VNJoe asked sikumars commented

Why can't an existing group be assigned 'role assignable' in this new platform?

Why can't an existing group be assigned 'role assignable'? Why do we have to remove and recreate all our groups to be able to assign them a role?

azure-ad-group-management

@VNJoe,
I would like to check in and see if you had any other questions. Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

0 Votes 0 ·

Yes. Your answer doesn't answer 'Why'. It only says 'This is how it's set up now.'

Why did the software design team decide that hundreds of thousands of groups shouldn't be taken into consideration in the security model? That it's fine to proceed thinking these groups can be deleted and recreated by thousands of companies globally?

So, again, why is it this way?

And I'm not going to some feedback portal. I don't have enough hours in my day to keep up with all the places we get redirected to give this team or that team feedback. It's Microsoft's job to consider all the platforms they offer for feedback and file the details where they need to be, not mine.

Thanks for the explanation, but still want to know why this was overlooked.

1 Vote 1 ·

@VNJoe

Sorry for the inconvenience, and I agree it would have been great if existing groups could be made 'role assignable.' These groups, by nature of being 'roleAssignable,' have special properties that prevent them from using existing groups.

Having these extra characteristics will most likely be the reason for the restriction we have, from an architectural standpoint.

However, I have already shared your feedback with our product team in order to enhance our product; I will keep you posted as soon as I have a further update.

Thank you for your time and patience throughout this issue.

0 Votes 0 ·

1 Answer

sikumars answered

@VNJoe,

Thanks for reaching out.

Existing groups cannot be converted to role assignable, and groups created as role assignable can't be converted to non-assignable, because the isAssignableToRole property is immutable. Once a group is created with this property set, it can't be changed as of today due to product restrictions.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept#restrictions-for-role-assignable-groups

However, I would encourage you to share your thoughts on this through the Azure Feedback Portal, as our product team regularly monitors feedback there and may consider it for future releases. Link: .


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
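An added example, not part of the original answer and not Microsoft's code: because isAssignableToRole can only be set when a group is created, this dry-run planner builds the Microsoft Graph v1.0 requests needed to recreate an existing security group as role-assignable and re-add its members. The group names, ids, the `-ra` suffix and the `{new-group-id}` placeholder are assumptions made for illustration; nothing is sent to Graph.

```python
GRAPH = "https://graph.microsoft.com/v1.0"

def plan_recreation(group, members, suffix="-ra"):
    """Dry run: return (requests, skipped_member_ids); nothing is sent to Graph."""
    if "DynamicMembership" in group.get("groupTypes", []):
        raise ValueError("role-assignable groups need assigned (not dynamic) membership")
    if not group.get("securityEnabled"):
        raise ValueError("isAssignableToRole requires securityEnabled to be true")
    requests = [{
        "method": "POST",
        "url": f"{GRAPH}/groups",
        "body": {
            "displayName": group["displayName"] + suffix,
            "mailNickname": group["mailNickname"] + suffix,
            "mailEnabled": False,
            "securityEnabled": True,
            "isAssignableToRole": True,  # immutable, so it must be set at creation
        },
    }]
    skipped = []
    for m in members:
        if m.get("@odata.type") == "#microsoft.graph.group":
            skipped.append(m["id"])  # nested groups are not supported as members
            continue
        requests.append({
            "method": "POST",
            # {new-group-id} is a placeholder for the id returned by the create call
            "url": f"{GRAPH}/groups/{{new-group-id}}/members/$ref",
            "body": {"@odata.id": f"{GRAPH}/directoryObjects/{m['id']}"},
        })
    return requests, skipped

# Constructed sample data (hypothetical names and ids), shaped like Graph output.
SAMPLE_GROUP = {"displayName": "Helpdesk", "mailNickname": "helpdesk",
                "securityEnabled": True, "groupTypes": []}
SAMPLE_MEMBERS = [
    {"@odata.type": "#microsoft.graph.user", "id": "user-1"},
    {"@odata.type": "#microsoft.graph.user", "id": "user-2"},
    {"@odata.type": "#microsoft.graph.group", "id": "nested-group-1"},
]

if __name__ == "__main__":
    reqs, skipped = plan_recreation(SAMPLE_GROUP, SAMPLE_MEMBERS)
    for r in reqs:
        print(r["method"], r["url"], r["body"])
    print("skipped (nested groups):", skipped)
```

The recreated group receives a new object id, so anything that referenced the old group's id has to be repointed before the old group is deleted.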

