Right role to reading groups members on Azure AD

Contributor

Hi Azure community,

 

I have a user who needs to access to the Azure Portal so he can look up only for Azure AD Groups/Members and Ownership. I just want to give right and enough privilege to does his job.

Which role is the best to assign to him via PIM?

 

Thanks

3 Replies

@Ali Fadavinia 

 

The built-in Azure AD roles are reasonably broad by nature but probably the best fit would be the Directory Readers role, which is more restrictive than Global Readers.

 

 

I meant to add that this role will not allow the member to read the membership list of a group that is marked as having hidden members. If this is required then things start getting a bit tricky in the read-only context, but if this isn't something you're concerned about, stick with the Directory Readers role.

 

Cheers,

Lain

Thanks Lain for the insights,

It does the job for him, but the drawback is he is able to see all configurations like Users, or all resources across Azure portal - so it is not just limited to Groups there.

Is there anyway to limit his access just to "Groups" or just the places he needs to use as part of his daily job?

@Ali Fadavinia 

 

Hey, Ali.

 

There's nothing as granular as what you're looking for out-of-the-box, unfortunately.

 

It's important to note that I'm basing this and the previous statement on the following quote from your original post which implies read-only access:

 

"... so he can look up only ..."

 

It's worth noting that from a security perspective, every user can read group memberships (excluding what I said before about groups marked as having hidden memberships). Similarly, every user can read basic properties of other user accounts ("basic properties" still accounts for a fair number of attributes, but this has always been true even with Active Directory on-premise.)

 

 

I'd wager this is why there's no "Groups Reader" role, since it's something everyone (talking about normal users, not guests) has the rights to do by default.

 

Therefore, the requirement you're really trying to solve is how to provide an easy-to-use way of browsing such things, and it's in this context you're looking to grant access to the Azure portal.

 

If we re-frame your requirement to just this one aspect (granting access to the Azure portal), then you might consider a left-field solution which is to add them to the Message Center Reader role, which is - as far as I can see - the least-privileged out-of-the-box Azure AD role you can add someone to that also allows them to sign into the Azure portal.

 

 

There's no harm in being able to read the Message Centre announcements, and in being a read-only role, there's no risk of them submitting support tickets, etc.

 

But as I said initially, the Azure AD roles are broad by nature and will encompass more than just the one specific requirement you're looking to fulfil.

 

You could look at whether creating and publishing a dashboard based on the Users and Groups tile from the Tile Gallery meets your needs. Otherwise, if you're adamant the person should not see anything from users - even the public properties that all users technically have the by-default rights to see, you're stuck with having to create something bespoke like a Power Apps solution.

 

 

While I won't discuss it here, I will at least acknowledge the topic of administrative units, which may or may not help you. That functionality costs you extra and isn't a silver bullet either, which is why I won't get into those here.

 

Cheers,

Lain