Azure Identity And Access Management Part 3 – Azure Active Directory – Create Custom Directory Role & Assign Role using Power-Shell

Hello Friends,

I hope you all are doing good . In our last article we have discussed about the Azure Active Directory – Enterprise Users. In this article, we will continue with Azure AD and today we will see how to create a custom directory role and how to assign it to a test user. We will use power-shell script to achieve our requirement. At the end we’ll attach the complete script in this article.

If you have missed our previous articles on Azure Identity And Access Management (IAM), please check it in following links.

Part 1 – Azure Active Directory – Overview

Part 2 – Azure Active Directory – Enterprise Users

Next Article : Part 4 – Azure Active Directory – Create Azure AD Extension Attribute Using Power-Shell

Azure Role in Azure AD:

Microsoft gives us several built-in roles for Azure AD as well as for Azure resources, but we can define custom roles if we need more customize one than what the built-in roles provide. The list of built-in roles for  Azure directory roles can be found here. which are always evolving. So new roles are coming and old are deprecating. A role definition objects contain the definition of the built-in or custom role, along with the permissions that are granted by that role assignment

Azure Role Assignment in Azure AD:

Role assignments are the way we control access to Azure resources. It defines how one can access resources in Azure. A role assignment consists of following three elements.

• Security Principals : A security principal represents the user that is to be assigned access to Azure AD resources. It can be user, group, service principal or managed identity.
• Role Definition : A role definition lists the operations that can be performed on Azure AD resources.
• Scope : When we assign a role, we can specify a scope that limits the administrator’s access to a specific resource. .

Custom Role Definition In Azure AD:

Sometimes built-in role does not fulfill our requirement . In that case we are allowed to create and assign Custom Role. We can create custom role through portal . In this article I am using power-shell to create and assign the new custom role.

Create Custom Role :

The New-AzureADMSRoleDefinition cmdlet creates an Azure Active Directory (Azure AD) role definition. As shown in the following figure, I am going to create “Knowledge Junction Administrator” custom role.

After create the custom role, let’s verify that, if the role has been crated successfully or not. Following figure sows the details of the newly created role also we can see there is no assignment yet.

Assign Role To User :

we are ready with our custom role. Before we assign the role to user, let’s check the permission of the user. For that open another browser tab (preferably using Incognito, InPrivate, or whatever your browser calls a private session) and log into Azure portal as the test user. Once logged in, open Azure AD and browse to the App Register and select the app (Knowledge Junction )where, our test user should add new owners.

As we can see in the above figure, our test user does not have sufficient rights to add new Owners for Knowledge Junction application. Now let’s assign our custom Role ( Knowledge Junction Administrator) to our test user using power-shell as shown in the following figure.

As we can see in the following figure, the Knowledge Junction Administrator role has assigned to our test user Uday .

Testing Role Assignment:

Test the role assignment by browsing to the App registrations blade, selecting a cloud app (Knowledge Junction), and selecting the Owners setting. As shown in following Figure,now the custom role holder is able to add new owner.

Essential Power-Shell Commands :

Following are few more power-Shell commands to manage Directory Roles and assignments.

• Get-AzureADMSRoleAssignment : Gets information about role assignments in Azure AD
• Get-AzureADMSRoleDefinition : Gets information about role definitions in Azure AD.
• Remove-AzureADMSRoleAssignment : Removes a role assignment.
• Remove-AzureADMSRoleDefinition : Removes a role definition.
• Set-AzureADMSRoleDefinition : Update a role definition.

Please find the complete script here to download.

Next Article : Part 4 – Azure Active Directory – Create Azure AD Extension Attribute Using Power-Shell

Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.

If you have any suggestion / feedback / doubt, you are most welcome. Stay tuned on Knowledge-Junction, will come up with more such articles.

Thanks for reading 🙂 .