Wednesday, March 2, 2022

Azure AD RBAC: Custom roles for app management now available

Howdy folks, 


I’m very excited to kick off a series of announcements on capabilities related to Azure Active Directory (Azure AD) role-based access control (RBAC). These capabilities will support the enablement of fine-grained authorization and simplify management at scale for RBAC in Azure AD and Microsoft 365.


I’d like to start this series by sharing the general availability of custom roles for delegated app management.


Together, custom roles for app registration and enterprise apps provide fine-grained control over what access your admins have for app management. As a reminder, Azure AD custom roles require an Azure AD Premium P1 subscription.


Let’s see how Alice, a centralized IT admin at the fictitious company Contoso, can effectively and securely delegate app management.


Contoso uses custom roles for app management for secure app management delegation

Contoso, a geographically distributed organization, has a small, centralized IT team that manages the delegation of Azure AD roles. Senior IT admin Alice is responsible for delegating Azure AD roles by exercising least privilege to keep the IT system secure.


Charlie is the owner of the Contoso Sales application, one of the many line-of-business (LOB) applications at Contoso. Alice wants to delegate the access management of the LOB applications to their owners. Specifically, she wants to grant a role to Charlie so he can manage access to the Contoso Sales application.


Let’s see how Alice can build a new custom role for this scenario and assign it to Charlie.  

Create and assign a custom role

In the following example, Alice will create a custom role with just the permissions to manage user and group assignments for applications. Once the custom role is created, Alice can assign this role to Charlie with the scope of the Contoso Sales application. This will grant Charlie the ability to manage user and group assignments for the Contoso Sales application. 


Create a custom role 

  1. On the Roles and administrators tab, select New custom role.

  2. Provide a name and description for the role and select Next.

  3. Assign the permissions for the role. Search for credentials to select the permission.

  4. Review the new role. If everything looks good, select Create to create the new role.



Assign the custom role 

Like built-in roles, custom roles can be assigned at the directory level to grant access over all Enterprise applications. Additionally, you can assign custom roles over just one application, as shown in our example. This allows you to give the assignee the permission to manage user and group assignments for a single application without having to create a second custom role.


  1. Select the Enterprise applications tab and pick the application for which you want to give someone access to manage user and group assignments.

  2. Navigate to the new Roles and administrators tab. You’ll see the custom role created above.

  3. Select the role to open the assignment blade, select Add assignment, and then select a person to add to the role.

  4. The assignee can now navigate to the application’s Users and groups blade to verify that the Add user option is enabled.


That’s it. Charlie can now manage access to MyApp. You can refer here for additional documentation on the other roles you can create.
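The same create-and-assign flow can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the post or from Microsoft; the role name, the user principal name, the application display name and the two permission strings chosen for the role are assumptions for illustration.

```powershell
# Added example (not from the post). Assumes the Microsoft.Graph modules are
# installed and the caller can manage role definitions and assignments.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Application.Read.All","User.Read.All"

# 1. Create the custom role with only the permissions needed to read and
#    update user/group assignments on an enterprise application (assumed set).
$allowedResourceActions = @(
    "microsoft.directory/servicePrincipals/appRoleAssignedTo/read",
    "microsoft.directory/servicePrincipals/appRoleAssignedTo/update"
)
$rolePermissions = @{ allowedResourceActions = $allowedResourceActions }
$roleDefinition = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName "App User Assignment Manager" `
    -Description "Can manage user and group assignments for an enterprise app" `
    -RolePermissions $rolePermissions `
    -TemplateId (New-Guid).Guid `
    -IsEnabled:$true

# 2. Resolve the assignee and the enterprise application (its service principal).
#    The UPN and display name below are placeholders.
$user = Get-MgUser -Filter "userPrincipalName eq 'charlie@contoso.com'"
$app  = Get-MgServicePrincipal -Filter "displayName eq 'Contoso Sales'"

# 3. Assign the role scoped to that one application. A DirectoryScopeId of "/"
#    would grant the role over every enterprise app, which is what we avoid here.
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDefinition.Id `
    -PrincipalId      $user.Id `
    -DirectoryScopeId ("/" + $app.Id)

# 4. Verify: list the assignee's role assignments and confirm the new one is
#    bound to the application's object id rather than to "/".
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

The final query is the scripted counterpart of step 4 above: an unexpected "/" in DirectoryScopeId means the assignment is directory-wide rather than limited to the single app.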


What’s next

We're working on more great features for Azure AD RBAC, including additional capabilities around custom roles and administrative units, plus other least-privileged experiences that we think you’ll love. Stay tuned for coming announcements.


As always, we'd love to hear your feedback, thoughts, and suggestions. Feel free to share with us on the Azure AD administrative roles forum or leave comments below. We look forward to hearing from you.


Best regards, 

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management 

Microsoft Identity Division 


