Howdy folks,
I’m very excited to kick off a series of announcements on capabilities related to Azure Active Directory (Azure AD) role-based access control (RBAC). These capabilities will enable fine-grained authorization and simplify RBAC management at scale in Azure AD and Microsoft 365.
I’d like to start this series by sharing the general availability of custom roles for delegated app management.
Together, custom roles for app registrations and enterprise apps give you fine-grained control over exactly which app-management actions your admins can perform. As a reminder, Azure AD custom roles require an Azure AD Premium P1 subscription.
Let’s see how Alice, a centralized IT admin at the fictitious company Woodgrove, can effectively and securely delegate app management.
Woodgrove, a geographically distributed organization, has a small, centralized IT team that manages the delegation of Azure AD roles. Senior IT admin Alice is responsible for delegating Azure AD roles while exercising least privilege, so that each assignee gets only the access they need.
Charlie is the owner of the Woodgrove Portal app, one of the many line-of-business (LOB) applications at Woodgrove. Alice wants to delegate access management for the LOB applications to their owners. Specifically, she wants to grant Charlie a role that lets him manage access to the Woodgrove Portal app, and nothing more.
Let’s see how Alice can build a new custom role for this scenario and assign it to Charlie.
In the following example, Alice will create a custom role with just the permissions to manage user and group assignments for applications. Once the custom role is created, Alice can assign this role to Charlie with the scope of the Woodgrove Portal app. This will grant Charlie the ability to manage user and group assignments for the Woodgrove Portal app.
Create a custom role
Assign the custom role
Like built-in roles, custom roles can be assigned at directory scope to grant the permissions over all enterprise applications in the tenant. You can also assign the same custom role over just one application, as in our example. That lets you give the assignee permission to manage user and group assignments for a single application without creating a second custom role, and without granting anything beyond that app.
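The two steps above, carried out with the AzureAD PowerShell module, as an added example that is not part of the original post. It assumes you have already run Connect-AzureAD as an admin who can create role definitions and assignments; the role name, Charlie's UPN and the enterprise app's display name are hypothetical, while the permission string is the documented one for updating user and group assignments on enterprise applications (service principals).

```powershell
# Added example (not from the original post). Assumes the AzureAD PowerShell
# module with Connect-AzureAD already run as an admin allowed to create role
# definitions and assignments. Role name, UPN and app display name are assumed.

# 1. Create the custom role with exactly one permission: managing user and
#    group assignments on enterprise applications (service principals).
$allowedResourceActions = @(
    "microsoft.directory/servicePrincipals/appRoleAssignedTo/update"
)
$rolePermissions = @{ allowedResourceActions = $allowedResourceActions }

$roleDefinition = New-AzureADMSRoleDefinition `
    -DisplayName "Application Access Manager" `
    -Description "Can manage user and group assignments for enterprise applications." `
    -RolePermissions $rolePermissions `
    -TemplateId (New-Guid).Guid `
    -IsEnabled $true

# 2. Resolve the assignee and the single enterprise app the assignment covers.
$charlie = Get-AzureADUser -Filter "userPrincipalName eq 'charlie@woodgrove.example'"
$portal  = Get-AzureADServicePrincipal -Filter "displayName eq 'Woodgrove Portal'"

# The scope is the service principal's object ID prefixed with '/'.
# A scope of '/' alone would grant the role over every enterprise app in the tenant.
$resourceScope = "/" + $portal.ObjectId

# 3. Assign the role to Charlie, scoped to the Woodgrove Portal app only.
$assignment = New-AzureADMSRoleAssignment `
    -RoleDefinitionId $roleDefinition.Id `
    -PrincipalId $charlie.ObjectId `
    -DirectoryScopeId $resourceScope

# 4. Verify the result: the assignment should carry the app's scope, not '/'.
Get-AzureADMSRoleAssignment -Filter "principalId eq '$($charlie.ObjectId)'" |
    Where-Object { $_.RoleDefinitionId -eq $roleDefinition.Id } |
    Select-Object RoleDefinitionId, PrincipalId, DirectoryScopeId
```

The verification step is the check worth keeping: an assignment whose DirectoryScopeId is "/" instead of "/<service principal object ID>" means Charlie can manage access to every enterprise app, which is the over-delegation this scenario is trying to avoid.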
That’s it. Charlie can now manage access to the Woodgrove Portal app. Refer to the Azure AD custom roles documentation for the other roles you can create.
We're working on more great features for Azure AD RBAC, including additional capabilities around custom roles and administrative units, plus other least-privileged experiences that we think you’ll love. Stay tuned for coming announcements.
As always, we'd love to hear your feedback, thoughts, and suggestions. Feel free to share with us on the Azure AD administrative roles forum or leave comments below. We look forward to hearing from you.
Best regards,
Alex Simons (@Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division