I have the same issue: Administrative Units are limited to a very short list of permissions. Unfortunately this isn't enough even to delegate permissions to each site helpdesk.
Our helpdesk converts leavers' mailboxes to shared before deleting the account.
We have found out that they need the Directory Exchange Administrator role, giving them permissions to manage every user and mailbox in our company, not just their Administrative Unit users and their mailboxes.
Maybe I'm missing something, but this isn't working as expected. The dynamic membership is great: we can populate them by country using that AD field automatically with a very simple rule. But the permissions that can be given are VERY limited. You cannot delegate MFA administration within the administrative unit, so instead we have to give each IT manager permissions to the whole directory with the Privileged Authentication Administrator role.
You might say: well, you're trying to delegate things that are directory-based by design, and you cannot limit them to your AU. And you are probably right, but if you give someone User Administrator at their AU level, this is what happens:
They cannot see the Azure Active Directory admin center in the Microsoft 365 Admin Center sidebar. Is this a bug or is it intentional? Because they can still type entra.microsoft.com and log in, where they will see thousands of users instead of just their AU. At least they're unable to modify them, and this shouldn't be an issue, it's read-only after all. But they still can see them. And because of that, the moment you give that user a directory-based permission (because there's no way to delegate most things within an AU) they can now see AND modify all the MFA users at the company, for example.
I tried making custom roles but to no avail. Those MFA management or Exchange mailbox permissions are set at the Directory level.
Maybe we're using it wrong and each site should have its own tenant? But the license pool would not be global anymore, which is a big no-no, and some other issues would come with that.
The official documentation makes great promises, and that's why we implemented it, but unfortunately the feature seems to still be in beta:
"Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support."
Please, Alex Simons, let me know if I'm wrong and there's a way to make it work. I really hope I'm wrong, because the feature is promising and RBAC is the foundation of Azure.
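One way to keep an eye on the problem described above, namely delegated roles that ended up scoped to the whole directory rather than to an AU, is to audit role assignments by their directoryScopeId. This is an added example written for this page, not the commenter's own script; it assumes the Microsoft Graph PowerShell SDK is installed and the caller can read role management data, and the role names on the watch list are the ones the post mentions.

```powershell
# Added example: list Entra role assignments for a set of sensitive roles and flag
# those scoped to the entire directory ("/") instead of an administrative unit
# ("/administrativeUnits/<id>"). Assumes the Microsoft.Graph SDK is installed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Follow @odata.nextLink so large tenants are fully enumerated
function Get-GraphPages {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

# Roles the post says can only be delegated tenant-wide in practice
$watchList = @(
    'Exchange Administrator',
    'Privileged Authentication Administrator',
    'User Administrator'
)

# Expand roleDefinition so each assignment carries its role's display name
$assignments = Get-GraphPages 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$expand=roleDefinition'

$report = foreach ($a in $assignments) {
    $roleName = $a.roleDefinition.displayName
    if ($watchList -notcontains $roleName) { continue }
    $scope = $a.directoryScopeId
    [pscustomobject]@{
        Role        = $roleName
        PrincipalId = $a.principalId
        Scope       = $scope
        TenantWide  = ($scope -eq '/')   # true = not limited to any AU
    }
}

# Tenant-wide assignments of these roles are the ones to review first
$report | Sort-Object TenantWide -Descending | Format-Table -AutoSize
```

Resolve PrincipalId to a display name with a GET on /directoryObjects/{id} if the report is going to non-admin reviewers.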