Use Microsoft Entra groups to manage role assignments - Microsoft Entra ID (2024)


With Microsoft Entra ID P1 or P2, you can create role-assignable groups and assign Microsoft Entra roles to these groups. This feature simplifies role management, ensures consistent access, and makes auditing permissions more straightforward. Assigning roles to a group instead of individuals allows for easy addition or removal of users from a role and creates consistent permissions for all members of the group. You can also create custom roles with specific permissions and assign them to groups.

Why assign roles to groups?

Consider the example where the Contoso company has hired people across geographies to manage and reset passwords for employees in its Microsoft Entra organization. Instead of asking a Privileged Role Administrator or Global Administrator to assign the Helpdesk Administrator role to each person individually, they can create a Contoso_Helpdesk_Administrators group and assign the role to the group. When people join the group, they're assigned the role indirectly. Your existing governance workflow can then take care of the approval process and auditing of the group's membership to ensure that only legitimate users are members of the group and are thus assigned the Helpdesk Administrator role.

How role assignments to groups work

To assign a role to a group, you must create a new security or Microsoft 365 group with the isAssignableToRole property set to true. In the Microsoft Entra admin center, you set the "Microsoft Entra roles can be assigned to the group" option to Yes. Either way, you can then assign one or more Microsoft Entra roles to the group in the same way as you assign roles to users.


Restrictions for role-assignable groups

Role-assignable groups have the following restrictions:

  • You can only set the isAssignableToRole property or the "Microsoft Entra roles can be assigned to the group" option for new groups.
  • The isAssignableToRole property is immutable. Once a group is created with this property set, it can't be changed.
  • You can't make an existing group a role-assignable group.
  • A maximum of 500 role-assignable groups can be created in a single Microsoft Entra organization (tenant).
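The creation and assignment steps above, and the "new groups only" restriction, in Microsoft Graph PowerShell. This is an added example, not code from the Microsoft article; it assumes the Microsoft.Graph modules are installed, that the signed-in account is a Global Administrator or Privileged Role Administrator, and that the mail nickname and the member object ID placeholder are ours.

```powershell
# Added example (not from the Microsoft article): create a role-assignable
# group and give it the Helpdesk Administrator role, as in the Contoso
# scenario. Assumes Microsoft.Graph modules and a Global Administrator or
# Privileged Role Administrator signing in.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

# isAssignableToRole can only be set when the group is created and is
# immutable afterwards, so the switch goes on New-MgGroup. The group must use
# Assigned membership: no -MembershipRule and no DynamicMembership group type.
$group = New-MgGroup -DisplayName "Contoso_Helpdesk_Administrators" `
    -MailNickname "contoso-helpdesk-admins" `
    -MailEnabled:$false -SecurityEnabled -IsAssignableToRole

# Resolve the role by display name rather than hard-coding its template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Helpdesk Administrator'"

# Tenant-wide ("/") active assignment of the role to the group. Members of the
# group hold the role indirectly from this point on.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId "/"

# Adding a member is an ordinary membership change that now grants the role,
# which is why membership of this group must be governed. Placeholder ID.
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId "<user-object-id>"
```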

How are role-assignable groups protected?

If a group is assigned a role, any IT administrator who can manage group membership could also indirectly manage the membership of that role. For example, assume that a group named Contoso_User_Administrators is assigned the User Administrator role. An Exchange administrator who can modify group membership could add themselves to the Contoso_User_Administrators group and in that way become a User Administrator. As you can see, an administrator could elevate their privilege in a way you didn't intend.

Only groups that have the isAssignableToRole property set to true at creation time can be assigned a role. This property is immutable. Once a group is created with this property set, it can't be changed. You can't set the property on an existing group.

Role-assignable groups are designed to help prevent potential breaches by having the following restrictions:

  • Only Global Administrators and Privileged Role Administrators can create a role-assignable group.
  • The membership type for role-assignable groups must be Assigned and can't be a Microsoft Entra dynamic group. Automated population of dynamic groups could lead to an unwanted account being added to the group and thus assigned to the role.
  • By default, only Global Administrators and Privileged Role Administrators can manage the membership of a role-assignable group, but you can delegate the management of role-assignable groups by adding group owners.
  • For Microsoft Graph, the RoleManagement.ReadWrite.Directory permission is required to be able to manage the membership of role-assignable groups. The Group.ReadWrite.All permission won't work.
  • To prevent elevation of privilege, only a Privileged Authentication Administrator or a Global Administrator can change the credentials or reset MFA or modify sensitive attributes for members and owners of a role-assignable group.
  • Group nesting isn't supported. A group can't be added as a member of a role-assignable group.
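Because anyone who can edit a role-assignable group's membership indirectly controls the role, it is worth periodically listing every group that holds a Microsoft Entra role together with its owners and membership type. The audit below is an added example, not code from the Microsoft article; it assumes the Microsoft.Graph modules and a signed-in reader with at least RoleManagement.Read.Directory and Group.Read.All.

```powershell
# Added audit example (not from the Microsoft article): report every group
# that holds a Microsoft Entra role, whether it is role-assignable and
# non-dynamic, and which owners can manage its membership (and so, in effect,
# the role). Assumes Microsoft.Graph modules and read permissions.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Group.Read.All"

$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal

foreach ($a in $assignments) {
    # Only assignments whose principal is a group are of interest here.
    if ($a.Principal.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.group') { continue }

    $group  = Get-MgGroup -GroupId $a.PrincipalId `
        -Property "id,displayName,isAssignableToRole,groupTypes"
    $role   = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    $owners = Get-MgGroupOwner -GroupId $group.Id -All

    [pscustomobject]@{
        Group          = $group.DisplayName
        Role           = $role.DisplayName
        Scope          = $a.DirectoryScopeId
        # Expected True: the directory refuses role assignments to other groups.
        RoleAssignable = $group.IsAssignableToRole
        # Expected False: dynamic membership is blocked for role-assignable groups.
        Dynamic        = $group.GroupTypes -contains 'DynamicMembership'
        # Owners are delegated membership managers; each can effectively hand
        # out the role, so this list deserves the same review as the role itself.
        Owners         = ($owners | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ', '
    }
}
```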

Use PIM to make a group eligible for a role assignment

If you don't want members of the group to have standing access to a role, you can use Microsoft Entra Privileged Identity Management (PIM) to make a group eligible for a role assignment. Each member of the group is then eligible to activate the role assignment for a fixed time duration.

Note

For groups used for elevating into Microsoft Entra roles, we recommend that you require an approval process for eligible member assignments. Assignments that can be activated without approval can leave you vulnerable to a security risk from less-privileged administrators. For example, the Helpdesk Administrator has permission to reset an eligible user's passwords.
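The eligible assignment and the approval check described above, in Microsoft Graph PowerShell. This is an added example, not code from the Microsoft article; it assumes the Microsoft.Graph modules, a Microsoft Entra ID P2 tenant, and $group and $role objects like those created in the earlier creation step. The one-year expiry and the justification text are ours.

```powershell
# Added example (not from the Microsoft article): make the group eligible for
# the role through PIM instead of giving it standing access, then check that
# the role's PIM policy requires approval for activation. Assumes
# Microsoft.Graph modules, Entra ID P2, and $group / $role objects.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory", "RoleManagementPolicy.Read.Directory"

# Eligible (not active) assignment, tenant-wide, expiring after one year.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest `
    -Action "adminAssign" -Justification "Helpdesk staff elevate via PIM" `
    -PrincipalId $group.Id -RoleDefinitionId $role.Id -DirectoryScopeId "/" `
    -ScheduleInfo @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }

# Activation requirements live in the role's management policy, not in the
# assignment. Find the policy bound to this role at tenant scope ...
$binding = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"

# ... and read its end-user activation approval rule.
$rule = Get-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $binding.PolicyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment"

if (-not $rule.AdditionalProperties['setting']['isApprovalRequired']) {
    Write-Warning "Activation of $($role.DisplayName) does not require approval; require it in PIM."
}
```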

Scenarios not supported

The following scenarios aren't supported:

  • Assign Microsoft Entra roles (built-in or custom) to on-premises groups.

Known issues

The following are known issues with role-assignable groups:

  • Microsoft Entra ID P2 licensed customers only: Even after the group is deleted, it's still shown as an eligible member of the role in the PIM UI. Functionally there's no problem; it's just a cache issue in the Microsoft Entra admin center.
  • Use the new Exchange admin center for role assignments via group membership. The old Exchange admin center doesn't support this feature. If accessing the old Exchange admin center is required, assign the eligible role directly to the user (not via role-assignable groups). Exchange PowerShell cmdlets work as expected.
  • If an administrator role is assigned to a role-assignable group instead of individual users, members of the group will not be able to access Rules, Organization, or Public Folders in the new Exchange admin center. The workaround is to assign the role directly to users instead of the group.
  • Azure Information Protection Portal (the classic portal) doesn't recognize role membership via group yet. You can migrate to the unified sensitivity labeling platform and then use the Microsoft Purview compliance portal to use group assignments to manage roles.

License requirements

Using this feature requires a Microsoft Entra ID P1 license. Using Privileged Identity Management for just-in-time role activation requires a Microsoft Entra ID P2 license. To find the right license for your requirements, see Comparing generally available features of the Free and Premium editions.

Next steps

  • Create a role-assignable group
  • Assign Microsoft Entra roles to groups