Assigning groups to Azure AD roles is now in public preview!

Published Aug 13 2020 01:00 PM

Howdy folks,


Today, we’re excited to share that you can assign groups to Azure Active Directory (Azure AD) roles, now in public preview. Role delegation to groups is one of the most requested features in our feedback forum. Currently this is available for Azure AD groups and Azure AD built-in roles, and we’ll be extending this in the future to on-premises groups as well as Azure AD custom roles.


To use this feature, you’ll need to create an Azure AD group and enable it to have roles assigned. This can be done by anyone who is either a Privileged Role Administrator or a Global Administrator. The setting has to be chosen when the group is created (it is the isAssignableToRole property in Microsoft Graph); an existing group cannot be made role-assignable afterwards, so plan a new group for each role you want to delegate.

[Image: Group roles 1.png]

After that, any of the Azure AD built-in roles, such as Teams Administrator or SharePoint Administrator, can have groups assigned to them.
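The two steps above (create a group with the role-assignable setting, then assign it to a built-in role) as an added example; this is not code from the original post or from Microsoft. It builds and sanity-checks the two Microsoft Graph requests behind the procedure without sending them. The Graph v1.0 endpoints, the tenant-wide directoryScopeId "/", the mailNickname check, and the placeholder roleDefinitionId and group id in the sample are assumptions, and the "created group" object in the sample is constructed to look like a Graph response.

```python
"""Added example (not from the original post): plan the Graph requests that
create a role-assignable group and assign it to an Azure AD built-in role.
Runs offline; the functions only return request bodies, nothing is sent.

Assumptions: Graph v1.0 endpoints POST /groups and
POST /roleManagement/directory/roleAssignments, a tenant-wide scope "/",
and a roleDefinitionId supplied by the caller (look one up with
GET /roleManagement/directory/roleDefinitions?$filter=displayName eq '...').
"""
import re

GRAPH = "https://graph.microsoft.com/v1.0"
# Conservative local check for mailNickname; Graph applies its own rules too.
MAIL_NICKNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def build_role_assignable_group(display_name: str, mail_nickname: str,
                                description: str = "") -> dict:
    """Request body for a security group that can be assigned to roles.

    isAssignableToRole is immutable after creation, so it must be set here;
    an ordinary existing group cannot be converted later.
    """
    if not display_name.strip():
        raise ValueError("displayName is required")
    if not MAIL_NICKNAME_RE.match(mail_nickname):
        raise ValueError("mailNickname must be 1-64 chars of [A-Za-z0-9_.-]")
    return {
        "displayName": display_name,
        "description": description,
        "mailNickname": mail_nickname,
        "mailEnabled": False,
        "securityEnabled": True,
        "isAssignableToRole": True,
        # Assigned membership only: no "DynamicMembership" (and no "Unified"),
        # so the group stays a plain security group.
        "groupTypes": [],
    }


def check_role_assignable(group: dict) -> None:
    """Refuse to assign a role to a group object that does not qualify.

    `group` is shaped like a Graph group resource (e.g. the POST response).
    """
    if not group.get("isAssignableToRole"):
        raise ValueError(
            f"group {group.get('id')} was not created with isAssignableToRole=true; "
            "create a new group, the flag cannot be switched on afterwards")
    if "DynamicMembership" in group.get("groupTypes", []):
        raise ValueError("role-assignable groups must have assigned membership")
    if group.get("onPremisesSyncEnabled"):
        raise ValueError("groups synced from on-premises AD are not supported yet")


def build_role_assignment(role_definition_id: str, group_id: str) -> dict:
    """Tenant-wide (directoryScopeId '/') assignment of a role to the group."""
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "roleDefinitionId": role_definition_id,
        "principalId": group_id,
        "directoryScopeId": "/",
    }


def plan_requests(display_name, mail_nickname, role_definition_id, created_group=None):
    """Return the ordered (method, url, body) plan.

    Step 2 needs the group id from step 1, so it is only planned when
    `created_group` (the Graph response from step 1) is supplied, and that
    object is validated first.
    """
    steps = [("POST", f"{GRAPH}/groups",
              build_role_assignable_group(display_name, mail_nickname))]
    if created_group is not None:
        check_role_assignable(created_group)
        steps.append(("POST", f"{GRAPH}/roleManagement/directory/roleAssignments",
                      build_role_assignment(role_definition_id, created_group["id"])))
    return steps


if __name__ == "__main__":
    # Constructed sample: what Graph would return after step 1 (ids are made up,
    # and the all-zero roleDefinitionId is a placeholder).
    created = {"id": "11111111-1111-1111-1111-111111111111",
               "displayName": "Contoso Teams Admins",
               "isAssignableToRole": True, "groupTypes": []}
    for method, url, body in plan_requests("Contoso Teams Admins", "contoso-teams-admins",
                                           "00000000-0000-0000-0000-000000000000", created):
        print(method, url, body)
```

The check in `check_role_assignable` is the part worth keeping in any automation: a role assignment to a group that was not created as role-assignable is exactly the case the portal refuses, and catching it before the second request avoids a half-finished rollout.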

[Image: group roles 2.png]

By default only Privileged Role Administrators and Global Administrators can change the membership of a role-assignable group. Adding an owner to the group delegates that control for that one group: the owner can then manage the membership and decide who gets the role, so you can delegate the administration of Azure AD roles and reduce the dependency on Privileged Role Administrators and Global Administrators. Anyone who can add members to such a group can in effect grant the role, so treat ownership of a role-assignable group as a privileged right and review it accordingly.
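An added example (not code from the original post or from Microsoft) of the audit question this delegation raises: given the role assignments and the groups behind them, who effectively holds a role, and which group owners can grant it by editing membership. The input is constructed, Graph-shaped data with made-up ids; "role-teams-admin" stands in for a real roleDefinitionId. A group found as a member of a role-assignable group is reported rather than expanded, because a role-assignable group cannot contain other groups.

```python
"""Added example (not from the original post): who effectively holds an
Azure AD role once groups are assigned to it, and which group owners can grant
it by adding members. Runs offline over constructed, Graph-shaped data.

Assumptions: role assignments carry principalId and roleDefinitionId as in
GET /roleManagement/directory/roleAssignments; each group's owners and members
are already expanded; every id below is made up, and "role-teams-admin" is a
placeholder for a real roleDefinitionId.
"""
from collections import defaultdict

USER = "#microsoft.graph.user"
GROUP = "#microsoft.graph.group"

# Constructed sample tenant: bob holds the role twice (via the group and
# directly), carol owns the role-assignable group, grp-helpdesk is nested in it.
ROLE_TEAMS_ADMIN = "role-teams-admin"
USERS = {"alice", "bob", "carol", "dave"}
GROUPS = {
    "grp-teams-admins": {
        "isAssignableToRole": True,
        "owners": [{"@odata.type": USER, "id": "carol"}],
        "members": [
            {"@odata.type": USER, "id": "alice"},
            {"@odata.type": USER, "id": "bob"},
            {"@odata.type": GROUP, "id": "grp-helpdesk"},
        ],
    },
    "grp-helpdesk": {
        "isAssignableToRole": False,
        "owners": [],
        "members": [{"@odata.type": USER, "id": "dave"}],
    },
}
ROLE_ASSIGNMENTS = [
    {"roleDefinitionId": ROLE_TEAMS_ADMIN, "principalId": "grp-teams-admins"},
    {"roleDefinitionId": ROLE_TEAMS_ADMIN, "principalId": "bob"},
    {"roleDefinitionId": "role-something-else", "principalId": "dave"},
]


def resolve_role(role_definition_id, role_assignments, groups, users):
    """Return (holders, grantors, findings) for one role.

    holders:  {principal_id: [path, ...]} where path is "direct" or the id of
              the group that carries the role; a user with two paths keeps the
              role until every path is removed.
    grantors: {owner_id: [group_id, ...]} owners who can put anyone into a
              group that carries the role. Privileged Role Administrators and
              Global Administrators can always do so and are not listed.
    findings: anomalies worth a ticket: a nested group (not expanded, since a
              role-assignable group cannot contain groups), a group that holds
              the role without being role-assignable, an unknown principal.
    """
    holders, grantors, findings = defaultdict(list), defaultdict(list), []
    for ra in role_assignments:
        if ra["roleDefinitionId"] != role_definition_id:
            continue
        pid = ra["principalId"]
        if pid in users:
            holders[pid].append("direct")
            continue
        group = groups.get(pid)
        if group is None:
            findings.append(f"principal {pid} is neither a known user nor a known group")
            continue
        if not group.get("isAssignableToRole"):
            findings.append(f"group {pid} holds the role but is not role-assignable")
        for member in group["members"]:
            if member["@odata.type"] == GROUP:
                findings.append(f"group {member['id']} is nested in {pid}; not expanded")
            else:
                holders[member["id"]].append(pid)
        for owner in group["owners"]:
            grantors[owner["id"]].append(pid)
    return dict(holders), dict(grantors), findings


def report(role_definition_id, role_assignments=ROLE_ASSIGNMENTS,
           groups=GROUPS, users=USERS):
    """Plain-text summary: one line per holder, grantor and finding."""
    holders, grantors, findings = resolve_role(role_definition_id, role_assignments,
                                               groups, users)
    lines = [f"holder  {uid}  via {', '.join(paths)}" for uid, paths in sorted(holders.items())]
    lines += [f"grantor {uid}  owns {', '.join(gids)}" for uid, gids in sorted(grantors.items())]
    lines += [f"finding {text}" for text in findings]
    return lines


if __name__ == "__main__":
    print("\n".join(report(ROLE_TEAMS_ADMIN)))
```

Run against the sample, the report lists alice and bob as holders (bob through two paths), carol as a grantor because she owns the group, and one finding for the nested helpdesk group; dave, who is only reachable through that nested group, does not appear as a holder.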


You can also use this together with Privileged Identity Management (PIM) to make the group’s role assignment eligible rather than permanently active, so the role is granted just in time. With this integration, each member of the group activates the role separately when they need it, and the access is removed again when the activation expires.


We’ve also added a new preview capability in PIM called Privileged Access Groups. Turning on this capability will allow you to enhance the security of group management, such as just-in-time group ownership and requiring an approval workflow for adding members to the group.

[Image: group roles 3.png]

Assigning groups to Azure AD roles requires an Azure AD Premium P1 license. Privileged Identity Management requires an Azure AD Premium P2 license. To learn more about these changes, check out our documentation (https://go.microsoft.com/fwlink/?linkid=2103037) on this topic:

- Use groups to manage role assignments: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept
- Manage privileged access groups: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-features

As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.


Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division


41 Comments
---
Great, thank you!

---
Great,

Alex, when you support on-prem AD synced groups, think about supporting nested groups.

We have a complete tree structure for our IT and we use it to provide authorisation in AD, applications, … Actually we are obliged to assign O365/Azure AD roles manually per user, but if we can use our on-prem tree structure it will be great. Our goal is to manage users within one team group and then have all authorization within our IT systems set up correctly without needing to add accounts somewhere else.

---
This is a great feature, but I'm slightly concerned about abuse/misuse: where a user is granted a role that allows them to edit group membership, which then allows them to add themselves, or others, to groups that grant access to other privileged roles.

With on-prem, we can restrict certain sensitive groups to OUs with different permissions to protect them, but I don't believe this is possible with Azure AD?

---
@Vincent VALENTIN - Yes, supporting on-prem groups is on our roadmap.

---
@Wesley-Trust - That's a great observation. That's why we have put measures in place to protect these groups so that there is no elevation of privilege. Only a Privileged Role Admin or a Global Admin can modify the membership of a role-assignable group by default.

Please take a look at this - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept#why-we-enforce-creation-of-a-special-group-for-assigning-it-to-a-role

---
@Abhijeet Kumar Sinha Fantastic, thanks.

---
This is still susceptible to the sync delays of the Primary Refresh Token in Windows 10 clients, right? Plus or minus 4 hours of privileged access breaks “just-in-time” for me.

---
@Abhijeet Kumar Sinha For on-prem groups, will you support nesting?

---
@Vincent VALENTIN - We are working on the design. It is difficult to commit to anything at this time. Having said that, I really appreciate you sharing the scenario with us. It was very helpful. Thanks!

---
Cannot believe we managed to survive so long without it :D Excellent addition! Keep it up please! :)

---
OMG finally, have been waiting for this for ages. Thought there was some sort of security issue since this feature has been unavailable for so long.

Nice to finally see it coming to on-prem groups soon too.

---
That's very good that you have made measures against abuse, @Abhijeet Kumar Sinha. However I did find a severe weakness now that allows for unwanted elevation of privilege with these new role groups.

By using Azure AD Entitlement Management > Access Packages. Example:

- Group "azuread-role-intune_administrator" created and assigned to role "Intune Administrator" (created by a global admin or privileged role admin)

Now another user, "USER X" with the role "User administrator", can create an access package in Entitlement Management, and select "azuread-role-intune_administrator" as a resource role in the access package.

Now USER X can assign the access package to himself and will thus also be made a member of "azuread-role-intune_administrator", effectively giving the user access to something it should have been able to do.

This happens because the Entitlement Management engine apparently runs on very high privileges or is exempt from the security measures made for these new role groups.

I would like to see this patched, but still be able to use the functionality of access packages with this new role group functionality. Maybe an extra check in Entitlement Management where the active roles of the user creating the user assignment can be assessed before allowing/disallowing the action?

---
@omega3 - To put a role-assignable group into an access package, you must be a User Administrator and also owner of the role-assignable group.

See this - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-faq-troubleshooting

---
@Abhijeet Kumar Sinha Aha! I tested again now, and I realize I wrote the above scenario slightly wrong.

You are correct, the User Administrator user was not able to add the role-assignable group to the access package (catalog), but if there is an access package present with role-assignable groups already, the User Administrator is able to assign this access package to whoever.

I tested this again now, just to be sure.

---
Are you able to share if this functionality will work with a mail-enabled security group in the future? That would help my use case considerably. Thanks!

---
@MelissaCoates - An Azure AD security group with mail-enabled=true is supported. See this example - https://docs.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-beta&tabs=http#example-3-create-a-group-that-can-be-assigned-to-an-azure-ad-role

However, a mail-enabled security group that is mastered in Exchange is not supported. We do not have plans to support that type of group right now.

---
@Abhijeet Kumar Sinha Thank you very much for confirming. Yes, it's an Exchange-backed mail-enabled security group that I'm after rather than a unified (M365) group. I was able to confirm that the Graph API does not currently support creating a mail-enabled security group (even prior to dealing with IsAssignableToRole).

FYI, my use case relates to Power BI administration. I intend to align my Power BI Administrator group with the Power BI Administrator role. In the Power BI tenant settings, there is one setting which requires a mail-enabled security group, so a unified group won't work (this particular setting provides alerts if there's a service outage or incident). I can still make some headway with simplifying group/role membership maintenance and reducing overall risk with the new capabilities discussed above in this post. The trade-off is treating that alerting group as a separate thing. Still a step forward.

---
Is there a plan to allow nested groups? Like Azure roles have it today? I don't believe you should allow endless nested groups; there should be a limit, and the limit should be small, and only two layers deep.

I have a design like the following:

Company-Specific-Groups (such as Developers, Dev-Ops, Infrastructure, Support, etc.)

I have Azure Role Groups (two for every role: one Active, one Eligible).

I place the users in the Company-Specific groups, place the Company-Specific groups into all the Azure Role Groups they require, and each Azure Role Group is permanently assigned to its corresponding Azure role.

For example:

XXX-Developers (contains all developers)
XXX-Active-Subsc1-Contributor (one for each Azure role), assigned permanently Active to Subscription#1's Azure Contributor role
XXX-Eligible-Subsc1-Contributor (one for each Azure role), assigned permanently Eligible to Subscription#1's Azure Contributor role

With this design, when a new Developer joins the company, or leaves:

1. I simply add/remove them from a single group to allow/revoke everything a Developer needs access to.
2. It keeps the constant in/out of PIM to a minimum.
3. It keeps cleanup easy as there's not the leftover GUID/ObjectID stuck in the role's assignment list.

Auditing is a challenge, Access Reviews are a challenge. But I'm hoping Microsoft is accounting for simplified designs like these. Very recently, something changed with the Azure AD role-assignable groups, as I was able to assign groups to those Azure AD groups, but that has recently disappeared. Was that a bug? Something that should've never been released? It offered hope that the design was going to be like Azure role groups.

---
Maximus: You should use access packages in Entitlement Management, not nested groups. This would fulfill your purpose in a better way.

@Abhijeet Kumar Sinha: I am still worried about the security regarding my last comment:

"You are correct, the User Administrator user was not able to add the role-assignable group to the access package (catalog), but if there is an access package present with role-assignable groups already, the User Administrator is able to assign this access package to whoever.

I tested this again now, just to be sure."

---
@omega3 thanks for your feedback. Yes, as part of this preview, in addition to documentation updates, we are also looking at updates to the use of existing and new directory roles, across entitlement management and other Azure AD features, so that customers can use the entitlement management and role-assignable groups features together, and have finer-grained control on what catalogs and access packages are available for existing administrators to manage.

---
@Alex Simons (AZURE), any ETA on when the below two known issues (https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept#known-issues) will be resolved?

- Azure AD P2 licensed customers only: Don't assign a group as Active to a role through both Azure AD and Privileged Identity Management (PIM). Specifically, don't assign a role to a role-assignable group when it's being created and assign a role to the group using PIM later. This will lead to issues where users can’t see their active role assignments in PIM as well as the inability to remove that PIM assignment. Eligible assignments are not affected in this scenario. If you do attempt to make this assignment, you might see unexpected behavior such as:
  - End time for the role assignment might display incorrectly.
  - In the PIM portal, My Roles can show only one role assignment regardless of how many methods by which the assignment is granted (through one or more groups and directly).
- Azure AD P2 licensed customers only: Even after deleting the group, it is still shown as an eligible member of the role in the PIM UI. Functionally there's no problem; it's just a cache issue in the Azure portal.

Thanks!

---
@TechUser152 - We are working actively on it. The fix is a bit involved, so sharing the exact ETA is not possible.
@Shaun Liu - FYI.

---
@Abhijeet Kumar Sinha, any updates? We are still facing some of the issues. Thanks :)
22%3ESubject%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2033421%22%20slang%3D%22de-DE%22%3E%3CP%3EHello%20everyone%2C%3C%2FP%3E%3CP%3Edoes%20the%20tennant%20need%20the%20P2%20lic%20or%20only%20the%20affected%20user%20inside%20the%20group%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDid%20anybody%20test%20the%20feature%20with%3F%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fprotection.office.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fprotection.office.com%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance%20for%20a%20feedback!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2095022%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2095022%22%20slang%3D%22en-US%22%3E%3CUL%3E%3CLI%3EHello%20Folks%2C%26nbsp%3B%3C%2FLI%3E%3CLI%3E%26nbsp%3B%3C%2FLI%3E%3CLI%3EPer%20the%20article%20%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Froles%2Fgroups-concept%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Froles%2Fgroups-concept%3C%2FA%3E%26nbsp%3B%3C%2FLI%3E%3CLI%3EUse%20the%20new%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fadmin.exchange.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EExchange%20Admin%20Center%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Efor%20role%20assignments%20via%20group%20membership.%20The%20old%20Exchange%20Admin%20Center%20doesn%E2%80%99t%20support%20this%20feature%20yet.%20Exchange%20PowerShell%20cmdlets%20will%20work%20as%20expected.)%20-%20%3CSTRONG%3Ebut%20I%20am%20still%20unable%20to%20locate%20a%20way%20to%20perform%20the%20action%20from%20New%20EAC%20-%20Can%20somebody%20guide%
3F%3C%2FSTRONG%3E%3C%2FLI%3E%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2098996%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2098996%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F355929%22%20target%3D%22_blank%22%3E%40TechAB%3C%2FA%3E%26nbsp%3B-%20You%20will%20have%20to%20create%20such%20a%20group%20in%20Azure%20AD%20portal.%20Above%20documentation%20means%20that%20once%20someone%20is%20assigned%20a%20role%20via%20a%20group%2C%20it%20will%20be%20honored%20in%20new%20Exchange%20Admin%20Center.%20For%20example%2C%20you%20want%20to%20put%20a%20user%20Alice%20in%20a%20group%20and%20assign%20that%20group%20to%20Exchange%20Admin%20role.%20This%20is%20what%20needs%20to%20be%20done%20-%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3E%0A%3CUL%3E%0A%3CLI%3EPrivileged%20Role%20Admin%20creates%20a%20role-assignable%20M365%20group%20or%20security%20group%20in%20Azure%20AD%20portal%20--%26gt%3B%20Assign%20it%20to%20Exchange%20Admin%20role%20--%26gt%3B%20Adds%20Bob%20and%20Alice%20to%20this%20group%3C%2FLI%3E%0A%3CLI%3EAlice%20logs%20into%20new%20Exchange%20Admin%20Center%20(admin.exchange.microsoft.com)%20and%20does%20her%20work%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2108410%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2108410%22%20slang%3D%22en-US%22%3E%3CP%3Ehighly%20needed%20feature%20!%20-%20just%20wanted%20to%20ask%20if%20there%20is%20an%20approximate%20timeline%20of%20when%20this%20will%20come%20out%20of%20preview%20and%20become%20a%20mainline%20feature%3F%20Also%20when%20the%20AD%20groups%20and%20custom%20Roles%20integration%20might%20be%20available%3F%3C%2FP%3E
%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2108418%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2108418%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F646041%22%20target%3D%22_blank%22%3E%40PhilRiceUoS%3C%2FA%3E%26nbsp%3B-%26nbsp%3B%3C%2FP%3E%0A%3CP%3E1.%20Support%20for%20assigning%20cloud%20groups%20to%20custom%20roles%20and%20AU-scoped%20roles%20was%20released%20in%20Dec%202020.%20You%20can%20start%20using%20it.%3C%2FP%3E%0A%3CP%3E2.%20Regarding%20general%20availability%20of%20cloud%20group%20support%20-%20Yes%2C%20we%20are%20working%20on%20it.%20Tentative%20timeline%20is%201st%20half%20of%20CY21.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2108427%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2108427%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F84425%22%20target%3D%22_blank%22%3E%40Abhijeet%20Kumar%20Sinha%3C%2FA%3E%26nbsp%3B%20-%20thanks%20%2C%20I%20must%20have%20missed%20that%20about%20the%20custom%20roles%20when%20trying%20this%20out%20recently.%3C%2FP%3E%3CP%3EBy%20cloud%20group%20support%20%2C%20are%20you%20refering%20to%20AD%20groups%20%2C%20synced%20via%20ad-connect%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2108437%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2108437%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F646041%22%20target%3D%22_blank%22%3E%40PhilRiceUoS%3
C%2FA%3E%26nbsp%3B-%20No%2C%20by%20cloud%20groups%20I%20meant%20Azure%20AD%20groups%2C%20the%20ones%20that%20are%20created%20ands%20mastered%20in%20Azure%20AD.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2108491%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2108491%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F84425%22%20target%3D%22_blank%22%3E%40Abhijeet%20Kumar%20Sinha%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B-%20sorry%2C%20I%20understand%2C%20you%20mean%20that%20feature%20will%20be%20out%20of%20preview%20and%20in%20general%20availability.%20Thanks%2C%20good%20to%20know%20as%20we%20are%20planning%20on%20implementing%20it%20but%20there%20was%20some%20questions%20over%20it%20being%20a%20preview%20feature.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2159340%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2159340%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20a%20great%20feature%20and%20we%20plan%20on%20using%20it%20'across%20the%20board'.%20I%20have%20noticed%20something%20odd%20though%20and%20am%20not%20sure%20if%20this%20is%20by%20design%3F%20Here%20is%20the%20scenario%3A%3C%2FP%3E%3CUL%3E%3CLI%3EI%20am%20logged%20in%20as%20a%20GlobalAdmin.%3C%2FLI%3E%3CLI%3EUserJoe%20was%20already%20assigned%20AAD%20Role%20XYX.%3C%2FLI%3E%3CLI%3EWe%20created%20CloudGroup%2C%20made%20it%20Role%20Assignable%2C%20assigned%20it%20AAD%20Role%20XYX.%3C%2FLI%3E%3CLI%3EWe%20added%20UserJoe%20to%20CloudGroup.%3C%2FLI%3E%3CLI%3EUserJoe%20now%20'exists'%20in%20both%20lists%20(AAD%20Role%20XYX%20and%20CloudGroup)%3C%2FLI%3E%3CLI%3E1%20month%20has%20passed%20since%20the%20previous%20steps%20took%20place.%3C%2FLI%3E%3CLI%3EI%
20tried%20to%20remove%20UserJoe%20from%26nbsp%3BAAD%20Role%20XYX%20today%20since%20he%20now%20exists%20in%20CloudGroup%20as%20well%2C%20and%20am%20presented%20with%20the%20error%3A%3CBR%20%2F%3E%3CSTRONG%3ETitle%26nbsp%3B%3C%2FSTRONG%3E%3A%26nbsp%3BRemoving%20role%20assignment%20failed%3CBR%20%2F%3E%3CSTRONG%3EMessage%26nbsp%3B%3C%2FSTRONG%3E%3A%26nbsp%3BThe%20Role%20assignment%20does%20not%20exist.%3C%2FLI%3E%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2160341%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2160341%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F910494%22%20target%3D%22_blank%22%3E%40JohnHart%3C%2FA%3E%26nbsp%3B-%20It%20could%20be%20because%20of%20a%20known%20issue%20we%20documented%20here%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Froles%2Fgroups-concept%23known-issues%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Froles%2Fgroups-concept%23known-issues%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20are%20working%20on%20the%20fix.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2241993%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2241993%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Abhijeet.%20When%20I%20get%20into%20Privileged%20Access%20(preview)%20it%20just%20displays%20a%20blank%20page%20and%20does%20not%20give%20me%20an%20option%20to%20Enable%20Privileged%20Access.%26nbsp%3B%3CBR%20%2F%3E-%20Preview%20Features%20are%20turned%20ON%3C%2FP%3E%3CP%3E-%20The%20group%20has%20Azure%20AD%20role%20assignable%20toggle%20ON%3C%2FP%3E%3CP%3E%26nbsp
%3B%3C%2FP%3E%3CP%3EWhat%20could%20be%20causing%20this%20issue%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2264691%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2264691%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20can%20we%20expect%20on-premises%20AD%20security%20groups%20to%20be%20supported%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2351356%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2351356%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20is%20the%20planned%20date%20for%20this%20to%20come%20out%20of%20preview%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2488764%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2488764%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F84425%22%20target%3D%22_blank%22%3E%40Abhijeet%20Kumar%20Sinha%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20dates%20on%20when%20on-premises%20AD%20groups%20will%20be%20supported%20for%20Azure%20AD%20Roles%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2594072%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2594072%22%20slang%3D%22en-US%22%3E%3CP%3EHello%26nbsp%3B%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F53477%22%20target%3D%22_blank%22%3E%40Alex%20Simons%20(AZURE)%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EHello%26nbsp%3B%3CSPAN%3E
%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F84425%22%20target%3D%22_blank%22%3E%40Abhijeet%20Kumar%20Sinha%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20possible%20to%20have%20an%20update%20regarding%20this%20preview%3F%20have%20you%20process%20on%20your%20roadmap%20and%20started%20to%20work%20on%20the%20possibility%20to%20use%20On-prenises%20AD%20group%20(synchronised%20over%20AD%20Connect)%20to%20an%20azure%20role%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20regards%2C%3C%2FP%3E%3CP%3EJonathan%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2595298%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2595298%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1114693%22%20target%3D%22_blank%22%3E%40Jonathan_BLESZ%3C%2FA%3E%26nbsp%3B%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F354489%22%20target%3D%22_blank%22%3E%40RobW1972%3C%2FA%3E%26nbsp%3B-%20Yes%2C%20support%20for%20assigning%20groups%20to%20on-prem%20groups%20is%20work%20in%20progress.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2595317%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2595317%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F84425%22%20target%3D%22_blank%22%3E%40Abhijeet%20Kumar%20Sinha%3C%2FA%3EIs%20there%20an%20option%20to%20enroll%20to%20private%20preview%20for%20that%20feature%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2596430%22%2
0slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2596430%22%20slang%3D%22en-US%22%3E%3CP%3EFolks%2C%3C%2FP%3E%0A%3CP%3EAssigning%20roles%20to%20Azure%20AD%20groups%20is%20now%20generally%20available!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20are%20working%20on%20bringing%20this%20capability%20to%20on-prem%20synced%20groups%20as%20well.%20Stay%20tuned.%3C%2FP%3E%3C%2FLINGO-BODY%3E
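As an added example, not code from the post or from any reply in the thread: the steps Abhijeet lists for the Exchange Admin Center case (create a role-assignable group, assign the role, add members) scripted with the Microsoft Graph PowerShell SDK, followed by an audit that reports whether each user holds the role directly or via a group, which is the double-assignment situation John Hart describes. Group name, mail nickname and user UPNs are placeholders, and the caller is assumed to be a Privileged Role Administrator.

```powershell
# Added example, not from the post or any reply: the steps from the Exchange Admin
# Center reply scripted with the Microsoft Graph PowerShell SDK, plus an audit of how
# each user holds the role. Tenant, group name and UPNs are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# 1. Privileged Role Admin creates a role-assignable security group. isAssignableToRole
#    can only be set at creation, and membership of such a group can only be changed by
#    its owners or by Privileged Role / Global Administrators.
$group = New-MgGroup -DisplayName "Exchange Admins (role-assignable)" `
    -MailNickname "exo-admins" -MailEnabled:$false -SecurityEnabled `
    -IsAssignableToRole -Visibility "Private"

# 2. Assign the built-in Exchange Administrator role to the group at tenant scope.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Exchange Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id `
    -PrincipalId $group.Id -DirectoryScopeId "/" | Out-Null

# 3. Add Alice and Bob; they hold the role through group membership only.
foreach ($upn in "alice@contoso.example", "bob@contoso.example") {
    $user = Get-MgUser -UserId $upn
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}

# Audit: list every active assignment of one role and report whether each user holds
# it directly or via a group. A user that appears both ways (the double-assignment
# scenario in the thread) keeps the role until the direct assignment is removed too.
function Get-RoleHolders {
    param([Parameter(Mandatory)][string]$RoleDefinitionId)
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "roleDefinitionId eq '$RoleDefinitionId'" -ExpandProperty Principal
    foreach ($a in $assignments) {
        $p = $a.Principal
        if ($p.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group') {
            Get-MgGroupMember -GroupId $p.Id -All | ForEach-Object {
                [pscustomobject]@{
                    User  = $_.AdditionalProperties['userPrincipalName']
                    Via   = "group: $($p.AdditionalProperties['displayName'])"
                    Scope = $a.DirectoryScopeId
                }
            }
        } else {
            [pscustomobject]@{
                User  = $p.AdditionalProperties['userPrincipalName']
                Via   = 'direct'
                Scope = $a.DirectoryScopeId
            }
        }
    }
}

Get-RoleHolders -RoleDefinitionId $roleDef.Id | Sort-Object User | Format-Table
```

A user listed with both a 'direct' and a 'group:' row still holds the role after leaving the group, so the direct assignment has to be removed separately once group-based assignment is the intended path.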
Version history
Last update:
‎Aug 13 2020 02:00 PM
Updated by: