Scope permissions to a large number of Azure AD groups. Group-level RBAC permissions.

bdy 20 Reputation points
2023-05-22T08:53:22.35+00:00

Is there a solution available to do RBAC on group level? I want an Azure AD group of users to manage the membership of 150 Azure AD groups.

Currently default/custom roles are scoped to the whole directory or can be scoped to only 1 group. Currently PIM doesn't allow multi-value scope options?

The group owner field doesn't accept groups, only single users.

Fine-grained access control doesn't seem to be possible on a lot of groups.


Accepted answer
  1. Konstantinos Passadis 19,586 Reputation points MVP
    2023-05-22T09:01:54.41+00:00

    Hello

    I understand you need Group Level RBAC assignment

    Have you been through this

    A role assignment is the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment.

    The following diagram shows an example of a role assignment. In this example, the Marketing group has been assigned the Contributor role for the pharma-sales resource group. This means that users in the Marketing group can create or manage any Azure resource in the pharma-sales resource group. Marketing users do not have access to resources outside the pharma-sales resource group, unless they are part of another role assignment.

    Diagram showing how security principal, role definition, and scope create a role assignment.


    https://learn.microsoft.com/en-us/azure/role-based-access-control/overview

    You may also consider administrative units.

    https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units

    You can assign multiple users on a Unit :


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


1 additional answer

  1. Tech-Hyd-1989 5,816 Reputation points
    2023-05-22T09:00:24.7666667+00:00

    Hello bdy

    Azure AD allows you to implement RBAC on group level by using Azure AD groups. You can assign roles to Azure AD groups and manage the membership of these groups. When an organization uses Azure AD groups, a groups claim is included in the token that specifies the identifiers of all of the groups to which the user is assigned within the current Azure AD tenant.

    However, it is important to note that the default/custom roles are scoped to the whole directory or can be scoped to only 1 group. Currently, PIM doesn't allow multi-value scope options. The group owner field doesn't accept groups, only single users. Fine-Grained Access Control doesn't seem to be possible on a lot of groups.

    To manage the membership of 150 Azure AD groups, you can create an Azure AD group and add the users who need to manage the membership of these groups to this group. Then, you can assign the appropriate roles to this Azure AD group.

    For more information on how to implement RBAC on group level, please refer to the following link: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-manage-access-azure-portal.

    Please let me know if you have any further questions.

    Please accept answer and upvote if the above information is helpful for the benefit of the community.

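
Both answers point at the same building blocks (an administrative unit as the scope, and a group as the principal of a role assignment) without showing them wired together. The following is an added example, not code from the question or from either answer, that does the delegation end to end with the Microsoft Graph PowerShell SDK: the groups to be managed are collected into one administrative unit, a role-assignable group is created for the delegated admins, and the built-in Groups Administrator role is assigned to that group scoped to the unit only, so its members can change membership of those groups and nothing else. The group names (`Project-*`, `AU-Project-Groups`, `Project-Group-Managers`) are assumptions for illustration; replace the selection filter with your own.

```powershell
# Added example (not from the question or either answer): delegate membership
# management of many Azure AD groups to one Azure AD group by placing the
# managed groups in an administrative unit (AU) and assigning the built-in
# Groups Administrator role to a role-assignable group, scoped to that AU.
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
# Names such as 'Project-', 'AU-Project-Groups' and 'Project-Group-Managers'
# are assumptions for illustration.

Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'Group.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory'

# 1. Select the groups whose membership will be delegated. Here: every group
#    whose display name starts with 'Project-' (assumed naming convention).
$managedGroups = Get-MgGroup -Filter "startswith(displayName,'Project-')" -All
if (-not $managedGroups) { throw 'No groups matched; refusing to create an empty scope.' }

# 2. Create the administrative unit that defines the scope of the delegation.
$au = New-MgDirectoryAdministrativeUnit -DisplayName 'AU-Project-Groups' `
        -Description 'Scope for delegated group membership management'

# 3. Add each managed group as a member of the administrative unit.
foreach ($g in $managedGroups) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/groups/$($g.Id)" }
}

# 4. Create the group that holds the delegated admins. It must be created as
#    role-assignable (IsAssignableToRole cannot be switched on afterwards).
#    Membership of a role-assignable group can only be changed by Privileged
#    Role Administrators / Global Administrators, which protects the
#    delegation itself from being widened by the delegates.
$admins = New-MgGroup -DisplayName 'Project-Group-Managers' `
            -MailNickname 'project-group-managers' `
            -MailEnabled:$false -SecurityEnabled -IsAssignableToRole

# 5. Assign Groups Administrator to that group, scoped to the AU only.
#    The directoryScopeId format '/administrativeUnits/{id}' is what Graph
#    expects for an AU-scoped assignment; '/' would mean the whole tenant.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Groups Administrator'"
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId      $admins.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 6. Verify the result: every assignment held by the delegate group should be
#    AU-scoped. A '/' scope would mean tenant-wide rights slipped in.
$check = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($admins.Id)'"
$check | Select-Object RoleDefinitionId, DirectoryScopeId
if ($check.DirectoryScopeId -contains '/') {
    Write-Warning 'A directory-wide assignment exists for this delegate group; review it.'
}
```

Members of `Project-Group-Managers` can then add and remove members of the groups inside `AU-Project-Groups` (the users they add do not themselves need to be in the AU), but they get no rights over groups outside it and cannot change who is in the delegate group. Because the scope is the AU rather than a role assignment per group, adding the 151st group later is one `New-MgDirectoryAdministrativeUnitMemberByRef` call, not a new role assignment. Keep in mind that role-assignable groups are capped per tenant and that AU-scoped administration is an Azure AD Premium P1 feature for the delegated admins; check the current limits in the Microsoft Learn pages linked in the accepted answer before rolling this out at scale.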
