Microsoft Entra Blog

Azure AD RBAC: Custom roles for app management now available

Alex_Simons
Mar 02, 2022

Howdy folks, 

 

I’m very excited to kick off a series of announcements on capabilities related to Azure Active Directory (Azure AD) role-based access control (RBAC). These capabilities will support the enablement of fine-grained authorization and simplify management at scale for RBAC in Azure AD and Microsoft 365.

 

I’d like to start this series by sharing the general availability of custom roles for delegated app management.

 

Together, custom roles for app registration and enterprise apps provide fine-grained control over what access your admins have for app management. As a reminder, Azure AD custom roles require an Azure AD Premium P1 subscription.

 

Let’s see how Alice, a centralized IT admin at the fictitious company Woodgrove, can effectively and securely delegate app management.

 

Woodgrove uses custom roles for app management for secure app management delegation

Woodgrove, a geographically distributed organization, has a small, centralized IT team that manages the delegation of Azure AD roles. Senior IT admin Alice is responsible for delegating Azure AD roles by exercising least privilege to keep the IT system secure.

 

Charlie is the owner of the Woodgrove Portal app, one of the many line-of-business (LOB) applications at Woodgrove. Alice wants to delegate access management for the LOB applications to their owners. Specifically, she wants to grant Charlie a role so he can manage access to the Woodgrove Portal app.

 

Let’s see how Alice can build a new custom role for this scenario and assign it to Charlie.


Create and assign a custom role

In the following example, Alice will create a custom role with just the permissions to manage user and group assignments for applications. Once the custom role is created, Alice can assign this role to Charlie with the scope of the Woodgrove Portal app. This will grant Charlie the ability to manage user and group assignments for the Woodgrove Portal app.

 

Create a custom role

  1. On the Roles and administrators tab, select New custom role.

  2. Provide a name and description for the role and select Next.

  3. Assign the permissions for the role. Search for servicePrincipal to select the microsoft.directory/servicePrincipals/appRoleAssignedTo/update permission.

  4. Review the new role. If everything looks good, select Create to create the new role.

 

 

Assign the custom role

Like built-in roles, custom roles can be assigned at the directory level to grant access over all Enterprise applications. Additionally, you can assign custom roles over just one application, as shown in our example. This allows you to give the assignee the permission to manage user and group assignments for a single application without having to create a second custom role.

  1. Select the Enterprise applications tab and pick an application that you want to give someone access to manage user and group assignments for.

  2. Navigate to the new Roles and administrators tab. You’ll see the custom role created above.

  3. Select the role to open the assignment blade, select Add assignment, and then select a person to add to the role.

  4. The assignee can now navigate to the application’s Users and groups blade to verify that the Add user option is enabled.

 

That’s it. Charlie can now manage access to the Woodgrove Portal app. You can refer here for additional documentation on the other roles you can create.
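The same two procedures (create the role with the single appRoleAssignedTo/update permission, then assign it scoped to one application) can be done with the Microsoft Graph PowerShell SDK, which makes the delegation repeatable and easy to review. The following is an added example, not code from the post or from Microsoft; the role display name, the application name "Woodgrove Portal", and the assignee UPN "charlie@woodgrove.example" are assumed placeholders for the scenario above.

```powershell
# Added example (not from the post): create the app-management custom role and
# assign it at the scope of a single service principal, then verify the scope.
# Assumed placeholders: app display name "Woodgrove Portal", assignee UPN
# "charlie@woodgrove.example", role display name "Application Assignment Manager".
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Application.Read.All","User.Read.All"

# 1. Define the custom role with exactly one permission: managing user and
#    group assignments (appRoleAssignedTo) on service principals.
$roleDef = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName "Application Assignment Manager" `
    -Description "Manage user and group assignments for an application" `
    -IsEnabled `
    -RolePermissions @(
        @{ allowedResourceActions = @("microsoft.directory/servicePrincipals/appRoleAssignedTo/update") }
    )

# 2. Resolve the enterprise application (its service principal) and the assignee.
#    Insist on exactly one match so the role is never scoped to the wrong app.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq 'Woodgrove Portal'")
if ($sp.Count -ne 1) { throw "Expected one service principal named 'Woodgrove Portal', found $($sp.Count)" }
$user = Get-MgUser -UserId "charlie@woodgrove.example"

# 3. Assign the role scoped to that single service principal. A directory
#    scope of "/<objectId>" limits the assignment to this one app; a scope of
#    "/" would grant it over every enterprise application in the tenant.
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDef.Id `
    -PrincipalId $user.Id `
    -DirectoryScopeId "/$($sp[0].Id)"

# 4. Verify: list every assignment of this role and flag any that is
#    tenant-wide rather than scoped to an application object.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDef.Id)'" |
    ForEach-Object {
        $scope = if ($_.DirectoryScopeId -eq "/") { "TENANT-WIDE" } else { "app object $($_.DirectoryScopeId.TrimStart('/'))" }
        "{0}: principal {1}, scope {2}" -f $roleDef.DisplayName, $_.PrincipalId, $scope
    }
```

Step 4 is the check a reviewer wants after any delegation: the only thing separating "manage assignments for one app" from "manage assignments for every app" is the DirectoryScopeId value, so listing the role's assignments and looking for a "/" scope catches an over-broad assignment immediately.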

 

What’s next

We're working on more great features for Azure AD RBAC, including additional capabilities around custom roles and administrative units, plus other least-privileged experiences that we think you’ll love. Stay tuned for coming announcements.

 

As always, we'd love to hear your feedback, thoughts, and suggestions. Feel free to share with us on the Azure AD administrative roles forum or leave comments below. We look forward to hearing from you.

 

Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

Updated Mar 04, 2022
Version 5.0

7 Comments

  • sat22
    Former Employee

    Kris Titeca  Tad Crandall  NicolasHon Thanks for the feedback! AAD Custom roles currently target only AAD permissions. Support for permissions from more resource providers is part of our long-term roadmap, but is not something we will get to in the short term. We are taking note of this feedback, and it will be used in our prioritization process. Will keep the group posted as we get closer to working on permissions from additional resource providers. This is also one of the reasons we don't have clone from built-in roles yet. But we may be looking at enabling this capability for some roles that only have AAD permissions (once all underlying AAD permissions are enabled for custom roles).

  • pammnd
    Copper Contributor

    NicolasHon I haven't seen the ability to build a custom role based on the Intune Administrator role, and I've tried. I even opened a Support Case with Microsoft to help me build it. This is a small improvement, but as stated by others above, we need the ability to limit access to Intune, Teams, SharePoint, Azure AD. This doesn't exist yet. It does exist for Exchange, but not the others.

  • Tad Crandall
    Copper Contributor

    Adding to Kris' question: will additional resource providers (microsoft.intune, microsoft.office365.exchange, microsoft.office365.network, etc.) be added to allow delegation to Intune, ExO, etc.? It would be great if the "Clone" capability allowed cloning from a built-in role, and then administrators could create delegations that match job roles.

  • Kris Titeca
    Copper Contributor

    NicolasHon I would be interested in how you achieve that, because I never see an option to grant microsoft.intune permissions from a custom role; I only see Azure AD permissions. I also don't see an option to create a custom role based on an existing role, but maybe I'm missing something. Or is this a preview feature?

  • NicolasHon
    Copper Contributor

    Kris Titeca, you can build custom AD roles based on the built-in Intune Administrator role but with fewer privileges to achieve your needs. Then they will be available in PIM and you can add your users in a permanent eligible way.

  • Kris Titeca
    Copper Contributor

    Hey Alex, this is a great improvement. But I'm still missing permissions for Intune, Defender for Endpoint, etc. Any plans to bring those as well? The built-in roles don't work for us; we really need more granularity. Are there also plans to be able to remove permissions from built-in roles such as Global Admin, Security Admin, etc.? For example: Security Admin is by default an admin in Defender for Endpoint, and you can't even see it in the interface, and you also can't change it. Far from ideal. Anyway, happy to see improvements are being made in this area.