Azure AD – You can now create your own custom administration roles

As you may already know, you can grant administrative access to Azure Active Directory (AAD) and its associated resources using the built-in administration roles.

This now goes one step further: an update deployed to Azure Active Directory lets you create your own custom administration roles, so you can grant exactly the permissions a task requires instead of a broader built-in role.

During the preview, this capability is available with any Azure AD paid plan, but once generally available (GA) it will require an Azure AD Premium P1 plan.

You can create (and manage) your custom administration roles using the Azure portal, Azure AD PowerShell (preview module) or the Graph API.

Using the portal


  • In the Azure portal, open Azure Active Directory, access the Roles and administrators blade and click Create custom role


  • Then follow the wizard to name your custom administration role and define the permissions associated with it

NOTE if you have already created a custom role, you can reuse its permission set as a starting point with the Clone from a custom role option


  • Your role is now created and you just have to assign it, as you already do with the built-in ones
  • If needed, you can edit it by accessing the Description blade and clicking the Edit button


Using Azure AD PowerShell

First you need to install the preview module (at least version 2.0.2.31) using the following commands

Install-Module azureadpreview
Import-Module azureadpreview

NOTE when executing the Install-Module command you may be asked to download and install NuGet and/or to trust the remote repository (PowerShell Gallery)

Then you can use the new New-AzureADMSRoleDefinition cmdlet

New-AzureADMSRoleDefinition -RolePermissions <array of permissions assigned to the role> -DisplayName <name of the role> -Description <optional; description of the role> -TemplateId (New-Guid).Guid -IsEnabled $true

The permission(s) are specified using the 'internal' resource action format, for example microsoft.directory/applications/basic/update
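As an added worked example (not code from the original post), the following PowerShell creates a deliberately minimal custom role with the preview module, reads it back to confirm it carries only the intended resource actions, and assigns it to a user. The role name, the user's UPN and the chosen permission set are assumptions for illustration; the cmdlets and the allowedResourceActions hashtable shape are those of the AzureADPreview module.

```powershell
# Added example (not from the original post): create, verify and assign a
# least-privilege custom role. Role name, UPN and permission set are assumptions.
Import-Module AzureADPreview
Connect-AzureAD   # interactive sign-in; the caller needs Global Administrator or Privileged Role Administrator

# Permissions use the resource action format shown above. Keep the set minimal:
# microsoft.directory/applications/credentials/update, for instance, would let the
# holder add secrets or certificates to any app registration, which is effectively
# a path to impersonating those apps, so only grant it if the role truly needs it.
$allowedResourceActions = @(
    "microsoft.directory/applications/basic/update"
)
$rolePermissions = @{ allowedResourceActions = $allowedResourceActions }

$role = New-AzureADMSRoleDefinition `
    -RolePermissions $rolePermissions `
    -DisplayName "Application Basic Properties Editor" `
    -Description "Can update basic properties of application registrations only" `
    -TemplateId (New-Guid).Guid `
    -IsEnabled $true

# Check: read the role back and fail if it carries any action we did not intend
$created = Get-AzureADMSRoleDefinition -Id $role.Id
$granted = $created.RolePermissions.AllowedResourceActions
$unexpected = $granted | Where-Object { $_ -notin $allowedResourceActions }
if ($unexpected) {
    throw "Role carries unexpected actions: $($unexpected -join ', ')"
}

# Assign the role tenant-wide (directory scope "/") to a user (UPN is an assumption)
$user = Get-AzureADUser -ObjectId "appadmin@contoso.onmicrosoft.com"
New-AzureADMSRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId $user.ObjectId `
    -DirectoryScopeId "/"

# Review: list every principal holding this custom role, for periodic access review
Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```

The read-back check matters because the portal and PowerShell paths both accept whatever actions you list; verifying the stored definition against the intended list catches a typo or a copy-pasted broader permission before anyone is assigned the role. Treat custom role assignments like built-in ones in your reviews: enumerate them with Get-AzureADMSRoleAssignment rather than assuming they show up wherever you audit Global Administrators.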
