I would like to create a custom Azure AD role. I would like to create a new role similar to Authentication administrator but with fewer permissions. The Authentication administrator role permissions start with "microsoft.directory/users/authenticationMethods/create". This is not available in the New custom role (https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators) page in the permissions tab. Okay, so I do it with PowerShell. I was following the https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadmsroledefinition?view=azureadps-2.0 documentation and added only one Allowed resource action (microsoft.directory/users/authenticationMethods/create) to test whether it is working.
Error says:
New-AzureADMSRoleDefinition : Error occurred while executing NewAzureADMSRoleDefinition
Code: Request_BadRequest
Message: Action 'microsoft.directory/users/authenticationMethods/create' is not supported for Custom Role creation. --> But why?!
InnerError:
RequestId: some-id
DateTimeStamp: Thu, 31 Mar 2022 06:51:34 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:20 char:16
+ ... stomAdmin = New-AzureADMSRoleDefinition -RolePermissions $rolePermiss ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADMSRoleDefinition], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.MSGraphV10.Client.ApiException,Microsoft.Open.MSGraphV10.PowerShell.NewAzureADMSRoleDefinition
The user who ran the PowerShell script has Global Administrator access and the tenant has an Azure AD P1 licence. What am I missing, or doing wrong?
I can work with other solutions, like copying the existing built-in role and setting the not actions to deny the granted built-in permissions.
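The post tests a single action by hand and gets a Request_BadRequest back. The script below, an added example that is not part of the original post, generalizes that test: it reads every allowed resource action of a built-in role (Authentication Administrator by default, an assumption you can change), tries to create a throw-away custom role containing only that one action, records whether the service accepted or rejected it, and deletes each probe role straight away. The RolePermission object and the New-AzureADMSRoleDefinition call follow the documented cmdlet parameters; the probe loop, the role names, the error-text match and the cleanup are this example's own. It assumes the AzureAD v2 module is installed and that you are signed in with Connect-AzureAD as a Global Administrator or Privileged Role Administrator.

```powershell
# Added example (not from the original post): find out which of a built-in
# role's allowed resource actions Azure AD accepts in a custom role definition.
# Assumes the AzureAD (v2) module and a Connect-AzureAD session with rights to
# create and delete role definitions.

Connect-AzureAD | Out-Null

# Built-in role to use as the list of candidate actions (assumption; change as needed).
$templateRoleName = 'Authentication Administrator'

$builtIn = Get-AzureADMSRoleDefinition -Filter "displayName eq '$templateRoleName'"
if (-not $builtIn) { throw "Built-in role '$templateRoleName' not found in this tenant." }

# Flatten every allowed action the built-in role grants into one list.
$candidateActions = $builtIn.RolePermissions | ForEach-Object { $_.AllowedResourceActions }

$supported   = New-Object System.Collections.Generic.List[string]
$unsupported = New-Object System.Collections.Generic.List[string]

foreach ($action in $candidateActions) {
    # One probe role per action, so a rejection points at exactly one action.
    $perm = New-Object -TypeName Microsoft.Open.MSGraph.Model.RolePermission
    $perm.AllowedResourceActions = @($action)

    try {
        $probe = New-AzureADMSRoleDefinition `
            -RolePermissions $perm `
            -DisplayName ('probe-' + [guid]::NewGuid().ToString('N').Substring(0, 8)) `
            -Description 'Temporary probe role created by a test script; safe to delete' `
            -ResourceScopes @('/') `
            -IsEnabled $true `
            -TemplateId ([guid]::NewGuid().ToString())

        $supported.Add($action)
        # Delete the probe immediately so no test roles remain in the tenant.
        Remove-AzureADMSRoleDefinition -Id $probe.Id
    }
    catch {
        # The rejection text is taken from the error shown in the post; any other
        # failure (auth, throttling, transient) is surfaced rather than swallowed.
        if ("$_" -match 'not supported for Custom Role creation') {
            $unsupported.Add($action)
        }
        else {
            Write-Warning "Unexpected error while probing '$action': $_"
        }
    }
}

'Actions accepted in a custom role definition:'
$supported   | ForEach-Object { "  $_" }
'Actions rejected for custom role creation:'
$unsupported | ForEach-Object { "  $_" }
```

Every probe creates and deletes a role definition, so each run leaves a trail of "Add role definition" and "Delete role definition" entries in the directory audit log; run it from an account and at a time where that is expected, and review the warnings list, since an action that failed for a reason other than the documented rejection message is reported separately rather than counted as unsupported.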