
Azure AD Roles and Permissions: Assign & Manage Roles for Users & Groups

Are you an IT admin who wants to learn about Azure AD roles and their significance in assigning and managing permissions for users and groups?

It is crucial to learn each concept to understand the relationship between Azure AD roles, users, groups, and permissions. 

Next, we explain Azure AD roles, representing the next level in the “role user group permission” relationship.

To bring all the concepts together, the article discusses how users and groups inherit permissions when roles are assigned to them.

Finally, it provides detailed instructions on how to assign Azure AD roles to users or groups using different methods.

Azure AD Users, Groups and Group Memberships

The basic level of permission in Azure AD is called “Identity,” which includes anything that is authenticated. Examples of identities are users with usernames and passwords, and applications or servers that require authentication.

This article focuses on Identity as a user that is authenticated.

Once a user authenticates, they receive access to resources through authorization. Therefore, users need permission to be authorized to access resources.

When creating a user, Azure AD automatically grants default permissions to them.

However, an administrator assigns additional permissions to the user utilizing an Azure AD role. Alternatively, permissions are assigned to users by adding them to a group.

It is considered best practice to assign permissions to users through a group rather than directly to the user.

This is where groups in Azure Active Directory come into play. In Azure AD, groups manage users who require access to the same resources.

Once you create a group, all users added to it inherit the permissions assigned to it via Azure AD roles. 

It is essential to note that there are 2 types of groups for managing permissions in Azure AD: security groups and Microsoft 365 groups.

You use a security group to assign permissions and roles to its members. However, during the group creation process, you need to set the security group as role-assignable to assign roles to it.

Once you create a group, you cannot modify this setting.

In contrast, Microsoft 365 groups are designed for collaboration purposes. Members of a Microsoft 365 group access shared mailboxes, teams, files, and other collaboration-enabled resources.

Roles and Permissions in Azure Active Directory

Role Based Access Control (RBAC) constitutes the foundation of Azure AD security. Approx. 60 built-in roles are used to assign and manage permissions.

To find a comprehensive list of these roles and their respective permissions, refer to the “All roles” section on the Azure AD built-in roles page.

Moreover, each role has a predefined set of permissions. To assign permissions associated with an Azure AD role to an object, such as a user or a group, you must assign the role to the object.

Perform this assignment either on the “Role and admins” page within the Azure Active Directory portal or through an Azure AD object’s “Assigned roles” node.

Roles can be assigned directly to users or groups. In addition, dynamic groups allow roles to be assigned automatically, based on defined membership conditions.

Relationships Between Azure AD Roles and Group Permissions

Groups manage multiple users who require access to the same Azure AD resources. However, groups have capabilities that extend beyond that.

For instance, groups are used to assign licenses and deploy apps to their members. Moreover, groups can be used to delegate admin roles, except for Azure AD Global Administrator.

A list of the administrator roles you can delegate using groups is available in Microsoft's documentation.

Furthermore, use groups to assign permissions to SharePoint sites or external SaaS apps.

Remember that assigning roles to groups requires an Azure AD Premium P1 license. Performing the task also requires the “Privileged Role Administrator” role.

Azure AD also provides dynamic groups, which can be used for role assignments.

Dynamic groups automatically add users who meet the membership query criteria defined for the group. This automated process saves significant administrative time for large organizations compared to manual group assignments.

How to Assign Azure AD Roles to Users and Groups

Follow one of the methods below to assign Azure AD roles to users or groups.

First of all, sign in to the Azure portal via portal.azure.com. Search for and open “Azure Active Directory.”

Method 1 of 3: Assign Roles to Users or Groups from the “Roles and administrators” Interface

The most convenient way to assign Azure AD roles is via the “Roles and administrators” interface in the Azure Active Directory portal.  

Follow these steps:

1. On the Azure Active Directory menu, click “Roles and administrators.”

2. Next, once the “Roles and administrators” page opens, click the Azure AD role whose permissions you want to grant to users and groups. To find a role faster, search for it.

3. Click “Add assignments” on the assignments page of the role. This page also lists all users and groups currently assigned this role. 

4. Once the “Add assignments” page opens, click the “No members selected” link. Finally, on the “Select a member” flyout, choose all the users and groups you want to assign the role to and click Select.

Note that the flyout displays only groups that are eligible for role assignment.

Use the search functionality to find users and groups instead of scrolling through the list.


Method 2 of 3: Assign Azure AD Roles from the Users Interface

Another method to assign Azure AD roles to users is by opening the user’s Azure Active Directory portal page. Here are the steps:

1. Click the “Users” menu on the Azure Active Directory Portal. Then, select a user by clicking it. 

2. Once the user opens, click “Assigned roles.” Then, click “+ Add assignment.”

3. Next, from the “Select role” drop-down, select the Azure AD role whose permissions you want the user to inherit. After selecting the role, click Next.

4. Finally, if you have the Privileged Identity Management (PIM) license, the last page displays the “Assignment type” option. The “Maximum allowed eligible duration” option is also available for PIM.

Select your settings and click Assign.

Method 2 of 3: Assign Azure AD Roles from the Group Interface

To assign Azure AD roles to role-assignable groups, follow the steps below:

1. Click “Groups” on the Azure Active Directory portal.

2. Azure AD lists all the groups. However, you can only assign roles to groups for which this feature has been enabled.

Therefore, to see groups enabled for role assignment, click “Manage view” and select “Edit columns.” 

3. Check the “Role assignments allowed” checkbox on the Columns flyout and click Save. You may also uncheck “Object Id,” “Membership type,” “Email,” and “Source” to reduce the number of columns.

These columns are checked by default. However, the “Role assignments allowed” column is unchecked by default.

4. After enabling the page to display whether a group is role-assignable, select the right group. 

Remember that if you open a group for which this feature was not enabled during its creation, it will not display Azure AD roles.

5. Once the group opens, click “Assigned roles” on the menu, then click “Add assignments.”

6. Choose a role from the “Select role” drop-down and click Next. Finally, select role assignment options and click Assign.
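The same procedure (create a role-assignable group, assign a role to it, then check the role's assignments page as in Method 1) done with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article; it assumes the Microsoft.Graph module is installed, the signed-in account holds Privileged Role Administrator, the tenant has Azure AD Premium P1, and the role and group names are placeholders.

```powershell
# Added example, not from the original article: the "assign a role to a
# role-assignable group" procedure done with the Microsoft Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph module is installed, the signed-in account
# holds Privileged Role Administrator, and the tenant has Azure AD Premium P1.
# "Helpdesk Administrator" and "SG-Helpdesk-Admins" are placeholder names.

# RoleManagement.ReadWrite.Directory is required both to create a
# role-assignable group and to create the role assignment itself.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.ReadWrite.All"

$roleName  = "Helpdesk Administrator"
$groupName = "SG-Helpdesk-Admins"

# Step 1: resolve the built-in role, as you would on "Roles and administrators".
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Built-in role '$roleName' not found" }

# Each role carries a predefined permission set; this is what the "All roles"
# page lists for the role.
$role.RolePermissions.AllowedResourceActions

# Step 2: create a security group with "Azure AD roles can be assigned" on.
# IsAssignableToRole can only be set at creation time and is immutable afterwards.
$group = New-MgGroup -DisplayName $groupName -MailNickname "sg-helpdesk-admins" `
    -MailEnabled:$false -SecurityEnabled -IsAssignableToRole

# Step 3: assign the role to the group. DirectoryScopeId "/" scopes the
# assignment to the whole tenant, which is what "Add assignments" does when
# no administrative unit is chosen.
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id -PrincipalId $group.Id -DirectoryScopeId "/"
"Assignment {0} created for role '{1}'" -f $assignment.Id, $role.DisplayName

# Step 4: verify from the role's side, as the role's assignments page does.
# Every principal returned here (user or group) holds the role's permissions;
# members of a listed group inherit them.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    ForEach-Object {
        $principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
        [pscustomobject]@{
            Principal = $principal.AdditionalProperties.displayName
            Type      = $principal.AdditionalProperties.'@odata.type'
            Scope     = $_.DirectoryScopeId
        }
    }
```

The final listing is the place to audit regularly: a group entry there means every member of that group, current and future, holds the role.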

Assign Azure AD Roles via Dynamic Groups

Azure AD also allows you to use dynamic groups to assign Azure AD roles to users automatically.

Here are the steps to create a dynamic Azure AD group that automatically assigns roles to its members. 

1. On the Groups page of the Azure Active Directory portal, click “New group.” 

2. When the “New Group” page opens, name the group, and select the dynamic assignment type from the “Membership type” drop-down. Selecting “Dynamic User” or “Dynamic Device” displays the “Add dynamic query” link.

Make sure the “Azure AD roles can be assigned” switch is turned on.

3. Click the “Add dynamic query” link to build a dynamic query that adds users automatically to the group.

4. Once the “Dynamic membership rules” page opens, click “edit,” then build your query. Microsoft's documentation explains the syntax for dynamic membership rules.

5. On the “Edit rule syntax” flyout, enter your rule and click OK. Then, on the dynamic membership query page, click Save.

I built a simple rule that adds users to my group by the user’s department.

6. Finally, review the settings on the ‘New Group’ page and click Create.

To check that your dynamic rule works, open the group and click the ‘Members’ menu. If your rule is correct and some users meet the criteria, they should be dynamically added as group members.

After creating the dynamic group, assign Azure AD roles to the group. After these steps, all users dynamically added to the group automatically inherit the permissions of the roles assigned to the group. 
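Steps 3 to 5 above (the department-based membership rule) and the “Members” check, done with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article; it assumes the Microsoft.Graph module is installed, that “Finance” is a placeholder department value, and that the group name is invented.

```powershell
# Added example, not from the original article: create a dynamic user group
# from a department rule, then compare its members against the same criteria
# expressed as a user query. Assumptions: Microsoft.Graph is installed,
# "Finance" is a placeholder department, the group name is invented.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# The rule exactly as it would be typed on the "Edit rule syntax" flyout:
# users whose department is Finance and whose account is enabled.
$rule = '(user.department -eq "Finance") -and (user.accountEnabled -eq true)'

$group = New-MgGroup -DisplayName "DYN-Finance-Users" -MailNickname "dyn-finance-users" `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Azure AD evaluates the rule asynchronously; give it time before checking.
Start-Sleep -Seconds 60

# Actual members the rule pulled in (what the group's "Members" menu shows).
$actual = Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName } | Sort-Object

# Expected members: the same criteria as a direct user query.
$expected = Get-MgUser -Filter "department eq 'Finance' and accountEnabled eq true" -All |
    Select-Object -ExpandProperty UserPrincipalName | Sort-Object

# No output means the rule matched exactly the intended users. A "<=" line is a
# user the rule missed (still processing, or the rule is wrong); a "=>" line is
# a user the rule admitted that the query did not, which matters once the group
# carries a role, because that user inherits the role's permissions.
Compare-Object -ReferenceObject @($expected) -DifferenceObject @($actual)
```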

Azure AD Roles and Permissions: Assign & Manage Roles for Users & Groups Conclusion

In conclusion, this article explored the essential aspects of Azure AD roles and permissions. Specifically, it focused on how to effectively assign and manage roles for users and groups.

We explained the concepts of Azure AD users, groups, and group memberships, highlighting their significance in role assignments. We also examined the roles and permissions framework in Azure Active Directory.

The article emphasizes the relationships between Azure AD roles and group permissions.

Furthermore, it presented 3 methods for assigning Azure AD roles to users and groups. Method 1 involved utilizing the “Roles and admins” interface, while Method 2 covered assigning roles from users and group interfaces.

We also considered using dynamic group membership as the third method to assign Azure AD roles to users.

By understanding these methods and leveraging the power of Azure AD, admins efficiently assign and manage roles to ensure proper access and permissions for users and groups within their organizations.



Victor Ashiedu


Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and PowerShell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
