How can we improve Azure Active Directory?

← Azure Active Directory

AzureAD Role Delegation to Groups

Currently in AzureAD msolroles can only be assigned to users and servicePrincipals using the add-msolRoleMember cmdlet. Groups cannot be a msol-roleMember - although the add-msolroleMember cmdlets' RoleMemberType Parameter can be set to Group. But we always get an exception which says that this value is invalid....
Usually we delegate access to resources using ActiveDirectory Groups instead of users, which makes the Management much easier. To achieve a Role Delegation to Groups we have to deploy a Powershell that synchronizes Group-Members with Role-Members of a specific role. This is a valid Workaround but a nasty one compared to a direct delegation to AzureAD Groups.

555 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Pirmin Felber shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
started  ·  AdminAzure AD Team (Product Manager, Microsoft Azure) responded  · 

Folks,
We are working on it. There is an elevation of privilege concern associated with this feature. If a group is assigned a role, any IT admin who can manage group membership can manage that group’s membership and indirectly manage who gets the role. So, we have to ensure that the feature is secure.

We are taking a staged approach to execute this feature –
Stage 1: Supporting cloud groups to be assigned to roles
Stage 2: Supporting on-prem groups to be assigned to roles

Stay tuned!

Regards,
Abhijeet Kumar Sinha
Azure Active Directory Team

Show previous admin responses (2)

72 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    @Azure AD Team (Product Manager, Microsoft Azure): Is there any update you can share with us? It's been a while since February.
    (And when OP mentions msol-roles, do I understand correctly this is all Azure AD roles that one can find in the /Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators blade? (Azure AD, Roles and administrators), I mean built-in and custom (though I know custom roles are in preview)

    BTW, I am confused, as AAD groups can have Azure role assignments, at least that is what I can see in the portal when viewing group details. O no, wait... that's *Azure resource* roles, not Azure *AD* roles.

  • Anonymous commented  ·   ·  Flag as inappropriate

    If privilege escalation is the issue then tie Role Assignment --> AD Group to the use of Azure AD PIM. If someone wants to implement AD Groups in roles Azure AD PIM is a requirement. That way even if users are added to a group that is a member of a role they still have to go through PIM. This would solve that issue.

  • Gardam, Martin (Latitude Financial) commented  ·   ·  Flag as inappropriate

    We too need this feature ASAP. I would like to tie the request process for PIM role eligibility into the Azure Identity Governance workflow, so we can approve eligibility for PIM roles using this workflow. If we can assign AAD privileged roles based on AAD group, then this can tie the two processes together.

  • Claude Cantin commented  ·   ·  Flag as inappropriate

    I opened a support ticket because I could not add an AD group to an AD admin role. I do that with my cloud subscriptions all the time, so why should I not be able to manage AD admin roles using groups? Much easier to manage that way.

    The MS support person pointed me to this thread for me to give feedback.

    I say, as most people in the thread do, bring on that feature. It is needed!

  • Ivo commented  ·   ·  Flag as inappropriate

    Come on guys, when will this finally be implemented?! Last update on February 6, almost 4 months ago.... Are you really taking this enormous omission seriously?

  • Justin commented  ·   ·  Flag as inappropriate

    Sorry but this isn't a valid approach IMO. The IT administrators who are managing on-prem groups are the same ones who will be managing cloud resources, so what's the concern? The cloud is an extension (or replacement) of on-prem infrastructure and the same people will ultimately be doing the job. Bottom line, if I've got rights to assign access via groups on prem it's a ridiculous argument that I wouldn't be allowed to do the same in the cloud.

  • Diego commented  ·   ·  Flag as inappropriate

    Definitively a must to have this feature available. When will it be available?

  • Anonymous commented  ·   ·  Flag as inappropriate

    I am in need of this feature and the ability to customize AAD roles for attributes outside of applications.

  • kevin commented  ·   ·  Flag as inappropriate

    After many years, it's nice to see Microsoft has decided to start working on this "high priority". Though it sounds like you're not sure how to do it, so I guess implementation is going to be a long ways out.

  • Anonymous commented  ·   ·  Flag as inappropriate

    This is a blocker for us moving services to Azure for +20K devices.

    Ideally we need Custom Role to provide support for microsoft.directory/devices/bitLockerRecoveryKeys/read

    As well as this feature being enabled.

  • Gilles Bignens commented  ·   ·  Flag as inappropriate

    High priority but not implemented after almost 4 years. I dare not imagine the implementation time of a low or medium priority....
    Please provide us this feature !

  • Stefan Roth commented  ·   ·  Flag as inappropriate

    +1000 This is urgently needed for better automation / management of roles assignment, any update guys?

  • Ayo Dada commented  ·   ·  Flag as inappropriate

    This is urgently needed for better automation of roles assignment, any update guys

← Previous 1 3 4

Azure Active Directory: Role-based Access Control

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice