Friday, January 3, 2020

Azure Active Directory and Role Delegations






If you are designing access to O365 resources in your tenant for the supporting teams, you are probably familiar with avoiding the "Default" Access Role groups and instead creating custom RBAC role groups tailored to your needs. To tighten security you might also consider removing some of the cmdlets that come with the default role assignments. Such work is always tedious but important, in my opinion. Of course you can use the default role groups if you are a small shop and not worried about creating a mess in the directory services.

Creating custom RBAC roles becomes valuable and necessary in large enterprises. This way you can manage membership of the custom RBAC AD security groups on premises and delegate the access your supporting teams need.

Working with Azure Active Directory, you will realize that you cannot add AD security groups to any of the default role groups; the only options available are to add users and service principals.

I am not sure when the MS Azure team will consider fixing this issue; until then, stay tuned and start looking for a workaround. Using PowerShell to add individual users is a fairly simple task; however, the mess I mentioned earlier comes into play when you do it that way, and it adds operational burden for your supporting teams.
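One way to keep the PowerShell workaround from turning into that mess is to treat the on-premises-synced security group as the source of truth and reconcile the directory role against it on a schedule, reporting anyone who was added to the role directly. The script below is an added example, not the author's code; it assumes the AzureAD PowerShell module is installed, that Connect-AzureAD has already been run with an account allowed to manage role membership, and that the group and role names are placeholders you replace with your own.

```powershell
# Added example (not from the original post): reconcile an Azure AD directory
# role's membership with an on-premises-synced security group.
# Assumptions: AzureAD module installed, Connect-AzureAD already run, and the
# GroupDisplayName / RoleDisplayName defaults below are placeholders.

param(
    [string]$GroupDisplayName = 'RBAC-ExchangeAdmins',    # placeholder synced AD security group
    [string]$RoleDisplayName  = 'Exchange Administrator', # built-in directory role
    [switch]$Apply                                        # without -Apply, only report drift
)

# Resolve the group; its membership is managed on premises and synced up.
$group = Get-AzureADGroup -Filter "DisplayName eq '$GroupDisplayName'"
if (-not $group) { throw "Group '$GroupDisplayName' not found" }

# Resolve the directory role. A built-in role is only listed once it has been
# activated in the tenant, so activate it from its template if necessary.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleDisplayName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate |
        Where-Object { $_.DisplayName -eq $RoleDisplayName }
    if (-not $template) { throw "Role '$RoleDisplayName' not found" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Desired state: user members of the group. Current state: users in the role.
$desired = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' }
$current = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectType -eq 'User' }

$toAdd    = $desired | Where-Object { $_.ObjectId -notin $current.ObjectId }
$toRemove = $current | Where-Object { $_.ObjectId -notin $desired.ObjectId }

# Report drift first. A user in the role but not in the group is a standing
# assignment that bypassed the on-premises group, which is the "mess" to avoid.
foreach ($u in $toAdd)    { Write-Output "MISSING  $($u.UserPrincipalName) -> $RoleDisplayName" }
foreach ($u in $toRemove) { Write-Output "EXTRA    $($u.UserPrincipalName) in $RoleDisplayName" }
if (-not $toAdd -and -not $toRemove) { Write-Output "OK       $RoleDisplayName matches $GroupDisplayName" }

# Only change membership when explicitly asked to.
if ($Apply) {
    foreach ($u in $toAdd) {
        Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $u.ObjectId
    }
    foreach ($u in $toRemove) {
        Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $u.ObjectId
    }
}
```

Run it without -Apply first and review the MISSING/EXTRA lines; the EXTRA lines are the direct assignments the post is worried about, and the script will remove them once -Apply is given, so make sure the group really is complete before doing that. Note that the AzureAD module has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK; the reconcile logic is the same, only the cmdlets change.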



Useful links to read more about the Roles

Casey, Dedeal
Azure Certified Solutions Architect
AWS Certified Cloud Practitioner 

