Previously, to access Azure AD Identity Protection, a user needed to be a global administrator. These new roles eliminate that requirement.
A user still needs to be in the global administrator role to enable Azure AD PIM in a directory. When they enable Azure AD PIM, they are automatically added to the Security Administrator and Privileged Role Administrator roles as well.
You can also click the "Make perm" button on the user's role assignment so that they have permanent membership of the role. Alternatively, if you're not using Azure AD PIM, you can assign users to these roles from the command line with the Azure Active Directory Module for PowerShell. First, connect and authenticate as a global administrator in your directory. Type the following command, and enter your administrator credentials when prompted.

Connect-MsolService

To see who (if anyone) is already permanently assigned to these three new roles in your directory, type:
$pra = Get-MsolRole -RoleName "Privileged Role Administrator"
Write-Output "Privileged Role Administrator permanent members"
Get-MsolRoleMember -RoleObjectId $pra.ObjectID | ft EmailAddress,DisplayName
$sa = Get-MsolRole -RoleName "Security Administrator"
Write-Output "Security Administrator permanent members"
Get-MsolRoleMember -RoleObjectId $sa.ObjectID | ft EmailAddress,DisplayName
$sr = Get-MsolRole -RoleName "Security Reader"
Write-Output "Security Reader permanent members"
Get-MsolRoleMember -RoleObjectId $sr.ObjectID | ft EmailAddress,DisplayName

Then, to add a user to a role with a permanent assignment, use the Add-MsolRoleMember command. For instance, to make a user a security administrator, type:

Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "email@example.com"

And more good news - these roles will soon light up in other features and applications as well. I'll blog about them when they do. And as always, we'd love to get any feedback or suggestions you have. Just head on over to the Azure AD Identity Protection and Azure AD Privileged Identity Management forums and let us know what you think.

Best Regards,
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division
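As an added example (not code from the original post), the three lookups above can be wrapped into one audit function that returns the standing assignments as objects and flags any principal holding more than one of the roles. It assumes the MSOnline module is loaded and Connect-MsolService has already been run.

```powershell
# Added example: audit permanent members of the three privileged roles.
# Assumes the MSOnline module is installed and Connect-MsolService has been run.
function Get-PrivilegedRoleAudit {
    param(
        [string[]]$RoleNames = @(
            "Privileged Role Administrator",
            "Security Administrator",
            "Security Reader"
        )
    )

    foreach ($name in $RoleNames) {
        $role = Get-MsolRole -RoleName $name
        if (-not $role) {
            Write-Warning "Role '$name' not found in this directory"
            continue
        }

        # Wrap in @() so a single member (or none) still yields an array.
        $members = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId)
        if ($members.Count -eq 0) {
            Write-Output "No permanent members of '$name'"
        }

        foreach ($m in $members) {
            [pscustomobject]@{
                Role           = $name
                ObjectId       = $m.ObjectId
                DisplayName    = $m.DisplayName
                EmailAddress   = $m.EmailAddress
                RoleMemberType = $m.RoleMemberType   # User, Group or ServicePrincipal
            }
        }
    }
}

# List every permanent assignment, then highlight principals that hold
# more than one of the three roles (a sign of over-broad standing access).
$audit = Get-PrivilegedRoleAudit
$audit | Format-Table Role, DisplayName, EmailAddress, RoleMemberType -AutoSize

$audit |
    Group-Object ObjectId |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $roles = ($_.Group.Role | Sort-Object) -join ", "
        Write-Output ("{0} holds {1} roles: {2}" -f $_.Group[0].DisplayName, $_.Count, $roles)
    }
```

Pipe $audit to Export-Csv to keep a dated baseline, so later runs can be diffed for new permanent assignments.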