How can we improve Azure Active Directory?

← Azure Active Directory

RBAC for AAD

The Azure teams have done an awesome job implementing RBAC. I would love to have this same functionality (granular permissions + custom roles) for AAD itself.

Currently there's too many activities that only a global admin can do. RBAC would allow us to delegate appropriate activities without increasing our security attack surface.

312 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Ben Virkler shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
started  ·  AdminAzure AD Team (Product Manager, Microsoft Azure) responded  · 

Hi folks,
Just a quick update here. We’re still actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.

You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.

Regards,
Vince Smith
Azure Active Directory Team

Show previous admin responses (4)

34 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • sukh rehal commented  ·   ·  Flag as inappropriate

    It will be great if we can customize built in RBAC roles or underlying permissions can be exposed. For e.g if we have any automations running for Office 365 services we have to assign User admin, EXG admin etc permissions which increases risk. In Exchange Online application there are bunch of RBAC roles which can be used however they are not exposed through Azure AD

  • James commented  ·   ·  Flag as inappropriate

    @Anonymous: License assignments can be viewed by a regular user with no special permissions now?

  • Anonymous commented  ·   ·  Flag as inappropriate

    We need custom AAD roles to be expanded so that we can provide Read access to the BitLocker key. I saw that someone else is also requesting this and second it!

  • Tim Nielsen (Admin) commented  ·   ·  Flag as inappropriate

    I would like to modify or create a copy of the Helpdesk Administrator RBAC role, in order to add a few more relevant permissions to either the built in role - or a new role based on that role.
    Unfortunately permssions to "microsoft.directory/users/*" and "microsoft.directory/signInReports/*" are unavailable for a custom role, even though they exist in the built-in roles.

    Why not allow creation of a custom role using already existing allowed resource actions from the built in roles, in order to mix them to custom roles?

  • Cedric commented  ·   ·  Flag as inappropriate

    As part of continous deployment, MSI of Sql managed instance needed to be granted with role "Directory reader". At this time, this operation should be done manualy cause we needed a key user with "global admin" right.
    Should be great if we can delegate attribution's permission of a specfic AAD role (like directory reader) to a user or a group of users.

  • Eric Raff commented  ·   ·  Flag as inappropriate

    Great work being done here. I am interested in creating a custom security reader role but need additional permissions added. Specifically the following 3 permissions. In short granting the Security Reader role does not allow security team to see Conditional Access policies in AAD.
    "microsoft.aad.directory/policies/conditionalAccess/basic/read",
    "microsoft.aad.directory/policies/conditionalAccess/policiesAppliedTo/read",
    "microsoft.aad.directory/policies/conditionalAccess/owners/read"

  • Dennis van Doorn commented  ·   ·  Flag as inappropriate

    Just saw a tweet from AAD PM Rob de Jong stating Microsoft published an update of the AzureAD Preview module to create and assign custom roles in AzureAD.

    Check it out:
    https://docs.microsoft.com/en-us/powershell/azure/active-directory/ad-pshell-v2-version-history?view=azureadps-2.0#20232---preview-release-of-the-azureadpreview-module

    Download:
    https://www.powershellgallery.com/packages/AzureADPreview/2.0.2.32

  • robert meyering commented  ·   ·  Flag as inappropriate

    We are looking to create a Incident Responder role to allows RBAC for acknowledging Azure Identity Protection alerts for risky users.

  • Alan commented  ·   ·  Flag as inappropriate

    Like the other comments and up-votes before me, this functionality is sorely needed. I would rather not grant people the ability to modify AAD polices for instance just to allow them the permission to modify Risky Events (Security Admin required).

    We need more granularity!!!

  • Dan commented  ·   ·  Flag as inappropriate

    Actively blocked by lack of support for this, and it looks like it has been in progress for seven months....

  • Anonymous commented  ·   ·  Flag as inappropriate

    Was shocked to discover this didn't exist already and that it was different from Azure custom roles

  • Gary Forsman commented  ·   ·  Flag as inappropriate

    Hey MS,

    Any news or progress on this? Seen the requirement at multiple customers now, it's becoming a major issue.

  • Phiroj Shaik commented  ·   ·  Flag as inappropriate

    Eagerly waiting to hear its preview release date to run hands on custom AAD roles, currently this is deterrent to make wish delegations

← Previous 1

Azure Active Directory: Role-based Access Control

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice