As you may already know, you can grant administrative access to Azure Active Directory (AAD) and associated resources using built-in administration roles.
Well, this goes one step further: an update has been deployed to Azure Active Directory that lets you create your own custom administration roles.
During the preview, this capability is available to any Azure AD paid plan, but once it is generally available (GA) it will require an Azure AD P1 plan.
You can create (and manage) your custom administration role using the portal, Azure AD PowerShell (preview module) or Graph API.
Using the portal
- Connect to your Azure (https://portal.azure.com) or Azure AD (https://aad.portal.azure.com/) portal and open your Azure Active Directory blade
- Then access the Roles and administrators blade and click on Create custom role
- Then just follow the wizard to name your custom administration role and define the permissions associated with it
NOTE: if you have already created a custom role, you will be able to reuse it with the clone from a custom role option
- Your role is now created and you just have to assign it as you already do with the built-in ones
- If needed, you can edit it by opening the Description blade and clicking the Edit button
Using Azure AD PowerShell
First you need to get the preview module (at least version 2.0.2.31) using the commands:
Install-Module azureadpreview
Import-Module azureadpreview
NOTE: when executing the Install-Module command you may be asked to download and install NuGet and/or to trust the PowerShell Gallery remote repository
Then you can use the New-AzureADMSRoleDefinition command:
New-AzureADMSRoleDefinition -RolePermissions <array of permissions assigned to the role> -DisplayName <name of the role> -Description <optional; description of the role> -TemplateId (New-Guid).Guid -IsEnabled $true
The permissions are defined using the ‘internal’ format, for example microsoft.directory/applications/basic/update
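
The command above with its placeholders filled in, as an added example that is not part of the original post. The role name, the description and the format pre-check are assumptions made for illustration; the single permission is the one quoted above, so the role grants nothing beyond it.

```powershell
# Added example: sample values below are constructed, not taken from a real tenant.
Import-Module AzureADPreview
Connect-AzureAD   # sign in with an account allowed to manage role definitions

# Least privilege: list only the actions the role really needs,
# written in the 'internal' format shown above.
$allowedResourceActions = @(
    'microsoft.directory/applications/basic/update'
)

# Pre-check (assumption: every action lives under microsoft.directory/ and has
# at least two further path segments). Catches typos and stray input before
# anything is sent to the directory.
$pattern = '^microsoft\.directory/[A-Za-z.]+(/[A-Za-z.]+)+$'
$invalid = $allowedResourceActions | Where-Object { $_ -notmatch $pattern }
if ($invalid) {
    throw "Unexpected permission string(s): $($invalid -join ', ')"
}

# -RolePermissions takes the allowed actions wrapped in a permission object.
$rolePermissions = @{ allowedResourceActions = $allowedResourceActions }

$role = New-AzureADMSRoleDefinition `
    -RolePermissions $rolePermissions `
    -DisplayName 'Application Basic Updater (example)' `
    -Description 'Can update basic properties of application registrations.' `
    -TemplateId (New-Guid).Guid `
    -IsEnabled $true

# Read the definition back and review what was actually stored
# before assigning the role to anyone.
Get-AzureADMSRoleDefinition -Id $role.Id | Format-List
```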