Microsoft Broadens Azure Active Directory Role-Based Controls for IT Pros

Microsoft has added greater flexibility to its role-based access controls for IT pros using the Azure Active Directory service.

The added flexibility is for the Azure AD Identity Protection service, which was released as a preview in March, and for the Azure AD Privileged Identity Management service, which was first released as a preview in May of 2015 and updated three months later. Azure AD Identity Protection uses Microsoft machine learning technology to check for potentially compromised user accounts. Azure AD Privileged Identity Management, on the other hand, is a tool for global administrators to set access permissions among IT staff and also to check for improper security configurations.

Both tools are getting three new roles via an Azure AD service update. The new roles are "Privileged Role Administrator," "Security Administrator" and "Security Reader," according to Microsoft's announcement this week.

These new roles can be used to better address organizational needs, especially when there's a requirement to provide viewing access to security reports but the IT department doesn't want to create more "highly-privileged global administrators" to do so, according to Alex Simons, director of program management for the Microsoft Identity Division, in Microsoft's announcement.

For instance, IT pros previously needed to be a global administrator to have access to the Azure AD Identity Protection service, but "these new roles eliminate that requirement," Simons explained. Being a global administrator is still a requirement, though, to have control over the Azure AD Privileged Identity Management service, he added.

Here's how the new roles work for Azure AD Identity Protection, per Microsoft's announcement:

  • A Security Reader can "view reports and settings," but can't take actions
  • A Security Administrator can "view reports and manage settings," but can't reset user passwords

For those using Azure AD Privileged Identity Management, here's how the new roles work:

  • A Privileged Role Administrator can "manage settings and role assignments" and view the audit history
  • A Security Administrator or Security Reader can "view settings, role assignments" and the audit history

The new roles can be assigned using the Azure AD Privileged Identity Management service. The roles can be set for a specified time period or the assignments can be made permanent. Alternatively, PowerShell scripts can be used to check role status and assign users, as illustrated in Microsoft's announcement.

These new roles will be coming to other Microsoft products, too, according to Simons. They will "soon light up in other features and applications," he promised.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
