How to assign Azure AD roles to Azure AD groups

Not so long ago I wrote the article Azure role-based access control – BitLocker Recovery Key Reader. In response to that article, I received a question from a reader about the possibility of assigning these kinds of Azure roles to security groups; he told me he wasn’t aware that groups could be used for role assignment.
So today, a short article to make people aware of the (new) possibility to assign Azure AD roles (built-in and custom) to Azure AD (security) groups.

Restrictions for role-assignable groups

As we can read in the Microsoft docs, there are some restrictions on the AAD groups which can be used for role assignment in Azure AD:

  • You can only set the isAssignableToRole property (the “Azure AD roles can be assigned to the group” option in the portal) for new groups.
  • The isAssignableToRole property is immutable. Once a group is created with this property set, it can’t be changed.
  • You can’t make an existing group a role-assignable group.
  • A maximum of 500 role-assignable groups can be created in a single Azure AD organization (tenant).

So if you are trying to assign a group to a role and don’t see your group listed, that’s because the isAssignableToRole property isn’t set, and you can’t change that for existing groups.

Create an ‘assignable to role’ Azure AD group

Creating such an “assignable to role” group is pretty straightforward; we just must not forget to set that one switch to Yes.

  • Sign in to the Azure portal
  • Open Azure Active Directory, open Groups
  • Click New Group
  • Enter a Name
  • Enter a Description (optional)
  • Switch Azure AD roles can be assigned to this group to Yes (Important!)
  • Add members to the group
  • Click Create
  • Click Yes

And our group is ready to be assigned an Azure AD role.

Azure AD role assignment

The assignment of the Azure AD role to a group is no different from assigning the role to a user.

  • Browse to Roles and administrators
  • Search for the role and open it
  • Click Add assignments
  • Click No member selected
  • Select the just created group
  • Click Select
  • Click Next
  • Click Assign

And that’s all!
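The same two steps (create a role-assignable group, then assign a role to it) scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original article. The group name, description and role name are placeholder values; it assumes the Microsoft.Graph modules are installed and that the signed-in account is allowed to create role-assignable groups and assign directory roles.

```powershell
# Added example: create a role-assignable group and assign an Azure AD role to it
# with the Microsoft Graph PowerShell SDK. All names below are placeholders.
$GroupName   = 'Role-BitLockerKeyReaders'         # placeholder
$Description = 'Members can read BitLocker keys'  # placeholder
$RoleName    = 'Helpdesk Administrator'           # placeholder; a custom role name works too

# Creating a role-assignable group is a privileged operation, so the
# RoleManagement.ReadWrite.Directory scope is needed next to Group.ReadWrite.All.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

# isAssignableToRole can only be set at creation time and a tenant allows at most
# 500 such groups, so check the current count before creating another one.
$existing = Get-MgGroup -Filter 'isAssignableToRole eq true' -All
if ($existing.Count -ge 500) {
    throw "Tenant already has $($existing.Count) role-assignable groups (limit is 500)."
}
if ($existing.DisplayName -contains $GroupName) {
    throw "A role-assignable group named '$GroupName' already exists."
}

# Equivalent of the portal switch "Azure AD roles can be assigned to this group: Yes".
$group = New-MgGroup -DisplayName $GroupName -Description $Description `
    -MailEnabled:$false -MailNickname ($GroupName -replace '[^a-zA-Z0-9]', '') `
    -SecurityEnabled -IsAssignableToRole

# Confirm the property really was set; a plain security group cannot be fixed afterwards.
if (-not (Get-MgGroup -GroupId $group.Id -Property IsAssignableToRole).IsAssignableToRole) {
    throw "Group $($group.Id) was created without isAssignableToRole; delete and recreate it."
}

# Resolve the role definition (built-in or custom) by display name.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $roleDef) { throw "Role '$RoleName' not found." }

# Assign the role to the group at tenant scope ('/'); this is the "Add assignments" step.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
    -RoleDefinitionId $roleDef.Id -DirectoryScopeId '/' | Out-Null

# List the roles the group now holds, useful when reviewing privileged group membership.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    ForEach-Object {
        $d = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{ Group = $GroupName; Role = $d.DisplayName; Scope = $_.DirectoryScopeId }
    }
```

Because membership of such a group now carries the role, the group's owners and membership changes deserve the same review as direct role assignments.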

I hope you can use it to your advantage.

Thanks for reading.

1 Comment

  1. Hello Peter, thank you for this one.
    For the sake of completeness it is probably worth mentioning, this feature requires AAD Premium license.
