Microsoft Broadens Azure Active Directory Role-Based Controls for IT Pros

Microsoft has added greater flexibility to its role-based access controls for IT pros using the Azure Active Directory service.

The added flexibility is for the Azure AD Identity Protection service, which was released as a preview in March, and for the Azure AD Privileged Identity Management service, which was first released as a preview in May of 2015 and updated three months later. Azure AD Identity Protection uses Microsoft machine learning technology to check for potentially compromised user accounts. Azure AD Privileged Identity Management, on the other hand, is a tool that lets global administrators set access permissions among IT staff and also check for improper security configurations.

Both tools are getting three new roles via an Azure AD service update. The new roles are "Privileged Role Administrator," "Security Administrator" and "Security Reader," according to Microsoft's announcement this week.

These new roles can be used to better address organizational needs, especially when there's a requirement to provide viewing access to security reports but the IT department doesn't want to create more "highly-privileged global administrators" to do so, according to Alex Simons, director of program management for the Microsoft Identity Division, in Microsoft's announcement.

For instance, IT pros previously needed to be a global administrator to have access to the Azure AD Identity Protection service, but "these new roles eliminate that requirement," Simons explained. Being a global administrator is still a requirement, though, to have control over the Azure AD Privileged Identity Management service, he added.

Here's how the new roles work for Azure AD Identity Protection, per Microsoft's announcement:

  • A Security Reader can "view reports and settings," but can't take actions
  • A Security Administrator can "view reports and manage settings," but can't reset user passwords

For those using Azure AD Privileged Identity Management, here's how the new roles work:

  • A Privileged Role Administrator can "manage settings and role assignments" and view the audit history
  • A Security Administrator or Security Reader can "view settings, role assignments," and the audit history

The new roles can be assigned using the Azure AD Privileged Identity Management service. The roles can be set for a specified time period or the assignments can be made permanent. Alternatively, PowerShell scripts can be used to check role status and assign users, as illustrated in Microsoft's announcement.

These new roles will be coming to other Microsoft products, too, according to Simons. They will "soon light up in other features and applications," he promised.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
