Forum Discussion

bubufun
Copper Contributor
Jun 27, 2024

Setting up Limited Account Creation Role in Azure AD

Hi everyone,

I'm looking to set up a specific role in Azure AD that allows a user to only create AD accounts without additional administrative privileges (only the "microsoft.directory/users/create" function). I've explored the default roles but couldn't find one suitable for this purpose. Could anyone advise on how to create a custom role or modify permissions to achieve this?

Thank you in advance for your assistance!

Best regards,

Bu

    DTB
    Iron Contributor

    Hi bubufun,

    To set up a specific role in Azure AD that allows a user to only create AD accounts without additional administrative privileges, you will need to create a custom role with the necessary permissions. Here’s a step-by-step guide to help you achieve this:

    Step-by-Step Guide to Create a Custom Role in Azure AD

    1. Access Azure AD in the Azure Portal

    • Sign in to the Azure portal.
    • Navigate to Azure Active Directory > Roles and administrators.

    2. Create a Custom Role

    1. Click on “+ New custom role”:

      • Enter a name and description for the custom role (e.g., “Limited Account Creation Role”).
      • Click on Next to proceed to the Permissions tab.
    2. Add Required Permissions:

      • Click on + Add permissions.
      • In the Permissions pane, search for and select the microsoft.directory/users/create permission.
      • Click Add to add the permission to the role.
    3. Review and Create:

      • Review the permissions you have added.
      • Click on Review + create to create the custom role.

    3. Assign the Custom Role to a User

    1. Go to the custom role you created:

      • Navigate to Azure Active Directory > Roles and administrators.
      • Find and select your custom role (e.g., “Limited Account Creation Role”).
    2. Click on “+ Add assignments”:

      • Select the users or groups you want to assign this custom role to.
      • Click Add to assign the role.

    Example Script to Create a Custom Role Using PowerShell

    If you prefer to use PowerShell, you can create and assign the custom role using the Microsoft Graph PowerShell module.

    1. Install and Connect to Microsoft Graph:

    # Install the Microsoft Graph PowerShell SDK for the current user only (no local admin rights needed)
    Install-Module Microsoft.Graph -Scope CurrentUser
    # Sign in with the scope required to create role definitions and role assignments
    Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

    2. Create the Custom Role:

    # Body of the unifiedRoleDefinition: a single permission set that allows only user creation
    $roleDefinition = @{
        "description" = "Allows user to create AD accounts"
        "displayName" = "Limited Account Creation Role"
        "isEnabled" = $true
        "rolePermissions" = @(
            @{
                "allowedResourceActions" = @("microsoft.directory/users/create")
            }
        )
    }

    # Create the role; the returned object carries the Id needed for the assignment below
    $customRole = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleDefinition

    3. Assign the Role to a User:

    # Replace <UserObjectId> with the object ID of the user (or group) to assign the role to.
    # directoryScopeId "/" assigns the role tenant-wide.
    $roleAssignment = @{
        "principalId" = "<UserObjectId>"
        "roleDefinitionId" = $customRole.Id
        "directoryScopeId" = "/"
    }

    New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $roleAssignment

    Conclusion

    By following these steps, you can create a custom role in Azure AD that allows users to only create AD accounts without additional administrative privileges. This ensures that users have the necessary permissions for their tasks while maintaining security and limiting access.

    I hope this helps! If you have any further questions or need additional assistance, feel free to ask.

    Please click Mark as Best Response & Like if my post helped you to solve your issue.

    This will help others to find the correct solution easily. It also closes the item.

    If the post was useful in other ways, please consider giving it Like.
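Added verification script, not part of DTB's answer or of Microsoft's own documentation: once the custom role exists, this confirms it grants exactly the one intended action and lists who holds it and at what scope. It assumes the Microsoft Graph PowerShell module and the display name used in the answer ("Limited Account Creation Role"); the read-only RoleManagement.Read.Directory scope is enough because nothing is changed.

```powershell
# Added example (not from the original post). Verifies that a custom role grants
# only the expected directory actions and enumerates its assignments.
# Assumes the Microsoft Graph PowerShell SDK is installed.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

# Display name from the answer above and the only action it is supposed to carry
$roleName = "Limited Account Creation Role"
$expectedActions = @("microsoft.directory/users/create")

# Look up the role by name; drop built-in roles in case a name collides
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'" |
    Where-Object { -not $_.IsBuiltIn } |
    Select-Object -First 1
if (-not $role) { throw "Custom role '$roleName' was not found" }

# Flatten every allowedResourceAction across all permission sets of the role
$grantedActions = @($role.RolePermissions | ForEach-Object { $_.AllowedResourceActions })

$unexpected = @($grantedActions | Where-Object { $_ -notin $expectedActions })
$missing    = @($expectedActions | Where-Object { $_ -notin $grantedActions })

if ($unexpected.Count -gt 0) {
    Write-Warning "Role grants actions beyond the intended set: $($unexpected -join ', ')"
}
if ($missing.Count -gt 0) {
    Write-Warning "Role is missing expected actions: $($missing -join ', ')"
}
if ($unexpected.Count -eq 0 -and $missing.Count -eq 0) {
    Write-Host "Role '$roleName' grants exactly: $($expectedActions -join ', ')"
}

# List every assignment of this role. DirectoryScopeId "/" means tenant-wide;
# an administrative unit scope shows as /administrativeUnits/<id>.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
foreach ($a in $assignments) {
    # Resolve the principal so user and group assignments are distinguishable
    $principal = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
    [pscustomobject]@{
        PrincipalId   = $a.PrincipalId
        PrincipalType = $principal.AdditionalProperties['@odata.type']
        DisplayName   = $principal.AdditionalProperties['displayName']
        Scope         = $a.DirectoryScopeId
    }
}
```

Running this after any later edit of the role is a cheap way to catch permission creep: the warning fires as soon as someone adds a second action to the role definition, and the assignment table shows whether the role was given to individual users or to a group whose membership then needs its own review.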
