I’m very excited to kick off a series of announcements on capabilities related to Azure Active Directory (Azure AD) role-based access control (RBAC). These capabilities will support the enablement of fine-grained authorization and simplify management at scale for RBAC in Azure AD and Microsoft 365.
I’d like to start this series by sharing the general availability of custom roles for delegated app management.
Together, custom roles for app registration andenterprise apps provide fine-grained control over what access your admins have for app management. As a reminder, Azure AD custom roles require an Azure AD Premium P1 subscription.
Let’s see how Alice, a centralized IT admin at the fictitious company Woodgrove, can effectively and securely delegate app management.
Woodgrove uses custom roles for app management for secure app management delegation
Woodgrove, a geographically distributed organization, has a small, centralized IT team that manages the delegation of Azure AD roles. Senior IT admin Alice is responsible for delegating Azure AD roles by exercising least privilege to keep the IT system secure.
Charlie is the owner of Woodgrove Portal app, one of the many line of business (LOB) applications in Woodgrove. Alice wants to delegate the access management of the LOB applications to their owners. Specifically, she wants to grant a role to Charlie so he can manage access to the Woodgrove Portal app.
Let’s see how Alice can build a new custom role for this scenario and assign it to Charlie.
Create and assign a custom role
In the following example, Alice will create a custom role with just the permissions to manage user and group assignments for applications. Once the custom role is created, Alice can assign this role to Charlie with the scope of the Woodgrove Portal app. This will grant Charlie the abilityto manage user and group assignments for the Woodgrove Portal app.
Create a custom role
On the Roles and administrators tab, select New custom role.
Provide a name and description for the role and selectNext.
Assign the permissions for the role. Search forservicePrincipalto select themicrosoft.directory/servicePrincipals/appRoleAssignedTo/update permission.
Review the new role. If everything looks good, selectCreateto create the new role.
Assign the custom role
Like built-in roles, custom roles can be assigned at the directory level to grant access over all Enterprise applications. Additionally, you can assign custom roles over just one application, as shown in our example. This allows you to give the assignee the permission to manage user and group assignments for a single application without having to create a second custom role.
Select theEnterprise applications taband pick an application that you want to give someone access to manage user and group assignments.
Navigate to the newRoles and administratorstab. You’ll see the custom role created above.
Select the role to open the assignment blade, select Add assignment, and then select a person to add to the role.
The assignee can now navigate to the application’s users and groups blade to verify the Add user option is enabled.
That’s it. Charlie can now manage access to the Woodgrove Portal app. You can refer here for additional documentation on the other roles you can create.
We're working on more great features for Azure AD RBAC, including additional capabilities around custom roles and administrative units, plus other least-privileged experiences that we think you’ll love. Stay tuned for coming announcements.
As always, we'd love to hear your feedback, thoughts, and suggestions. Feel free to share with us on theAzure AD administrative roles forumor leave comments below. We look forward to hearing from you.