Can I assign Azure built in roles (RBAC) to security groups when setting up GDAP?

Cooper Yap 20 Reputation points
2023-04-06T22:59:24.8033333+00:00

When setting up granular delegated admin privileges, as the partner, can I assign Azure built-in roles (RBAC) to our security groups, such as Contributor roles, to enable my added users to work with or manage an Azure resource? Or are we limited to only Azure AD roles?


Accepted answer
  Sandeep G-MSFT 15,086 Reputation points Microsoft Employee
    2023-04-10T08:37:35.2866667+00:00

    @Cooper Yap There are 2 different sets of roles in Azure.

    1. Azure roles
    2. Azure AD roles

    If you want users of the security group to manage resources in Azure, then you assign an Azure role to the security group. For example: creating resources, managing resources, creating resource groups, managing particular tasks for a resource, etc. You can look into the article below to get more information about built-in roles in Azure.
    https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

    If you want users of the security group to manage anything under Azure AD, then you will have to assign Azure AD roles to the security group. For example: user management, group management, application management, authentication management, etc. You can look into the article below to get more information about built-in roles in Azure.
    https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

    In both cases you can create custom roles. Depending on what you want to access or manage, you need to assign that specific role to the security group. In your case, if you want to assign a role to manage resource groups in Azure AD, then you can assign Azure roles to the group.

    Let me know if you have any further questions. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

  Aneesh Varghese 35 Reputation points
    2024-04-20T22:52:39.3733333+00:00

    You can assign Azure built-in or custom roles to a security group. However, there are some caveats.

    Both Entra ID and Azure allow for the creation of custom role-based access control (RBAC) roles. To create custom roles in Entra ID, you’ll need either a P1 or P2 license. These custom or built-in roles can only be assigned to role-assignable groups within Entra ID. Please note that there are limits: a single tenant can have a maximum of 100 custom roles and up to 500 role-assignable groups.

    On the other hand, Azure roles provide more flexibility. Each tenant can have up to 5000 custom roles. Furthermore, these custom roles or built-in Azure roles can be assigned to any security groups, not just role-assignable ones. Hope this helps :-)

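The two assignment types both answers describe, shown as an added PowerShell example (not code from either answer or from Microsoft): a built-in Azure role (Contributor) assigned to an ordinary security group at resource-group scope, and a built-in Entra ID role (User Administrator) assigned to a group that was created as role-assignable. It assumes the Az and Microsoft.Graph modules are installed, that `Connect-AzAccount` and `Connect-MgGraph` have already been run with enough rights to create the assignments, and that the subscription ID, resource-group name and group names are placeholders you replace with your own. The GDAP relationship itself is set up in Partner Center and is not part of this script.

```powershell
# Added example, not from the original thread. Demonstrates the two role systems the
# answers distinguish: Azure (RBAC) roles, assignable to any security group, and
# Entra ID roles, assignable only to role-assignable groups.
# Assumes: Az + Microsoft.Graph modules installed; Connect-AzAccount and Connect-MgGraph
# already done. Every ID and name below is a placeholder to replace.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription
$resourceGroup  = 'rg-customer-workloads'                 # placeholder resource group
$azureGroupName = 'sg-partner-azure-operators'            # ordinary security group (placeholder)
$entraGroupName = 'sg-partner-user-admins'                # role-assignable group (placeholder)

Set-AzContext -SubscriptionId $subscriptionId | Out-Null
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# --- 1. Azure role -> any security group ---------------------------------------------
# Contributor at resource-group scope lets members manage resources in that group only;
# scoping to the resource group rather than the subscription keeps the grant narrow.
$azureGroup = Get-AzADGroup -DisplayName $azureGroupName
if (-not $azureGroup) { throw "Security group '$azureGroupName' not found" }

$existing = Get-AzRoleAssignment -ObjectId $azureGroup.Id `
                                 -RoleDefinitionName 'Contributor' -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $azureGroup.Id `
                         -RoleDefinitionName 'Contributor' `
                         -Scope $scope | Out-Null
}

# --- 2. Entra ID role -> role-assignable group only ----------------------------------
# IsAssignableToRole is fixed at creation time, so a group that lacks it cannot be
# converted; the script creates a new one in that case and refuses a non-assignable group.
$entraGroup = Get-MgGroup -Filter "displayName eq '$entraGroupName'" `
                          -Property Id,DisplayName,IsAssignableToRole
if (-not $entraGroup) {
    $entraGroup = New-MgGroup -DisplayName $entraGroupName `
                              -MailEnabled:$false `
                              -MailNickname ($entraGroupName -replace '[^a-zA-Z0-9]', '') `
                              -SecurityEnabled:$true `
                              -IsAssignableToRole:$true
}
elseif (-not $entraGroup.IsAssignableToRole) {
    throw "'$entraGroupName' is not role-assignable; Entra ID roles cannot be assigned to it"
}

$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $entraGroup.Id `
                                            -RoleDefinitionId $roleDef.Id `
                                            -DirectoryScopeId '/' | Out-Null

# --- 3. Verify what each group now holds --------------------------------------------
Get-AzRoleAssignment -ObjectId $azureGroup.Id -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope

Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($entraGroup.Id)'" `
                                            -ExpandProperty RoleDefinition |
    Select-Object @{ n = 'Role'; e = { $_.RoleDefinition.DisplayName } }, DirectoryScopeId
```

The verification step at the end is the part worth keeping in a review checklist: listing assignments per group at the scope you expect makes it obvious when an Azure role has been granted at subscription scope instead of resource-group scope, or when an Entra ID role assignment silently failed because the target group was not role-assignable.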