Scope permissions to large number of azure AD groups. Group level RBAC permissions.

Question

Is there a solution available to do RBAC on group level? I want a azure AD group of users to manage the membership of 150 azure AD groups.

Currently default/custom roles are scoped to the whole directory or can be scoped to only 1 group. Currently PIM doesn't allow multi value scope options?

Group owner field, doesn't accept groups only single users.

Fine-Grained Access Control doesn't seem to be possible on allot of groups.

Answer 1

Hello

I understand you need Group Level RBAC assignment

Have you been through this

A role assignment is the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment.

The following diagram shows an example of a role assignment. In this example, the Marketing group has been assigned the Contributor role for the pharma-sales resource group. This means that users in the Marketing group can create or manage any Azure resource in the pharma-sales resource group. Marketing users do not have access to resources outside the pharma-sales resource group, unless they are part of another role assignment.

A role assignment is the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment.

The following diagram shows an example of a role assignment. In this example, the Marketing group has been assigned the Contributor role for the pharma-sales resource group. This means that users in the Marketing group can create or manage any Azure resource in the pharma-sales resource group. Marketing users do not have access to resources outside the pharma-sales resource group, unless they are part of another role assignment.

https://learn.microsoft.com/en-us/azure/role-based-access-control/overview

You may also consider administrative units.

https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units

You can assign multiple users on a Unit :

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Answer 2

Hello bdy

Azure AD allows you to implement RBAC on group level by using Azure AD groups. You can assign roles to Azure AD groups and manage the membership of these groups. When an organization uses Azure AD groups, a groups claim is included in the token that specifies the identifiers of all of the groups to which the user is assigned within the current Azure AD tenant.

However, it is important to note that the default/custom roles are scoped to the whole directory or can be scoped to only 1 group. Currently, PIM doesn't allow multi-value scope options. The group owner field doesn't accept groups, only single users. Fine-Grained Access Control doesn't seem to be possible on a lot of groups.

To manage the membership of 150 Azure AD groups, you can create an Azure AD group and add the users who need to manage the membership of these groups to this group. Then, you can assign the appropriate roles to this Azure AD group

For more information on how to implement RBAC on group level, please refer to the following link: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-manage-access-azure-portal.

Please let me know if you have any further questions.

Please accept answer and upvote if the above information is helpful for the benefit of the community.