Forum Discussion
Azure AD SSO App Management Permissions
Hi, I've got a query around access to manage Azure AD SSO applications. Our IT provider "specialists" are suggesting that in order to manage Azure AD SSO applications they need to be Global Admins. ...
Your consultant was correct, that level of Admin was required. However, that screen is from the classic Azure portal which is being phased out. Azure AD was recenty released to General Availability in the new Azure portal which provides many improvements (such a extensive Role Based Access Controls) and you will want to start using that location for your AAD tasks. A listing of the various admin roles is at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles. Unfortunately, there does not seem to be a specific role to limit admins to manage just the apps that need SSO. You may want to create a custom Role if this is a requirement..
On a related note, you may want to use the Azure Privileged Identity Management functionality to control the time period used by Admins, see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-management-getting-started
Thanks, I've been using the new portal for a while, but not entirely sure where the specific area is to create a custom role... I'll have a dig around.