Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
In July 2025, we announced that the visibility behavior for access packages scoped to "Specific users and groups" would be changing. The previously announced changes to access package visibility have been cancelled. No action is required at this time.
The My Access portal is the central place for users to request, approve, and review their access to resources within Microsoft Entra. For administrators, the Microsoft Entra admin center provides extra functionalities, enabling configuration of access packages and the ability to conduct access reviews.
When you manage access to resources in Microsoft Entra, understanding how access packages appear to users in the My Access portal is essential. Access package visibility determines which packages users can discover and request, and is influenced by several configuration settings and planned changes. This article provides a detailed overview of the factors that control access package visibility in the My Access portal, explains how it currently works, and highlights important changes effective October 10, 2025.
Discover requestable access packages
When a user lands on the "Available" tab, searches for requestable packages, or selects "View all," Microsoft Entra evaluates which access packages they should be able to see and potentially request. This visibility is determined by a specific sequence of checks.
The following flow diagram, which can be selected to enlarge, illustrates the current logic used to determine if an access package appears in the browse/search view for a specific user:
Explaining the current visibility flow
The logic of this diagram is as follows:
Is the catalog enabled? The system first checks if the catalog containing the access package is enabled. If the entire catalog is disabled, none of its packages are visible for discovery.
Is the end-user an external user? The system checks if the user is an external user or an internal user. This affects the next step.
- (If external user) Is the catalog enabled for external users? For external users, the catalog must also be enabled for external users in its settings. If not, external users don't see packages from this catalog. Internal users skip this check.
Is the access package hidden? This checks the specific "hidden" setting directly on the access package's properties (under "Edit"). If set to "Yes," the package is hidden from the browse/search view, regardless of policies.
Does at least one enabled policy exist for the access package where 'Who can request' matches the end-user? This is the final, crucial policy check. The system looks for at least one policy associated with the access package that meets ALL these criteria:
The policy itself is enabled (the 'Enable new requests' setting in the policy UI is toggled on).
The policy's "Who can request" setting logically includes the current user based on their identity, group memberships, or connected organization affiliation.
Policies set to "None (Administrator direct assignments only)" don't make a package visible for Browse or searching.
If all these checks pass, then the access package is Visible in the user's browse/search view. Otherwise, it's not visible.