microsoftgraph · simoolchandaney · Jun 10, 2026 · Jun 12, 2026 · Jun 12, 2026 · Jun 12, 2026
diff --git a/api-reference/beta/api/accesspackage-getapplicablepolicyrequirements.md b/api-reference/beta/api/accesspackage-getapplicablepolicyrequirements.md
@@ -43,14 +43,14 @@ None.
 |Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).|
 
 ## Request body
-Don't supply a request body for this method if you wish to retrieve a list of access package requirements as in example 1. If you want to get policy requirements for user scope as in example 2, you must supply a request body.
+Don't supply a request body for this method.
 
 ## Response
 If successful, this method returns a `200 OK` response code and an [accessPackageAssignmentRequestRequirements](../resources/accesspackageassignmentrequestrequirements.md) collection in the response body, one object for each policy for which the user is an **allowedRequestor**. If there's a policy with no requirements, the **accessPackageAssignmentRequestRequirements** has `false` and `null` values. If there are no policies where the user is an **allowedRequestor**, an empty collection is returned instead.
 
 ## Examples
 
-### Example 1: Retrieve a list of access package requirements to create an access package
+### Example 1: Retrieve a list of access package requirements
 
 #### Request
 
@@ -141,123 +141,7 @@ Content-Type: application/json
 }
 ```
 
-### Example 2: Get policy requirements for a given user scope
-
-#### Request
-
-The following example shows a request.
-
-# [HTTP](#tab/http)
-<!-- {
-  "blockType": "request",
-  "sampleKeys": ["b15419bb-5ffc-ea11-b207-c8d9d21f4e9a"],
-  "name": "get_req_for_given_user"
-}-->
-
-```http
-POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/b15419bb-5ffc-ea11-b207-c8d9d21f4e9a/getApplicablePolicyRequirements
-
-{
-        "subject": {
-            "objectId": "5acd375c-8acb-45de-a958-fa0dd89259ad"
-        }
-    }
-```
-
-# [C#](#tab/csharp)
-[!INCLUDE [sample-code](../includes/snippets/csharp/get-req-for-given-user-csharp-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [Go](#tab/go)
-[!INCLUDE [sample-code](../includes/snippets/go/get-req-for-given-user-go-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [Java](#tab/java)
-[!INCLUDE [sample-code](../includes/snippets/java/get-req-for-given-user-java-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [JavaScript](#tab/javascript)
-[!INCLUDE [sample-code](../includes/snippets/javascript/get-req-for-given-user-javascript-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [PHP](#tab/php)
-[!INCLUDE [sample-code](../includes/snippets/php/get-req-for-given-user-php-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [PowerShell](#tab/powershell)
-[!INCLUDE [sample-code](../includes/snippets/powershell/get-req-for-given-user-powershell-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [Python](#tab/python)
-[!INCLUDE [sample-code](../includes/snippets/python/get-req-for-given-user-python-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
----
-
-#### Response
-
-The following example shows the response.
-
-<!-- {
-  "blockType": "response",
-  "truncated": true,
-  "@odata.type": "Collection(microsoft.graph.accessPackageAssignmentRequestRequirements)"
-}
--->
-
-```http
-HTTP/1.1 200 OK
-Content-Type: application/json
-
-{
-    "value": [
-        {
-            "policyId": "d6322c23-04d6-eb11-b22b-c8d9d21f4e9a",
-            "policyDisplayName": "Initial Policy",
-            "policyDescription": "Initial Policy",
-            "isApprovalRequired": false,
-            "isApprovalRequiredForExtension": false,
-            "isRequestorJustificationRequired": false,
-            "questions": [
-                {
-                    "@odata.type": "#microsoft.graph.textInputQuestion",
-                    "id": "5a7f2a8f-b802-4438-bec6-09599bc43e13",
-                    "isRequired": false,
-                    "isAnswerEditable": true,
-                    "sequence": 0,
-                    "isSingleLineQuestion": true,
-                    "text": {
-                        "defaultText": "Enter your mail",
-                        "localizedTexts": []
-                    }
-                }
-            ],
-            "existingAnswers": [
-                {
-                    "@odata.type": "#microsoft.graph.answerString",
-                    "displayValue": "admin@contoso.com",
-                    "value": "admin@contoso.com",
-                    "answeredQuestion": {
-                        "@odata.type": "#microsoft.graph.textInputQuestion",
-                        "id": "5a7f2a8f-b802-4438-bec6-09599bc43e13",
-                        "isRequired": false,
-                        "isAnswerEditable": true,
-                        "sequence": 0,
-                        "isSingleLineQuestion": true,
-                        "text": {
-                            "defaultText": "Enter your mail",
-                            "localizedTexts": []
-                        }
-                    }
-                }
-            ],
-            "schedule": []
-        }
-    ]
-}
-```
-
-### Example 3: Get policy requirements for verifiable credential status requirements
+### Example 2: Get policy requirements for verifiable credential status requirements
 
 #### Request
 

diff --git a/api-reference/beta/api/accesspackageassignmentrequest-cancel.md b/api-reference/beta/api/accesspackageassignmentrequest-cancel.md
@@ -23,7 +23,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "accesspackageassignmentrequest_cancel" } -->
 [!INCLUDE [permissions-table](../includes/permissions/accesspackageassignmentrequest-cancel-permissions.md)]
 
-[!INCLUDE [rbac-entitlement-access-package-assignment-manager-write](../includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write.md)]
+[!INCLUDE [rbac-entitlement-access-package-assignment-manager-write-including-subject-access](../includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md)]
 
 ## HTTP request
 

diff --git a/api-reference/beta/api/entitlementmanagement-post-assignmentrequests.md b/api-reference/beta/api/entitlementmanagement-post-assignmentrequests.md
@@ -25,7 +25,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "entitlementmanagement_post_assignmentrequests" } -->
 [!INCLUDE [permissions-table](../includes/permissions/entitlementmanagement-post-assignmentrequests-permissions.md)]
 
-[!INCLUDE [rbac-entitlement-end-user-apis-write](../includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write.md)]
+[!INCLUDE [rbac-entitlement-end-user-apis-write-including-subject-access](../includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md)]
 
 ## HTTP request
 

diff --git a/...gement-access-package-assignment-manager-apis-write-including-subject-access.md b/...gement-access-package-assignment-manager-apis-write-including-subject-access.md
@@ -0,0 +1,27 @@
+---
+author: simranm
+ms.topic: include
+---
+
+<!-- Applies to:
+- accessPackageAssignmentRequest: cancel
+-->
+
+> [!TIP]
+> The role and permission required for delegated access using work or school accounts depend on whose request is being canceled.
+>
+> **End users canceling their own request:**
+> - The signed-in user **doesn't need** an administrator role.
+> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`.
+>
+> **Administrators canceling requests submitted by others:**
+> - The least privileged permission is `EntitlementManagement.ReadWrite.All`.
+> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged:
+>     - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate):
+>         - *Access package assignment manager*. **This is the least privileged option**
+>         - *Access package manager*
+>         - *Catalog owner*
+>     - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json):
+>         - *Identity Governance Administrator*
+>
+> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers).
diff --git a/...pis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md b/...pis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md
@@ -0,0 +1,30 @@
+---
+author: simranm
+ms.topic: include
+---
+
+<!-- Applies to:
+- Create accessPackageAssignmentRequest
+-->
+
+> [!TIP]
+> The role and permission required for delegated access using work or school accounts depend on the `requestType` of the request being submitted.
+>
+> **End-user requests** — `userAdd`, `userExtend`, `userUpdate`, `userRemove`, and `approverRemove`:
+> - The signed-in user **doesn't need** an administrator role.
+> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`.
+> - Holding the permission isn't sufficient on its own — whether an end-user can submit a request is also governed by the corresponding accessPackageAssignmentPolicy, which controls who can be assigned to an access package and who can request it (`requestorSettings`).
+>
+> **Administrator requests** — `adminAdd`, `adminUpdate`, and `adminRemove`:
+> - The least privileged permission is `EntitlementManagement.ReadWrite.All`.
+> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged:
+>     - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate):
+>         - *Access package assignment manager*. **This is the least privileged option**
+>         - *Access package manager*
+>         - *Catalog owner*
+>     - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json):
+>         - *Identity Governance Administrator*
+>
+> In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission. The *Access package assignment manager* role is less privileged than the `EntitlementManagement.ReadWrite.All` application permission.
+>
+> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers).
diff --git a/api-reference/v1.0/api/accesspackage-getapplicablepolicyrequirements.md b/api-reference/v1.0/api/accesspackage-getapplicablepolicyrequirements.md
@@ -104,7 +104,33 @@ Content-Type: application/json
 {
   "value": [
     {
-      "@odata.type": "microsoft.graph.accessPackageAssignmentRequestRequirements"
+      "policyId": "d6322c23-04d6-eb11-b22b-c8d9d21f4e9a",
+      "policyDisplayName": "Initial Policy",
+      "policyDescription": "Initial Policy",
+      "isApprovalRequiredForAdd": false,
+      "isApprovalRequiredForUpdate": false,
+      "isRequestorJustificationRequired": false,
+      "allowCustomAssignmentSchedule": true,
+      "schedule": {
+        "expiration": {
+          "endDateTime": null,
+          "duration": "P365D",
+          "type": "afterDuration"
+        }
+      },
+      "questions": [
+        {
+          "@odata.type": "#microsoft.graph.textInputQuestion",
+          "id": "0fd349e2-a3a7-4712-af08-660f29c12b90",
+          "isRequired": true,
+          "sequence": 0,
+          "isSingleLineQuestion": true,
+          "text": {
+            "defaultText": "What is your display name",
+            "localizedTexts": []
+          }
+        }
+      ]
     }
   ]
 }

diff --git a/api-reference/v1.0/api/accesspackageassignmentrequest-cancel.md b/api-reference/v1.0/api/accesspackageassignmentrequest-cancel.md
@@ -21,7 +21,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "accesspackageassignmentrequest_cancel" } -->
 [!INCLUDE [permissions-table](../includes/permissions/accesspackageassignmentrequest-cancel-permissions.md)]
 
-[!INCLUDE [rbac-entitlement-access-package-assignment-manager-write](../includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write.md)]
+[!INCLUDE [rbac-entitlement-access-package-assignment-manager-write-including-subject-access](../includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md)]
 
 ## HTTP request
 

diff --git a/api-reference/v1.0/api/entitlementmanagement-post-assignmentrequests.md b/api-reference/v1.0/api/entitlementmanagement-post-assignmentrequests.md
@@ -22,7 +22,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "entitlementmanagement_post_assignmentrequests" } -->
 [!INCLUDE [permissions-table](../includes/permissions/entitlementmanagement-post-assignmentrequests-permissions.md)]
 
-[!INCLUDE [rbac-entitlement-end-user-apis-write](../includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write.md)]
+[!INCLUDE [rbac-entitlement-end-user-apis-write-including-subject-access](../includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md)]
 
 ## HTTP request
 

diff --git a/...gement-access-package-assignment-manager-apis-write-including-subject-access.md b/...gement-access-package-assignment-manager-apis-write-including-subject-access.md
@@ -0,0 +1,27 @@
+---
+author: simranm
+ms.topic: include
+---
+
+<!-- Applies to:
+- accessPackageAssignmentRequest: cancel
+-->
+
+> [!TIP]
+> The role and permission required for delegated access using work or school accounts depend on whose request is being canceled.
+>
+> **End users canceling their own request:**
+> - The signed-in user **doesn't need** an administrator role.
+> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`.
+>
+> **Administrators canceling requests submitted by others:**
+> - The least privileged permission is `EntitlementManagement.ReadWrite.All`.
+> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged:
+>     - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate):
+>         - *Access package assignment manager*. **This is the least privileged option**
+>         - *Access package manager*
+>         - *Catalog owner*
+>     - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json):
+>         - *Identity Governance Administrator*
+>
+> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers).
diff --git a/...pis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md b/...pis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md
@@ -0,0 +1,30 @@
+---
+author: simranm
+ms.topic: include
+---
+
+<!-- Applies to:
+- Create accessPackageAssignmentRequest
+-->
+
+> [!TIP]
+> The role and permission required for delegated access using work or school accounts depend on the `requestType` of the request being submitted.
+>
+> **End-user requests** — `userAdd`, `userUpdate`, `userRemove`, and `approverRemove`:
+> - The signed-in user **doesn't need** an administrator role.
+> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`.
+> - Holding the permission isn't sufficient on its own — whether an end-user can submit a request is also governed by the corresponding accessPackageAssignmentPolicy, which controls who can be assigned to an access package and who can request it (`allowedTargetScope`, `specificAllowedTargets`, and `requestorSettings`).
+>
+> **Administrator requests** — `adminAdd`, `adminUpdate`, and `adminRemove`:
+> - The least privileged permission is `EntitlementManagement.ReadWrite.All`.
+> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged:
+>     - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate):
+>         - *Access package assignment manager*. **This is the least privileged option**
+>         - *Access package manager*
+>         - *Catalog owner*
+>     - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json):
+>         - *Identity Governance Administrator*
+>
+> In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission. The *Access package assignment manager* role is less privileged than the `EntitlementManagement.ReadWrite.All` application permission.
+>
+> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers).