Implement role groups in Microsoft 365

Previous training examined how to assign roles to user accounts as a means of assigning permissions to users. Microsoft 365 provides an alternative method of assigning roles to users through a feature known as role groups (in Microsoft Entra ID, groups whose isAssignableToRole property is set, also called role-assignable groups). Role groups simplify role management, ensure consistent access, and make auditing permissions more straightforward. Role groups enable organizations to assign roles to a group instead of directly to individuals. This method allows for easy addition or removal of users from a role, and it gives every member of the group the same set of permissions. Role groups can include Microsoft 365's built-in roles and an organization's custom roles.

Why assign roles to role groups?

Role groups are a convenient and efficient way of managing and delegating the administration of Microsoft 365. Role groups allow administrators to assign multiple roles to one or more users, granting them the permissions assigned to all the roles in the group.

For example, let's consider our favorite fictitious organization known as Contoso. It hired people across geographies to manage and reset passwords for employees in its Microsoft Entra organization. Instead of asking a Privileged Role Administrator or Global Administrator to assign the Helpdesk Administrator role to each person individually, they can create a Contoso Helpdesk Administrators group and assign the role to the group. When people join the group, they're assigned the role indirectly. Your existing governance workflow can then take care of the approval process and auditing of the group's membership. Doing so ensures that only legitimate users are assigned the Helpdesk Administrator role.

Role groups also allow administrators to create and manage custom role groups, which they can tailor to the specific needs and requirements of their organization. Role groups have several benefits, such as:

  • Simplifying the role assignment process. Role groups reduce the complexity and effort of assigning roles to users. Administrators only need to assign one role group instead of multiple roles. Role groups also ensure that users have the right and consistent set of permissions, as administrators only need to update one role group instead of multiple roles.
  • Improving the security and compliance posture. Role groups enhance the security and compliance of the Microsoft 365 environment. Administrators can apply the principle of least privilege, which means granting users only the minimum permissions they need to do their tasks. Role groups also enable the separation of duties, which means preventing users from having conflicting or overlapping permissions that could compromise the integrity or confidentiality of the Microsoft 365 environment.
  • Increasing productivity and collaboration. Role groups boost the productivity and collaboration of Microsoft 365 users. Administrators can provide them with the appropriate and sufficient permissions to access and use the Microsoft 365 services and features they need to work efficiently and effectively. Role groups also foster teamwork and communication among Microsoft 365 users. Administrators can group users according to their roles and responsibilities, allowing them to share and exchange information and resources.

To maximize the benefits of using role groups, administrators should follow some best practices, such as:

  • Using the built-in role groups. Microsoft 365 provides several built-in role groups, which are predefined and ready to use. These role groups are based on the common and typical scenarios and tasks that administrators and users do in the Microsoft 365 environment. For example, Helpdesk Administrator, Service Support Administrator, or Reports Reader. Administrators should use the built-in role groups whenever possible. Microsoft designed and tested these built-in role groups to provide optimal and secure permissions and access rights.
  • Creating custom role groups. If the built-in role groups don't meet the specific needs and requirements of the organization, administrators can create custom role groups. Administrators can create custom role groups by selecting the roles they want to include in the group. Administrators should create custom role groups only when necessary. They should also follow the principle of least privilege and the separation of duties when selecting the roles for the group.
  • Reviewing and updating role groups. Administrators should regularly review and update the role groups. Doing so helps ensure they remain aligned with their organization's current and changing requirements. As Microsoft introduces or deprecates services in the Microsoft 365 environment, administrators might need to add or remove roles from their role groups to reflect those changes. Administrators should also add or remove users from the role groups, as users join or leave the organization, or change their roles and responsibilities.

Creating custom role groups

To assign a role to a group, you must create a security or Microsoft 365 group that’s role assignable. For a group to be role assignable, its isAssignableToRole property must be set to true. There are multiple ways to accomplish this depending on where the role group is created.

Create role groups in the Microsoft 365 admin center

You should perform the following steps to create a role group and assign it to a user in the Microsoft 365 admin center. Steps 1 and 2 are alternatives; which one applies depends on the type of group you create:

  1. When you create a new Security group, select the Azure AD roles can be assigned to the group check box. This option sets the group's isAssignableToRole property to true, which makes the group role-assignable.
  2. When you create a new Microsoft 365 group instead, set the Privacy setting to Private and then select the Allow admin roles to be assigned to this group check box. This option has the same effect: it sets the group's isAssignableToRole property to true.
  3. After creating the group, reopen the group and assign the selected roles to the group. The role-assignable setting can't be added to an existing group, so if you skipped it in step 1 or 2, you must create a new group.
  4. Once the roles are assigned to the group, add the user as a group member. To do so, either open the group and add the user as a member of the group, or open the user account and assign the group to the user's account.

Create role groups in the Microsoft Entra admin center

You should perform the following steps to create a role group and assign it to a user in the Microsoft Entra admin center:

  1. When you create a new security or Microsoft 365 group, you must set the Microsoft Entra roles can be assigned to the group option to Yes. This option sets the group's isAssignableToRole property to true, which makes the group role-assignable.
  2. When you're creating the group, you can assign one or more Microsoft Entra roles to the group. You don't have to reopen the group to assign roles like you do in the Microsoft 365 admin center.
  3. After creating the group, you must assign the user as a group member. To do so, you can either reopen the group and assign the user as a member of the group or open the user account and assign the group to the user's account.

[Screenshot: the New Group window in the Microsoft Entra admin center, showing the role-assignable setting]

Create role groups in Windows PowerShell

You should perform the following steps in Microsoft Graph PowerShell to create a role group and assign roles to it:

  1. Use the New-MgGroup command to create a role group. Connect with both scopes shown: Group.ReadWrite.All covers ordinary group creation, but creating a role-assignable group and assigning the role in step 3 require RoleManagement.ReadWrite.Directory as well.

    Connect-MgGraph -Scopes "Group.ReadWrite.All","RoleManagement.ReadWrite.Directory"
    
    # -IsAssignableToRole:$true must be set at creation time; the property can't be changed afterwards.
    $group = New-MgGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "Helpdesk Administrator role assigned to group" -MailEnabled:$false -SecurityEnabled -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole:$true
    
  2. Use the Get-MgRoleManagementDirectoryRoleDefinition command to get a role definition.

    # Look up the built-in role by display name; $roleDefinition.Id is the template-independent ID used in step 3.
    $roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
    
  3. Use the New-MgRoleManagementDirectoryRoleAssignment command to assign the role.

    # DirectoryScopeId '/' assigns the role over the whole tenant; an administrative unit ID would scope it down.
    $roleAssignment = New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $roleDefinition.Id -PrincipalId $group.Id
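The page's steps stop at the role assignment. The following added PowerShell, which is not part of the original page, finishes the procedure the way the admin-center sections do: it adds a user to the group and then verifies the result from both sides, the assignment on the group and the role as seen from the user's transitive memberships. It assumes the $group and $roleDefinition variables from the steps above and a constructed user alice@contoso.com.

```powershell
# Added example (not from the original page): add a member to the role group and verify.
# Assumes $group and $roleDefinition from the steps above; the user UPN is a constructed value.
Connect-MgGraph -Scopes "Group.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All"

$userUpn = "alice@contoso.com"   # constructed example value
$user = Get-MgUser -UserId $userUpn

# Membership of a role group can't be managed with Group.ReadWrite.All alone;
# the RoleManagement.ReadWrite.Directory scope requested above is what lets this call succeed.
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# 1. The group side: which roles are assigned to the group, and at what scope?
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    ForEach-Object {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{ Role = $def.DisplayName; Scope = $_.DirectoryScopeId }
    }

# 2. The user side: the user holds the role indirectly, so the directory role
#    shows up among the user's transitive memberships rather than as a direct assignment.
Get-MgUserTransitiveMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

Removing the user from the group (Remove-MgGroupMemberByRef) revokes the role the same way; nothing has to be changed on the role assignment itself, which is the point of assigning the role to the group rather than to the person.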
    

How are role groups protected?

If a group is assigned a role, any IT administrator who can manage group membership could indirectly manage the membership of that role. Let's consider the following scenario. At Contoso, the User Administrator role is assigned to a group named Contoso User Administrators. An Exchange administrator who can modify group membership could add themselves to the Contoso User Administrators group. In doing so, they would become a User Administrator. As you can see, an administrator could potentially elevate their privilege in a way that wasn't intended.

So how do role groups prevent this scenario from happening? To begin with, membership of a role group can be changed only by Global Administrators, Privileged Role Administrators, and the group's own owners. Roles that otherwise allow managing groups, such as the Exchange administrator in this example, can't add or remove members of a role group. A role group's membership type is also always Assigned rather than dynamic, so nobody can get into the group by changing the user attributes that a membership rule would evaluate. Together, these restrictions stop the Exchange administrator from elevating their privilege by adding themselves to the group and gaining the User Administrator role.

Role groups have the following restrictions:

  • The isAssignableToRole property is immutable. Once a group is created with this property set, it can't be changed.
  • You can't make an existing group a role group.
  • A maximum of 500 role groups can be created in a single Microsoft Entra organization (tenant).

Role groups are designed to help prevent potential breaches by having the following restrictions:

  • Only Global Administrators and Privileged Role Administrators can create a role group. However, you can delegate the management of role groups by adding group owners.
  • The membership type for role groups must be Assigned and can't be a Microsoft Entra dynamic group. Automated population of dynamic groups could lead to an unwanted account being added to the group and thus assigned to the role.
  • For Microsoft Graph, the RoleManagement.ReadWrite.Directory permission is required for managing the membership of role groups. The Group.ReadWrite.All permission doesn't work.
  • To prevent elevation of privilege, only a Privileged Authentication Administrator or a Global Administrator can change the credentials or reset MFA or modify sensitive attributes for members and owners of a role group.
  • Group nesting isn't supported. A group can't be added as a member of a role group.
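Because the platform enforces these restrictions, the remaining exposure is what administrators configure on top of them: which roles each role group carries, who its owners are (owners can change membership), and whether stale role groups are still counting against the limit. The following added PowerShell, not part of the original page, audits every role-assignable group in the tenant against the restrictions listed above using read-only Graph scopes; the finding labels are my own.

```powershell
# Added example (not from the original page): audit role-assignable groups.
# Read-only scopes are enough for a review.
Connect-MgGraph -Scopes "Group.Read.All","RoleManagement.Read.Directory"

# Resolve role definition IDs to names once, instead of one lookup per assignment.
$roleNameById = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNameById[$_.Id] = $_.DisplayName }

# isAssignableToRole is filterable, so the tenant's role groups can be listed directly.
$roleGroups = Get-MgGroup -Filter "isAssignableToRole eq true" -All -Property "id,displayName,groupTypes,membershipRule"

$report = foreach ($g in $roleGroups) {
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($g.Id)'" -All
    $owners      = Get-MgGroupOwner  -GroupId $g.Id -All
    $members     = Get-MgGroupMember -GroupId $g.Id -All

    $findings = @()
    # Nesting isn't supported, so a group object among the members should never appear.
    if ($members | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }) {
        $findings += 'nested group member'
    }
    # Dynamic membership should be impossible on a role group; report it if it ever shows up.
    if ($g.GroupTypes -contains 'DynamicMembership' -or $g.MembershipRule) {
        $findings += 'dynamic membership rule'
    }
    # A role group with no role is stale: it still counts against the 500-group limit.
    if (-not $assignments) { $findings += 'no role assigned' }
    # Every owner can add members, so list them next to the roles they effectively control.
    [pscustomobject]@{
        Group    = $g.DisplayName
        Roles    = ($assignments | ForEach-Object { $roleNameById[$_.RoleDefinitionId] }) -join ', '
        Owners   = ($owners | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ', '
        Members  = @($members).Count
        Findings = ($findings -join '; ')
    }
}

$report | Format-Table -AutoSize
# Groups that tripped a check are the ones to look at first.
$report | Where-Object Findings
```

Run this from a non-privileged account holding only the two read scopes; the review itself shouldn't need the Privileged Role Administrator role that creating or changing the groups requires.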

Use PIM to make a group eligible for a role assignment

If you don't want members of the group to have standing access to a role, you can use Microsoft Entra Privileged Identity Management (PIM) to make a group eligible for a role assignment (PIM is introduced later in this module). Each member of the group is then eligible to activate the role assignment for a fixed time duration.

For groups used for elevating into Microsoft Entra roles, Microsoft recommends that you require an approval process for eligible member assignments. Assignments that can be activated without approval can leave you vulnerable to a security risk from less privileged administrators. For example, a Helpdesk Administrator has permission to reset the password of a user who is merely eligible for a role, because an eligible user isn't yet a privileged user. Without an approval step, resetting that password, signing in as the user, and activating the role would give the Helpdesk Administrator the role's permissions.
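The following added PowerShell, not part of the original page, converts the standing Helpdesk Administrator assignment created earlier into a PIM eligible assignment for the same group, removes the active assignment so that activation is the only path to the role, and verifies the result. It assumes the group and role names from the earlier steps; the justification text and the one-year eligibility duration are constructed values.

```powershell
# Added example (not from the original page): make the role group eligible instead of permanently assigned.
# Assumes the group and role created in the earlier steps; justification and duration are constructed values.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Group.Read.All"

$group          = Get-MgGroup -Filter "displayName eq 'Contoso_Helpdesk_Administrators'"
$roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

# 1. Create the eligible assignment. Members can then activate the role in PIM for a
#    limited time instead of holding it permanently; the eligibility itself expires after a year.
$request = @{
    Action           = "adminAssign"
    Justification    = "Helpdesk staff activate Helpdesk Administrator just-in-time"
    RoleDefinitionId = $roleDefinition.Id
    DirectoryScopeId = "/"
    PrincipalId      = $group.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "P365D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request

# 2. Remove the active (standing) assignment of the same role, so eligibility is the only route.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    Where-Object { $_.RoleDefinitionId -eq $roleDefinition.Id } |
    ForEach-Object { Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $_.Id }

# 3. Verify: the group now shows up as eligible for the role, and no active assignment remains.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($group.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, Status
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'"
```

The approval requirement the page recommends isn't part of the eligibility request; it's a setting of the role's PIM policy (the activation rules on the unified role management policy for Helpdesk Administrator), which is configured separately in the PIM portal or through the policy cmdlets. Creating the eligibility without first requiring approval on the role's policy leaves exactly the gap described above.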

License requirements

Organizations that plan to use role groups must have a Microsoft Entra ID P1 license. If you plan to use Privileged Identity Management for just-in-time role activation, then you must have a Microsoft Entra ID P2 license.