How can we improve Azure Active Directory?

AzureAD Role Delegation to Groups

Currently in AzureAD, MSOL roles can only be assigned to users and servicePrincipals using the Add-MsolRoleMember cmdlet. Groups cannot be an MSOL role member, although the Add-MsolRoleMember cmdlet's RoleMemberType parameter can be set to Group. But we always get an exception which says that this value is invalid....
Usually we delegate access to resources using Active Directory groups instead of users, which makes the management much easier. To achieve a role delegation to groups we have to deploy a PowerShell script that synchronizes group members with role members of a specific role. This is a valid workaround but a nasty one compared to a direct delegation to AzureAD groups.

218 votes

Pirmin Felber shared this idea
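The group-to-role synchronization workaround described in the idea above, as an added example (not the poster's script and not Microsoft code). It assumes the MSOnline module is loaded and `Connect-MsolService` has already been run; the function names and the `KeepObjectIds` parameter are hypothetical.

```powershell
# Added example: mirror the direct user members of one group into one directory role.
# Assumes the MSOnline module and an existing Connect-MsolService session.
function Get-RoleSyncPlan {
    param(
        [Guid[]]$GroupUserIds = @(),   # users who should hold the role
        [Guid[]]$RoleUserIds = @(),    # users who hold the role now
        [Guid[]]$KeepObjectIds = @()   # hypothetical: accounts that are never removed
    )
    [pscustomobject]@{
        ToAdd    = @($GroupUserIds | Where-Object { $_ -notin $RoleUserIds })
        ToRemove = @($RoleUserIds | Where-Object {
                $_ -notin $GroupUserIds -and $_ -notin $KeepObjectIds })
    }
}

function Sync-MsolRoleFromGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][Guid]$GroupObjectId,
        [Parameter(Mandatory)][string]$RoleName,
        [Guid[]]$KeepObjectIds = @()
    )
    $role = Get-MsolRole -RoleName $RoleName
    if (-not $role) { throw "Role '$RoleName' not found" }
    # Only direct user members are mirrored; nested groups are not expanded.
    $groupUsers = @(Get-MsolGroupMember -GroupObjectId $GroupObjectId -All |
        Where-Object { $_.GroupMemberType -eq 'User' } | ForEach-Object { $_.ObjectId })
    # An empty result would strip the role from everyone, so stop instead.
    if ($groupUsers.Count -eq 0) { throw "Group has no user members; refusing to empty the role" }
    # Service principals holding the role are left untouched.
    $roleUsers = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.RoleMemberType -eq 'User' } | ForEach-Object { $_.ObjectId })
    $plan = Get-RoleSyncPlan -GroupUserIds $groupUsers -RoleUserIds $roleUsers -KeepObjectIds $KeepObjectIds
    foreach ($id in $plan.ToAdd) {
        if ($PSCmdlet.ShouldProcess("$id", "Add to role '$RoleName'")) {
            Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType User -RoleMemberObjectId $id
        }
    }
    foreach ($id in $plan.ToRemove) {
        if ($PSCmdlet.ShouldProcess("$id", "Remove from role '$RoleName'")) {
            Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType User -RoleMemberObjectId $id
        }
    }
    $plan   # returned so each run can be logged and reviewed
}
```

Running it with `-WhatIf` first shows the planned adds and removes without changing the role. With a sync like this in place, anyone who can edit the group's membership can effectively grant the role, so the group needs the same protection as the role itself.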

32 comments

  • Anonymous commented

    Do you have any news about this feature of support of AAD security groups in AAD Roles?

  • Christian Wiese commented

    Agree with the others. Not having this feature really goes against RBAC fundamentals and increases management overheads for our IT department.

    Microsoft please resolve asap.

  • JasonG commented

    Is a reference item for the planned work available so customers can look for updates and status? If not, is this possible?

  • Ben Gliddon commented

    Agree with the others. Not having this feature really goes against RBAC fundamentals and increases management overheads for our IT department.

    Microsoft please resolve asap.

  • MikeN commented

    I just wanted to provide feedback that this is very much a needed feature.
    It seems like a pretty bad engineering oversight when the service was first designed.

    Best practices 101 says that you should never assign permissions to individual users, you assign permissions to groups and add users to the groups.

  • Anonymous commented

    Please make this very necessary change to your roles. It took our entire IT management team by surprise that you could not assign Groups to Azure AD Roles.

  • Chris Allen commented

    I have a customer who is running into this limitation and it is hampering their ability to manage what is a large group of users through RBAC. The option of Role Assignments does not meet their need. Do we have any kind of ETA on this change going in?

  • Admin · Azure AD Team (Product Manager, Microsoft Azure) commented

    RE: "High Priority? Request has been posted 2,5 years ago?! Come on Microsoft, this is ridiculous"

    Ugh, you are right to be frustrated with us here. I'm not happy with the pace of progress on assigning groups as members of roles, either. It is a high priority for us, but it's proving more difficult for reasons that aren't obvious.

    I appreciate everyone who has taken the time to provide feedback. It is valuable, and we take it into account in our planning and prioritization process.

    Vince

  • Anonymous commented

    High Priority? Request has been posted 2,5 years ago?! Come on Microsoft, this is ridiculous.....
