Reputation: 10960
My requirement is I need to add users/applications to Application Administrator Role.
As per the MS design, only Global Admin has permission to add assignments to this role. But I don't want to give Global Admin to many members; rather, I'm trying to create a custom role that lets them add users/applications to the Application Admin role.
When I researched the exact permissions, I found the permission below in Global Admin, which I believe is needed for my requirement (custom role):
microsoft.directory/roleAssignments/allProperties/allTasks => Create and delete roleAssignments, and read and update all properties in Azure Active Directory.
However, the above permission cannot be used in any custom role.
Is there any way to add the above permission to my custom role?
Upvotes: 1
Views: 612
Reputation: 10960
So I reached out to Microsoft support, and they confirmed that right now custom roles are supported for the permissions including app reg and enterprise application. For role assignments, those permissions aren't supported by custom roles.
My Workaround:
I created a role-assignable group (security group) and added that group to the Application Administration Role. With this, I can now manage the members (add/remove) of the group, which inherit all the permissions from the Application Administrator role.
Upvotes: 0
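The workaround described in the answer, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original post; the group name, mail nickname and the object-ID placeholders are hypothetical, and adding a group owner to delegate membership management is an assumption about how the delegation would be done.

```powershell
# Added example. Run by a Global Administrator or Privileged Role Administrator,
# who is needed to create the role-assignable group and the role assignment.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

# 1. Create the security group. IsAssignableToRole must be set at creation
#    time and cannot be changed afterwards. (Names are hypothetical.)
$group = New-MgGroup -DisplayName 'App-Admins-Delegated' `
    -Description 'Members inherit the Application Administrator role' `
    -MailNickname 'app-admins-delegated' `
    -MailEnabled:$false -SecurityEnabled -IsAssignableToRole

# 2. Resolve the built-in role by display name instead of hard-coding its ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Application Administrator'"
if (-not $role) { throw 'Application Administrator role definition not found.' }

# 3. Assign the role to the group at tenant scope ('/').
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId '/'

# 4. Delegate membership management by adding an owner (assumption: this is
#    the person who should add/remove members without holding Global Admin).
#    Owners of this group can effectively grant the role, so keep the list short.
$ownerId = '<object-id-of-delegated-owner>'   # placeholder
New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/users/$ownerId"
}

# 5. Add a principal that should receive the role through the group.
$memberId = '<object-id-of-principal>'        # placeholder
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $memberId

# 6. Review who holds the role through the group and who can change that.
'Members:'; Get-MgGroupMember -GroupId $group.Id -All | Select-Object Id
'Owners:';  Get-MgGroupOwner  -GroupId $group.Id -All | Select-Object Id
```

Because every member and owner change on this group changes who holds Application Administrator, the group's audit log entries deserve the same review as direct role assignments.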