 
+> - Holding the permission isn't sufficient on its own — whether an end-user can submit a request is also governed by the corresponding accessPackageAssignmentPolicy, which controls who can be assigned to an access package and who can request it (`allowedTargetScope`, `specificAllowedTargets`, and `requestorSettings`). +> +> **Administrator requests** — `adminAdd`, `adminUpdate`, and `adminRemove`: +> - The signed-in user **must** be assigned a supported administrator role *(or the caller must hold the `EntitlementManagement.ReadWrite.All` permission, which is the least privileged permission for these request types)*. +> - Supported roles, from least to most privileged: +> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): +> - *Access package assignment manager*. **This is the least privileged option** +> - *Access package manager* +> - *Catalog owner* +> - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): +> - *Identity Governance Administrator* > -> For delegated access using work or school accounts with the `EntitlementMgmt-SubjectAccess.ReadWrite` permission, the signed-in user doesn't need an administrator role. Non-user request types (for example, `adminAdd`) are blocked. +> In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission. The *Access package assignment manager* role is less privileged than the `EntitlementManagement.ReadWrite.All` application permission. +> +> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). 
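Review bot: the restructured end-user include (both the beta hunk with `userExtend` and the v1.0 hunk without it) removes the only explicit statement from the previous version that non-user request types are blocked for `EntitlementMgmt-SubjectAccess.ReadWrite` ("Non-user request types (for example, `adminAdd`) are blocked."). With the new layout a reader can reasonably conclude that a caller consented for the subject-access permission who also holds *Access package assignment manager* can submit `adminAdd`. Add one bullet, under whichever section the service actually enforces it, stating that `EntitlementMgmt-SubjectAccess.ReadWrite` cannot be used for `adminAdd`, `adminUpdate`, or `adminRemove`. While here, link the `requestType` values to the accessPackageAssignmentRequest resource page the way the roles are linked, so the v1.0 and beta lists (which differ only by `userExtend`) can be checked against the enum rather than drifting independently.

Review bot: in the v1.0 end-user hunk, "whether an end-user can submit a request" hyphenates the noun while the section heading two lines up says "End-user requests" (adjective, correct) and the cancel include says "End users" (noun, correct); use "end user" for the noun. In the same bullet, `accessPackageAssignmentPolicy` is set in code font but not linked, unlike every role name in the tip; link it to the resource page so the reader can find `allowedTargetScope`, `specificAllowedTargets`, and `requestorSettings` that the bullet names.

Review bot: in the cancel include hunks (beta and v1.0, identical blob `059d6fb9da3`), the administrator bullet "The signed-in user **must** be assigned a supported administrator role *(or the caller must hold the `EntitlementManagement.ReadWrite.All` permission ...)*" presents the role and the permission as alternatives. For delegated access the app needs consent for the permission and the signed-in user needs the role; both are required, not either. PATCH 3/5 splits this into two bullets, which fixes it. Separately, the commit message says the app-only note was removed because app-only is not supported for cancel, but the tip itself no longer says anything about app-only; if the permissions table above the include still lists an application permission, add a one-line "app-only access is not supported for this operation" so the table and the tip do not contradict each other.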
From ca986f74467a01099d5523153ee715d5dae78a3f Mon Sep 17 00:00:00 2001 From: "Simran Moolchandaney (from Dev Box)" Date: Fri, 12 Jun 2026 12:00:11 -0700 Subject: [PATCH 3/5] Simplify admin role wording in RBAC tip boxes Remove awkward 'or' phrasing in admin sections. State least privileged permission and role requirement as separate clean bullets. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- ...-assignment-manager-apis-write-including-subject-access.md | 4 ++-- ...management-end-user-apis-write-including-subject-access.md | 4 ++-- ...-assignment-manager-apis-write-including-subject-access.md | 4 ++-- ...management-end-user-apis-write-including-subject-access.md | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md index 059d6fb9da3..e55b9143a29 100644 --- a/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md +++ b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md 
@@ -15,8 +15,8 @@ ms.topic: include > - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`. > > **Administrators canceling requests submitted by others:** -> - The signed-in user **must** be assigned a supported administrator role *(or the caller must hold the `EntitlementManagement.ReadWrite.All` permission, which is the least privileged permission for this scenario)*. -> - Supported roles, from least to most privileged: +> - The least privileged permission is `EntitlementManagement.ReadWrite.All`. +> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged: > - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): > - *Access package assignment manager*. **This is the least privileged option** > - *Access package manager* diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md index a79722b0263..27658f76459 100644 --- a/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md +++ b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md 
@@ -16,8 +16,8 @@ ms.topic: include > - Holding the permission isn't sufficient on its own — whether an end-user can submit a request is also governed by the corresponding accessPackageAssignmentPolicy, which controls who can be assigned to an access package and who can request it (`requestorSettings`). > > **Administrator requests** — `adminAdd`, `adminUpdate`, and `adminRemove`: -> - The signed-in user **must** be assigned a supported administrator role *(or the caller must hold the `EntitlementManagement.ReadWrite.All` permission, which is the least privileged permission for these request types)*. -> - Supported roles, from least to most privileged: +> - The least privileged permission is `EntitlementManagement.ReadWrite.All`. +> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged: > - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): > - *Access package assignment manager*. **This is the least privileged option** > - *Access package manager* diff --git a/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md index 059d6fb9da3..e55b9143a29 100644 --- a/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md +++ b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md 
@@ -15,8 +15,8 @@ ms.topic: include > - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`. > > **Administrators canceling requests submitted by others:** -> - The signed-in user **must** be assigned a supported administrator role *(or the caller must hold the `EntitlementManagement.ReadWrite.All` permission, which is the least privileged permission for this scenario)*. -> - Supported roles, from least to most privileged: +> - The least privileged permission is `EntitlementManagement.ReadWrite.All`. +> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged: > - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): > - *Access package assignment manager*. **This is the least privileged option** > - *Access package manager* diff --git a/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md index 930d28d6550..c31c0882803 100644 --- a/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md +++ b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md 
@@ -16,8 +16,8 @@ ms.topic: include > - Holding the permission isn't sufficient on its own — whether an end-user can submit a request is also governed by the corresponding accessPackageAssignmentPolicy, which controls who can be assigned to an access package and who can request it (`allowedTargetScope`, `specificAllowedTargets`, and `requestorSettings`). > > **Administrator requests** — `adminAdd`, `adminUpdate`, and `adminRemove`: -> - The signed-in user **must** be assigned a supported administrator role *(or the caller must hold the `EntitlementManagement.ReadWrite.All` permission, which is the least privileged permission for these request types)*. -> - Supported roles, from least to most privileged: +> - The least privileged permission is `EntitlementManagement.ReadWrite.All`. +> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged: > - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): > - *Access package assignment manager*. **This is the least privileged option** > - *Access package manager* From c928dc22435dca70fa5ffcef40ebc85bb6bc77a0 Mon Sep 17 00:00:00 2001 From: "Simran Moolchandaney (from Dev Box)" Date: Fri, 12 Jun 2026 12:11:57 -0700 Subject: [PATCH 4/5] Restructure getApplicablePolicyRequirements RBAC tip with end-user vs admin sections Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- ...spackage-getapplicablepolicyrequirements.md | 18 +++++++++++++++++- ...spackage-getapplicablepolicyrequirements.md | 18 +++++++++++++++++- 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/api-reference/beta/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md b/api-reference/beta/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md index 371606e9766..fd16147f53a 100644 --- a/api-reference/beta/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md 
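Review bot: Splitting the parenthetical into two bullets changes the meaning, not just the wording, in all four hunks of PATCH 3/5: the removed line offered the administrator role *or* `EntitlementManagement.ReadWrite.All` as alternatives, while the new pair (`The least privileged permission is EntitlementManagement.ReadWrite.All.` followed by `The signed-in user **must** be assigned a supported administrator role.`) requires both. If a delegated caller always needs the permission consented on the app and the role on the user, the new text is the correct one and the commit message should say the semantics were corrected rather than that awkward phrasing was removed; if the old "or" was the intended behaviour, the rewrite is wrong and should be reverted. Separately, the context lines in this patch show that the beta and v1.0 copies of the end-user include have diverged: the beta file's policy bullet lists only `requestorSettings` while the v1.0 file lists `allowedTargetScope`, `specificAllowedTargets`, and `requestorSettings` (the two `index` hashes also differ), so the beta page gives readers a narrower description of what the policy controls; align the two files in this series or say why they differ.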
+++ b/api-reference/beta/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md @@ -8,4 +8,20 @@ ms.topic: include --> > [!TIP] -> For delegated access using work or school accounts with the `EntitlementMgmt-SubjectAccess.ReadWrite` permission, the signed-in user doesn't need an administrator role. `adminAdd` request types are blocked. +> The role and permission required for delegated access using work or school accounts depend on the caller's scenario. +> +> **End users retrieving policies for their own requests:** +> - The signed-in user **doesn't need** an administrator role. +> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`. +> +> **Administrators retrieving policies for assignment operations:** +> - The least privileged permission is `EntitlementManagement.Read.All`. +> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged: +> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): +> - *Access package assignment manager*. **This is the least privileged option** +> - *Access package manager* +> - *Catalog owner* +> - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): +> - *Identity Governance Administrator* +> +> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). diff --git a/api-reference/v1.0/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md b/api-reference/v1.0/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md index 371606e9766..fd16147f53a 100644 --- a/api-reference/v1.0/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md 
+++ b/api-reference/v1.0/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md @@ -8,4 +8,20 @@ ms.topic: include --> > [!TIP] -> For delegated access using work or school accounts with the `EntitlementMgmt-SubjectAccess.ReadWrite` permission, the signed-in user doesn't need an administrator role. `adminAdd` request types are blocked. +> The role and permission required for delegated access using work or school accounts depend on the caller's scenario. +> +> **End users retrieving policies for their own requests:** +> - The signed-in user **doesn't need** an administrator role. +> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`. +> +> **Administrators retrieving policies for assignment operations:** +> - The least privileged permission is `EntitlementManagement.Read.All`. +> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged: +> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): +> - *Access package assignment manager*. **This is the least privileged option** +> - *Access package manager* +> - *Catalog owner* +> - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): +> - *Identity Governance Administrator* +> +> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). From cb8337bbff772edba16cd14a2050c3f77081ee39 Mon Sep 17 00:00:00 2001 
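Review bot: The restructured tip in both hunks of PATCH 4/5 (the beta and v1.0 copies of `accesspackage-getapplicablepolicyrequirements.md`) removes the statement `adminAdd request types are blocked.` without replacing it, so the end-user section now says only that no administrator role is needed with `EntitlementMgmt-SubjectAccess.ReadWrite` and no longer says what that permission can't be used for; keep the restriction as a bullet under the end-user section. Also, the administrator section names `EntitlementManagement.Read.All` as least privileged for this POST action while the API page's own permissions table (`accesspackage-getapplicablepolicyrequirements-permissions.md`, included a few lines above the tip) is the source of truth; check that the two agree before merge, because a tip that names a permission the table doesn't grant sends readers to the wrong app registration scope.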
From: "Simran Moolchandaney (from Dev Box)" Date: Fri, 12 Jun 2026 13:44:36 -0700 Subject: [PATCH 5/5] Align getApplicablePolicyRequirements docs with published schema - Beta: Remove Example 2 (subject body) which is not in the published CSDL schema; update request body text to 'Don't supply a request body'; renumber Example 3 to Example 2 - v1.0: Replace empty response example with actual schema properties (isApprovalRequiredForAdd, isApprovalRequiredForUpdate, allowCustomAssignmentSchedule, schedule, questions) - Both: Remove RBAC TIP box includes for this API and delete the corresponding include files Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- ...package-getapplicablepolicyrequirements.md | 124 +----------------- ...package-getapplicablepolicyrequirements.md | 27 ---- ...package-getapplicablepolicyrequirements.md | 30 ++++- ...package-getapplicablepolicyrequirements.md | 27 ---- 4 files changed, 30 insertions(+), 178 deletions(-) delete mode 100644 api-reference/beta/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md delete mode 100644 api-reference/v1.0/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md diff --git a/api-reference/beta/api/accesspackage-getapplicablepolicyrequirements.md b/api-reference/beta/api/accesspackage-getapplicablepolicyrequirements.md index 1603b86ccdf..f23b871c6c5 100644 --- a/api-reference/beta/api/accesspackage-getapplicablepolicyrequirements.md +++ b/api-reference/beta/api/accesspackage-getapplicablepolicyrequirements.md 
@@ -23,8 +23,6 @@ Choose the permission or permissions marked as least privileged for this API. Us [!INCLUDE [permissions-table](../includes/permissions/accesspackage-getapplicablepolicyrequirements-permissions.md)] -[!INCLUDE [rbac-accesspackage-getapplicablepolicyrequirements](../includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md)] - ## HTTP request - -```http -POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/b15419bb-5ffc-ea11-b207-c8d9d21f4e9a/getApplicablePolicyRequirements - -{ - "subject": { - "objectId": "5acd375c-8acb-45de-a958-fa0dd89259ad" - } - } -``` - -# [C#](#tab/csharp) -[!INCLUDE [sample-code](../includes/snippets/csharp/get-req-for-given-user-csharp-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [Go](#tab/go) -[!INCLUDE [sample-code](../includes/snippets/go/get-req-for-given-user-go-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [Java](#tab/java) -[!INCLUDE [sample-code](../includes/snippets/java/get-req-for-given-user-java-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [JavaScript](#tab/javascript) -[!INCLUDE [sample-code](../includes/snippets/javascript/get-req-for-given-user-javascript-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [PHP](#tab/php) -[!INCLUDE [sample-code](../includes/snippets/php/get-req-for-given-user-php-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [PowerShell](#tab/powershell) -[!INCLUDE [sample-code](../includes/snippets/powershell/get-req-for-given-user-powershell-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [Python](#tab/python) -[!INCLUDE 
[sample-code](../includes/snippets/python/get-req-for-given-user-python-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - ---- - -#### Response - -The following example shows the response. - - - -```http -HTTP/1.1 200 OK -Content-Type: application/json - -{ - "value": [ - { - "policyId": "d6322c23-04d6-eb11-b22b-c8d9d21f4e9a", - "policyDisplayName": "Initial Policy", - "policyDescription": "Initial Policy", - "isApprovalRequired": false, - "isApprovalRequiredForExtension": false, - "isRequestorJustificationRequired": false, - "questions": [ - { - "@odata.type": "#microsoft.graph.textInputQuestion", - "id": "5a7f2a8f-b802-4438-bec6-09599bc43e13", - "isRequired": false, - "isAnswerEditable": true, - "sequence": 0, - "isSingleLineQuestion": true, - "text": { - "defaultText": "Enter your mail", - "localizedTexts": [] - } - } - ], - "existingAnswers": [ - { - "@odata.type": "#microsoft.graph.answerString", - "displayValue": "admin@contoso.com", - "value": "admin@contoso.com", - "answeredQuestion": { - "@odata.type": "#microsoft.graph.textInputQuestion", - "id": "5a7f2a8f-b802-4438-bec6-09599bc43e13", - "isRequired": false, - "isAnswerEditable": true, - "sequence": 0, - "isSingleLineQuestion": true, - "text": { - "defaultText": "Enter your mail", - "localizedTexts": [] - } - } - } - ], - "schedule": [] - } - ] -} -``` - -### Example 3: Get policy requirements for verifiable credential status requirements +### Example 2: Get policy requirements for verifiable credential status requirements #### Request diff --git a/api-reference/beta/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md b/api-reference/beta/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md deleted file mode 100644 index fd16147f53a..00000000000 --- a/api-reference/beta/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md +++ /dev/null 
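Review bot: Removing Example 2 from the beta page orphans the seven `get-req-for-given-user-*-snippets.md` SDK includes (csharp, go, java, javascript, php, powershell, python) that the deleted tab block referenced; the stat for PATCH 5/5 lists only the two API pages and the two RBAC includes, so those snippet files stay in the repo with no page pulling them in. Delete them in this patch or re-run the snippet generator so the orphaned files go with the example. The commit message also says the request-body text was changed to `Don't supply a request body`, but no `+` line with that text appears in this hunk (its only addition is `+### Example 2: Get policy requirements for verifiable credential status requirements`); confirm that hunk is present in the full patch. Finally, the removed response was the only example on the page showing `existingAnswers` next to `questions`; if that property is still in the beta schema, it now has no example at all.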
@@ -1,27 +0,0 @@ ---- -author: simranm -ms.topic: include ---- - - - -> [!TIP] -> The role and permission required for delegated access using work or school accounts depend on the caller's scenario. -> -> **End users retrieving policies for their own requests:** -> - The signed-in user **doesn't need** an administrator role. -> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`. -> -> **Administrators retrieving policies for assignment operations:** -> - The least privileged permission is `EntitlementManagement.Read.All`. -> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged: -> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): -> - *Access package assignment manager*. **This is the least privileged option** -> - *Access package manager* -> - *Catalog owner* -> - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): -> - *Identity Governance Administrator* -> -> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). diff --git a/api-reference/v1.0/api/accesspackage-getapplicablepolicyrequirements.md b/api-reference/v1.0/api/accesspackage-getapplicablepolicyrequirements.md index 8583e424c93..acde5b68dba 100644 --- a/api-reference/v1.0/api/accesspackage-getapplicablepolicyrequirements.md +++ b/api-reference/v1.0/api/accesspackage-getapplicablepolicyrequirements.md 
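Review bot: The include deleted here (`api-reference/beta/includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md`) and its v1.0 twin were created in PATCH 1/5 and rewritten in PATCH 4/5 of this same series, and the `[!INCLUDE ...]` references being removed from the two API pages were added in PATCH 1/5. Squash the getApplicablePolicyRequirements parts of patches 1, 4 and 5 (or drop them from 1 and 4) so the series doesn't land a tip box that names `EntitlementManagement.Read.All` as least privileged and then retracts it two commits later; anyone bisecting or reading the intermediate commits otherwise gets conflicting least-privilege guidance for the same API.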
@@ -21,8 +21,6 @@ Choose the permission or permissions marked as least privileged for this API. Us [!INCLUDE [permissions-table](../includes/permissions/accesspackage-getapplicablepolicyrequirements-permissions.md)] -[!INCLUDE [rbac-accesspackage-getapplicablepolicyrequirements](../includes/rbac-for-apis/accesspackage-getapplicablepolicyrequirements.md)] - ## HTTP request - -> [!TIP] -> The role and permission required for delegated access using work or school accounts depend on the caller's scenario. -> -> **End users retrieving policies for their own requests:** -> - The signed-in user **doesn't need** an administrator role. -> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`. -> -> **Administrators retrieving policies for assignment operations:** -> - The least privileged permission is `EntitlementManagement.Read.All`. -> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged: -> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): -> - *Access package assignment manager*. **This is the least privileged option** -> - *Access package manager* -> - *Catalog owner* -> - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): -> - *Identity Governance Administrator* -> -> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers).
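Review bot: The v1.0 hunk shown here only removes the RBAC include reference, yet the commit message says the empty v1.0 response example was replaced with the schema properties `isApprovalRequiredForAdd`, `isApprovalRequiredForUpdate`, `allowCustomAssignmentSchedule`, `schedule`, and `questions` (and the stat shows about thirty added lines for that file); that hunk isn't visible, and the deleted v1.0 include's content follows this hunk without its own `diff --git` / `deleted file mode` header, so the patch as excerpted looks truncated. Confirm the full patch applies cleanly and that the new v1.0 response example matches the published CSDL schema the message cites, since a response example carrying properties the schema doesn't expose is the same class of error this patch is fixing on the beta page.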