RBAC for AAD
The Azure teams have done an awesome job implementing RBAC. I would love to have this same functionality (granular permissions + custom roles) for AAD itself.
Currently there are too many activities that only a global admin can do. RBAC would allow us to delegate appropriate activities without increasing our security attack surface.
Just a quick update here. We’re still actively working on support for custom roles (RBAC) across Azure AD. Stay tuned for more announcements in the next couple of months.
You can have a look at what we’ve shipped thus far (custom roles for application registration management) here – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-custom-overview.
Azure Active Directory Team
Was shocked to discover this didn't exist already and that it was different from Azure custom roles
Matt Thompson commented
Any update to this?
Gary Forsman commented
Any news or progress on this? Seen the requirement at multiple customers now, it's becoming a major issue.
Mads Højlund commented
Any update to this?
Phiroj Shaik commented
Eagerly waiting to hear its preview release date to get hands on with custom AAD roles; currently this is a deterrent to making the delegations we wish to make.
Very much appreciate the feedback here. Just wanted to provide an update - we are actively working on custom roles support for Azure AD. It's a big project, but we are making good progress. Thanks for your patience!
This is a serious impediment to our ability to automate management work. Without the ability to customize roles for AAD, the applications used to automate management work have more permissions than they need.
Please keep us updated.
ashwin sidharthan commented
Eagerly waiting for this feature.
Do you have any roadmap or such around this issue?
Peter Selch Dahl commented
Make sure that these new RBAC permissions cover both Azure AD and Office 365.
/Peter Selch Dahl
Custom roles would be awesome! For example, right now it's hard to delegate fine-grained permissions to support personnel. As user administrators they have way too many privileges within user and group control.
Andy Simmons commented
Glad to see this planned. Hopefully this includes delegation of device removal.
We use conditional access and non-persistent pooled virtual desktops. This results in thousands of users workplace joining a "new" device 1-2 times daily.
Those users quickly hit the limit on number of registered devices. It's really unsettling that we need GA permissions to automate the device cleanup.
Chad ODell commented
I work at a large company that’s dealing with device limits in Azure AD. Only GA can remove devices after a user hits their limit. We can’t go unlimited due to security concerns.
We would like to see either a way to have a small number of users exceed the number of allowed devices or a way to have a non-GA role be provisioned the ability to remove devices when users hit the limit. The fact that device removal can’t be handled outside of GA is very limiting to our support model and security model.
As we (and other companies) prepare to begin implementing wearables and IoT tech across the org, the GA-only model for managing device removal is not going to be sustainable.
Looking for something in between Security Manager and Security Reader for AADIP, so that L1 monitoring engineers can close some of the risk events without having to give them the ability to change other security settings.
Any news on this planned update?
Currently only global admins can manage MFA, i.e. only global admins can enable or disable MFA on an account. Delegation of MFA Administration to a Help Desk role would be a boon for our support teams.
"View" or "read only" admin would also be nice.
Ben Virkler commented
@Varun Not really. I don't want to give global admin rights to someone who just needs to manage user MFA settings, even if they have to go through PIM to do it.
Varun Karandikar [vakarand@MSFT] commented
Will Privileged Identity Management in Azure help your case? https://azure.microsoft.com/en-us/documentation/articles/active-directory-privileged-identity-management-configure/
Rob de Jong (Azure AD IAM) commented
Yes, this is something that is in our plans