Need to create an Azure AD custom role with no delete permissions

Rick Angel 26 Reputation points
2020-12-16T21:42:32.967+00:00

We recently had an issue where a helpdesk technician deleted an AD user and caused several major issues. We've since set up custom local AD permissions for the technician and are trying to do something similar in Azure AD. He needs to be able to create and update user information, add and remove users from groups, but not be able to actually delete a user. We tried setting his Azure AD role to Helpdesk Admin, but that does not have enough permissions. User Admin has too many permissions. I think if we could just strip the delete capability from User Admin we would have what we need. I tried creating a custom role inside Azure AD, but could not find the granularity I need. Does anyone have a suggestion? Thanks.

Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.

1 answer

  1. Alfredo Revilla (MSFT) 16,686 Reputation points Microsoft Employee
    2020-12-17T18:36:54.06+00:00

    Hello, currently Azure AD does not support such fine-grained right assignments, however some work on that has been started. Stay tuned for more updates.

    Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.

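The questioner's idea is to take a built-in role such as User Administrator and remove only its delete capability. Whether or not a custom role can express that, the first practical step is to see which actions in a given role definition are delete actions. The following PowerShell is an added example and is not code from the thread or from Microsoft; it assumes the Microsoft Graph PowerShell SDK cmdlet `Get-MgRoleManagementDirectoryRoleDefinition`, whose output carries `RolePermissions` with `AllowedResourceActions` strings, and the sample role definition it runs against is constructed inline with illustrative action names rather than pulled from a tenant.

```powershell
# Added example (not from the original thread): given a directory role definition
# shaped like the objects Get-MgRoleManagementDirectoryRoleDefinition returns
# (Microsoft Graph PowerShell SDK), list every allowed resource action whose
# final path segment is "delete". Run it over built-in roles before handing one
# to a helpdesk technician, to see exactly which delete rights come with it.
function Get-DeleteActions {
    param(
        [Parameter(Mandatory)] $RoleDefinition
    )
    foreach ($perm in $RoleDefinition.RolePermissions) {
        foreach ($action in $perm.AllowedResourceActions) {
            # Actions are slash-separated paths such as
            # microsoft.directory/users/delete; the last segment is the verb.
            if ($action.Split('/')[-1] -eq 'delete') {
                [pscustomobject]@{
                    Role   = $RoleDefinition.DisplayName
                    Action = $action
                }
            }
        }
    }
}

# Constructed sample standing in for a real role definition (assumption:
# the action strings below are illustrative, not copied from a tenant).
$sample = [pscustomobject]@{
    DisplayName     = 'Sample helpdesk role (constructed)'
    RolePermissions = @(
        [pscustomobject]@{
            AllowedResourceActions = @(
                'microsoft.directory/users/create',
                'microsoft.directory/users/basic/update',
                'microsoft.directory/groups/members/update',
                'microsoft.directory/users/delete'
            )
        }
    )
}

# Reports the single delete action in the constructed sample.
Get-DeleteActions -RoleDefinition $sample | Format-Table -AutoSize

# To audit every role definition in a tenant instead of the sample:
#   Connect-MgGraph -Scopes 'RoleManagement.Read.Directory'
#   Get-MgRoleManagementDirectoryRoleDefinition -All |
#       ForEach-Object { Get-DeleteActions -RoleDefinition $_ }
```

Matching on the final path segment rather than on the substring "delete" avoids false hits on actions that merely mention deletion elsewhere in their path, and the same function works unchanged on both built-in and custom role definitions because both expose the same `RolePermissions` shape.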