RBAC for AAD

The Azure teams have done an awesome job implementing RBAC. I would love to have this same functionality (granular permissions + custom roles) for AAD itself.

Currently there's too many activities that only a global admin can do. RBAC would allow us to delegate appropriate activities without increasing our security attack surface.

280 votes

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

We’ll send you updates on this idea

Ben Virkler shared this idea · March 09, 2016 · Flag idea as inappropriate… · Admin →

started ·

AdminAzure AD Team (Product Manager, Microsoft Azure) responded · August 09, 2019

We have released a public preview of custom roles with support for a handful of permissions related to managing application registrations. We’re now working on support for enterprise application management permissions, and will continue to release more permissions iteratively over time.

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview

We very much appreciate all of your feedback here. We’re not done yet, so please keep letting us know what you think and where we can improve.

Regards,
Vince Smith
Azure Active Directory team

Show previous admin responses (3)

30 comments

Add a comment…

Attach a File

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

An error occurred while saving the comment

Cedric commented · August 10, 2019 03:09 · Flag as inappropriate

As part of continous deployment, MSI of Sql managed instance needed to be granted with role "Directory reader". At this time, this operation should be done manualy cause we needed a key user with "global admin" right.
Should be great if we can delegate attribution's permission of a specfic AAD role (like directory reader) to a user or a group of users.

Submitting...
Eric Raff commented · August 09, 2019 15:29 · Flag as inappropriate

Great work being done here. I am interested in creating a custom security reader role but need additional permissions added. Specifically the following 3 permissions. In short granting the Security Reader role does not allow security team to see Conditional Access policies in AAD.
"microsoft.aad.directory/policies/conditionalAccess/basic/read",
"microsoft.aad.directory/policies/conditionalAccess/policiesAppliedTo/read",
"microsoft.aad.directory/policies/conditionalAccess/owners/read"

Submitting...
Paweł Borkowski (CodeTwo) commented · August 05, 2019 06:18 · Flag as inappropriate

MS has finally released this feature, check out this: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-create-custom

Submitting...
Dennis van Doorn commented · August 02, 2019 22:11 · Flag as inappropriate

Just saw a tweet from AAD PM Rob de Jong stating Microsoft published an update of the AzureAD Preview module to create and assign custom roles in AzureAD.

Check it out:
https://docs.microsoft.com/en-us/powershell/azure/active-directory/ad-pshell-v2-version-history?view=azureadps-2.0#20232---preview-release-of-the-azureadpreview-module

Download:
https://www.powershellgallery.com/packages/AzureADPreview/2.0.2.32

Submitting...
Chris Swigart commented · July 24, 2019 13:49 · Flag as inappropriate

Could MS provide an update on this?

Submitting...
Anonymous commented · June 19, 2019 01:17 · Flag as inappropriate

Anu update on this?

Submitting...
robert meyering commented · June 11, 2019 08:57 · Flag as inappropriate

We are looking to create a Incident Responder role to allows RBAC for acknowledging Azure Identity Protection alerts for risky users.

Submitting...
Alan commented · June 06, 2019 10:21 · Flag as inappropriate

Like the other comments and up-votes before me, this functionality is sorely needed. I would rather not grant people the ability to modify AAD polices for instance just to allow them the permission to modify Risky Events (Security Admin required).

We need more granularity!!!

Submitting...
Dan commented · May 28, 2019 18:40 · Flag as inappropriate

Actively blocked by lack of support for this, and it looks like it has been in progress for seven months....

Submitting...
Anonymous commented · May 21, 2019 02:59 · Flag as inappropriate

Any update?

Submitting...
Anonymous commented · May 01, 2019 08:42 · Flag as inappropriate

Was shocked to discover this didn't exist already and that it was different from Azure custom roles

Submitting...
Matt Thompson commented · April 22, 2019 16:04 · Flag as inappropriate

Any update to this?

Submitting...
Gary Forsman commented · March 25, 2019 22:54 · Flag as inappropriate

Hey MS,

Any news or progress on this? Seen the requirement at multiple customers now, it's becoming a major issue.

Submitting...
Mads Højlund commented · March 22, 2019 02:09 · Flag as inappropriate

Any update to this?

Submitting...
Phiroj Shaik commented · March 18, 2019 23:19 · Flag as inappropriate

Eagerly waiting to hear its preview release date to run hands on custom AAD roles, currently this is deterrent to make wish delegations

Submitting...
AdminAzure AD Team (Product Manager, Microsoft Azure) commented · November 21, 2018 10:20 · Flag as inappropriate

Hi folks,
Very much appreciate the feedback here. Just wanted to provide an update - we are actively working on custom roles support for Azure AD. It's a big project, but we are making good progress. Thanks for your patience!

Vince

Submitting...
Anonymous commented · November 01, 2018 07:28 · Flag as inappropriate

This is a serious impediment to our ability to automate management work. Without the ability to customize roles for AAD, the applications used to automate management work have more permissions than they need.

Please keep us updated.

Submitting...
ashwin sidharthan commented · October 22, 2018 07:41 · Flag as inappropriate

Eagerly waiting for this feature.

Submitting...
Kristoffer commented · September 02, 2018 23:58 · Flag as inappropriate

Do you have any roadmap or such around this issue?

Submitting...
Peter Selch Dahl commented · August 13, 2018 04:48 · Flag as inappropriate

@Vince
Make sure that these new RBAC permissions covers both Azure AD and Office 365.

https://office365.uservoice.com/forums/264636-general/suggestions/19758058-azure-ad-custom-admin-roles

/Peter Selch Dahl
Azure MVP

Submitting...