{"id":1831,"date":"2020-08-28T01:00:00","date_gmt":"2020-08-28T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/azure-ad-roles-group-assignment-preview\/"},"modified":"2020-08-28T01:00:00","modified_gmt":"2020-08-28T01:00:00","slug":"azure-ad-roles-group-assignment-preview","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/cloud-and-modern-data-center\/azure-ad-roles-group-assignment-preview\/","title":{"rendered":"Azure Ad Roles &#8211; Group Assignment Preview"},"content":{"rendered":"<p>A long-awaited Azure Active Directory feature has finally made it into public preview, giving you the ability to <span><a rel=\"noopener nofollow\" href=\"https:\/\/techcommunity.microsoft.com\/t5\/azure-active-directory-identity\/assigning-groups-to-azure-ad-roles-is-now-in-public-preview\/ba-p\/1257372\" target=\"_blank\">assign Azure AD Roles to Azure AD Groups<\/a><\/span>. Quite a few organizations I have worked with over the past few years have been asking when this will finally happen\u2026 well, the time is upon us!<\/p>\n<p>Generally, IT organizations prefer to assign rights and permissions via groups and not to individual user accounts. This practice is supported across most Microsoft 365 and Azure services with one major exception, <span><a rel=\"noopener nofollow\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/users-groups-roles\/directory-assign-admin-roles\" target=\"_blank\">Azure AD roles<\/a><\/span>, which are how various limited administrative rights are delegated to select users.<\/p>\n<p>Before this preview, assigning an Azure AD role such as Exchange Administrator required a manual entry against an individual user account. 
Even if you are using Microsoft Privileged Identity Management (PIM), which is Microsoft\u2019s premium Just-in-Time (JIT) identity platform, you were still limited to assigning the eligible roles to users and not groups.<\/p>\n<p>There are some limitations in the preview, such as the group must be a newly created cloud-based group and you must select the option to allow for this type of assignment as shown here:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/21\/2021\/02\/insentra_neil_hoffman_8282020_img_1.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/9fdd4d7690b941789fe68df05e6d9fbe\" \/><\/p>\n<p>Notice that the Membership type gets grayed out if you choose \u2018yes\u2019 to this preview option, so these cannot be dynamic groups. When you click \u2018Create\u2019 you are met with this warning confirmation:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/21\/2021\/02\/insentra_neil_hoffman_8282020_img_2.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/1a149529c49d4b9c9303cbfce465d3f9\" \/><\/p>\n<p>Once you create the group with this option enabled, you will be able to add it to an Azure AD role either from the \u2018Group properties\u2019 or from the \u2018Azure AD Roles and administrators\u2019 blade:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/21\/2021\/02\/insentra_neil_hoffman_8282020_img_3.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/3180d2c48162431b9ab42cead0ccc4ff\" \/><\/p>\n<p>Or, from the PIM console to assign an eligible role to the group:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/21\/2021\/02\/insentra_neil_hoffman_8282020_img_4.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/ff34a81ce79f4db7944ab7f33bf425e3\" \/><\/p>\n<p>It should be known that one of the reasons why Microsoft has waited this long to enable this feature (I\u2019ve been told by members of 
the Azure AD Product Group) is the risk it poses. Microsoft has been cautious to allow this functionality due to the potential for organizations to inadvertently grant elevated permissions to inappropriate individuals. So, please do be careful with this feature. I would recommend using a special naming convention so these groups are easy to identify, such as adm-ExchangeAdmins or adm-GlobalAdmins.<\/p>\n<p>Another limitation is that these groups cannot be synced from on-premises Active Directory when Azure AD Connect is in use. This will be disappointing to some organizations who have been waiting specifically for the ability to delegate permissions in Azure AD based on AD group memberships. To those in that boat, hang tight: the announcement does state that this addition is on the roadmap. In the meantime, if you are really interested in bridging the gap in the short term, you may be able to get creative with some scripting to replicate group memberships, but I would only recommend this in an extreme case. Otherwise, I would just wait until the functionality has been added to the service.<\/p>\n<p>As always, feel free to reach out if you have any questions or would like assistance planning out your Azure AD implementation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A long-awaited Azure Active Directory feature has finally made it into public preview, giving you the ability to assign Azure AD Roles to Azure AD Groups. Quite a few organizations I have worked with over the past few years have been asking when this will finally happen\u2026 well, the time is upon us! 
Generally, IT organizations&hellip; <a class=\"more-link\" href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/cloud-and-modern-data-center\/azure-ad-roles-group-assignment-preview\/\">Continue reading <span class=\"screen-reader-text\">Azure Ad Roles &#8211; Group Assignment Preview<\/span><\/a><\/p>\n","protected":false},"author":91,"featured_media":1832,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[21],"tags":[],"class_list":["post-1831","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-and-modern-data-center","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/1831","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/users\/91"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/comments?post=1831"}],"version-history":[{"count":0,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/1831\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/media\/1832"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/media?parent=1831"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/categories?post=1831"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/tags?post=1831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}