Forum Discussion
Assign Permissions To Certain CMDlets for powershell?
For example, the New-AzureADDirectorySetting cmdlet is generally only allowed to be used by global admins. Is it possible to grant that cmdlet to a certain user to be able to use or not? Or are there any other roles that can do this in Azure AD?
11 Replies
- BenStegink, Iron Contributor
I've never seen a way to do this and I honestly can't imagine the complexity of implementing something like this. Like you said, the actions of the various cmdlets are controlled by the user's permission to Office 365.
Limiting what cmdlets people could use would be the equivalent of limiting permissions in the Office 365 admin center on a link by link basis. Not something that would really even be feasible to do (or easy to manage).
The only way I've come close to something like this is by building my own "front end" for the actions. At a high level:
- Create a SharePoint list that a user has access to (let's say a list for adding people to that need a specific O365 license)
- Trigger a flow when a list item is added
- Launch Azure Automation as part of that flow
- Run the specific cmdlet(s) to assign license within an Azure Automation runbook using credentials stored in Azure Automation and parameters passed from the list to Azure Automation via Flow
This would allow you to grant people access to the list to assign licenses without having to give them any rights in Office 365 Admin Center.
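
The runbook step of the approach described above, as an added example that is not part of the original post: a PowerShell runbook that accepts only the parameters passed by the flow, checks them against an allowlist, and runs the license cmdlet with the credential stored in Azure Automation. It assumes the MSOnline module is imported into the Automation account; the parameter names, the credential asset name `LicenseAdmin`, the domain `contoso.com` and the SKU allowlist are hypothetical.

```powershell
# Added example: Azure Automation runbook started by the flow (not the poster's code).
param(
    [Parameter(Mandatory = $true)][string]$UserPrincipalName,  # from the list item
    [Parameter(Mandatory = $true)][string]$SkuPartNumber,      # from the list item
    [Parameter(Mandatory = $true)][string]$RequestedBy         # list item author, for the job log
)

$ErrorActionPreference = 'Stop'

# Hypothetical values: the only licenses this runbook will ever assign,
# and the only domain it will act on.
$AllowedSkus   = @('ENTERPRISEPACK', 'FLOW_FREE')
$AllowedDomain = 'contoso.com'

# Requesters control the list fields, so treat them as untrusted input.
if ($UserPrincipalName -notmatch "^[A-Za-z0-9._-]+@$([regex]::Escape($AllowedDomain))$") {
    throw "Rejected: '$UserPrincipalName' is not a user in $AllowedDomain."
}
if ($AllowedSkus -notcontains $SkuPartNumber) {
    throw "Rejected: SKU '$SkuPartNumber' is not on the allowlist."
}

# 'LicenseAdmin' is a hypothetical name for the credential asset in the Automation account.
$cred = Get-AutomationPSCredential -Name 'LicenseAdmin'
Connect-MsolService -Credential $cred

# Resolve the tenant-qualified SKU id (tenant:PARTNUMBER) from the part number.
$sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $sku) { throw "SKU '$SkuPartNumber' does not exist in this tenant." }

$user = Get-MsolUser -UserPrincipalName $UserPrincipalName
if ($user.Licenses.AccountSkuId -contains $sku.AccountSkuId) {
    Write-Output "No change: $UserPrincipalName already has $($sku.AccountSkuId) (requested by $RequestedBy)."
    return
}
if (-not $user.UsageLocation) {
    throw "Cannot license $UserPrincipalName: UsageLocation is not set."
}

Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $sku.AccountSkuId
Write-Output "Assigned $($sku.AccountSkuId) to $UserPrincipalName (requested by $RequestedBy)."
```

Because the stored credential holds the real Office 365 rights, the allowlist checks in the runbook are what bound the people who can only write to the list.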
- Bill Nollol, Copper Contributor
What about this?
https://cloudblogs.microsoft.com/enterprisemobility/2015/12/10/custom-roles-in-azure-rbac-is-now-ga/
Could creating a custom role give access to certain cmdlets?
- BenStegink, Iron Contributor
Bill,
The link you posted below refers to Azure RBAC, not Office 365. This also isn't something that you can apply to just anything when building custom roles. It's also not limiting cmdlets, but rather what people may (or may not) be allowed to do with them.
Right now RBAC is only Azure functionality, there isn't anything with RBAC in Office 365.
I also don't believe there is any way to do RBAC or define custom roles even if you wanted to focus just on Azure AD (a small subset of Office 365).
So... while the link below might allow you to sort of do it with certain Azure resources and Azure cmdlets (by limiting permissions, not necessarily cmdlets), it doesn't apply to Office 365 and limiting Office 365 cmdlets.
- Totally agree with Ben, this is something that is not possible today and I don't think we will have it in the short-medium term