petersonal-8794 asked:

custom azure AD role creation problem

I would like to create a custom Azure AD role. I would like to create a new role similar to Authentication administrator but with fewer permissions. The Authentication administrator role permissions start with "microsoft.directory/users/authenticationMethods/create". This is not available in the New custom role (https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators) page in the permissions tab. Okay, I do it with PowerShell. I was following the https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadmsroledefinition?view=azureadps-2.0 documentation and added only one Allowed resource action (microsoft.directory/users/authenticationMethods/create) to test if it is working.
Error says:
New-AzureADMSRoleDefinition : Error occurred while executing NewAzureADMSRoleDefinition
Code: Request_BadRequest
Message: Action 'microsoft.directory/users/authenticationMethods/create' is not supported for Custom Role creation. -->But why?!
InnerError:
RequestId: some-id
DateTimeStamp: Thu, 31 Mar 2022 06:51:34 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:20 char:16
+ ... stomAdmin = New-AzureADMSRoleDefinition -RolePermissions $rolePermiss ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADMSRoleDefinition], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.MSGraphV10.Client.ApiException,Microsoft.Open.MSGraphV10.PowerShell.NewAzureADMSRoleDefinition

The user who ran the PowerShell script has global admin access and the tenant has an AAD P1 licence. What am I missing, or doing wrong?
I can work with other solutions, like copying the existing built-in role and setting the NotActions to deny the granted built-in permissions.

Tags: azure-active-directory, azure-rbac
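As an added example (not code from the question, the Microsoft docs, or the AzureAD module's own samples), the following script shows the same New-AzureADMSRoleDefinition procedure built around actions from the application-management family, which is the family custom roles accept, and it catches the Request_BadRequest shown in the question so that an unsupported action is reported by name rather than aborting the script. It assumes the AzureAD (or AzureADPreview) module is installed, Connect-AzureAD has already been run with a Global Administrator or Privileged Role Administrator account, and the tenant has Azure AD P1. The three action strings, the role name and the helper function name are assumptions for illustration; confirm the actions against the Permissions tab of the portal's "New custom role" page before relying on them.

```powershell
# Added example: build a least-privilege custom Azure AD role and surface the
# "not supported for Custom Role creation" rejection cleanly.
# Assumes: AzureAD module imported and Connect-AzureAD already executed.

# Actions assumed to belong to the custom-role supported set (application management).
# An action such as microsoft.directory/users/authenticationMethods/create (from the
# question) is NOT in that set and would make the create call below throw.
$allowedActions = @(
    'microsoft.directory/applications/standard/read',
    'microsoft.directory/applications/basic/update',
    'microsoft.directory/applications/credentials/update'
)

function New-LeastPrivilegeCustomRole {
    # Hypothetical helper name; wraps New-AzureADMSRoleDefinition from the AzureAD module.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Description,
        [Parameter(Mandatory)][string[]]$AllowedResourceActions
    )

    # RolePermissions expects a List[RolePermission]; build it with the module's own type.
    $permission = New-Object Microsoft.Open.MSGraph.Model.RolePermission
    $permission.AllowedResourceActions = $AllowedResourceActions
    $permissions = New-Object 'System.Collections.Generic.List[Microsoft.Open.MSGraph.Model.RolePermission]'
    $permissions.Add($permission)

    try {
        # IsEnabled $true makes the role assignable immediately; use $false to stage it
        # for review before anyone can be assigned to it.
        return New-AzureADMSRoleDefinition `
            -RolePermissions $permissions `
            -DisplayName $DisplayName `
            -Description $Description `
            -TemplateId ([guid]::NewGuid().Guid) `
            -Version '1.0' `
            -IsEnabled $true
    }
    catch {
        # The directory rejects the whole definition if any single action is outside the
        # custom-role supported set; pull the offending action out of the error message.
        $message = $_.Exception.Message
        if ($message -match "Action '([^']+)' is not supported for Custom Role creation") {
            Write-Warning ("Custom roles cannot carry '{0}'. Drop it, or fall back to a " +
                           "built-in role, optionally scoped to an administrative unit.") -f $Matches[1]
        }
        throw
    }
}

$role = New-LeastPrivilegeCustomRole `
    -DisplayName 'App Credential Maintainer (custom)' `
    -Description 'Read app registrations and rotate their credentials; nothing else.' `
    -AllowedResourceActions $allowedActions

# Read the definition back: the stored permission set is what audits and access
# reviews will see, so confirm nothing beyond the intended actions was persisted.
$stored = Get-AzureADMSRoleDefinition -Id $role.Id
"Created role {0} ({1})" -f $stored.DisplayName, $stored.Id
$stored.RolePermissions | ForEach-Object { $_.AllowedResourceActions }
```

Keep the action list as short as the task needs; a custom role that only reads and updates application credentials is a far smaller blast radius than Application Administrator, and the read-back at the end gives you a record to compare against the intended set during later reviews.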

michev answered:

Custom roles do not support all actions, in fact they support almost no action currently. What's supported is application management/registration, management of service principals, and management of Groups. Not much else. Basically, if it's not in the list exposed in the Azure AD blade, you cannot use it.


petersonal-8794 commented:

Well, this sounds quite bad. Then why is the option available to the full public if I cannot use it with full settings? - never mind.
If I understand right, I cannot achieve what I am looking for, right?

michev commented:

It's a work in progress. Just yesterday, they announced support for device actions, but it will likely take at least a year to have support across all of the operations you can perform within Azure AD. For the time being, what you are asking for is not possible, unfortunately.

petersonal-8794 answered:

Okay, thanks.
