Hallo HarshitaSingh, unfortunately, there is no option in the Azure AD Roles?

https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator

The Problem is some users are into up to 500 Groups, the requesting app product owner commented, the token size getting to big then.

Hi piaudonn its a set of groups what are related to the application and needed there. not for access control.

Oh thats sad, one question how can i set the scope for this custom role to just one single app? i guess in the

"resourceScopes": [
"/"
],

but idk exacly the notation.

Hello HarshitaSingh, i did not have the time yet to work on this. But its sad that it isnt possible in the easy way like the other roles.

Hello Ian Xue, thank you for the help, one question how could i send a list of groups here in this example like ?

 $group= "CN=group1,OU=testou,DC=contoso,DC=com", "CN=group2,OU=testou,DC=contoso,DC=com"

Is this also getting nested Members in this Group?

Hello tbgangav it worked in help with the document very well. Thank you alot.

Its a little embarrassing but i forgot to publish it, so now the warning works. with write-error i struggle still but warning is enough.

now i will have a look at the Log Analytics workspace and then create alert to notify you via email Option asap.

As you said its not working, i have to go for a group assignment i guess.

@skiumars-msft: thank you for your response i will have a look asap on this and report.

Hello tbgangav at the moment i struggle with the write-error or write-warning in the powershell script i want to run. Works fine in the test run window, at least the warning messages. But on a scheduled Job i just habe the outputstream filled not the warning (error is anyway already in script with errors)?!

Ok Compare-Object i thought about, but the output options for me are not a charm. Thank you very much though.

Hi we tried it now with two CAs but in your second? You exclude the Device states and in Grant you require them or was it a mistake?

Ok got it working i forgot to set acceptMappedClaims to "true" in the manifest.

But i have still some understanding issue. I can also ad optional claims in the manifest, so when i go for this way and when i go for thist option per Policy?