Assigning groups to Azure AD roles is now in public preview!
Published Aug 13 2020 01:00 PM

Howdy folks,

 

Today, we’re excited to share that you can assign groups to Azure Active Directory (Azure AD) roles, now in public preview. Role delegation to groups is one of the most requested features in our feedback forum. Currently this is available for Azure AD groups and Azure AD built-in roles, and we’ll be extending this in the future to on-premises groups as well as Azure AD custom roles.

 

To use this feature, you’ll need to create an Azure AD group and enable it to have roles assigned. This can be done by anyone who is either a Privileged Role Administrator or a Global Administrator.

 

[Screenshot: Group roles 1.png]

 

After that, any of the Azure AD built-in roles, such as Teams Administrator or SharePoint Administrator, can have groups assigned to them.

 

[Screenshot: group roles 2.png]

 

The owner of the group can then manage group memberships and control who can get the role, allowing you to effectively delegate the administration of Azure AD roles and reduce the dependency on Privileged Role Administrator or Global Administrator. 

 

You can also use this along with Privileged Identity Management (PIM) to enable just-in-time role assignment for the group. With this integration, each member of the group activates their role separately when needed and their access is revoked when the role assignment expires. 

 

We’ve also added a new preview capability in PIM called Privileged Access Groups. Turning on this capability lets you strengthen the security of group management, for example with just-in-time group ownership and an approval workflow that must complete before a member is added to the group.

 

[Screenshot: group roles 3.png]

 

Assigning groups to Azure AD roles requires an Azure AD Premium P1 license. Privileged Identity Management requires an Azure AD Premium P2 license. To learn more about these changes, check out our documentation on this topic:

 

 

As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.

 

Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

 

49 Comments
Steel Contributor

Great thank you!

Iron Contributor

Great,

Alex, when you support on-prem AD synced groups, think about supporting nested groups.

We have a complete tree structure for our IT and we use it to provide authorization in AD, applications, … actually we are obliged to assign O365/AzureAD roles manually per user, but if we can use our on-prem tree structure it will be great. Our goal is to manage users within one team's groups and then all authorization within our IT systems is set up correctly without needing to add accounts somewhere else.

Copper Contributor

This is a great feature, but I'm slightly concerned about abuse/misuse. Where a user is granted a role that allows them to edit group membership, which then allows them to add themselves, or others to groups that grant access to other privileged roles.

 

With on-prem, we can restrict certain sensitive groups to OUs with different permissions to protect them, but I don't believe this is possible with Azure AD?

@Vincent VALENTIN - Yes, supporting on-prem groups is on our roadmap.

@Wesley-Trust - That's a great observation. That's why we have put measures in place to protect these groups so that there is no elevation of privilege. Only a Privileged Role Admin or a Global Admin can modify the membership of a role-assignable group by default.

 

Please take a look at this - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept#why-...

Copper Contributor

@Abhijeet Kumar Sinha Fantastic, thanks.

Copper Contributor

This is still susceptible to the sync delays of the Primary Refresh Token in Windows 10 clients, right? Plus or minus 4 hours of privileged access breaks “just-in-time” for me. 

Iron Contributor

@Abhijeet Kumar Sinha For On-prem group you will support nesting?

@Vincent VALENTIN - We are working on design. It is difficult to commit anything at this time. Having said that, I really appreciate you sharing the scenario with us. It was very helpful. Thanks!

Deleted
Not applicable

Cannot believe we managed to survive so long without it :D Excellent addition! Keep it up please! :)

Brass Contributor

OMG finally, have been waiting for this for ages.

Thought there was some sort of a security issue since this feature has been unavailable for so long.

 

Nice to finally see it coming to on-prem groups too soon.

Copper Contributor

That's very good that you have made measures against abuse, @Abhijeet Kumar Sinha. However I did find a severe weakness now that allows for non-wanted elevation of privilege with these new role groups.

 

By using Azure AD Entitlement Management > Access Packages. Example:

- Group "azuread-role-intune_administrator" created and assigned to role "Intune Administrator" (created by global admin or privileged role admin)

 

Now another user, "USER X" with the role "User administrator" can create an access package in Entitlement Management, and select "azuread-role-intune_administrator" as a resource role in the access package.

Now USER X can assign the access package to himself and will thus also be made a member of "azuread-role-intune_administrator", effectively giving the user access to something it should have been able to do.

 

This happens because the Entitlement Management-engine apparently runs on very high privileges or is exempt from the security measures made for these new role groups.

 

I would like to see this patched, but still be able to use the functionality of access packages with this new role group functionality. Maybe an extra check in Entitlement Management where the active roles of the user creating the user assignment can be assessed before allowing/disallowing the action?

@omega3 - To put a role-assignable group into an access package, you must be a User Administrator and also owner of the role-assignable group. 

See this - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-faq-troubles....

 

Copper Contributor

@Abhijeet Kumar Sinha Aha! I tested again now, and I realize I wrote the above scenario slightly wrong.

You are correct, the User Administrator user was not able to add the role-assignable group to the access package (catalog), but if there is an access package present with role-assignable groups already, the User Administrator is able to assign this access package to whoever.

I tested this again now, just to be sure.

Copper Contributor

Are you able to share if this functionality will work with a mail-enabled security group in the future? That would help my use case considerably. Thanks!

@MelissaCoates - An Azure AD security group with mail-enabled=true is supported. See this example - https://docs.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-beta&tabs=http#example-...

 

However, a mail-enabled security group that is mastered in Exchange is not supported. We do not have plans to support such type of groups right now.

Copper Contributor

@Abhijeet Kumar Sinha Thank you very much for confirming. Yes, it's an Exchange-backed mail-enabled security group that I'm after rather than a unified (M365) group. I was able to confirm that the Graph API does not currently support creating a mail-enabled security group (even prior to dealing with IsAssignableToRole).

 

FYI, my use case relates to Power BI administration. I intend to align my Power BI Administrator group with the Power BI Administrator role. In the Power BI tenant settings, there is one setting which requires a mail-enabled security group so a unified group won't work (this particular setting provides alerts if there's a service outage or incident). I can still make some headway with simplifying group/role membership maintenance & reducing overall risk with the new capabilities discussed above in this post. The trade-off is treating that alerting group as a separate thing. Still a step forward.

Copper Contributor

Is there a plan to allow nested groups?  Like Azure roles have it today?  I don't believe you should allow endless nested groups, there should be a limit, and the limit should be small, and only two layers deep.
I have a design like the following:
Company-Specific-Groups (Such as Developers, Dev-Ops, Infrastructure, Support, etc)
I have Azure Role Groups (Two for every role - One Active, one Eligible)
I place the users in the Company-Specific groups, place the Company-Specific groups into all the Azure Role Groups they require, and each Azure Role Group is permanently assigned to its corresponding Azure role.
For example:
XXX-Developers (Contains all developers)
XXX-Active-Subsc1-Contributor (One for each Azure role), assigned permanently Active to Subscription#1's Azure Contributor role
XXX-Eligible-Subsc1-Contributor (One for each Azure role), assigned permanently Eligible to Subscription#1's Azure Contributor role

With this design, when a new Developer joins the company, or leaves:
1. I simply add/remove them from a single group to allow/revoke everything a Developer needs access to.
2. It keeps the constant in/out of PIM to a minimum
3. It keeps cleanup easy as there's not the leftover GUID/ObjectID stuck in the role's assignment list.

Auditing is a challenge, Access Reviews are a challenge.  But I'm hoping Microsoft is accounting for simplified designs like these.  Very recently, something changed with the AzureAD role-assignable groups, as I was able to assign groups to those AzureAD groups, but that has recently disappeared.  Was that a bug?  Something that should've never been released?  It offered hope that the design was going to be like Azure role groups.

Copper Contributor

Maximus: You should use Access packages in Entitlement Management, not nested groups. This would fulfill your purpose in a better way.

@Abhijeet Kumar Sinha: I am still worried about the security regarding my last comment:
"You are correct, the User Administrator user was not able to add the role-assignable group to the access package (catalog), but if there is an access package present with role-assignable groups already, the User Administrator is able to assign this access package to whoever.

I tested this again now, just to be sure."

Microsoft

@omega3 thanks for your feedback.  Yes, as part of this preview, in addition to documentation updates, we are also looking at updates to the use of existing and new directory roles, across entitlement management and other Azure AD features, so that customers can use the entitlement management and role-assignable groups features together, and have more finer-grained control on what catalogs and access packages are available for existing administrators to manage.

Copper Contributor

@Alex Simons (AZURE), any ETA on when the below two known issues ( https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept#know... ) will be resolved?

 

  • Azure AD P2 licensed customers only: Don't assign a group as Active to a role through both Azure AD and Privileged Identity Management (PIM). Specifically, don't assign a role to a role-assignable group when it's being created and assign a role to the group using PIM later. This will lead to issues where users can’t see their active role assignments in the PIM as well as the inability to remove that PIM assignment. Eligible assignments are not affected in this scenario. If you do attempt to make this assignment, you might see unexpected behavior such as:
    • End time for the role assignment might display incorrectly.
    • In the PIM portal, My Roles can show only one role assignment regardless of how many methods by which the assignment is granted (through one or more groups and directly).
  • Azure AD P2 licensed customers only: Even after deleting the group, it is still shown as an eligible member of the role in the PIM UI. Functionally there's no problem; it's just a cache issue in the Azure portal.

 Thanks!

@TechUser152 - We are working actively on it. The fix is a bit involved, so sharing the exact ETA is not possible. 
@Shaun Liu  - FYI.
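An added example, not code from the post or from Microsoft: the Microsoft Graph request bodies for the procedure the post describes (a role-assignable group, then a directory-role assignment to it), followed by a review of an exported snapshot that surfaces two things a defender wants to see: which group owners can change who holds a role, and any group assigned Active to the same role both directly in Azure AD and through PIM, the known-issue combination quoted in the comment above. The snapshot, ids and role definition ids are constructed placeholders; the `pimActive` key is the snapshot's own shorthand, not a Graph resource name.

```python
import json


def role_assignable_group_body(display_name: str, mail_nickname: str) -> dict:
    """Body for POST /groups. isAssignableToRole is fixed at creation time and
    only a Privileged Role Administrator or Global Administrator may set it."""
    return {
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "mailEnabled": False,
        "securityEnabled": True,
        "isAssignableToRole": True,
    }


def role_assignment_body(group_id: str, role_definition_id: str) -> dict:
    """Body for POST /roleManagement/directory/roleAssignments: grants the
    role tenant-wide ("/") with the group as the principal."""
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "principalId": group_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",
    }


# Constructed snapshot (placeholder ids) in the shape of the objects above.
SNAPSHOT = {
    "groups": [
        {"id": "g-teams", "displayName": "Role-TeamsAdmin",
         "isAssignableToRole": True, "owners": ["u-helpdesk-lead"]},
        {"id": "g-sp", "displayName": "Role-SPAdmin",
         "isAssignableToRole": True, "owners": []},
    ],
    # Permanent (Active) assignments made directly in Azure AD.
    "roleAssignments": [
        {"principalId": "g-teams", "roleDefinitionId": "role-teams"},
        {"principalId": "g-sp", "roleDefinitionId": "role-sp"},
    ],
    # Active assignments made through PIM (constructed shorthand key).
    "pimActive": [
        {"principalId": "g-sp", "roleDefinitionId": "role-sp"},
    ],
}


def review(snapshot: dict) -> dict:
    """Owners of a role-assignable group effectively delegate the role, so
    list them; and flag (group, role) pairs assigned Active both directly
    and via PIM, which the preview's known issues say to avoid."""
    direct = {(a["principalId"], a["roleDefinitionId"]) for a in snapshot["roleAssignments"]}
    pim = {(a["principalId"], a["roleDefinitionId"]) for a in snapshot["pimActive"]}
    delegated = {g["displayName"]: g["owners"] for g in snapshot["groups"] if g["owners"]}
    double = sorted(f"{g}:{r}" for g, r in direct & pim)
    return {"delegated_to_owners": delegated, "double_active": double}


if __name__ == "__main__":
    print(json.dumps(review(SNAPSHOT), indent=2))
```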

Copper Contributor

@Abhijeet Kumar Sinha, any updates? We are still facing some of the issues. Thanks :) 

Copper Contributor

Hello everyone,

does the tenant need the P2 license or only the affected user inside the group?

 

Did anybody test the feature with https://protection.office.com/?

 

Thanks in advance for a feedback!

Copper Contributor

@TechAB - You will have to create such a group in Azure AD portal. Above documentation means that once someone is assigned a role via a group, it will be honored in new Exchange Admin Center. For example, you want to put a user Alice in a group and assign that group to Exchange Admin role. This is what needs to be done - 

 

  • Privileged Role Admin creates a role-assignable M365 group or security group in Azure AD portal --> Assign it to Exchange Admin role --> Adds Bob and Alice to this group
  • Alice logs into new Exchange Admin Center (admin.exchange.microsoft.com) and does her work

Brass Contributor

Highly needed feature! Just wanted to ask if there is an approximate timeline of when this will come out of preview and become a mainline feature? Also when the AD groups and custom roles integration might be available?

Thanks

@PhilRiceUoS - 

1. Support for assigning cloud groups to custom roles and AU-scoped roles was released in Dec 2020. You can start using it.

2. Regarding general availability of cloud group support - Yes, we are working on it. Tentative timeline is 1st half of CY21.

Brass Contributor

@Abhijeet Kumar Sinha - thanks, I must have missed that about the custom roles when trying this out recently.

By cloud group support, are you referring to AD groups, synced via AD Connect?

@PhilRiceUoS - No, by cloud groups I meant Azure AD groups, the ones that are created and mastered in Azure AD.

Brass Contributor

@Abhijeet Kumar Sinha - sorry, I understand, you mean that feature will be out of preview and in general availability. Thanks, good to know as we are planning on implementing it but there were some questions over it being a preview feature.

Copper Contributor

This is a great feature and we plan on using it 'across the board'. I have noticed something odd though and am not sure if this is by design? Here is the scenario:

  • I am logged in as a GlobalAdmin.
  • UserJoe was already assigned AAD Role XYX.
  • We created CloudGroup, made it Role Assignable, assigned it AAD Role XYX.
  • We added UserJoe to CloudGroup.
  • UserJoe now 'exists' in both lists (AAD Role XYX and CloudGroup)
  • 1 month has passed since the previous steps took place.
  • I tried to remove UserJoe from AAD Role XYX today since he now exists in CloudGroup as well, and am presented with the error:
    Title : Removing role assignment failed
    Message : The Role assignment does not exist.

@JohnHart - It could be because of a known issue we documented here - https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept#known-issues.

 

We are working on the fix.

Copper Contributor

Hi Abhijeet. When I get into Privileged Access (preview) it just displays a blank page and does not give me an option to Enable Privileged Access. 
- Preview Features are turned ON

- The group has Azure AD role assignable toggle ON

 

What could be causing this issue?

Steel Contributor

When can we expect on-premises AD security groups to be supported?

Copper Contributor

What is the planned date for this to come out of preview?

Copper Contributor

Hi @Abhijeet Kumar Sinha 

 

Any dates on when on-premises AD groups will be supported for Azure AD Roles?

 

Thanks

Copper Contributor

Hello @Alex Simons (AZURE)

Hello @Abhijeet Kumar Sinha

 

Is it possible to have an update regarding this preview? Have you progressed on your roadmap and started to work on the possibility to assign an on-premises AD group (synchronised over AD Connect) to an Azure role?

 

Thanks 

Best regards,

Jonathan 

@Jonathan_BLESZ , @RobW1972 - Yes, support for assigning groups to on-prem groups is work in progress. 

Steel Contributor

@Abhijeet Kumar Sinha Is there an option to enroll to private preview for that feature?

Folks,

Assigning roles to Azure AD groups is now generally available!

 

We are working on bringing this capability to on-prem synced groups as well. Stay tuned.

Copper Contributor

@Abhijeet Kumar Sinha - Greetings, is there any update for on-prem synced group role assignment capability?

Steel Contributor

@JRepp You can open a support ticket and ask to be enrolled in private preview.

Copper Contributor

@Daniel Niccoli I tried opening a support ticket from admin.microsoft.com to be enrolled in the private preview but was told the Office 365 team can't and to open a ticket for on-prem ad support instead.  I don't think the on-prem support would be able to assist in this matter.

 

How did you get enrolled in the private preview?

 

Thanks

Steel Contributor

Try to open a Ticket with the Azure AD (Identity) support through the Azure Portal.

 

Btw. I was told they plan to go public preview in September.

Copper Contributor

@Abhijeet Kumar Sinha Hi, it's been over 2 years since this post. Are on-prem synced groups still on the roadmap to be used? If so, do you have a timeframe? Thanks!

Copper Contributor

Hi @Abhijeet Kumar Sinha

Does the product group have an update regarding on-prem synced group role assignment capability?

Microsoft

@vmjgrund @darkrai Yes, we are still working on the on-prem groups as well, though I don't have a date estimate at this time.

Copper Contributor

Hi @Abhijeet Kumar Sinha @Doug_Kirschner ,

 

One year after the last post, do you have updates regarding the support of on-prem synced groups?

Version history: last update Aug 13 2020 02:00 PM