Azure – Custom permissions (RBAC) to access specific Azure AD blade

Tags: azure, azure-active-directory, rbac

I am looking for a way of tailoring custom RBAC (granting access / creating a role and assigning permissions) to a specific Azure AD blade.
In fact, I want my end user with a custom role to be able to modify only certain settings in the Azure AD blade.
Here's the screenshot:

[screenshot: Azure AD blades]

For example, I want the permissions to register an app (using App registration blade) and also permissions to manage this newly registered app via Enterprise applications blade.

The reason is that, despite the Azure AD option "Users can register applications" (Azure AD – User settings – App registrations – Users can register applications), the documentation says:

Even if you do allow users to register single-tenant LOB apps, there are limits to what can be registered. For example, developers who are not directory admins:

  • Users cannot make a single-tenant app a multi-tenant app.
  • When registering single-tenant LOB apps, users cannot request app-only permissions to other apps.
  • When registering single-tenant LOB apps, users cannot request delegated permissions to other apps if those permissions require admin consent.
  • Users cannot make changes to apps that they are not owners of. (Source)

According to resource provider enumeration, the Microsoft.AzureActiveDirectory provider

is not a full ARM provider and does not provide any ARM operations.

so I cannot create a custom JSON template like:

Microsoft.AzureActiveDirectory/*/read

and import it via the

New-AzureRmRoleDefinition

cmdlet.

The only possible actions with the Microsoft.AzureActiveDirectory provider that I've found are:

  • register the resource provider
  • work with a B2C directory.

In my case, B2B is used.
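The check behind the question, as an added example that is not part of the original post: before importing a custom Azure RBAC role, confirm that each action string actually resolves to an operation in the ARM provider catalogue, because ARM accepts a role definition whose actions match nothing and the role then grants nothing. It assumes the AzureRM module with an existing Login-AzureRmAccount session; the subscription ID, the role name and the output file name are placeholders.

```powershell
# Added example (not from the original post). Assumes the AzureRM module is installed
# and Login-AzureRmAccount has been run; the subscription ID and role name are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder

# Return, for each requested action string, how many ARM operations in the provider
# catalogue it matches. Wildcards in the action are expanded the way ARM expands them;
# an action with zero matches is accepted by ARM but grants nothing at all.
function Test-RoleActions {
    param([string[]]$Actions)
    $catalog = (Get-AzureRmProviderOperation -OperationSearchString '*').Operation
    foreach ($action in $Actions) {
        $pattern = '^' + [regex]::Escape($action).Replace('\*', '.*') + '$'
        $hits = @($catalog | Where-Object { $_ -match $pattern })
        [pscustomobject]@{ Action = $action; MatchingOperations = $hits.Count }
    }
}

# Show what the Azure AD provider exposes through ARM at all (provider registration and
# B2C operations, per the question); none of it covers app registrations or enterprise apps.
Get-AzureRmProviderOperation -OperationSearchString 'Microsoft.AzureActiveDirectory/*' |
    Select-Object Operation, Description

# The custom role the question tried to build, in the shape New-AzureRmRoleDefinition -InputFile expects.
$role = [ordered]@{
    Name             = 'Azure AD app operator (custom)'        # placeholder name
    IsCustom         = $true
    Description      = 'Attempt to scope Azure AD app management through Azure RBAC'
    Actions          = @('Microsoft.AzureActiveDirectory/*/read')
    NotActions       = @()
    AssignableScopes = @("/subscriptions/$subscriptionId")
}

$check = Test-RoleActions -Actions $role.Actions
$check | Format-Table -AutoSize

# Only create the definition when every action resolves to a real ARM operation;
# otherwise the role would exist but be unable to grant anything in the Azure AD blade.
if (@($check | Where-Object MatchingOperations -eq 0).Count -eq 0) {
    $role | ConvertTo-Json -Depth 3 | Set-Content -Path .\custom-role.json
    New-AzureRmRoleDefinition -InputFile .\custom-role.json
} else {
    Write-Warning 'One or more actions match no ARM operation; Azure RBAC cannot scope this Azure AD access.'
}
```

The same Test-RoleActions check is worth running on any custom role, not only this one: a typo in a provider namespace or resource type produces a role that looks right in the portal and silently does nothing.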

Best Answer

Unfortunately, you cannot achieve this for now.

First, custom RBAC is for subscription resources, not for access to Azure AD features.

For Azure AD, we can assign Azure AD directory roles to users for different access management. It's different from the RBAC for subscriptions. For now, there are three main types of roles in Azure AD: User, Global administrator, Limited administrator.

If you want to assign some limited access to a user, you need to select the Limited administrator role and choose the right one for the user:


However, those limited admin roles cannot be customized. We can only choose one or some of the roles in the list.

See more details about assigning roles in Azure AD in this document.

Additionally, many customers have come across issues like yours. They post their ideas on this UserVoice page, and the Azure AD team reviews those ideas and responds to them. So I also suggest you post your idea or upvote a similar idea on that page.

Hope this helps!
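What the answer's suggestion looks like in practice, as an added example that is not part of the answer: enabling one of the built-in limited admin roles and adding a user to it with the AzureAD PowerShell module. It assumes the AzureAD module, a signed-in account that may manage directory roles, and a placeholder user principal name; Application Administrator is chosen because it is the built-in role that spans both app registrations and enterprise applications.

```powershell
# Added example (not from the answer). Assumes the AzureAD PowerShell module is installed
# and the signed-in account may manage directory roles; the UPN is a placeholder.
Connect-AzureAD

# Assign one of the built-in limited admin roles to a user. Built-in roles exist as
# templates and get a role object in the tenant only once they have been enabled.
function Grant-DirectoryRole {
    param(
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $RoleDisplayName
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $RoleDisplayName
        if (-not $template) { throw "No built-in directory role named '$RoleDisplayName'" }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }

    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    if ($members.ObjectId -notcontains $user.ObjectId) {
        Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    }

    # Return the current membership so the change can be reviewed (and later revoked
    # with Remove-AzureADDirectoryRoleMember).
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Select-Object DisplayName, UserPrincipalName
}

# Application Administrator covers both app registrations and enterprise applications,
# but for every app in the tenant: a built-in role can be picked, not narrowed.
Grant-DirectoryRole -RoleDisplayName 'Application Administrator' -UserPrincipalName 'developer@contoso.com'
```

The membership listing at the end is the part to keep: because the role applies tenant-wide, the least-privilege control left is reviewing who holds it and removing members who no longer need it.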
