How can we improve Azure Active Directory?

← Azure Active Directory

RBAC for AAD

The Azure teams have done an awesome job implementing RBAC. I would love to have this same functionality (granular permissions + custom roles) for AAD itself.

Currently there's too many activities that only a global admin can do. RBAC would allow us to delegate appropriate activities without increasing our security attack surface.

357 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Ben Virkler shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
started  ·  AdminAzure AD Team (Product Manager, Microsoft Azure) responded  · 

Hi folks,
Just a quick update here. We’re still actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.

You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.

Regards,
Vince Smith
Azure Active Directory Team

Show previous admin responses (4)

40 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    Was shocked to discover this didn't exist already and that it was different from Azure custom roles

  • Gary Forsman commented  ·   ·  Flag as inappropriate

    Hey MS,

    Any news or progress on this? Seen the requirement at multiple customers now, it's becoming a major issue.

  • Phiroj Shaik commented  ·   ·  Flag as inappropriate

    Eagerly waiting to hear its preview release date to run hands on custom AAD roles, currently this is deterrent to make wish delegations

  • Anonymous commented  ·   ·  Flag as inappropriate

    This is a serious impediment to our ability to automate management work. Without the ability to customize roles for AAD, the applications used to automate management work have more permissions than they need.

    Please keep us updated.

  • Dennis commented  ·   ·  Flag as inappropriate

    Custom roles would be awesome! For example, now it's hard to delegate fine grained permissions to support personnel. As user administrator they have way too much privileges within user and group control.

  • Andy Simmons commented  ·   ·  Flag as inappropriate

    Glad to see this planned. Hopefully this includes delegation of device removal.

    We use conditional access and non-persistent pooled virtual desktops. This results in thousands of users workplace joining a "new" device 1-2 times daily.

    Those users quickly hit the limit on number of registered devices. It's really unsettling that we need GA permissions to automate the device cleanup.

  • Chad ODell commented  ·   ·  Flag as inappropriate

    I work at a large company that’s dealing with device limits in Azure AD. Only GA can remove devices after a user hits their limit. We can’t go unlimited due to security concerns.
    We would like to see either a way to have a small number of users exceed the number of allowed devices or a way to have a non-GA role be provisioned the ability to remove devices when users hit the limit. The fact that device removal can’t be handled outside of GA is very limiting to our support model and security model.
    As we (and other companies) prepare to begin implementing wearables and IoT tech across the org, the GA only model for managing device removal is not going to be sustainable.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Looking for something in between Security Manager and Security Reader for AADIP. So that L1 monitoring engineering can close some of the risk events without having to give them ability to change other security settings

  • paul commented  ·   ·  Flag as inappropriate

    Currently only global admins can manage MFA, i.e. only global admins can enable or disable MFA on an account. Delegation of MFA Administration to a Help Desk role would be a boon for our support teams.

  • Ben Virkler commented  ·   ·  Flag as inappropriate

    @Varun Not really. I don't want to give global admin rights to someone who just needs to manage user MFA settings, even if they have to go through PIM to do it.

2 Next →

Azure Active Directory: Role-based Access Control

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice