Azure AD SSO App Management Permissions

Hi, I've got a query around access to manage Azure AD SSO applications. Our IT provider "specialists" are suggesting that in order to manage Azure AD SSO applications they need to be Global Admins. ...

Azure Active Directory (AAD)

Dean_Gross

Silver Contributor

May 19, 2017

Your consultant was correct, that level of Admin was required. However, that screen is from the classic Azure portal which is being phased out. Azure AD was recenty released to General Availability in the new Azure portal which provides many improvements (such a extensive Role Based Access Controls) and you will want to start using that location for your AAD tasks. A listing of the various admin roles is at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles. Unfortunately, there does not seem to be a specific role to limit admins to manage just the apps that need SSO. You may want to create a custom Role if this is a requirement..

On a related note, you may want to use the Azure Privileged Identity Management functionality to control the time period used by Admins, see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-management-getting-started

Anonymous

May 19, 2017

Thanks, I've been using the new portal for a while, but not entirely sure where the specific area is to create a custom role... I'll have a dig around.

Dean_Gross
Silver Contributor
May 19, 2017
The instructions are at https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles

Forum Discussion

Azure AD SSO App Management Permissions

Resources