Reputation: 325
AAD administrative roles have only been directly assignable to users. They could not be assigned via AAD groups.
Now there is a "Privileged access groups (Preview)" pane in PIM, but I can't find any way to enable a role-assignable group in the Azure AD group management. Consequently, the list of available AAD groups in PIM is empty. Where can I find this AAD group configuration?
I do find isAssignableToRole as a group property on GET in the Graph API, but PATCH does not work. It looks like an existing AAD group cannot have this flag raised.
The property isAssignableToRole is not available in the Graph API doc.
I am able to create a new AAD security-enabled group with the isAssignableToRole flag raised using the Graph API, but the group is still not available in PIM "Privileged access groups (Preview)".
POST https://graph.microsoft.com/v1.0/groups
{
    "description": "A test for role assignable groups",
    "displayName": "Test role assignable groups",
    "securityEnabled": true,
    "isAssignableToRole": true,
    "mailEnabled": false,
    "mailNickname": "test-role-assignment2"
}
Has Microsoft released a partially implemented feature here? If so, does anyone have an ETA on when it will be ready? I found this feature request flagged by Microsoft as started: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/20227804-enable-pim-role-assignment-by-group-membership#{toggle_previous_statuses}
The option to enable assigned AAD roles is not available when creating a new group in the portal:
Upvotes: 0
Views: 1478
Reputation: 16438
It seems that Privileged access groups (Preview) is still in progress. I can see that the data on the page won't be shown because the backend throws an error "error":{"code":"UnauthorizedAccessException","message":"The tenant has not onboarded to PIM.", which is not true.
But another related function in Group is already available.
When you create a group with the isAssignableToRole flag raised using Microsoft Graph, or create a group on the Azure Portal like this:
you will find that you can assign an Azure AD role to this group.
Upvotes: 1
Reputation: 2746
I believe this uservoice is also relevant: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/12938997-azuread-role-delegation-to-groups
They are apparently working on it, but they ran into what appears to be a security design problem, because this means that indirectly anyone who can manage groups would be able to add anyone else to potentially global privileged roles. But it seems like they are working through it, hopefully.
Upvotes: 1
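A defender-side view of the two points made in the answers above: a group created with isAssignableToRole can hold Azure AD roles, and whoever owns such a group indirectly controls who receives those roles. This is an added example, not code from the thread or from Microsoft; it builds the POST /groups body from the question and audits constructed Graph-style objects (the SAMPLE_* data, ids and names are made up), so it never contacts a live tenant.

```python
# Added example: constructed Graph-style data only; nothing here calls a tenant.
# Constructed: objects in the shape of GET /groups, trimmed to relevant fields.
SAMPLE_GROUPS = [
    {"id": "g-1", "displayName": "Test role assignable groups",
     "securityEnabled": True, "mailEnabled": False, "isAssignableToRole": True},
    {"id": "g-2", "displayName": "All Staff",
     "securityEnabled": True, "mailEnabled": False, "isAssignableToRole": False},
]
# Constructed: role name -> member ids (shape of GET /directoryRoles/{id}/members).
SAMPLE_ROLE_MEMBERS = {
    "Global Administrator": ["g-1", "u-42"],
    "Helpdesk Administrator": ["u-13"],
}
# Constructed: group id -> owner ids (shape of GET /groups/{id}/owners).
SAMPLE_OWNERS = {"g-1": ["u-7"], "g-2": ["u-8", "u-9"]}


def role_assignable_group_body(display_name, mail_nickname, description=""):
    """Body for POST /groups creating a role-assignable group.  isAssignableToRole
    is only honoured at creation and is immutable afterwards (hence PATCH fails);
    the group must be security-enabled and not mail-enabled."""
    return {
        "description": description,
        "displayName": display_name,
        "securityEnabled": True,
        "isAssignableToRole": True,
        "mailEnabled": False,
        "mailNickname": mail_nickname,
    }


def audit_role_assignable_groups(groups, role_members, owners):
    """List, per role-assignable group, the directory roles it holds and its
    owners.  Owners can add members, so they indirectly decide who receives
    those roles; that is the delegation concern raised in the thread."""
    findings = []
    for group in groups:
        if not group.get("isAssignableToRole"):
            continue
        held = sorted(r for r, members in role_members.items() if group["id"] in members)
        group_owners = list(owners.get(group["id"], []))
        findings.append({
            "group": group["displayName"], "roles": held, "owners": group_owners,
            # True when non-admins (owners) can change membership of a group
            # that actually carries directory roles: the case worth reviewing.
            "owner_controlled_roles": bool(held) and bool(group_owners),
        })
    return findings
```

In a real tenant the three SAMPLE_* inputs would come from the Graph calls named in the comments; the audit logic itself is unchanged.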