0 votes

I would like to create an Azure Active Directory custom role with the following parameters:

Who to assign the role to:

  • Either a user, or group

What access will the role have:

  • Default role permissions from the "User Access Administrator" directory role

Scope:

  • The custom role would only grant access in the specified AAD groups

(My idea is to have users with this custom role, be able to fill the roles of a User Access Administrator ONLY in the Scoped AAD Groups)

This would provide application administrators the required rights to assign application roles to the specified "Scope" AAD groups, with least privilege in Azure Active Directory.

Is it possible to scope an Azure Active Directory custom role to an AAD Group? Not assign the role to a group, but rather the custom role only grant permissions to manage the AAD Group (Assign / Remove application roles to the group... etc)?

  • Meaning no rights/permissions exist in AAD, except for User Access Administration of that specified "Scope" AAD Group

If so, what would the scope format be when creating the custom role? Preferably in JSON or PowerShell.


2 Answers

1 vote

There is no support today for custom roles in Azure Active Directory. Only the predefined Administrator Roles, as described in the documentation, are available for use.

You may, however, take a look at the advanced self-service or delegated group management capabilities and combine them with some existing role (like User Access Administrator or Application Administrator). You may also like to see the difference between Application Administrator and Cloud Application Administrator.

In pursuit of least privilege access, you may find the Least Privilege Role by Task document useful, and also Microsoft Azure AD Privileged Identity Management to control and audit privileged tasks.

Last, but not least, a preview feature - Administrative Units may be of interest to you.

To summarize:

As of today (2018-12-04), there is no option to create a custom role within Azure AD, nor to constrain a given role to a specific group (be it a security or Office 365 group).
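The delegated group management the answer points to can be scripted. The PowerShell below is an added example, not code from the original question or answer: it makes the application administrators owners of exactly the groups they should manage, so they can add and remove members of those groups without holding any directory role. The group names, user principal names and the AzureAD module cmdlets it relies on are assumptions for illustration; the group and user names are hypothetical.

```powershell
# Added example (not part of the original answer): delegate membership
# management of a fixed set of AAD groups by making the application
# administrators owners of those groups only. Group owners can manage
# membership of their own groups without holding a directory role.
# Group display names and UPNs below are hypothetical placeholders.
# Requires the AzureAD module: Install-Module AzureAD

Connect-AzureAD

# Hypothetical "scope": the only groups the delegates may manage.
$scopedGroupNames = @('App-Finance-Readers', 'App-Finance-Approvers')

# Hypothetical delegated administrators.
$delegateUpns = @('alice@contoso.example', 'bob@contoso.example')

foreach ($groupName in $scopedGroupNames) {
    # -Filter takes OData syntax; match the display name exactly.
    $group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
    if (-not $group) {
        Write-Warning "Group '$groupName' not found; skipping."
        continue
    }
    if (@($group).Count -gt 1) {
        # Display names are not unique; refuse to guess which group was meant.
        Write-Warning "Display name '$groupName' is ambiguous; skipping."
        continue
    }

    $currentOwners = @(Get-AzureADGroupOwner -ObjectId $group.ObjectId)

    foreach ($upn in $delegateUpns) {
        # -ObjectId accepts either an object ID or a UPN.
        $user = Get-AzureADUser -ObjectId $upn

        # Idempotent: Add-AzureADGroupOwner errors on an existing owner.
        if ($currentOwners.ObjectId -contains $user.ObjectId) {
            Write-Host "$upn is already an owner of $groupName"
            continue
        }
        Add-AzureADGroupOwner -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
        Write-Host "Added $upn as owner of $groupName"
    }

    # Verify: list the owners of this group after the change.
    Get-AzureADGroupOwner -ObjectId $group.ObjectId |
        Select-Object @{ n = 'Group'; e = { $groupName } }, UserPrincipalName
}
```

Note what this does and does not give the delegates: ownership lets them change who is in the scoped groups, which is the "assign / remove" part of the question, but it grants nothing on the rest of the directory and it does not let them assign application roles to the group; that still requires an application-level or directory role such as Application Administrator, which is tenant-wide.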