Need to create an Azure AD custom role with no delete permissions

Rick Angel 36 Reputation points
2020-12-16T21:42:32.967+00:00

We recently had an issue where a helpdesk technician deleted an AD user and caused several major issues. We've since set up custom local AD permissions for the technician and are trying to do something similar in Azure AD. He needs to be able to create and update user information, add and remove users from groups, but not be able to actually delete a user. We tried setting his Azure AD role to Helpdesk Admin, but that does not have enough permissions. User Admin has too many permissions. I think if we could just strip the delete capability from User Admin we would have what we need. I tried creating a custom role inside Azure AD, but could not find the granularity I need. Does anyone have a suggestion? Thanks.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. 2020-12-17T18:36:54.06+00:00

    Hello, currently Azure AD does not support such fine-grained right assignments; however, some work on that has been started. Stay tuned for more updates.

    Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.

    2 people found this answer helpful.