
I am looking for a way of tailoring custom RBAC (granting access\creating role & assigning permissions) to specific Azure AD blade.
In fact, I want my end user with a custom role to be able to modify only certain settings in Azure AD blade.
Here's the screenshot:

Azure AD blades

For example, I want the permissions to register an app (using App registration blade) and also permissions to manage this newly registered app via Enterprise applications blade.

The reason is that despite the Azure AD option "Users can register applications" (Azure AD – User Settings – App registrations – Users can register applications)

Even if you do allow users to register single-tenant LOB apps, there are limits to what can be registered. For example, developers who are not directory admins:

  • Users cannot make a single-tenant app a multi-tenant app.
  • When registering single-tenant LOB apps, users cannot request app-only permissions to other apps.
  • When registering single-tenant LOB apps, users cannot request delegated permissions to other apps if those permissions require admin consent.
  • Users cannot make changes to apps that they are not owners of. Source

According to resource provider enumeration, Microsoft.AzureActiveDirectory provider

is not a full ARM provider and does not provide any ARM operations.

so I cannot create a custom JSON template like:

Microsoft.AzureActiveDirectory/*/read

and import it via

New-AzureRmRoleDefinition 

cmdlet.

The only possible actions with Microsoft.AzureActiveDirectory provider I've found are

  • register the resource provider
  • work with B2C directory.

In my case, B2B is used.

Sergey

1 Answer

Unfortunately, you cannot achieve this for now.

First, Custom RBAC is for subscription resources, not for Azure AD features access.

For Azure AD, we can assign Azure AD directory roles to users for different access management. It's different from the RBAC for subscriptions. For now, there are three main types of roles in Azure AD: User, Global administrator, Limited administrator.

If you want to assign some limited access to a user, you need to select the Limited administrator role and choose the right one for the user:

However, those limited admin roles cannot be customized. We can only choose one or some of those roles in the list.

See more details about Assign roles in Azure AD in this document.

Additionally, there are many customers who have come across issues like yours. They post their ideas on this UserVoice page and the Azure AD team reviews those ideas and responds to them. So I also suggest you post your idea or upvote a similar idea on that page.

Hope this helps!

Wayne Yang
  • Very sad to hear that. Thank you for the explanation. – Sergey Jan 25 '18 at 09:14
  • May I ask you the following - in order to grant permissions for my custom app via App registrations blade which kind of admin permissions should I have? I've tested Conditional Access admin, User Admin, Service Admin - still no luck, error is `{"errorCode":"Authorization_RequestDenied","localizedErrorDetails":{"errorDetail":"This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators` – Sergey Jan 25 '18 at 14:21
  • Hi, @Sergey, If you want to use App registration by users, you can enable `Users can register applications` in `user settings` to be Yes. But all users can register applications. If you set it to be NO, only admin roles can register applications. – Wayne Yang Jan 26 '18 at 02:56
  • Yes, I know, but I'm asking about the permissions granting - in fact when specific API is selected (e.g. Graph API) and specific permissions are checked - the next step is to click on "Grant permissions" button, which shows the error above if the current user is not in Global admin role. – Sergey Jan 26 '18 at 07:05
  • @Sergey. Sorry for my misunderstanding. The error message is right. The Grant permissions needs an admin role. So, if you want to Grant permissions to an app, you need to be a `Global admin`. We cannot just assign a limited admin to a user to do that. – Wayne Yang Jan 26 '18 at 07:33
  • @ Wayne Yang - MSFT , I understand. Thank you for your time! – Sergey Jan 26 '18 at 08:07
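The check behind both the question's provider enumeration and the answer's point that custom RBAC covers ARM resources only, as an added example (not code from the question, the answer, or Microsoft): it uses the AzureRM cmdlets the question names, and assumes `Microsoft.Authorization` as a contrast provider that does expose operations and a placeholder subscription id.

```powershell
# Added example, not from the original post. Before writing a custom role
# definition, confirm the provider actually exposes ARM operations; a role
# that references a provider with none (Microsoft.AzureActiveDirectory here)
# cannot grant anything. Microsoft.Authorization is an assumed contrast case.
function Test-ProviderHasArmOperations {
    param([Parameter(Mandatory)][string]$Namespace)
    $ops = Get-AzureRmProviderOperation -OperationSearchString "$Namespace/*"
    [pscustomobject]@{
        Namespace      = $Namespace
        OperationCount = @($ops).Count
        UsableInRole   = (@($ops).Count -gt 0)   # $false for Azure AD
    }
}

'Microsoft.AzureActiveDirectory', 'Microsoft.Authorization' |
    ForEach-Object { Test-ProviderHasArmOperations -Namespace $_ }

# A custom role is only meaningful for operations the provider lists. This
# clones the built-in Reader role as a template and keeps a single
# subscription-scoped action; the subscription id is a placeholder.
$role = Get-AzureRmRoleDefinition -Name 'Reader'
$role.Id = $null
$role.Name = 'Role Assignment Reader (custom)'
$role.Description = 'Read role assignments only; grants no Azure AD directory access'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Authorization/roleAssignments/read')
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add('/subscriptions/<SUBSCRIPTION-ID-PLACEHOLDER>')
New-AzureRmRoleDefinition -Role $role
```

Directory permissions such as registering apps or granting admin consent never appear in that operation list, which is why they have to come from an Azure AD directory role instead.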