Custom roles do not support all actions; in fact, they support almost no actions currently. What's supported is application management/registration, management of service principals, and management of Groups. Not much else. Basically, if it's not in the list exposed in the Azure AD blade, you cannot use it.
custom azure AD role creation problem
I would like to create a custom Azure AD role. I would like to create a new role similar to Authentication administrator but with fewer permissions. The Authentication administrator role permissions start with "microsoft.directory/users/authenticationMethods/create". This is not available in the New custom role (https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators) page in the permissions tab. Okay, I do it with PowerShell. I was following the https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureadmsroledefinition?view=azureadps-2.0 documentation and added only one Allowed resource action (microsoft.directory/users/authenticationMethods/create) to test if it is working.
Error says:
New-AzureADMSRoleDefinition : Error occurred while executing NewAzureADMSRoleDefinition
Code: Request_BadRequest
Message: Action 'microsoft.directory/users/authenticationMethods/create' is not supported for Custom Role creation. -->But why?!
InnerError:
RequestId: some-id
DateTimeStamp: Thu, 31 Mar 2022 06:51:34 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:20 char:16
+ ... stomAdmin = New-AzureADMSRoleDefinition -RolePermissions $rolePermiss ...
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADMSRoleDefinition], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphV10.Client.ApiException,Microsoft.Open.MSGraphV10.PowerShell.NewAzureADMSRoleDefinition
The user who ran the PowerShell script has global admin access and the tenant has an AAD P1 licence. What am I missing, or doing wrong?
I can work with other solutions, like copying the existing built-in role and setting the not actions to deny the granted built-in permissions.
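Added example (not code from the question or from any answer on this page): the same New-AzureADMSRoleDefinition call wrapped so that, when the service rejects an action as unsupported for custom roles, the offending action is named in the output instead of a bare exception. It uses two application-management actions that the custom-role permission picker does expose; the function name and the regex over the error text are assumptions, and it requires the AzureAD module with an existing Connect-AzureAD session.

```powershell
# Requires: Install-Module AzureAD; Connect-AzureAD (as a user allowed to create role definitions).
# Hypothetical helper: creates a custom directory role and reports which action the
# service refused, matching the "Action '...' is not supported for Custom Role creation"
# text seen in the question's error output (regex is an assumption about that format).
function New-LeastPrivilegeCustomRole {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string]   $Description,
        [Parameter(Mandatory)] [string[]] $AllowedResourceActions
    )

    # Only allowedResourceActions is used here; keep the list as small as the task needs.
    $rolePermissions = @{ 'allowedResourceActions' = $AllowedResourceActions }

    try {
        return New-AzureADMSRoleDefinition -RolePermissions $rolePermissions `
            -DisplayName $DisplayName -Description $Description `
            -TemplateId (New-Guid).Guid -IsEnabled $true
    }
    catch {
        $msg = $_.Exception.Message
        if ($msg -match "Action '([^']+)' is not supported for Custom Role creation") {
            Write-Warning ("'{0}' is not accepted in custom roles; only actions listed in the " +
                "portal's custom-role permission picker can be used.") -f $Matches[1]
        }
        throw   # re-throw so callers still see the original Request_BadRequest details
    }
}

# Constructed example: a role narrower than Application Administrator that can only
# update basic properties and credentials of app registrations (both actions are in
# the application-management set the custom-role picker exposes).
$actions = @(
    'microsoft.directory/applications/basic/update',
    'microsoft.directory/applications/credentials/update'
)

$role = New-LeastPrivilegeCustomRole -DisplayName 'App Credential Rotator (custom)' `
    -Description 'Can update basic properties and credentials of app registrations.' `
    -AllowedResourceActions $actions

$role | Select-Object Id, DisplayName, IsEnabled
```

Swapping 'microsoft.directory/users/authenticationMethods/create' into $actions reproduces the Request_BadRequest from the question, now with the refused action named in the warning.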
3 additional answers
SathishKumar Patchaiappan 16 Reputation points
2022-11-10T12:12:43.84+00:00 I'm facing the same issue as mentioned by @petersonal. Hoping that MS will release this functionality sooner.
StephanG 826 Reputation points
2023-09-07T08:59:40.3966667+00:00