Azure AD role permission to block users? - need this to be granular

ASaurdiff 106 Reputation points
2021-01-13T21:18:05.003+00:00

I am looking into granting our Tier I techs access to do minor changes to users so they can help manage them. Currently we just have higher tier techs access to the user Admin role, we of course don't want them to do that. Can anyone tell me what permission I need to set up in a custom role for this to happen?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2021-01-13T22:19:35.45+00:00

    If you are looking to block sign ins for user accounts, you are right that you need the User Administrator role. Unfortunately, as you correctly called out, that role will also give extra permissions. Custom roles can be assigned either at the directory-level scope or an app registration resource scope only. The RBAC team is working on adding the ability to use custom roles for user management, but it's not available yet. Feature requests can be created and tracked in User Voice.

    You do have the option to leverage Azure AD PIM so that users can only activate the role as needed and any tasks beyond user blocking are audited.

    You could also create a function or logic app that has the role to block the users.

    Would love to hear any feedback on the admin roles in Azure AD, and happy to answer any questions. I have also forwarded your request along to someone from the RBAC team.

    1 person found this answer helpful.

5 additional answers

  1. ASaurdiff 106 Reputation points
    2021-01-13T22:39:00.027+00:00

    I will be looking further into this feature, but I did notice in the Directory Writers permissions that there are actions that allow disabling and signing out all users. Would I not be able to create a custom role with these specific actions, available only to the users holding this custom role?

    https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator

    P.S. my current role in the org doesn't allow me to create the role yet. I am looking into this for our Azure Systems to understand what the request is.

    1 person found this answer helpful.

  2. AdminAS 146 Reputation points
    2022-02-09T17:41:23.403+00:00

    Hello @Andrés ,

    This was an old thread and question. To be honest, this concern was alleviated by the lack of interest to move forward in my company, unfortunately. That being said, my experience with other options may be of help. If I may suggest utilizing a PowerApp: if you are a MSoft 'shop' then you may have this as an option, and this type of app may be simple to spool up. The resources needed would be: PowerApps, SharePoint list, Enterprise application, Runbook (maybe a logic app action, not sure on that), and Logic app. It may seem daunting but would alleviate this type of problem. You can manage who can submit to the PowerApp, limiting the security exposure. You can set aside and secure the Enterprise application password (which would have the elevated permissions), and if done right, you can have simple users quickly block or lock out suspicious users. Maybe even try and notify users or supervisors involved.

    Here is the "idea" template I would do...

    Create a SPO list for submission details (name, email, User object, date, so on...)
    Create a resource group with Logic App, Azure automation (which can create a RunAs Enterprise application)
    PowerApp with a simple form submission of the SPO list
    Logic app: reacts after form submission to SPO and sends the data to a runbook in Azure Automation
    Runbook (in Azure Automation): runs the PowerShell scripts to disable/block or revoke the user AS the enterprise app

    I hope this helps guide you into an interesting solution for your dilemma. This type of "tool" is a super useful start for a quick Tier I response to these type of security incidents but may start you down the same road I had. Of course this a very large overview of all that is needed but research & learning is always beneficial :) Enjoy.

    1 person found this answer helpful.
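The runbook step that both the accepted answer (a function or logic app holding the blocking permission) and the PowerApp design above leave unwritten, as an added example that is not code from the thread. It assumes the Azure Automation account has a system-assigned managed identity granted the Graph application permissions User.EnableDisableAccount.All and User.RevokeSessions.All (or User.ReadWrite.All) and has the Microsoft.Graph modules imported; the Run As enterprise application mentioned in the thread has since been retired, so the managed identity takes its place.

```powershell
# Added example runbook: block sign-in for one reported user from Azure Automation,
# so Tier I staff submit a form and never hold the User Administrator role themselves.
# Assumptions: system-assigned managed identity with User.EnableDisableAccount.All
# and User.RevokeSessions.All; Microsoft.Graph modules imported into the account.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName,   # value copied from the SharePoint list item by the Logic App

    [Parameter(Mandatory = $true)]
    [string]$RequestedBy,         # the Tier I submitter, kept for the audit trail

    [string]$Reason = "Suspicious sign-in reported via PowerApp"
)

$ErrorActionPreference = "Stop"

# Authenticate as the Automation account's managed identity, not as a person.
Connect-MgGraph -Identity -NoWelcome

# Resolve the account first so a typo in the form fails loudly instead of doing nothing.
$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled

if (-not $user.AccountEnabled) {
    Write-Output "$($user.UserPrincipalName) is already blocked; nothing to do."
    return
}

# 1. Block sign-in: the same switch the portal's "Block sign in" button flips.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Invalidate refresh tokens so sessions already established cannot keep running.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Emit one structured record to the job output so the action can be reviewed later.
[pscustomobject]@{
    Action      = "BlockSignIn"
    User        = $user.UserPrincipalName
    ObjectId    = $user.Id
    RequestedBy = $RequestedBy
    Reason      = $Reason
    Timestamp   = (Get-Date).ToUniversalTime().ToString("o")
} | ConvertTo-Json -Compress
```

Because the runbook only disables and revokes, the identity behind it needs none of the password, group or role permissions that come bundled with the User Administrator role, which is the separation the question asks for.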

  3. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2021-01-14T17:01:47.493+00:00

    As we suspected, I heard back that this option is not available yet. They are actively working on making it available though!

    Until then PIM or the logic app might be the best option if you don't want to assign the User Admin role long-term.


  4. Andrés 6 Reputation points
    2022-02-09T15:58:58.107+00:00

    Hello all,

    This is an old thread but is exactly what I am looking for and a person with clear knowledge of what is required replied, so I think it is relevant to resume on this thread.

    Question: Has any progress been made on this? A real world example:

    I'm the "everything" administrator on my company but my day-to-day account is not a GA just to be on the safe side. I do have a separate very well protected Global Admin account which I use for administrative tasks.

    Today there was a suspicious authentication attempt and I wanted to very quickly disable the possibly compromised account, since I had contacted all the actors and it wasn't any of us.

    I quickly went to admin.microsoft.com and of course, since my account is not an admin (just a viewer), whenever I would click "block logins" it would just reply that I don't have permission. It took me a few moments to realize that this account was not authorized for that.

    All of this while I am on a crowded bus and with very spotty connectivity.

    So, the next step is to open a new InPrivate browser window on the phone, log in with the other account (had to retry more than once because of bad signal), then try to get the FIDO key to work on my cell (NFC didn't work, USB was glitchy)... All in all, it took me like 5 minutes to be able to log in with this GA account (blushing-emoticon-here) in order to be able to disable the suspicious account while I got to the office to check what was going on (false alarm: it was some Microsoft service trying to log in after I had invalidated all 2-factor sessions, or something along those lines).

    I would really like to give a permission to just "lock out" someone else to some regular accounts / trusted people. Not change passwords, groups or privileges. Simply block. That way if the admin is not able to notice, or act upon some security situation, someone else can quickly take [preemptive] action before the whole thing escalates.

    A quick reaction during a suspected infiltration is key, before they create secondary accounts, assign privileges or perform some other activities that compromise the whole tenant.

    So, any progress on this? Having it would really improve security across the AAD-verse.

    1 person found this answer helpful.
