Need to create an Azure AD custom role with no delete permissions

Question

Need to create an Azure AD custom role with no delete permissions

Rick Angel 26

We recently had an issue where a helpdesk technician deleted an AD user and caused several major issues. We've since set up custom local AD permissions for the technician and are trying to do something similar in Azure AD. He needs to be able to create and update user information, add and remove users from groups, but not be able to actually delete a user. We tried setting his Azure AD role to Helpdesk Admin, but that does not have enough permissions. User Admin has too many permissions. I think if we could just strip the delete capability from User Admin we would have what we need. I tried creating a custom role inside Azure AD, but could not find the granularity I need. Does anyone have a suggestion? Thanks.

Answer 1

Alfredo Revilla (MSFT) 16,686 Microsoft Employee

Hello, currently Azure AD does not support such fine grained right assigments, however some work on that has been started. Stay tuned for more updates.

Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.

EL ANCB 1 Reputation point

2022-12-21T11:19:15.197+00:00

Hello,
Our company has the same need for Azure AD "user admin" custom role, able to create and modify accounts, but not to delete them.
Azure support told me there is still no solution.
Since then, is there something new about this?
Thanks,

Need to create an Azure AD custom role with no delete permissions

1 answer

Activity