One of the most frequent pieces of feedback we receive from customers is they love how Azure AD helps them gain visibility into risks impacting their organization’s identities and assets. But to do that effectively, they need additional RBAC roles so they can provide access to their administrators and security analysts while maintaining separation of duties. This way they can ensure appropriate control over configuration and security policies.
So I’m excited to share that we’re adding three new administrative roles to Azure AD that enable finer-grained administration.
These three new roles “Privileged Role Administrator”, “Security Administrator” and “Security Reader” simplify managing and accessing reports in Azure AD Identity Protection and Azure AD Privileged Identity Management (PIM). Using these new roles, organizations can take advantage of these new security capabilities without having to add additional highly-privileged global administrators.
Security roles in Azure AD Identity Protection
Azure AD Identity Protection, currently in preview, provides a consolidated view into risk events and potential vulnerabilities affecting your organization’s identities.
Previously, to access Azure AD Identity Protection, a user needed to be a global administrator. These new roles eliminate that requirement.
- A user in the new role Security Reader can view reports and settings in Azure AD Identity Protection. This role is ideal for a security analyst who investigates issues but doesn’t necessarily take any action themselves.
- A user in the new role Security Administrator can view reports and manage settings in Azure AD Identity Protection. Unlike global administrators, a security administrator can’t reset users’ passwords in Azure AD Identity Protection.
Security roles in Privileged Identity Management
Azure AD Privileged Identity Management, also in preview, lets you manage, control, and monitor your privileged identities and access to resources in Azure AD as well as other Microsoft online services, including Office 365 or Microsoft Intune.
A user still needs to be in the global administrator role to enable Azure AD PIM in a directory. When they enable Azure AD PIM, they are automatically added to the Security Administrator and Privileged Role Administrator roles as well.
- A user in the new role Privileged Role Administrator can manage settings and role assignments in Azure AD PIM, and view the Azure AD PIM audit history.
- A user in any of the Global Administrator, Security Administrator or Security Reader roles can view settings, role assignments, and the Azure AD PIM audit history.
Assigning users to these new roles
The best way to add someone to the Privileged Role Administrator, Security Administrator, or Security Reader roles is through Azure AD PIM. Select the role, click Add, select a user, and click OK. That user will be made eligible to activate the role. The user can then activate the role for a predefined time period, when they need to use Azure AD Identity Protection or Azure AD PIM.
You can also click the “Make perm” button on the user’s role assignment so that they have permanent membership of the role.
Alternatively, if you’re not using Azure AD PIM, you can assign users to these roles from the command line with the Azure Active Directory Module for PowerShell.
First, connect and authenticate as a global administrator in your directory. Type the following command, and enter your administrator credentials when prompted.
To see who (if anyone) is already permanently assigned to these three new roles in your directory, type:
# Run these in a session already connected to your directory as a global administrator.
# Get-MsolRoleMember lists the current directory assignments, i.e. permanent members.
$pra = Get-MsolRole -RoleName "Privileged Role Administrator"
Write-Output "Privileged Role Administrator permanent members"
Get-MsolRoleMember -RoleObjectId $pra.ObjectId | ft EmailAddress,DisplayName
$sa = Get-MsolRole -RoleName "Security Administrator"
Write-Output "Security Administrator permanent members"
Get-MsolRoleMember -RoleObjectId $sa.ObjectId | ft EmailAddress,DisplayName
$sr = Get-MsolRole -RoleName "Security Reader"
Write-Output "Security Reader permanent members"
Get-MsolRoleMember -RoleObjectId $sr.ObjectId | ft EmailAddress,DisplayName
Then, to add a user to a role with a permanent assignment, use the Add-MsolRoleMember command. For instance, to make a user a security administrator, type:
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "email@example.com"
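The point of these roles is to keep security staff out of the global administrator role, so it is worth checking periodically that the assignments actually achieve that. The script below is an added example, not part of the original post or of the MSOnline module: it builds a report of the permanent members of the three roles and flags accounts that are also global administrators (who gain nothing from the extra grant and should probably lose global admin instead), plus anyone holding Privileged Role Administrator who is not on an allowlist. It assumes a session already connected with Connect-MsolService; the function names and the allowlist value are hypothetical.

```powershell
# Added example, not from the original post. Assumes an MSOnline session
# (Connect-MsolService already run) with rights to read role membership.
function Get-AadSecurityRoleReport {
    param([string[]] $RoleNames = @('Privileged Role Administrator',
                                    'Security Administrator', 'Security Reader'))
    # Global administrators are named "Company Administrator" in MSOnline.
    $gaRole = Get-MsolRole -RoleName 'Company Administrator'
    $globalAdmins = (Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId).ObjectId
    foreach ($name in $RoleNames) {
        $role = Get-MsolRole -RoleName $name
        # Returns current directory assignments: permanent members, plus any
        # PIM-eligible user for the duration of an activation.
        Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
            [pscustomobject]@{
                Role          = $name
                DisplayName   = $_.DisplayName
                EmailAddress  = $_.EmailAddress
                # A global admin already has these rights; a separate grant
                # usually means the account never shed global admin.
                IsGlobalAdmin = $globalAdmins -contains $_.ObjectId
            }
        }
    }
}

# Flags rows that break separation of duties. $ExpectedPrivilegedRoleAdmins is a
# hypothetical allowlist of accounts that are meant to hold that role permanently.
function Test-AadSecurityRoleSeparation {
    param([object[]] $Report, [string[]] $ExpectedPrivilegedRoleAdmins = @())
    $findings = @()
    foreach ($row in $Report) {
        if ($row.IsGlobalAdmin) {
            $findings += "$($row.EmailAddress): global admin also permanently in '$($row.Role)'"
        }
        if ($row.Role -eq 'Privileged Role Administrator' -and
            $ExpectedPrivilegedRoleAdmins -notcontains $row.EmailAddress) {
            $findings += "$($row.EmailAddress): Privileged Role Administrator not on allowlist"
        }
    }
    return $findings
}

$report = Get-AadSecurityRoleReport
$report | Format-Table Role, DisplayName, EmailAddress, IsGlobalAdmin
Test-AadSecurityRoleSeparation -Report $report `
    -ExpectedPrivilegedRoleAdmins @('pim-admin@example.com')   # constructed value
```

An empty result from Test-AadSecurityRoleSeparation means every permanent holder of these roles is a dedicated account rather than a global administrator, which is the state the post is aiming for.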
And more good news – these roles will soon light up in other features and applications as well. I’ll blog about them when they do.
And as always, we’d love to get any feedback or suggestions you have. Just head on over to the Azure AD Identity Protection and Azure AD Privileged Identity Management forums and let us know what you think.
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division