
Role-assignable group (Security/Office 365 Group)

David
3 min read · Sep 6, 2021

A role-assignable group is a special type of group created in Azure Active Directory with the ‘isAssignableToRole’ property set to True, which allows Azure AD roles to be assigned to the group.

Role-assignable groups are a new feature that rolled out to GA around July 31st, 2021.

Assigning roles to groups can simplify the management of role assignments in Azure AD with minimal effort from Global Administrators and Privileged Role Administrators.

Instead of making multiple role assignments to individual users, the Administrator can assign the role to a group. When a user is added as a member of this group, the user indirectly inherits the assigned admin roles.

A role-assignable group can be created through the Azure portal or via PowerShell.

To assign a role to a group, you must create a new security or Microsoft 365 group with the isAssignableToRole property set to true.

Azure Portal

  1. Sign in to the Azure portal or Azure AD admin center.
  2. Select Azure Active Directory > Groups > All groups > New group.
  3. Turn on “Azure AD roles can be assigned to the group”.

In my example, I will create a role-assignable group called Exchange Admins and assign the Exchange Administrator role to the group.

As you can see, my new group is enabled for role assignments and has no admin role assigned at this time.

The Exchange Administrator role is now assigned and a member, “Debra Berger”, has been added. Now, let’s view her permissions.

License Requirement

  • Azure AD Premium Plan 1 or 2 subscription

Features

  • A role-assignable group cannot be Dynamic
  • The isAssignableToRole property can only be set when the group is created (it cannot be set on existing groups)
  • Assign Azure AD roles to on-premises groups
  • A group can’t be added as a member of a role-assignable group.
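
The portal walkthrough above, done through PowerShell, followed by a review of every role-assignable group in the tenant. This is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell module is installed, and the member's UPN is a placeholder.

```powershell
# Added example: assumes the Microsoft.Graph PowerShell module.
# Group name and role follow the article's example; the UPN below is a placeholder.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# isAssignableToRole can only be set at creation time, so it is passed to New-MgGroup.
$group = New-MgGroup -DisplayName 'Exchange Admins' `
    -Description 'Members inherit the Exchange Administrator role' `
    -MailEnabled:$false -MailNickname 'ExchangeAdmins' `
    -SecurityEnabled -IsAssignableToRole

# Look up the built-in role definition by display name.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"

# Assign the role to the group at tenant scope ('/').
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId '/'

# Add a member; this user now holds Exchange Administrator indirectly.
$user = Get-MgUser -UserId 'debra.berger@contoso.example'   # placeholder UPN
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# Review: list each role-assignable group with its roles and members, because
# membership in these groups is equivalent to holding the admin role directly.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

Get-MgGroup -Filter 'isAssignableToRole eq true' -All | ForEach-Object {
    $g = $_
    $roles = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($g.Id)'" |
        ForEach-Object { $roleNames[$_.RoleDefinitionId] }
    $members = Get-MgGroupMember -GroupId $g.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
    [pscustomobject]@{
        Group   = $g.DisplayName
        Roles   = $roles -join ', '
        Members = $members -join ', '
    }
}
```

Running the review block on a schedule and comparing its output against the previous run shows when someone gains an admin role through group membership rather than a direct assignment.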

If you have queries or need clarification, please use the comment section or ping me at olusola@exabyte.com.ng


David

Microsoft Certified Trainer | CyberSecurity Enthusiast | DevOps