Forum Discussion

JawanL
Copper Contributor
Mar 11, 2022

Azure AD Roles

Is it possible to create a custom azure role that is specific for only one security group? I would like to grant a user access to view members of a specific security group that they are an owner of.

  • Abdurrahman_Ulu
    Copper Contributor

    Hello, JawanL 

    Azure has Role-Based Access Control (RBAC) for scope-based device management like Intune Administration, Application Administration, etc. You can use built-in roles or create your customized RBAC role according to your needs. You need an Administrator group under a role that will have assigned privileges for the target scope and device groups. I have been using different Intune roles at the District level and Campus level for our distributed network with RBAC for a long time for my different Districts and School Campuses.

    To use RBAC, you need a license of at least P1 level.

    https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-overview

    You can also use Administrative Units for user account management such as help desk, password, authentication methods, etc. You can assign administrators for specific roles and lists of target users or groups under Administrative Units.
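As an added example (not code from the thread or from either reply), here is what the custom-role approach this reply points at looks like when it is narrowed to the original question: a custom Azure AD role that carries only group read permissions, assigned to the group owner at the scope of that single group rather than tenant-wide. It assumes Azure AD Premium P1 (custom roles need it), the Microsoft Graph PowerShell SDK, a caller holding Privileged Role Administrator, and a plain security group (custom role group permissions do not apply to role-assignable groups). The group name, owner UPN and role name are placeholders.

```powershell
# Added example, not from the thread. Assumptions: Azure AD P1, Microsoft.Graph
# PowerShell SDK installed, caller is a Privileged Role Administrator, and the
# target group is an ordinary (non role-assignable) security group.
# "SG-Finance-Reviewers" and "owner@contoso.com" are placeholders.

Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.Read.All", "User.Read.All"

$groupName = "SG-Finance-Reviewers"   # placeholder
$ownerUpn  = "owner@contoso.com"      # placeholder

# Resolve the group and insist on exactly one match so the role is never
# scoped to the wrong object because of a duplicate display name.
$group = @(Get-MgGroup -Filter "displayName eq '$groupName'")
if ($group.Count -ne 1) { throw "Expected exactly one group named '$groupName', found $($group.Count)" }
$group = $group[0]
$owner = Get-MgUser -UserId $ownerUpn

# 1. Custom role definition: read-only on group membership and nothing else.
#    Action names are taken from Microsoft's custom-role permission list for
#    group management; check them against the current list before reuse.
$roleDef = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter @{
    displayName     = "Group Membership Reader (custom)"   # placeholder name
    description     = "Read members and owners of a group; assigned per group"
    isEnabled       = $true
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/groups/standard/read",
                "microsoft.directory/groups/members/read",
                "microsoft.directory/groups/owners/read"
            )
        }
    )
}

# 2. Assignment scoped to this one group: directoryScopeId "/<groupId>"
#    instead of "/" (tenant-wide). This is the part that answers the question.
$assignment = New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
    roleDefinitionId = $roleDef.Id
    principalId      = $owner.Id
    directoryScopeId = "/$($group.Id)"
}

# 3. Verify: every assignment of the new role held by this user must be
#    object-scoped. A "/" scope here would mean the role leaked tenant-wide.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($owner.Id)'" |
    Where-Object { $_.RoleDefinitionId -eq $roleDef.Id } |
    ForEach-Object {
        if ($_.DirectoryScopeId -eq "/") {
            Write-Warning "Assignment $($_.Id) is tenant-wide; remove it."
        } else {
            Write-Output "OK: '$($roleDef.DisplayName)' for $ownerUpn scoped to $($_.DirectoryScopeId)"
        }
    }
```

The verification step is the check worth keeping in a runbook: the same role definition can be assigned at tenant scope by mistake, and the portal shows both kinds of assignment under the same role name, so filter on the scope rather than trusting the role's description.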

  • LainRobertson
    Silver Contributor

    JawanL

    Azure AD RBAC might be overkill for your requirement.

    Have you considered the pre-existing groups self-service management?

    First, have a read of the Microsoft literature on this topic, as there are different configuration items, each with implications you should consider and plan around rather than just "winging it".

    Set up self-service group management - Azure Active Directory | Microsoft Docs

    Given you've already made the person you're referring to a group owner, you can turn on the option for the owners to manage that group as described in the article.

    Once you have enabled self-service on that specific group, provide the following instructions to your user(s):

    • Go to the landing page at https://myapplications.microsoft.com
    • At the top-left of the page, click on the down-facing chevron next to the label "My Apps"
    • Choose "My Groups" from the menu

    That will take the user to the self-service groups management landing page, from which they should see the group you've made them an owner of and be able to manage its members.

    Cheers,

    Lain
