Azure Active Directory Custom Roles for Apps Capability Released
Azure Active Directory now permits delegating administrative privileges for particular applications, which can be an IT personnel assignment perk for organizations.
This role-based access control (RBAC) enhancement, called "custom roles for delegated app management," is now commercially released at the "general availability" stage, Microsoft announced this week. It permits IT administrators with certain privileges to assign app management roles for both "single-tenant applications" and "multitenant applications," per this Microsoft document.
The RBAC custom roles assignment capability also applies to "enterprise apps," as described in this Microsoft document. Microsoft's documents don't define what's meant by tenant apps vs. enterprise apps, though.
Microsoft's announcement and linked documents weren't explicit about assigner privileges for the custom roles feature. However, it generally seems that only IT pros with "Privileged Role Administrator or Global Administrator" roles have that capability, per this Azure AD roles scoping document.
Moreover, IT departments wanting to assign app management roles to IT personnel need to have Azure AD Premium P1 subscriptions to use the new custom roles capability. The P1 plan is needed for both tenant app and enterprise app custom role assignments.
IT administrators with the right privileges and P1 subscriptions can make these custom roles assignments using the Azure Portal.
More Azure AD RBAC capabilities will be coming in the near future, Microsoft promised. The team is specifically working on "custom roles and administrative units, plus other least-privileged experiences," explained Alex Simons, corporate vice president of program management for the Microsoft Identity Division, in the announcement.
Microsoft's idea is to enable least-privileged access for IT pros for security purposes, combining "fine-grained authorization" with a simplified management experience. Those perks will be delivered "at scale for RBAC in Azure AD and Microsoft 365," Simons suggested.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.