Azure Active Directory Gets New Custom Roles Capability -- Redmondmag.com

Azure Active Directory Gets New Custom Roles Capability

By Kurt Mackie
12/10/2015

Microsoft has added the ability to create and assign custom roles as part of its Azure Active Directory Service.

This new capability gives IT departments greater control over who can access, change or view Azure services within an organization. The custom roles capability today reached the "general availability" milestone, meaning that it's commercially released by Microsoft and is considered ready for use.

Microsoft has had a Role Based Access Control capability that has been in place for its Azure AD service since October. It comes with predefined role templates. IT pros can use the Role Based Access Control feature to assign permissions such as "owner," "contributor" or "reader" for those templated roles. What was lacking back then was the ability for organizations to customize those role templates or create new ones. Now that's possible, using the Azure command line interface tool, as well as PowerShell.

The role templates are JSON (JavaScript Object Notation) files. They can be edited, which lets IT pros specify more precisely what personnel can or cannot do. Microsoft recommends granting the least privileged access to Azure resources per role. Personnel should just have enough rights to carry out a job function.

The approach for modifying an existing template to create a new custom role is described in Microsoft's announcement. It's somewhat straightforward. However, the user has to understand what the Azure AD actions entail. To figure that out, the Get-AzureRmProviderOperation PowerShell commandlet can be used. It will list the operations associated with a particular Azure resource. IT pros can then select what they want and add those privileges into the JSON file to customize the role template.

After the JSON file is created or modified, it becomes available as custom role. It will appear as an icon, showing up in the Users blade of the Azure Portal. IT pros can then assign a user or a group to that custom role.

Microsoft also added a new capability to the Azure Portal. It now permits IT pros to view the resources available per role, according to the company's announcement.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.