Using groups to assign admin roles - works great except...


About a year ago we migrated our internal processes to using Entra ID security groups to manage Entra ID role assignment.  It is mostly a good solution, but over time we started finding issues that Microsoft either can't or is unwilling to fix.  Their "solution" is always to "assign the role directly", which isn't scalable for an organization that doesn't own entitlement to PIM.  Below are the roles and functionality that are broken if roles are not directly assigned:


Exchange Administrator - Unable to download message trace logs

Groups Administrator / Global Administrator - Unable to configure group expiration policy

Power Platform Administrator / Global Administrator - Unable to elevate to Power Platform System Administrator role in environments


Do others have this issue?  Is there any hope of MS actually fixing this, or are we going to have to switch our process back to direct role assignment by some other means?

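Before deciding whether to fall back to direct assignment, it helps to know exactly which accounts hold the roles named in the post only through a group, since those are the ones that will hit the gaps described. The script below is an added example and not part of the original post or anything Microsoft ships: it uses the Microsoft Graph PowerShell SDK to resolve each role's active assignments, expands any group principal to its members, and reports members who have no direct assignment of the same role. The role names come from the post; the scopes, the function name and the output shape are my own assumptions.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph PowerShell SDK.
# Read-only scopes are enough; assumption: the signed-in account may read role assignments and group membership.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All', 'GroupMember.Read.All'

# The roles the post identifies as broken when held only through a group.
$rolesToCheck = @(
    'Exchange Administrator',
    'Groups Administrator',
    'Global Administrator',
    'Power Platform Administrator'
)

function Get-GroupOnlyRoleHolders {
    # Hypothetical helper name. Returns one row per principal that holds a role ONLY via group membership.
    param([Parameter(Mandatory)][string[]]$RoleDisplayName)

    foreach ($name in $RoleDisplayName) {
        # Resolve the display name to the role definition id that assignments reference.
        $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
        if (-not $def) { Write-Warning "Role '$name' not found in this tenant"; continue }

        # Active assignments only; PIM-eligible assignments are not returned by this endpoint.
        $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($def.Id)'" -All
        if (-not $assignments) { continue }

        $principalIds = @($assignments.PrincipalId | Select-Object -Unique)
        $principals   = Get-MgDirectoryObjectById -Ids $principalIds

        $direct    = @{}   # principal id -> directory object (assigned directly)
        $viaGroups = @{}   # member id    -> list of group display names carrying the role
        $memberObj = @{}   # member id    -> directory object as returned by the membership call

        foreach ($p in $principals) {
            if ($p.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group') {
                # Role-assignable groups cannot be nested today; transitive membership is used so the
                # report stays correct if that changes.
                foreach ($m in (Get-MgGroupTransitiveMember -GroupId $p.Id -All)) {
                    if (-not $viaGroups.ContainsKey($m.Id)) {
                        $viaGroups[$m.Id] = [System.Collections.Generic.List[string]]::new()
                        $memberObj[$m.Id] = $m
                    }
                    $viaGroups[$m.Id].Add([string]$p.AdditionalProperties['displayName'])
                }
            }
            else {
                $direct[$p.Id] = $p
            }
        }

        foreach ($memberId in $viaGroups.Keys) {
            # A member who is also assigned directly does not hit the gaps; skip them.
            if ($direct.ContainsKey($memberId)) { continue }

            $m    = $memberObj[$memberId]
            $label = $m.AdditionalProperties['userPrincipalName']
            if (-not $label) { $label = $m.AdditionalProperties['displayName'] }

            [pscustomobject]@{
                Role          = $name
                Principal     = $label
                PrincipalType = ([string]$m.AdditionalProperties['@odata.type']) -replace '^#microsoft\.graph\.', ''
                ViaGroups     = ($viaGroups[$memberId] -join '; ')
            }
        }
    }
}

Get-GroupOnlyRoleHolders -RoleDisplayName $rolesToCheck |
    Sort-Object Role, Principal |
    Format-Table -AutoSize
```

The rows this produces are the accounts that would need a direct assignment (or a separate break-glass account with one) if the affected features are required; everyone else can stay on the group model. Run it from the same tenant the groups live in, since role assignments to groups are tenant-local.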