Howdy folks,
I’m very excited to kick off a series of announcements on capabilities related to Azure Active Directory (Azure AD) role-based access control (RBAC). These capabilities will support the enablement of fine-grained authorization and simplify management at scale for RBAC in Azure AD and Microsoft 365.
I’d like to start this series by sharing the general availability of custom roles for delegated app management.
Together, custom roles for app registration and enterprise apps provide fine-grained control over what access your admins have for app management. As a reminder, Azure AD custom roles require an Azure AD Premium P1 subscription.
Let’s see how Alice, a centralized IT admin at the fictitious company Woodgrove, can effectively and securely delegate app management.
Woodgrove uses custom roles for app management for secure app management delegation
Woodgrove, a geographically distributed organization, has a small, centralized IT team that manages the delegation of Azure AD roles. Senior IT admin Alice is responsible for delegating Azure AD roles by exercising least privilege to keep the IT system secure.
Charlie is the owner of Woodgrove Portal app, one of the many line of business (LOB) applications in Woodgrove. Alice wants to delegate the access management of the LOB applications to their owners. Specifically, she wants to grant a role to Charlie so he can manage access to the Woodgrove Portal app.
Let’s see how Alice can build a new custom role for this scenario and assign it to Charlie.
Create and assign a custom role
In the following example, Alice will create a custom role with just the permissions to manage user and group assignments for applications. Once the custom role is created, Alice can assign this role to Charlie with the scope of the Woodgrove Portal app. This will grant Charlie the ability to manage user and group assignments for the Woodgrove Portal app.
Create a custom role
- On the Roles and administrators tab, select New custom role.
- Provide a name and description for the role and select Next.
- Assign the permissions for the role. Search for servicePrincipal to select the microsoft.directory/servicePrincipals/appRoleAssignedTo/update permission.
- Review the new role. If everything looks good, select Create to create the new role.
Assign the custom role
Like built-in roles, custom roles can be assigned at the directory level to grant access over all Enterprise applications. Additionally, you can assign custom roles over just one application, as shown in our example. This allows you to give the assignee the permission to manage user and group assignments for a single application without having to create a second custom role.
- Select the Enterprise applications tab and pick an application that you want to give someone access to manage user and group assignments.
- Navigate to the new Roles and administrators tab. You’ll see the custom role created above.
- Select the role to open the assignment blade, select Add assignment, and then select a person to add to the role.
- The assignee can now navigate to the application’s users and groups blade to verify the Add user option is enabled.
That’s it. Charlie can now manage access to the Woodgrove Portal app. You can refer here for additional documentation on the other roles you can create.
What’s next
We're working on more great features for Azure AD RBAC, including additional capabilities around custom roles and administrative units, plus other least-privileged experiences that we think you’ll love. Stay tuned for coming announcements.
As always, we'd love to hear your feedback, thoughts, and suggestions. Feel free to share with us on the Azure AD administrative roles forum or leave comments below. We look forward to hearing from you.
Best regards,
Alex Simons (@Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division
Learn more about Microsoft identity:
- Return to the Azure Active Directory Identity blog home
- Join the conversation on Twitter and LinkedIn
- Share product suggestions on the Azure Feedback Forum
Microsoft
