Custom Roles in Azure don't meet my requirements

Hi!

I have a scenario where I want to add a few users to an Administrative Unit and make one user amongst them a 'Security Admin'. This user needs to be able to read sign-in logs of only the users in that Administrative Unit.

I tried creating a Custom Role and added the microsoft.directory/signInReports/allProperties/read permission along with other Group-related permissions and scoped it to that Administrative Unit. It didn't work.

So far, no matter what I try, I'm either able to read the sign-in logs of all the users in the Directory, or not able to read the logs of any user at all.

My question is, is it possible to make the microsoft.directory/signInReports/allProperties/read permission scoped to the Administrative Unit? If not, is there a workaround to solve this problem and achieve the same goal?

Thanks!

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Vasil Michev 119.9K Reputation points MVP Volunteer Moderator
2023-06-08T07:41:44.03+00:00

You cannot scope this permission to specific AUs only. If you don't want to expose the full set of logs in your app, you'll have to filter them based on the AU membership yourself.
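The workaround in the answer (filter the sign-in logs in your own app by AU membership) sketched out as an added example; this is not code from the post or from Microsoft. It assumes the app has already fetched the AU member list (Graph `GET /v1.0/directory/administrativeUnits/{id}/members`) and the sign-in records (`GET /v1.0/auditLogs/signIns`, optionally with a `$filter` on `userId`), and works on constructed sample records rather than live Graph calls. The object ids and UPNs below are made up.

```python
"""Client-side scoping of Entra sign-in logs to one Administrative Unit (added example).

Because the signInReports read permission cannot be AU-scoped, the app still
reads ALL sign-ins; the AU restriction is enforced here, in app code, not by
Entra RBAC. Treat the app credential as tenant-wide audit-log access.
"""
from typing import Iterable

USER_TYPE = "#microsoft.graph.user"


def au_user_ids(members: Iterable[dict]) -> set[str]:
    """Object ids of users that are DIRECT members of the AU.

    Groups or devices placed in an AU are ignored: putting a group in an AU
    scopes the group object itself, not the people inside it, so their
    sign-ins are not in scope for this role.
    """
    return {m["id"] for m in members if m.get("@odata.type") == USER_TYPE}


def odata_user_filter(user_id: str) -> str:
    """$filter value for /auditLogs/signIns restricted to one user.

    One query per AU member keeps the filter simple; single quotes inside the
    literal are doubled per OData escaping (ids are GUIDs, so this is belt and
    braces against malformed input reaching the query string).
    """
    literal = user_id.replace("'", "''")
    return f"userId eq '{literal}'"


def scope_sign_ins(sign_ins: Iterable[dict], allowed_users: set[str]) -> list[dict]:
    """Keep only records belonging to AU users.

    Applied even to server-filtered results, so a dropped or mistyped $filter
    cannot leak another user's sign-ins. Records without a userId are dropped
    rather than shown, since their owner cannot be proven to be in scope.
    """
    return [s for s in sign_ins if s.get("userId") in allowed_users]


# ---- constructed sample data (shapes follow Graph, values are made up) ----
AU_MEMBERS = [
    {"@odata.type": "#microsoft.graph.user", "id": "00000000-0000-0000-0000-000000000001",
     "userPrincipalName": "alice@contoso.example"},
    {"@odata.type": "#microsoft.graph.user", "id": "00000000-0000-0000-0000-000000000002",
     "userPrincipalName": "bob@contoso.example"},
    {"@odata.type": "#microsoft.graph.group", "id": "00000000-0000-0000-0000-0000000000a1",
     "displayName": "AU helpdesk"},
]

SIGN_INS = [
    {"id": "si-1", "userId": "00000000-0000-0000-0000-000000000001", "appDisplayName": "Outlook"},
    {"id": "si-2", "userId": "00000000-0000-0000-0000-000000000002", "appDisplayName": "Teams"},
    {"id": "si-3", "userId": "00000000-0000-0000-0000-000000000009", "appDisplayName": "Teams"},  # not in AU
    {"id": "si-4", "userId": "00000000-0000-0000-0000-000000000001", "appDisplayName": "Azure portal"},
    {"id": "si-5", "appDisplayName": "Unknown"},  # no userId: never shown
]


def demo() -> list[dict]:
    """Sign-ins the AU-scoped admin is allowed to see from the sample data."""
    allowed = au_user_ids(AU_MEMBERS)
    return scope_sign_ins(SIGN_INS, allowed)


if __name__ == "__main__":
    for rec in demo():
        print(rec["id"], rec["userId"], rec["appDisplayName"])
```

Since the app credential can read every user's sign-ins, the filtering code is the only control between the AU admin and the rest of the tenant: keep it small, keep the credential out of the admin's reach, and log which user requested which AU's logs so the app's own use of the broad permission is auditable.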