How can we improve Azure Active Directory?

← Azure Active Directory

AzureAD Role Delegation to Groups

Currently in AzureAD msolroles can only be assigned to users and servicePrincipals using the add-msolRoleMember cmdlet. Groups cannot be a msol-roleMember - although the add-msolroleMember cmdlets' RoleMemberType Parameter can be set to Group. But we always get an exception which says that this value is invalid....
Usually we delegate access to resources using ActiveDirectory Groups instead of users, which makes the Management much easier. To achieve a Role Delegation to Groups we have to deploy a Powershell that synchronizes Group-Members with Role-Members of a specific role. This is a valid Workaround but a nasty one compared to a direct delegation to AzureAD Groups.

263 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Pirmin Felber shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

43 comments

Attach a File
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • AdminAzure AD Team (Product Manager, Microsoft Azure) commented  ·   ·  Flag as inappropriate

    Folks,
    We are working on it. There is an elevation of privilege concern associated with this feature. If a group is assigned a role, any IT admin who can manage group membership can indirectly manage the membership of that role. So, we have to ensure that the feature is secure.

    Stay tuned!

    Regards,
    Abhijeet Kumar Sinha
    Azure Active Directory Team

  • Anonymous commented  ·   ·  Flag as inappropriate

    Hi Team,

    Can you please update on this feature as it is requested by lot of clients and this need to be done on priority.

  • Nicholas Hart commented  ·   ·  Flag as inappropriate

    Customers are begging for this feature , please can we have the ability to manage roles via group membership ?
    Or at least a commitment for an ETA on this needed feature ?

    "high priority"

  • Anonymous commented  ·   ·  Flag as inappropriate

    Is there any ETA on this? Soon a year since you replied that this is a high priority.

  • Bhargav Patel commented  ·   ·  Flag as inappropriate

    Any update on this? This is a big shame, we have RBAC but not for the most important piece of service.

  • Tor commented  ·   ·  Flag as inappropriate

    This is very much needed! Eagerly anticipating some progress on this topic.

  • Adam commented  ·   ·  Flag as inappropriate

    any update,, the fact that this basic principle of security and IAM was left out of AAD roles , makes me question our move this!!!

  • Anonymous commented  ·   ·  Flag as inappropriate

    When is this basic capability going to be added into the system. Its absurd that it was skipped.

  • Volz, Gary commented  ·   ·  Flag as inappropriate

    Azure Active Directory doesn't support group assignment to roles? How much more contradictory does it get? An enterprise directory doesn't support enterprise management.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Do you have any news about this feature of support of AAD security groups in a AAD Roles ?

  • Christian Wiese commented  ·   ·  Flag as inappropriate

    Agree with the others. Not having this feature really goes against RBAC fundamentals and increases management overheads for our IT department.

    Microsoft please resolve asap.

  • JasonG commented  ·   ·  Flag as inappropriate

    is a reference item for the planned work available so customers can look for updates and status, if not is this possible?

  • Ben Gliddon commented  ·   ·  Flag as inappropriate

    Agree with the others. Not having this feature really goes against RBAC fundamentals and increases management overheads for our IT department.

    Microsoft please resolve asap.

← Previous 1 3

Azure Active Directory: Role-based Access Control

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice