Not so long ago I wrote the article Azure role-based access control – BitLocker Recovery Key Reader. In response to that article, a reader asked whether these kinds of Azure AD roles can be assigned to security groups, and told me he wasn’t aware of the possibility of using groups for role assignment.
So today, a short article to make people aware of the (new) possibility of assigning Azure AD roles (built-in and custom) to Azure AD (security) groups.
Restrictions for role-assignable groups
As we can read in the Microsoft docs, there are some restrictions on the Azure AD groups that can be used for role assignment in Azure AD:
- You can only set the isAssignableToRole property (the “Azure AD roles can be assigned to the group” option in the portal) for new groups.
- The isAssignableToRole property is immutable. Once a group is created with this property set, it can’t be changed.
- You can’t make an existing group a role-assignable group.
- A maximum of 500 role-assignable groups can be created in a single Azure AD organization (tenant).
So if you are trying to assign a group to a role and don’t see your group listed, that’s because its isAssignableToRole property isn’t set, and you can’t change that for an existing group; you have to create a new one.
Create an ‘assignable to role’ Azure AD group
Creating such an “assignable to role” group is pretty straightforward; we just must not forget to set that one switch to Yes.
- Sign in to the Azure portal
- Open Azure Active Directory, open Groups
- Click New Group
- Enter a Name
- Enter a Description (optional)
- Switch Azure AD roles can be assigned to this group to Yes (Important!)
- Add members to the group
- Click Create
- Click Yes
And our group is ready to be assigned an Azure AD role.
Azure AD role assignment
The assignment of the Azure AD role to a group is no different from assigning the role to a user.
- Browse to Roles and administrators
- Search for the role and open it
- Click Add assignments
- Click No member selected
- Select the just created group
- Click Select
- Click Next
- Click Assign
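The same two procedures (create a role-assignable group, then assign it an Azure AD role), scripted with the Microsoft Graph PowerShell SDK. This is an added example and not code from the original article. It assumes the Microsoft.Graph module is installed, that the signed-in account may create role-assignable groups and role assignments, and that the group name and the built-in ‘Helpdesk Administrator’ role are illustrative choices; the script verifies the isAssignableToRole flag before it tries the assignment, because that flag is exactly what makes a group disappear from the portal picker.

```powershell
# Added example (not from the original article): create a role-assignable
# Azure AD group and assign an Azure AD role to it with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; caller may create role-assignable
# groups and role assignments; the group and role names below are illustrative.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

$groupName = 'SG-Helpdesk-Admins'        # assumed name
$roleName  = 'Helpdesk Administrator'    # built-in role chosen for the example

# Step 1: create the group with IsAssignableToRole set at creation time.
# This is the portal's "Azure AD roles can be assigned to this group" switch;
# it is immutable and cannot be added to an existing group afterwards.
$group = New-MgGroup -DisplayName $groupName `
    -Description 'Members receive the Helpdesk Administrator role' `
    -MailEnabled:$false `
    -MailNickname (($groupName -replace '[^A-Za-z0-9]', '').ToLower()) `
    -SecurityEnabled `
    -IsAssignableToRole

# Step 2: check the flag before assigning. A group without it never appears
# in the role's member picker, and a Graph role assignment to it is rejected.
$check = Get-MgGroup -GroupId $group.Id -Property 'id,displayName,isAssignableToRole'
if (-not $check.IsAssignableToRole) {
    throw "Group '$($check.DisplayName)' is not role-assignable; recreate it with -IsAssignableToRole."
}

# Step 3: resolve the role definition. Works for built-in and custom roles alike.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' was not found in this tenant." }

# Step 4: assign the role to the group, scoped to the whole directory ('/').
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId $group.Id `
    -DirectoryScopeId '/'

# Step 5: confirm the assignment exists for this principal.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    Select-Object Id, RoleDefinitionId, DirectoryScopeId

# Step 6: keep an eye on the tenant-wide limit of 500 role-assignable groups.
$assignable = Get-MgGroup -Filter 'isAssignableToRole eq true' -All
"Role-assignable groups in this tenant: $($assignable.Count) of 500"
```

The check in step 2 is the scripted equivalent of “my group isn’t listed”: if it throws, the fix is never to edit the group but to create a new one with the flag set. The last two lines are there because role-assignable groups are capped at 500 per tenant, so it pays to know how many already exist before automating their creation.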
And that’s all!
I hope you can use it to your advantage.
Thanks for reading.
Hello Peter, thank you for this one.
For the sake of completeness it is probably worth mentioning that this feature requires an AAD Premium license.