Posted by: kurtsh | September 8, 2021

RELEASE: Use Azure AD “groups” to manage Azure AD “role” assignments

Assigning Azure AD roles to cloud groups is now generally available. The isAssignableToRole attribute on the group object is available in Graph v1.0 and in the latest version of AzureAD PowerShell.

Azure Active Directory (Azure AD) lets you target Azure AD groups for role assignments. Assigning roles to groups can simplify the management of role assignments in Azure AD with minimal effort from your Global Administrators and Privileged Role Administrators.

Why assign roles to groups?

Consider the example where the Contoso company has hired people across geographies to manage and reset passwords for employees in its Azure AD organization. Instead of asking a Privileged Role Administrator or Global Administrator to assign the Helpdesk Administrator role to each person individually, they can create a Contoso_Helpdesk_Administrators group and assign the role to the group. When people join the group, they are assigned the role indirectly. Your existing governance workflow can then take care of the approval process and auditing of the group’s membership to ensure that only legitimate users are members of the group and are thus assigned the Helpdesk Administrator role.
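
The Contoso scenario above, written with the AzureAD PowerShell module as an added example (not part of the original post). The description and mail nickname are constructed values, and the session is assumed to be signed in as a Privileged Role Administrator or Global Administrator.

```powershell
# Added example. Assumes the AzureAD module is installed.
Connect-AzureAD

# isAssignableToRole can only be set when the group is created and cannot be
# changed afterwards. The group must be security-enabled and use assigned
# (not dynamic) membership.
$group = New-AzureADMSGroup `
    -DisplayName 'Contoso_Helpdesk_Administrators' `
    -Description 'Members receive the Helpdesk Administrator role' `
    -MailEnabled $false `
    -SecurityEnabled $true `
    -MailNickname 'contosoHelpdeskAdministrators' `
    -IsAssignableToRole $true

# Look up the built-in role by display name and stop if it is not found.
$role = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
if (-not $role) { throw 'Helpdesk Administrator role definition not found.' }

# Assign the role to the group at tenant scope ('/').
New-AzureADMSRoleAssignment `
    -DirectoryScopeId '/' `
    -RoleDefinitionId $role.Id `
    -PrincipalId $group.Id | Out-Null

# Review step: confirm the group is role-assignable, list the roles it holds,
# and list who currently inherits them through membership.
Get-AzureADMSGroup -Id $group.Id |
    Select-Object DisplayName, IsAssignableToRole, SecurityEnabled

Get-AzureADMSRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId

Get-AzureADGroupMember -ObjectId $group.Id -All $true |
    Select-Object DisplayName, UserPrincipalName
```

The last three commands can be rerun on a schedule as a membership review, since every member of the group holds the role indirectly.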


Read how to implement this here:

