
Azure AD Custom Roles: How to Create and Manage Custom Roles for Your Azure AD Environment. Do you need to create and manage custom roles in your Azure AD environment? This article guides you through the process.

We start with the prerequisites: the licensing your Azure AD tenant needs before custom roles can be created, and the permissions the admin creating the role must hold.

Next, the article explains why organizations create custom roles at all. Then we move on to the main purpose of the article.

That main section explains how to create custom roles in the Azure Active Directory portal, how to grant permissions to a custom role, and how to assign users and groups to it.

Prerequisites to Create & Manage Custom Roles in Azure Active Directory

An organization must have an Azure AD Premium P1 or P2 license to create custom roles. Furthermore, the admin who creates the role must hold either the “Privileged Role Administrator” or the “Global Administrator” role.

In addition, if you use PowerShell to create and manage custom Azure Active Directory roles, you need a module that can call the role management endpoints. This article was written against the AzureADPreview module; note that Microsoft has since deprecated the AzureAD and AzureADPreview modules, and the Microsoft Graph PowerShell SDK (the Microsoft.Graph module) is their replacement.

Microsoft 365 E3 includes an Azure AD P1 license, while Microsoft 365 E5 includes Azure AD Premium P2. View Azure AD licensing options for more information.

Why Do You Need Custom Roles in Azure AD?

Companies and organizations using Azure AD create custom roles to avoid granting users or groups permissions beyond what their specific tasks require. Built-in roles are broad; assigning one to cover a single task often hands out many unrelated rights along with it.

However, you must examine all the built-in roles before creating custom ones. Azure Active Directory offered a wide selection of over 120 built-in roles as of May 2023.

Each built-in role comes with a fixed set of permissions, which are granted to the users or groups assigned to it.

To review the built-in roles and their permissions, open the Azure Active Directory portal and go to the “Roles and administrators” menu, as shown in the screenshot below.

To learn more about a specific built-in role, click the role and open its Description tab, which displays comprehensive information about the role’s permissions.

The “Role permissions” section of that tab lists every permission granted to the users or group members assigned to the role.

If, after completing this review, none of the existing roles meets your requirements, move on to the following steps. They walk you through creating and managing custom roles in Azure Active Directory.

How to Create Custom Roles for Your Azure Active Directory Environment

1. In the Azure Active Directory portal, click “Roles and administrators.”

2. Next, on the “All roles” page, click “+ New custom role.”

3. Azure AD then displays the “New custom role” workflow. On its first (Basics) page, enter a Name and, optionally, a Description.

Additionally, select either “Start from scratch” (the default) or “Clone from a custom role.” The “Clone from a custom role” option creates the new role by copying the permissions of an existing custom role.

Note that the drop-down is empty if you do not yet have any custom roles.

Once you have entered the necessary details, click Next.

4. In the Permissions section of the workflow, select the permissions to grant to the new custom role, then click Next. Grant only the permissions the role’s task actually requires; that is the whole reason for creating a custom role. Only a subset of directory permissions (for example, those for app registrations, enterprise applications, users, groups and devices) can be placed in a custom role, so if the permission you need is not offered here you will have to fall back on a built-in role.

5. Finally, review your selections and click Create. The new custom role is created.
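The same role can be created from PowerShell. The script below is an added example and is not code from the original article; it uses the Microsoft Graph PowerShell SDK (the Microsoft.Graph module, the replacement for AzureADPreview) rather than the AzureADPreview cmdlets. The role name, description and permission list are illustrative choices, and it assumes the signed-in admin holds Privileged Role Administrator or Global Administrator.

```powershell
# Added example (not from the original article): create a least-privilege custom
# Azure AD role with the Microsoft Graph PowerShell SDK instead of the portal.
# Assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph)
# and the signed-in admin holds Privileged Role Administrator or Global Administrator.
# The role name, description and permission list below are illustrative.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$displayName = "App Registration Credential Manager"
$description = "Can rotate credentials on app registrations; no other directory rights."

# Only the resource actions the task needs. These are the same action strings the
# portal shows in the Permissions step of the New custom role workflow.
$allowedActions = @(
    "microsoft.directory/applications/standard/read",
    "microsoft.directory/applications/credentials/update"
)

# Refuse to create a duplicate if a custom role with this name already exists.
$existing = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$displayName'"
if ($existing) {
    Write-Warning "A role named '$displayName' already exists (Id $($existing.Id)); nothing created."
    return
}

$params = @{
    displayName     = $displayName
    description     = $description
    isEnabled       = $true
    rolePermissions = @(
        @{ allowedResourceActions = $allowedActions }
    )
}
$role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $params

# Verify the stored definition grants exactly what was requested and nothing more.
$granted    = @($role.RolePermissions.AllowedResourceActions)
$unexpected = $granted | Where-Object { $_ -notin $allowedActions }
$missing    = $allowedActions | Where-Object { $_ -notin $granted }
if ($unexpected -or $missing) {
    throw "Role '$displayName' permissions differ from the request. Unexpected: $($unexpected -join ', '). Missing: $($missing -join ', ')"
}
Write-Output "Created custom role '$($role.DisplayName)' with Id $($role.Id)"
```

The read-back check at the end is the step the portal does not force you to do: it confirms that the role that now exists in the tenant carries exactly the permission list you intended, which is what you will later be auditing against.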


Grant Permissions to Users and Groups By Assigning Them Custom Roles

A custom role grants nothing until it is assigned. After creating a custom Azure AD role, assign it to the users and groups that need the directory permissions it carries (for example, rights over application registrations).

Follow the steps below:

1. Click “Roles and administrators” in the Azure Active Directory portal.

2. Click the custom role whose assignments you want to modify.

3. Next, click “+ Add assignments.”

4. In the “Add assignments” pane, select the security principals (users or groups) that should receive the role. Use the search field to locate specific objects.

After you have selected the desired users and groups, click “Add”.

When you reload the “Assignments” page, it lists the objects that have been assigned to the custom Azure AD role.
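The assignment step from PowerShell, as an added example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK; the role and group names are illustrative and are assumed to already exist in your tenant. It also performs the check the portal does for you silently: a group can only hold a directory role if it was created as role-assignable.

```powershell
# Added example (not from the original article): assign a custom Azure AD role to a
# security group with the Microsoft Graph PowerShell SDK, mirroring the portal's
# "+ Add assignments" step. Assumes the Microsoft.Graph module is installed and that
# the role and group named below exist (both names are illustrative).

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.Read.All"

$roleName  = "App Registration Credential Manager"
$groupName = "SG-AppCredentialManagers"

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Custom role '$roleName' not found" }

# Ask explicitly for isAssignableToRole so the check below sees a real value.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Property "id,displayName,isAssignableToRole"
if (-not $group) { throw "Group '$groupName' not found" }

# Only role-assignable groups (created with isAssignableToRole = true) can hold a
# directory role; that flag cannot be switched on after the group exists.
if (-not $group.IsAssignableToRole) {
    throw "Group '$groupName' is not role-assignable; create a role-assignable group instead."
}

# Skip if this group already holds the role, so the script is safe to re-run.
$current = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'"
if ($current | Where-Object RoleDefinitionId -eq $role.Id) {
    Write-Output "Group '$groupName' already holds role '$roleName'"
    return
}

# DirectoryScopeId "/" makes the assignment tenant-wide. An administrative unit
# path ("/administrativeUnits/<id>") narrows the role to that unit's objects.
$assignment = New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
    -PrincipalId $group.Id -DirectoryScopeId "/"
Write-Output "Assigned '$roleName' to group '$groupName' (assignment Id $($assignment.Id))"
```

Assigning the role to a group rather than to individual users keeps the later “who holds this role” question answerable from group membership, and the idempotency check means the script can live in a provisioning pipeline without creating duplicate assignments.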

Managing Custom Roles in Azure Active Directory

Once a custom role exists, admins still have routine work to do on it: modifying the permissions and scope of the role, revoking permissions it grants, and adding or removing the users and groups assigned to it.

Azure AD admins also need to delete custom roles that are no longer necessary and to audit the roles that remain, checking what each one allows and who holds it.

This section walks through the steps for each of these tasks.

Modify Permissions or Delete Custom Roles

1. In the Azure Active Directory portal, click “Roles and administrators.”

2. Then open the custom role.

3. Go to the Description tab and click the Edit button.

If you are editing the custom role, proceed to step 4.

Alternatively, if you want to delete the role, click the Delete button. The Azure AD portal prompts you to confirm the deletion. Before confirming, check the role’s Assignments tab: any user or group still assigned loses those permissions when the role is removed.

4. On the ‘Basics’ tab of the role edit page, change the name or the description. To modify the permissions, click the Permissions tab.

5. Finally, add or remove permissions as required, click ‘Next’ and complete the process.

Modify User Assignments for Custom Roles

In addition to modifying permissions, you can add or remove the users and groups assigned to a custom role in Azure Active Directory. To do so, open the custom role and proceed with the following steps:

First, navigate to the “Assignments” tab and identify the user or group you wish to remove.

Click “Remove assignments” and confirm your request.

Another common custom role admin task is adding new users or groups.

To perform this task, click “+ Add assignments” after opening the custom role. Select the users or groups you want to add and click “Add”.
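The management tasks above, as one added example that is not part of the original article: an audit of every custom role (its permissions and who holds it), a permission tightening, the removal of one group’s assignment, and deletion of the role once nothing holds it. It uses the Microsoft Graph PowerShell SDK; the role and group names are illustrative.

```powershell
# Added example (not from the original article): routine custom-role hygiene with the
# Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is installed.
# The role and group names below are illustrative.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Directory.Read.All", "Group.Read.All"

# 1. Audit: every custom role, what it allows, and who holds it at what scope.
$customRoles = Get-MgRoleManagementDirectoryRoleDefinition -Filter "isBuiltIn eq false"
foreach ($r in $customRoles) {
    Write-Output "Role: $($r.DisplayName) (enabled: $($r.IsEnabled))"
    foreach ($action in $r.RolePermissions.AllowedResourceActions) {
        Write-Output "  allows  $action"
    }
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($r.Id)'"
    foreach ($a in $assignments) {
        # Principals can be users, groups or service principals; resolve the name generically.
        $principal = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
        $name = $principal.AdditionalProperties['displayName']
        Write-Output "  held by $name [$($a.PrincipalId)] at scope $($a.DirectoryScopeId)"
    }
}

# 2. Tighten: replace one role's permission list. This is a full replacement, not a merge,
#    so list every action the role should keep.
$roleName = "App Registration Credential Manager"
$role = $customRoles | Where-Object DisplayName -eq $roleName
if (-not $role) { throw "Custom role '$roleName' not found" }

$tightened = @{
    rolePermissions = @(
        @{ allowedResourceActions = @("microsoft.directory/applications/credentials/update") }
    )
}
Update-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id -BodyParameter $tightened
Write-Output "Tightened permissions on '$roleName'"

# 3. Remove one group's assignment (the portal's "Remove assignments" step).
$groupName = "SG-AppCredentialManagers"
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if ($group) {
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
        Where-Object PrincipalId -eq $group.Id |
        ForEach-Object {
            Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $_.Id
            Write-Output "Removed assignment of '$roleName' from group '$groupName'"
        }
}

# 4. Delete the role, but only once nobody holds it, so no principal silently loses access.
$remaining = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'")
if ($remaining.Count -gt 0) {
    Write-Warning "Role '$roleName' still has $($remaining.Count) assignment(s); not deleting."
} else {
    Remove-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id
    Write-Output "Deleted custom role '$roleName'"
}
```

The audit loop in step 1 is the part worth scheduling: run on its own it gives you a plain-text record of every custom role, its permission list and its holders, which is what you need when reviewing whether a role has drifted beyond the task it was created for.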

Azure AD Custom Roles: Create & Manage Custom Roles for Azure AD Conclusion

Even with a large catalogue of built-in roles, custom roles in Azure AD are sometimes necessary to meet business needs. The primary reason, as this article explained, is to avoid granting users permissions beyond what their task requires.

We then walked through creating a custom role and granting it permissions, and through giving users and groups those permissions by assigning them to the role.

Finally, the article concluded by examining the steps for editing or deleting a custom role, as well as modifying user assignments.



Victor Ashiedu


Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
