How can we improve Azure Active Directory?

← Azure Active Directory

AzureAD Role Delegation to Groups

Currently in AzureAD msolroles can only be assigned to users and servicePrincipals using the add-msolRoleMember cmdlet. Groups cannot be a msol-roleMember - although the add-msolroleMember cmdlets' RoleMemberType Parameter can be set to Group. But we always get an exception which says that this value is invalid....
Usually we delegate access to resources using ActiveDirectory Groups instead of users, which makes the Management much easier. To achieve a Role Delegation to Groups we have to deploy a Powershell that synchronizes Group-Members with Role-Members of a specific role. This is a valid Workaround but a nasty one compared to a direct delegation to AzureAD Groups.

452 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Pirmin Felber shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
started  ·  AdminAzure AD Team (Product Manager, Microsoft Azure) responded  · 

Folks,
We are working on it. There is an elevation of privilege concern associated with this feature. If a group is assigned a role, any IT admin who can manage group membership can manage that group’s membership and indirectly manage who gets the role. So, we have to ensure that the feature is secure.

We are taking a staged approach to execute this feature –
Stage 1: Supporting cloud groups to be assigned to roles
Stage 2: Supporting on-prem groups to be assigned to roles

Stay tuned!

Regards,
Abhijeet Kumar Sinha
Azure Active Directory Team

Show previous admin responses (2)

64 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Diego commented  ·   ·  Flag as inappropriate

    Definitively a must to have this feature available. When will it be available?

  • Anonymous commented  ·   ·  Flag as inappropriate

    I am in need of this feature and the ability to customize AAD roles for attributes outside of applications.

  • kevin commented  ·   ·  Flag as inappropriate

    After many years, it's nice to see Microsoft has decided to start working on this "high priority". Though it sounds like you're not sure how to do it, so I guess implementation is going to be a long ways out.

  • Anonymous commented  ·   ·  Flag as inappropriate

    This is a blocker for us moving services to Azure for +20K devices.

    Ideally we need Custom Role to provide support for microsoft.directory/devices/bitLockerRecoveryKeys/read

    As well as this feature being enabled.

  • Gilles Bignens commented  ·   ·  Flag as inappropriate

    High priority but not implemented after almost 4 years. I dare not imagine the implementation time of a low or medium priority....
    Please provide us this feature !

  • Stefan Roth commented  ·   ·  Flag as inappropriate

    +1000 This is urgently needed for better automation / management of roles assignment, any update guys?

  • Ayo Dada commented  ·   ·  Flag as inappropriate

    This is urgently needed for better automation of roles assignment, any update guys

  • Kristian commented  ·   ·  Flag as inappropriate

    We are also urgently needing this - is there any update on when this will come in preview (interested) or GA?

  • Ben Eldridge commented  ·   ·  Flag as inappropriate

    Hi Azure AD team,

    If/when this feature is added, it would be really benficial if it also applies to PIM.

    I.e. we wish to assign members of an Azure AD group to be eligible for an Azure AD role via PIM.

    Could you please advise if this is also being worked on?

    Thanks!

  • Dan commented  ·   ·  Flag as inappropriate

    Any update or any information on this at all? Last ADMIN update was a year ago.

  • Jim Kuterbach commented  ·   ·  Flag as inappropriate

    My customer is also interested in any updates. The workaround is just not something they care to do.

  • Nick commented  ·   ·  Flag as inappropriate

    In response to the post from "Azure AD Team".
    "any IT admin who can manage group membership can indirectly manage the membership of that role" - but that's exactly what I want. I already have a well defined RBAC model built on AD security groups. Those groups can only be managed by a dedicated Sec Admin team. I want all their admin to be with AD. I don't want them to have to have to use another management console.
    "we have to ensure that the feature is secure" - Really - it's already secure surely? Of course it is. This reads like Microsoft is trying to protect us from ourselves, which is a little patronising.
    I actually didn't believe this was a "feature" at first. I couldn't believe that anyone would consider this implementation by design. This is going to be a major PITA as we are looking to migrate to Intune which requires "Global Reader" in addition to the Intune role assignment for administration. I now have to manage "Global Reader" as individual users.

  • Kai Burkard commented  ·   ·  Flag as inappropriate

    Amazing. Did not believe this feature could not exist. Was searching and searching for it. Absolute must have to migrate with an enterprise size Company with more than 100.000 seats to the Cloud. Any updates on this?

← Previous 1 3 4

Azure Active Directory: Role-based Access Control

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice