Difficulty creating a custom role with specific permissions

Hari Sheth 0 Reputation points
2023-09-04T22:21:58.8266667+00:00

Hello,

I am trying to create a custom role on the Azure portal that includes a number of permissions from the existing Auth Admin role. However, I cannot find certain permissions such as microsoft.directory/users/authenticationMethods/create, microsoft.directory/users/authenticationMethods/delete, and microsoft.directory/users/authenticationMethods/basic/update.

Is this a limitation of the GUI or the custom role ability as a whole?

Any advice is appreciated.

Regards, Hari

Azure Role-based access control

3 answers

  1. Givary-MSFT 29,351 Reputation points Microsoft Employee
    2023-09-06T07:48:44.72+00:00

    @Hari Sheth Thank you for reaching out to us. As I understand it, you are trying to create a custom Azure AD role with the following permissions:

    microsoft.directory/users/authenticationMethods/create

    microsoft.directory/users/authenticationMethods/delete

    microsoft.directory/users/authenticationMethods/basic/update

    The above permissions are defined in the built-in roles themselves; these permissions are not available for custom roles.

    As per https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-user-permissions, only these user permissions are available for custom roles.

    You can share your feedback on https://feedback.azure.com/d365community to have more user-specific permissions added for custom roles, with a business justification, as this feedback is closely reviewed by our product team.

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.


  2. Hari Sheth 0 Reputation points
    2023-09-07T02:04:05.27+00:00

    Hello Givary,

    Thanks for getting back to me.

    I did manage to create the custom role using PowerShell. The only permission I could not add is

    "microsoft.directory/users/invalidateAllRefreshTokens" (here is screenshot)

    [Screenshot: Custom Role]

    But even when this role is assigned to a user, they can't edit anything on the Auth Admin blade (see screenshot below).

    [Screenshot: role testing]

    Any assistance or clarification will be appreciated.

    Kind Regards,

    Hari

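A scripted way to define, verify and assign a least-privilege role of this kind, added here as an example and not code from this thread: it uses the Microsoft Graph PowerShell SDK (cmdlets as documented by Microsoft) and assumes the signed-in account is allowed to create custom roles; the object IDs are placeholders.

```powershell
# Added example: define and assign a least-privilege custom Entra ID (Azure AD) role
# with the Microsoft Graph PowerShell SDK. Not code from this thread.
# Assumptions: Microsoft.Graph modules installed; the signed-in account may create
# custom roles; $userObjectId below is a placeholder you replace.
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory'

# The three permissions named in the question. The service validates the whole
# definition, so one unsupported action fails the request (the catch shows which).
$allowedActions = @(
    'microsoft.directory/users/authenticationMethods/create',
    'microsoft.directory/users/authenticationMethods/delete',
    'microsoft.directory/users/authenticationMethods/basic/update'
)

$roleBody = @{
    displayName     = 'MFA Method Reset (custom)'
    description     = 'Create, update and delete user authentication methods only'
    isEnabled       = $true
    rolePermissions = @(@{ allowedResourceActions = $allowedActions })
}

try {
    $role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleBody
} catch {
    # Typical failure: one of the actions is not permitted in custom roles.
    Write-Error "Role definition rejected: $($_.Exception.Message)"
    return
}

# Read the definition back and confirm every requested action was stored.
$stored  = (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id).RolePermissions.AllowedResourceActions
$missing = $allowedActions | Where-Object { $_ -notin $stored }
if ($missing) { Write-Warning "Not stored: $($missing -join ', ')" }

# A definition grants nothing until it is assigned. '/' is tenant-wide; narrow the
# scope (for example '/administrativeUnits/<id>') where your tenant supports it.
$userObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder: helpdesk user
$assignBody = @{
    '@odata.type'    = '#microsoft.graph.unifiedRoleAssignment'
    roleDefinitionId = $role.Id
    principalId      = $userObjectId
    directoryScopeId = '/'
}
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $assignBody
```

Any action the service refuses for custom roles surfaces in the catch block, which is a quicker check than the portal picker.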

  3. StephanG 811 Reputation points
    2023-09-07T08:39:51.4333333+00:00

    I have the same issue. The least-privilege role for MFA reset has just too many rights.

    We recently "lost" some cloud users because of the excessive rights of Auth Admin.

    So +1 for an MFA Reset & Sign-in Role.

    Vote for it

    https://feedback.azure.com/d365community/idea/118966ca-5c4d-ee11-a81c-000d3a040137
