Azure AD RBAC: Custom roles & administrative units for devices now available
Published Mar 31 2022 12:00 PM

Howdy folks,


In our first blog of this series, we discussed general availability of custom roles for delegated app management. Continuing the series of announcements for Azure Active Directory (Azure AD) role-based access control (RBAC), I’m excited to share several new features to enable fine-grained delegation of device administration in Azure AD. With these new capabilities, you can now:


  • Create custom roles using permissions for device objects.
  • Add devices as members of administrative units and assign built-in or custom roles for managing devices over the scope of an administrative unit.


Let’s take a look at some of the cool things you can do with these new capabilities.





Create a custom role
To create a custom role using device permissions, go to Roles and administrators, then select New Custom Role. In this example, we’ll create a custom role called “BitLocker Recovery Key Reader.”




Give the role a name and description. Next, use the new device permissions for custom roles to select only the BitLocker permissions for this role.




Finally, click Next and create the role. Now you have a custom role that you can use to delegate access only to read BitLocker recovery keys without having to grant any unnecessary permissions.

Add devices to an administrative unit

In addition to customizing the permissions in the role, you can also use administrative units to scope those permissions to a specific set of devices.


In the example below, devices have been added to an administrative unit called “Service Department.” You can click Add device to add additional device(s) to the administrative unit.




Putting it all together

You can now go to the Roles and administrators tab and assign the custom role you created over the scope of the administrative unit. This allows you to ensure that the BitLocker permissions you specified when you created the role apply only to the devices specified in the administrative unit.




Note: we highly recommend assigning the custom role as an eligible assignment through Privileged Identity Management.


That’s it! For more information, check out our documentation on custom roles or administrative units. You can also access these same capabilities using PowerShell and Microsoft Graph APIs.
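The same three steps through Microsoft Graph, as an added example that is not code from the original post: it uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Invoke-MgGraphRequest`) against the v1.0 endpoints and makes the assignment eligible through Privileged Identity Management, as the note above recommends. The object IDs are placeholders, the justification text and 90-day duration are assumptions, and the resource action name should be confirmed against the BitLocker permissions shown in the portal's permission picker.

```powershell
# Added example. IDs are placeholders; the duration and justification are assumptions.
$auId        = '<administrative-unit-object-id>'
$deviceId    = '<device-object-id>'
$principalId = '<delegate-user-or-group-object-id>'
$graph       = 'https://graph.microsoft.com/v1.0'

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory',
    'AdministrativeUnit.ReadWrite.All',
    'RoleEligibilitySchedule.ReadWrite.Directory'

# 1. Custom role that carries only the BitLocker key read action.
$roleBody = @{
    displayName     = 'BitLocker Recovery Key Reader'
    description     = 'Read BitLocker recovery keys; no other device permissions'
    isEnabled       = $true
    rolePermissions = @(@{ allowedResourceActions = @('microsoft.directory/bitlockerKeys/key/read') })
} | ConvertTo-Json -Depth 5
$role = Invoke-MgGraphRequest -Method POST -Body $roleBody `
    -Uri "$graph/roleManagement/directory/roleDefinitions"

# 2. Add the device to the administrative unit.
$memberBody = @{ '@odata.id' = "$graph/devices/$deviceId" } | ConvertTo-Json
Invoke-MgGraphRequest -Method POST -Body $memberBody `
    -Uri "$graph/directory/administrativeUnits/$auId/members/`$ref"

# 3. Eligible (not active) assignment through PIM, scoped to the administrative unit.
$pimBody = @{
    action           = 'adminAssign'
    justification    = 'Service Department BitLocker key recovery'
    principalId      = $principalId
    roleDefinitionId = $role.id
    directoryScopeId = "/administrativeUnits/$auId"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P90D' }
    }
} | ConvertTo-Json -Depth 5
Invoke-MgGraphRequest -Method POST -Body $pimBody `
    -Uri "$graph/roleManagement/directory/roleEligibilityScheduleRequests"

# 4. Check: list any standing (active) assignment of this role and the scope it applies to.
$active = (Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '$($role.id)'").value
foreach ($a in $active) {
    Write-Warning "Active assignment for $($a.principalId) at scope $($a.directoryScopeId)"
}
```

A scope of `/` in step 4 means the role applies to every device in the directory, not just the devices in the administrative unit.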


What’s next

Stay tuned for more great features around Azure AD RBAC. In the meantime, we'd love to hear your feedback, thoughts, and suggestions. You can share these with us on the Azure AD administrative roles forum or leave comments below.


Best Regards, 

Alex Simons (Twitter: @Alex_A_Simons)

Corporate VP of Program Management   

Microsoft Identity Division




Senior Member

Not trying to say this is bad, but AU still has the MAJOR issue of manually putting in devices instead of device groups. The same issues exist as before with users, but now devices also can be added manually. This is not scalable.


We need AUs to be able to add users or devices by GROUP MEMBERSHIP and include DYNAMIC GROUPS too for scalability and operationalization.


@Peter_Holdridge Good news. We are actively rolling out support for dynamic AU membership as well - look for an official announcement on this blog very soon, and in the meantime you can check it out for yourself under the "Properties" tab of an administrative unit. For more information:


@Doug_Kirschner Great thx! Might be an idea to change the red Xs listed here for 'Add or remove groups dynamically based on rules': Administrative units in Azure Active Directory | Microsoft Docs


Edit: I noticed in the rules that you can have Dynamic User or Dynamic Device. Can you use dynamic rules to populate both users and devices to a single AU?


@Peter_Holdridge - For the last couple of years we used the following to bridge the gap, and it might still be cheaper than granting every admin an Azure premium license, but it depends on your requirements and budget.

Senior Member

@Joshua Bines Thanks. Yes, we already use Azure Automation to update the AU users from an existing dynamic group to get around this, but we shouldn't have to. AU should have this built-in. You don't even need to set up rules in AU. Just the ability to select an existing dynamic group would be fine. Or any group...


This is certainly a move in the right direction, at least in terms of being able to delegate access to read BitLocker keys for specific devices, but there’s a much larger hole in Microsoft’s desktop management strategy that needs to be addressed, at least in terms of delegation.

Some Intune features can only be targeted at device groups, and group ownership allows for selection of any device in the directory. It’s effectively impossible to delegate both these features and ownership of the associated groups without giving a delegate the ability to target and affect every device. MECM (SCCM) does this by allowing us to limit selections to specific collections (e.g. not All Devices). What are the Azure and Intune teams doing to correct this gap?


@Joshua Bines thanks, actually that line "adding and removing groups dynamically based on rules" is not yet supported, so the red X is correct. The line above ("add or remove users or devices dynamically based on rules") is what we are rolling out the support for in this initial release, i.e. the same things you can currently do with dynamic groups, you can do with administrative units.


@ENT57 thanks for the feedback. This release is just a first step, and also we're looking into ways to improve the scenario you describe with Intune.  Stay tuned!

Regular Contributor

Hello @Doug_Kirschner this sounds like a welcomed and needed step forward.

What do you think about having the example of BitLocker Key readers as an integrated part instead of a custom role?


BitLocker is a major part of the security concept of Secured Core.


Thank you! 

Trusted Contributor

Thank you for sharing.

This is a really valuable feature and it is helpful in different cases.

New Contributor

Nice, thank you for sharing.

Is it also planned to be able to use the administrative unit in Intune?
I'm thinking of software assignment by administrative unit and things like that.

New Contributor


I was trying to assign Cloud Device Administrator at an administrative unit for scoped device management, but it seems that with such a role I can only disable a device, not delete it. If assigned at directory level, then it works as expected. Is it an issue of the preview Device per administrative unit feature, or did I miss anything?

Sorry to ask here ;)


Last update: Mar 31 2022 11:29 AM