Pingpong

Reputation: 8019

Restrict Azure Active Directory access by cloning built-in roles and using Roles and administrators

I have created one App Registration, called Report, under AAD and its app under Enterprise Application.

I want to restrict the people access (full CRUD) to the Report app in both App Registration and Enterprise Application, and no access to other apps in AAD.

Below is my idea:

1. Clone Cloud application administrator to create a new role
2. Add people to the new role
3. Add the new role to Roles and administrators of Report under both App Registration and Enterprise Application

Does it work? Does anyone have a better idea?

Upvotes: 0

Views: 1005

Answers (1)

SureshBabu

Reputation: 474

For a user to be granted any permissions over only the selected app registration:

  1. Create a new role using the following PowerShell script
  2. Assign the role using the PowerShell script
  3. Create a role with the Microsoft Graph API
     a. Create the role definition.
     b. Create the role assignment.
  4. Assign a custom role scoped to a resource

Reference: https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-create

Additional Reference: https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-create#create-a-new-custom-role-to-grant-access-to-manage-app-registrations

Assign Azure roles using Azure Resource Manager templates: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template

Upvotes: 1
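The procedure in the answer (define a custom role, assign it scoped to one app registration) as an added worked example using the Microsoft Graph PowerShell SDK. This is not code from the answer or from the Microsoft docs it links; the role name "Report App Manager", the user UPN, and the specific set of resource actions chosen to approximate "full CRUD" are assumptions, and the app registration name "Report" is taken from the question. The last step checks the thing that actually matters for least privilege: that the assignment's directory scope is the single app object and not "/" (the whole tenant).

```powershell
# Added example: custom Azure AD role scoped to a single app registration.
# Assumed modules: Microsoft.Graph.Applications, Microsoft.Graph.Identity.Governance,
# Microsoft.Graph.Users. Role name, UPN and action list are placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Application.Read.All", "User.Read.All"

# --- 1. Role definition ------------------------------------------------------
# Read/update/delete act on an existing object and can therefore be scoped to it.
# "create" cannot be scoped to an object that does not exist yet, so it is omitted;
# the user can manage the Report app but not create new app registrations.
$allowedResourceActions = @(
    "microsoft.directory/applications/allProperties/read",
    "microsoft.directory/applications/allProperties/update",
    "microsoft.directory/applications/delete"
)
$rolePermissions = @{ allowedResourceActions = $allowedResourceActions }

$roleParams = @{
    DisplayName     = "Report App Manager"                     # placeholder name
    Description     = "Manage only the Report app registration"
    TemplateId      = [guid]::NewGuid().Guid
    RolePermissions = $rolePermissions
    IsEnabled       = $true
}
$roleDefinition = New-MgRoleManagementDirectoryRoleDefinition @roleParams

# --- 2. Assignment scoped to the Report app registration ---------------------
$user = Get-MgUser -Filter "userPrincipalName eq 'alice@contoso.example'"   # placeholder UPN
$app  = Get-MgApplication -Filter "displayName eq 'Report'"

# Display names are not unique; refuse to proceed if the lookup is ambiguous.
if (@($app).Count -ne 1) { throw "Expected exactly one app registration named 'Report'" }

# The scope is "/" + the app registration's directory object id
# (the Id property), NOT its AppId / client id.
$directoryScope = "/" + $app.Id

$assignParams = @{
    PrincipalId      = $user.Id
    RoleDefinitionId = $roleDefinition.Id
    DirectoryScopeId = $directoryScope
}
$assignment = New-MgRoleManagementDirectoryRoleAssignment @assignParams

# --- 3. Verify the scope really is a single object ---------------------------
# A DirectoryScopeId of "/" would grant the role over every app registration in
# the tenant, which is exactly what the question is trying to avoid.
$existing = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'"
foreach ($a in $existing) {
    if ($a.RoleDefinitionId -eq $roleDefinition.Id -and $a.DirectoryScopeId -eq "/") {
        Write-Warning "Assignment $($a.Id) is tenant-wide, not scoped to the Report app"
    }
}
$assignment | Format-List Id, PrincipalId, RoleDefinitionId, DirectoryScopeId
```

One caveat for the question's "both App Registration and Enterprise Application" requirement: the Enterprise Application is a separate directory object (a service principal), and the actions above are all under `microsoft.directory/applications/`, so this role grants nothing over the service principal side. That side needs its own consideration rather than being assumed to be covered by the app registration role.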
