AzureAD Role Delegation to Groups
Currently in Azure AD, MSOL roles can only be assigned to users and service principals using the Add-MsolRoleMember cmdlet. Groups cannot be an MSOL role member, although the Add-MsolRoleMember cmdlet's RoleMemberType parameter can be set to Group. But we always get an exception which says that this value is invalid.
Usually we delegate access to resources using Active Directory groups instead of users, which makes management much easier. To achieve role delegation to groups we have to deploy a PowerShell script that synchronizes group members with the role members of a specific role. This is a valid workaround but a nasty one compared to direct delegation to Azure AD groups.
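The synchronization workaround the request describes, written out as an added example (this is not the poster's script and not Microsoft code). It assumes the MSOnline module is installed, that Connect-MsolService has already been run as an identity allowed to change role membership (for example a Privileged Role Administrator), and that the group name, role name and break-glass UPN are placeholders to replace. It is one-way: the group is the source of truth, the role is made to match it.

```powershell
# Added example: one-way sync of an Azure AD group's direct user members into an
# MSOL directory role. Assumes MSOnline is loaded and Connect-MsolService was run
# as an account that may change role membership. Names below are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GroupDisplayName = 'Role-GlobalReader',             # assumed group name
    [string]$RoleName         = 'Global Reader',                 # assumed directory role
    [string[]]$NeverRemove    = @('breakglass@contoso.example')  # assumed break-glass UPNs
)

$ErrorActionPreference = 'Stop'

# Resolve the role and the group to object IDs. A missing or ambiguous group must
# abort: syncing against the wrong group silently grants the role to the wrong people.
$role   = Get-MsolRole -RoleName $RoleName
$groups = @(Get-MsolGroup -SearchString $GroupDisplayName -All |
            Where-Object { $_.DisplayName -eq $GroupDisplayName })
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$GroupDisplayName', found $($groups.Count)"
}
$group = $groups[0]

# Desired state: the group's direct user members. Get-MsolGroupMember does not expand
# nested groups, so a group nested inside this one contributes nothing; keep it flat.
$desired = @{}
Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
    Where-Object { $_.GroupMemberType -eq 'User' } |
    ForEach-Object { $desired[$_.ObjectId.ToString()] = $_ }

# Current state: users already holding the role. Service principals are left alone;
# this script only manages user assignments.
$current = @{}
Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
    Where-Object { $_.RoleMemberType -eq 'User' } |
    ForEach-Object { $current[$_.ObjectId.ToString()] = $_ }

# Accounts that must never be stripped of the role by automation (break-glass admins).
$protected = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$NeverRemove, [System.StringComparer]::OrdinalIgnoreCase)

$added = @(); $removed = @(); $skipped = @()

# Grant: in the group but not yet in the role.
foreach ($id in $desired.Keys) {
    if ($current.ContainsKey($id)) { continue }
    $m = $desired[$id]
    if ($PSCmdlet.ShouldProcess($m.EmailAddress, "Add to role '$RoleName'")) {
        Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType User -RoleMemberObjectId $m.ObjectId
    }
    $added += $m.EmailAddress
}

# Revoke: in the role but no longer in the group, unless protected.
foreach ($id in $current.Keys) {
    if ($desired.ContainsKey($id)) { continue }
    $m = $current[$id]
    if ($protected.Contains([string]$m.EmailAddress)) { $skipped += $m.EmailAddress; continue }
    if ($PSCmdlet.ShouldProcess($m.EmailAddress, "Remove from role '$RoleName'")) {
        Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType User -RoleMemberObjectId $m.ObjectId
    }
    $removed += $m.EmailAddress
}

# Summary of what was (or, with -WhatIf, would have been) changed.
[pscustomobject]@{
    Role      = $RoleName
    Group     = $GroupDisplayName
    Added     = $added
    Removed   = $removed
    Protected = $skipped
}
```

Run it first with -WhatIf to see the planned adds and removals without touching the role, then schedule it; role membership lags group edits by the schedule interval. Two points matter for the elevation-of-privilege concern raised below: whoever can edit the source group effectively holds the role, so restrict the group's owners as tightly as the role itself, and the credential the script runs under can assign roles, so it must be protected and audited like any other privileged-role account.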
We are working on it. There is an elevation of privilege concern associated with this feature. If a group is assigned a role, any IT admin who can manage that group's membership can indirectly manage who gets the role. So, we have to ensure that the feature is secure.
We are taking a staged approach to execute this feature –
Stage 1: Supporting cloud groups to be assigned to roles
Stage 2: Supporting on-prem groups to be assigned to roles
Abhijeet Kumar Sinha
Azure Active Directory Team
We are also urgently needing this - is there any update on when this will come in preview (interested) or GA?
Ben Eldridge commented
Hi Azure AD team,
If/when this feature is added, it would be really beneficial if it also applies to PIM.
I.e. we wish to assign members of an Azure AD group to be eligible for an Azure AD role via PIM.
Could you please advise if this is also being worked on?
Josh C. commented
@Nick 💯% on all counts. What a load of **** from the Azure AD team.
Any update or any information on this at all? Last ADMIN update was a year ago.
Jim Kuterbach commented
My customer is also interested in any updates. The workaround is just not something they care to do.
Grayson Bishop commented
Any update on this? Or link to this feature on the roadmap?
In response to the post from "Azure AD Team".
"any IT admin who can manage group membership can indirectly manage the membership of that role" - but that's exactly what I want. I already have a well defined RBAC model built on AD security groups. Those groups can only be managed by a dedicated Sec Admin team. I want all their admin to be with AD. I don't want them to have to use another management console.
"we have to ensure that the feature is secure" - Really - it's already secure surely? Of course it is. This reads like Microsoft is trying to protect us from ourselves, which is a little patronising.
I actually didn't believe this was a "feature" at first. I couldn't believe that anyone would consider this implementation by design. This is going to be a major PITA as we are looking to migrate to Intune which requires "Global Reader" in addition to the Intune role assignment for administration. I now have to manage "Global Reader" as individual users.
Kai Burkard commented
Amazing. Did not believe this feature could not exist. Was searching and searching for it. Absolute must have to migrate with an enterprise-size company with more than 100,000 seats to the cloud. Any updates on this?
Is there anywhere where you've posted about the specific concerns around elevation of privilege (especially since this only seems like an issue with Azure AD, unless I'm missing something)?
Not being able to manage roles by groups seems like such a feature gap (per comments from others on here) that I'm struggling to explain it internally - it makes it seems like I'm making it up!
We are working on it. There is an elevation of privilege concern associated with this feature. If a group is assigned a role, any IT admin who can manage group membership can indirectly manage the membership of that role. So, we have to ensure that the feature is secure.
Abhijeet Kumar Sinha
Azure Active Directory Team
Can you please update on this feature, as it is requested by a lot of clients and this needs to be done as a priority.
Nicholas Hart commented
Customers are begging for this feature, please can we have the ability to manage roles via group membership?
Or at least a commitment for an ETA on this needed feature?
Is there any ETA on this? Soon a year since you replied that this is a high priority.
Jiri Formacek commented
Hello, any update on this feature availability?
Bhargav Patel commented
Any update on this? This is a big shame, we have RBAC but not for the most important piece of service.
This is very much needed! Eagerly anticipating some progress on this topic.
Any update? The fact that this basic principle of security and IAM was left out of AAD roles makes me question our move to this!!!
Is there any news?
When is this basic capability going to be added into the system? It's absurd that it was skipped.
Volz, Gary commented
Azure Active Directory doesn't support group assignment to roles? How much more contradictory does it get? An enterprise directory doesn't support enterprise management.