Azure AD Connect Health now supports RBAC for delegated access!
This is a short post. A key ask from our customers using Connect Health is to NOT require Azure AD global administrator access for Connect Health. This prevents them from having to add more people than needed to this role. Fear not anymore!
We just added RBAC support to Azure AD Connect Health. It's pretty simple and looks just like you would assign access for other Azure resources within the portal. All you have to do is to select the role and add users/groups to a specific role.
A few concepts to understand:
- There are 3 types of roles supported in Connect Health. Owners (can do everything), Contributor (can view and make management changes) and Reader (can just view). These roles can be assigned to users or groups
- Scope of Access: You can do this across all your service instances or assign at a per service instance. Typically you would do only manage access across all service instances. However, as we expand to supporting sync and AD DS, we wanted to support isolation based on customer input.
- By default (even though you cannot see it), all Azure AD Global Administrators in your tenant are owners across all service instances. This is the base policy for Connect Health and cannot be changed.
You can find more information on RBAC here.
Note: There's one glitch in the RBAC blade that you may see. When assigning access for the first time, you will see a 'Loading' message on the blade even though it's loaded. Just continue on to manage access. We are investigating this issue.
Feedback always welcome!