RBAC for AAD
The Azure teams have done an awesome job implementing RBAC. I would love to have this same functionality (granular permissions + custom roles) for AAD itself.
Currently there are too many activities that only a global admin can do. RBAC would allow us to delegate appropriate activities without increasing our security attack surface.
Just a quick update here. We’re still actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.
You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.
Azure Active Directory Team
The AAD built-in role Security Administrator has a lot of permissions outside Azure AD, e.g. Exchange Online Admin and Defender for Endpoint administrator (default), amongst others.
We have a dedicated team managing DfE settings, etc., which should be the sole group able to do this. We have assigned them the DfE administrator (default) role.
But we find that other people are also fiddling with it, which they can do because they have the built-in AAD Security Administrator role (as well as Global Admin for that matter, but that is not as important, as these are very few in number).
For the Sec Admin people it is legitimate to have this role, but they should not be able to touch DfE.
So, either we would like to remove the Sec Admins from the DfE administrator role or create custom roles for all components outside AAD and stop using the built-in roles.
Would it be possible to create a custom AAD role from cloning Security Administrator and subsequently removing the DfE permissions from it?
Like removing microsoft.office365.protectionCenter/allEntities/update from it?
Alternatively, we would like the ability to take Security Reader off of the "Defender for Endpoint administrator (default)" role (perhaps only possible if at least one other principal is assigned to it, to prevent lockouts).
Jakob Østergaard Nielsen commented
The ability to create custom Azure AD roles that support more areas than the current application permissions is a highly requested feature in Azure AD.
Can you (MS) please provide an update on this topic, or ideally the plan for an upcoming preview?
Samir Sultanali commented
Hope that I'm not the only one pointing this out:
"Microsoft.Resources/deployments/write - Creates or updates an deployment."
We need to allow users to update/deploy into/change/modify existing resources but deny the ability to create new resources and/or upgrade/downgrade these resources to a different tier/cost (basic, standard, premium, etc.).
If I deny this permission, users will not be able to create new resources (which is what we want) but will also be denied the ability to deploy into current resources (which is what we don't want).
Rocky Ortega commented
It looks like the current Custom Role is limited to only "Microsoft.directory/apps" but this functionality would be super helpful if you could edit the "Microsoft.directory/user" to expand the Guest Inviter role to still be able to invite guests, but not see all items in the tenant. This would be a big step forward in B2B access for external clients to invite and manage their users without seeing the host tenant.
We'd like to create a custom role group borrowing from the User, Authentication and HelpDesk roles.
Looking forward to this feature being introduced. Any ETA?
Emma Bailey commented
I badly need the ability to make a custom role for Teams administration; disappointingly, none of the existing built-in roles are appropriate or useful for our help desk.
We’re now heavily reliant on Teams for everything from one to one/group communications (text/voice/video) to shared file storage and group collaboration and productivity, especially to support remote working now. We have frequent support questions related to managing Team members/guests/owners, as well as managing channels and apps/connectors/tabs... but the help desk support team has almost no visibility or access to provide any support for these issues, and they either can’t help the users at all, or have to escalate straight to the few of us at a higher level with global admin, which is silly - senior specialists and architects having to provide user support on everyday issues.
I can’t assign the help desk to the Teams Service Administrator role because it gives far too much control (specifically, creating/deleting unified groups, changing org wide settings, changing any kind of policies), but there’s no other way to give them access to the Teams admin dashboard.
I need to grant access for them to manage Teams (Teams/Manage teams menu item - but not to create or delete), view/change users coexistence mode, view/change users assigned policies, view-only access for really all kinds of policies, including Teams apps policies and org-wide settings (and I second the earlier suggestion for a custom security reader role with view-only access to conditional access policies!), plus the comms support tasks already provided as a role.
They already have various other assigned roles pertaining to the tasks they need to do (user admin, authentication admin, reports/message centre reader, and an expanded custom EXO recip. management role), but the Teams administration ability is sorely lacking. It would also be nice to create one custom role that bundles all their related role permissions together, but having this subset of Teams permissions is definitely the priority!
sukh rehal commented
It would be great if we could customize built-in RBAC roles or if the underlying permissions could be exposed. For example, if we have any automations running for Office 365 services, we have to assign User admin, EXO admin, etc. permissions, which increases risk. In the Exchange Online application there are a bunch of RBAC roles which could be used; however, they are not exposed through Azure AD.
@Anonymous: License assignments can be viewed by a regular user with no special permissions now?
We need custom AAD roles to be expanded so that we can provide Read access to the BitLocker key. I saw that someone else is also requesting this and second it!
Tim Nielsen (Admin) commented
I would like to modify or create a copy of the Helpdesk Administrator RBAC role, in order to add a few more relevant permissions to either the built in role - or a new role based on that role.
Unfortunately, permissions to "microsoft.directory/users/*" and "microsoft.directory/signInReports/*" are unavailable for a custom role, even though they exist in the built-in roles.
Why not allow creation of a custom role using already existing allowed resource actions from the built in roles, in order to mix them to custom roles?
As part of continuous deployment, the MSI of a SQL Managed Instance needed to be granted the "Directory Reader" role. At this time, this operation has to be done manually because it needs a key user with "Global Admin" rights.
It would be great if we could delegate the permission to assign a specific AAD role (like Directory Reader) to a user or a group of users.
Eric Raff commented
Great work being done here. I am interested in creating a custom Security Reader role but need additional permissions added, specifically the following 3 permissions. In short, granting the Security Reader role does not allow the security team to see Conditional Access policies in AAD.
Paweł Borkowski (CodeTwo) commented
MS has finally released this feature; check this out: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-create-custom
Dennis van Doorn commented
Just saw a tweet from AAD PM Rob de Jong stating Microsoft published an update of the AzureAD Preview module to create and assign custom roles in AzureAD.
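As an added example that is not from this thread or from Microsoft's own samples: creating and assigning one least-privilege custom Azure AD role with the AzureADPreview cmdlets Dennis mentions, using only the application-registration actions the Azure Active Directory Team's reply says shipped first. The role name, description and the user UPN are placeholders, and the script assumes the caller already holds Privileged Role Administrator.

```powershell
# Added example (not from the thread or from Microsoft's docs): create and assign a
# least-privilege custom Azure AD role with the AzureADPreview module.
# Assumptions: AzureADPreview is installed and the signed-in account can manage roles;
# the role name, description and UPN below are placeholders.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$displayName = "App Credential Rotator"   # placeholder name
$description = "Can read app registrations and rotate their credentials; cannot create or delete apps."

# Only actions under microsoft.directory/applications were accepted in custom roles when
# the feature first shipped; actions such as microsoft.directory/users/* are rejected,
# which is the limitation Tim describes earlier in this thread.
$allowedResourceActions = @(
    "microsoft.directory/applications/standard/read",
    "microsoft.directory/applications/credentials/update"
)
$rolePermissions = @{ allowedResourceActions = $allowedResourceActions }

# Reuse an existing definition on re-runs so the script stays idempotent.
$role = Get-AzureADMSRoleDefinition -Filter "displayName eq '$displayName'"
if (-not $role) {
    $role = New-AzureADMSRoleDefinition -DisplayName $displayName `
        -Description $description `
        -RolePermissions $rolePermissions `
        -TemplateId (New-Guid).Guid `
        -IsEnabled $true
}

# Assign at tenant scope ('/'). To limit the holder to a single app registration,
# pass "/<application object id>" as the DirectoryScopeId instead.
$principal = Get-AzureADUser -ObjectId "appops@contoso.example"   # placeholder UPN
New-AzureADMSRoleAssignment -DirectoryScopeId "/" `
    -RoleDefinitionId $role.Id `
    -PrincipalId $principal.ObjectId | Out-Null

# Access review: list every principal holding the new role so the assignment is auditable.
Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    ForEach-Object { Get-AzureADUser -ObjectId $_.PrincipalId } |
    Select-Object UserPrincipalName, ObjectId
```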
Chris Swigart commented
Could MS provide an update on this?
Any update on this?
robert meyering commented
We are looking to create an Incident Responder role that allows RBAC for acknowledging Azure Identity Protection alerts for risky users.
Like the other comments and up-votes before me, this functionality is sorely needed. I would rather not grant people the ability to modify AAD policies, for instance, just to allow them the permission to modify Risky Events (Security Admin required).
We need more granularity!!!
Actively blocked by lack of support for this, and it looks like it has been in progress for seven months....