Forum Discussion
Using groups to assign admin roles - works great except...
About a year ago we migrated our internal processes to using Entra ID security groups to manage Entra ID role assignment. It is mostly a good solution, but over time we started finding issues that Microsoft either can't or is unwilling to fix. Their "solution" is always to "assign the role directly", which isn't scalable for an organization that doesn't own entitlement to PIM. Below are the roles and functionality that are broken if roles are not directly assigned:
Exchange Administrator - Unable to download message trace logs
Groups Administrator / Global Administrator - Unable to configure group expiration policy
Power Platform Administrator / Global Administrator - Unable to elevate to Power Platform System Administrator role in environments
Do others have this issue? Is there any hope of MS actually fixing this, or are we going to have to switch our process back to direct role assignment by some other means?