AzureAD Role Delegation to Groups
Currently in AzureAD msolroles can only be assigned to users and servicePrincipals using the add-msolRoleMember cmdlet. Groups cannot be a msol-roleMember - although the add-msolroleMember cmdlets' RoleMemberType Parameter can be set to Group. But we always get an exception which says that this value is invalid....
Usually we delegate access to resources using ActiveDirectory Groups instead of users, which makes the Management much easier. To achieve a Role Delegation to Groups we have to deploy a Powershell that synchronizes Group-Members with Role-Members of a specific role. This is a valid Workaround but a nasty one compared to a direct delegation to AzureAD Groups.
Pirmin Felber
shared this idea
Folks,
Assigning built-in roles, custom roles and admin unit scoped roles to cloud groups is in public preview. Thanks a ton for all the great feedback that you shared with us. Here’s the published documentation -
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept
Next steps —> Support for on-prem groups. Stay tuned!
Regards,
Abhijeet Kumar Sinha
Azure Active Directory Team
83 comments
-
Aaron Sawmadal
commented
Please work to implement this feature in Azure.
-
ray
commented
It's pretty confusing/frustrating that just being a member of a group with a role assigned - even something like "Guest Inviter" - makes those users "privileged". It seems like there should be some way to mark a group as privileged, or do that based on the role assigned - not just privileged by default.
-
jd
commented
Hi Azure AD Team, I have found a bug.
Under Identity Protection | Users at risk detected alerts
"Users in the Global administrator, Security administrator, or Security reader roles are automatically added to this list"Users added to a 'preview' group which has those roles assigned, are not automatically being added.
-
Anonymous
commented
If you assign a role using this method that would normally enable admins to use SSPR it will return a not allowed when they try to reset password, it appears SSPR checks for direct assignment only
-
Chris
commented
From the MS doc: Use the new Exchange Admin Center for role assignments via group membership. The old Exchange Admin Center doesn’t support this feature yet.
-
Fred
commented
There is also an issue with the management of Teams apps and access to policies for office applications :-(
-
Fred
commented
It is not functional for Exchange administration and reporting :-/
-
Folks,
Assigning cloud groups to built-in roles is in public preview starting today. Thanks a ton for all the great feedback that you shared with us. Here's the published documentation -https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept
Next steps --> Support for custom roles and on-prem groups. Stay tuned!
Regards,
Abhijeet Kumar Sinha
Azure Active Directory Team -
Anonymous
commented
We need this feature ASAP!
-
Tore Olav Kristiansen
commented
See here for how to try this feature now:
https://stackoverflow.com/questions/63056469/assign-aad-administrative-roles-to-aad-group -
De Greyt Jurgen
commented
We definitely need this feature. We are working in a 10000+ environment. Do you expect to perform micromanagement in these kinds of environments?!
-
Andreplusplus
commented
@Azure AD Team (Product Manager, Microsoft Azure): Is there any update you can share with us? It's been a while since February.
(And when OP mentions msol-roles, do I understand correctly this is all Azure AD roles that one can find in the /Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators blade? (Azure AD, Roles and administrators), I mean built-in and custom (though I know custom roles are in preview)BTW, I am confused, as AAD groups can have Azure role assignments, at least that is what I can see in the portal when viewing group details. O no, wait... that's *Azure resource* roles, not Azure *AD* roles.
-
Anonymous
commented
If privilege escalation is the issue then tie Role Assignment --> AD Group to the use of Azure AD PIM. If someone wants to implement AD Groups in roles Azure AD PIM is a requirement. That way even if users are added to a group that is a member of a role they still have to go through PIM. This would solve that issue.
-
Gardam, Martin (Latitude Financial)
commented
We too need this feature ASAP. I would like to tie the request process for PIM role eligibility into the Azure Identity Governance workflow, so we can approve eligibility for PIM roles using this workflow. If we can assign AAD privileged roles based on AAD group, then this can tie the two processes together.
-
Archimedes Trajano
commented
Can you add the capability of doing it through the Azure AD Go SDK so it can be Terraformed as well?
-
Claude Cantin
commented
I opened a support ticket because I could not add an AD group to an AD admin role. I do that with my cloud subscriptions all the time, so why should I not be able to manage AD admin roles using groups? Much easier to manage that way.
The MS support person pointed me to this thread for me to give feedback.
I say, as most people in the thread do, bring on that feature. It is needed!
-
Ivo
commented
Come on guys, when will this finally be implemented?! Last update on February 6, almost 4 months ago.... Are you really taking this enormous omission seriously?
-
Taylor Knight
commented
Looking forward to once this feature becomes available, we need it!
-
Justin
commented
Sorry but this isn't a valid approach IMO. The IT administrators who are managing on-prem groups are the same ones who will be managing cloud resources, so what's the concern? The cloud is an extension (or replacement) of on-prem infrastructure and the same people will ultimately be doing the job. Bottom line, if I've got rights to assign access via groups on prem it's a ridiculous argument that I wouldn't be allowed to do the same in the cloud.
-
Diego
commented
Definitively a must to have this feature available. When will it be available?