Forum Discussion
Azure AD Roles
Is it possible to create a custom azure role that is specific for only one security group? I would like to grant a user access to view members of a specific security group that they are an owner of.
- ibnmbodji (Steel Contributor)
Hi
You could restrict the scope of the custom role to an Azure AD group.
You might need to consider the following license requirement:
Using built-in roles in Azure AD is free, while custom roles require an Azure AD Premium P1 license.
https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-overview?WT.mc_id=AZ-MVP-5004274
- Abdurrahman_Ulu (Copper Contributor)
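The group-scoped custom role described in the reply above, written out as an added example (this is not code from the thread or from Microsoft's documentation). It uses the Microsoft Graph PowerShell SDK and assumes: the caller holds Privileged Role Administrator, the tenant is licensed for custom roles, the group name and user UPN are placeholders, and the two `microsoft.directory/groups/...` action names and the `/{groupObjectId}` scope format are taken from the custom-role permission catalogue and should be checked against the current docs before use.

```powershell
# Added example: a custom Azure AD role that can only read group membership,
# assigned to one user and scoped to a single group rather than the tenant.
# Assumptions (not from the thread): Microsoft Graph PowerShell SDK installed,
# caller is Privileged Role Administrator, tenant has Azure AD Premium P1,
# placeholder names below, and the action names / scope format are as documented
# in the custom-role permission list at the time of writing.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.Read.All", "User.Read.All"

$groupDisplayName = "SG-Finance-Readers"   # placeholder: the one group in question
$ownerUpn         = "owner@contoso.com"    # placeholder: the group owner

$group = Get-MgGroup -Filter "displayName eq '$groupDisplayName'"
$user  = Get-MgUser  -UserId $ownerUpn
if (-not $group -or -not $user) { throw "Group or user not found; refusing to create a role with no target" }
if (@($group).Count -ne 1)      { throw "Group display name is ambiguous; scope by object ID instead" }

# 1. Define the role with the narrowest permission set that satisfies the ask:
#    read the group object and its members, nothing that writes.
$roleDef = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter @{
    displayName     = "Group Membership Reader (scoped)"
    description     = "Read the membership of the group(s) this role is assigned on"
    isEnabled       = $true
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/groups/standard/read",   # assumed action name
                "microsoft.directory/groups/members/read"     # assumed action name
            )
        }
    )
}

# 2. Assign it with DirectoryScopeId pointing at the group object.
#    "/" here would mean tenant-wide, which is exactly what we are avoiding.
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDef.Id `
    -PrincipalId      $user.Id `
    -DirectoryScopeId "/$($group.Id)"   # assumed scope format for a group object

# 3. Verify: every assignment of this role must carry a group-shaped scope, never "/".
$bad = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDef.Id)'" |
       Where-Object { $_.DirectoryScopeId -eq "/" }
if ($bad) { throw "Role is assigned at tenant scope; remove that assignment" }

"Assigned $($roleDef.DisplayName) to $($user.UserPrincipalName) on group $($group.DisplayName)"
```

The final check is the part worth keeping in any runbook: a custom role is only as narrow as its least-scoped assignment, so auditing `DirectoryScopeId` on every assignment of the role, not just the one you created, is what proves the least-privilege intent held.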
Hello, JawanL
Azure has Role-Based Access Control (RBAC) for scope-based device management like Intune Administration, Application Administration, etc. You can use built-in roles or create your customized RBAC role according to your needs. You need an Administrator group under a role that will have assigned privileges for the target scope and device groups. I have been using different Intune roles at the District level and Campus level for our distributed network with RBAC for a long time for my different Districts and School Campuses.
To use RBAC, you need a license of at least P1 level.
https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-overview
You can also use Administrative Units for user account management such as help desk, password, authentication methods, etc. You can assign administrators for specific roles and lists of target users or groups under Administrative Units.
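The Administrative Unit approach mentioned in the reply above, as an added example that is not code from the thread. It creates an administrative unit, populates it from a user attribute, and gives one help-desk account a built-in role scoped only to that unit; it assumes the Microsoft Graph PowerShell SDK, a Privileged Role Administrator caller, and placeholder department and account names.

```powershell
# Added example: scope a built-in role (Helpdesk Administrator) to an
# Administrative Unit instead of the whole tenant.
# Assumptions (not from the thread): Microsoft Graph PowerShell SDK, caller is
# Privileged Role Administrator, "Campus North" and the help-desk UPN are placeholders.

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# 1. Create the unit that will bound the help desk's reach.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Campus-North" `
        -Description "Users whose accounts the Campus North help desk may service"

# 2. Add members. Selecting by attribute keeps the unit's contents reviewable:
#    the filter is the policy, the membership is its current evaluation.
$members = Get-MgUser -Filter "department eq 'Campus North'" -All
if (-not $members) { throw "No users matched; an empty unit would grant a role over nothing" }
foreach ($m in $members) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($m.Id)" }
}

# 3. Assign the built-in role with the administrative-unit scope.
#    Built-in roles need no P1 for the role itself; the scope does the narrowing.
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
$helpdesk = Get-MgUser -UserId "helpdesk.north@contoso.com"   # placeholder account

New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDef.Id `
    -PrincipalId      $helpdesk.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Verify the account holds the role at AU scope only, never at "/".
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($helpdesk.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

Note the difference in what each scope protects: an administrative unit restricts which user and group objects the role can act on, whereas the self-service and group-scoped options in this thread restrict a single group. Pick the scope that matches the blast radius you are willing to accept, not the one that is quickest to click through.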
- LainRobertson (Silver Contributor)
Azure AD RBAC might be overkill for your requirement.
Have you considered the pre-existing groups self-service management?
First, have a read of the Microsoft literature on this topic, as there are different configuration items, each with implications you should consider and plan around rather than just "winging it".
Set up self-service group management - Azure Active Directory | Microsoft Docs
Given that you've already made the person you're referring to a group owner, you can turn on the option for the owners to manage that group as described in the article.
Once you have enabled self-servicing on that specific group, provide the following instructions to your user(s):
- Go to the landing page at https://myapplications.microsoft.com
- At the top left of the page, click on the down-facing chevron next to the label "My Apps"
- Choose "My Groups" from the menu
That will take the user to the self-service groups management landing page, from which they should see the group you've made them an owner of and be able to manage its members.
Cheers,
Lain