Azure Active Directory Role Management
Azure Active Directory roles allows you to grant granular permissions to your admins, abiding by the principle of least privilege. Azure Active Directory roles control access to Azure Active Directory resources such as users, groups, and applications.
Azure Active Directory supports two types of roles definitions:
-
Built-in roles - Built-in roles are out of box roles that have a fixed set of permissions. These role definitions cannot be modified.
-
Custom roles - To round off the edges and meet your sophisticated requirements, Azure Active Directory also supports custom roles.
Azure Active Directory roles object type supports the following operations:
-
Aggregation of built-in and custom roles as separate group object
-
Aggregation of user membership to roles during account aggregation
-
Add / Remove built-in and custom roles to Azure Active Directory users
Administrator Permissions
Permission |
Permission Type |
Purpose |
---|---|---|
RoleManagement.ReadWrite.Directory |
Application |
Add/Remove Roles for Accounts |
RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
Application |
Aggregate Roles |
RoleManagement.ReadWrite.Directory |
Application |
Provisioning |
RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
Application |
Read Roles entitlement for Accounts |
Supported Schema Attributes
To manage the Azure Active Directory role objects, ensure that the attributes present in Roles Attributes are present in the group schema.