Microsoft on Monday announced a preview of IT roles management improvements in the Azure Portal for organizations using the Azure Active Directory identity and access management service.
The preview apparently shows up in the portal when managing other online services, too. Microsoft’s announcement indicated that “roles and administrators is currently in preview for Azure AD and other Microsoft online service roles like Exchange, Intune, CRM, and more.”
The new “Roles and Administrators” preview within the portal shows a list of assigned roles. Users can see the roles assigned to them and the roles that are available. The preview also adds links to detailed descriptions of the built-in roles in the Azure Portal. There appear to be 29 possible Azure AD roles, according to Microsoft’s documentation. The portal also includes descriptions of Microsoft’s new delegated app management roles, which rolled out in preview form last month.
Microsoft’s announcement didn’t explain whether the Roles and Administrators improvements will be available to all Azure AD users or whether they’ll be part of its Azure AD Premium subscription offerings.
Update 7/31: A Microsoft spokesperson clarified that Microsoft isn’t charging extra to use the new views and reports and that an Azure AD Privileged Identity Management subscription isn’t required to use them.
The Roles and Administrators preview does have a link to the Azure Active Directory Privileged Identity Management service, which provides additional management controls, although organizations need to have an Azure AD Premium subscription to use it.
Only privileged role administrators or global administrators have the ability to add or remove members under Microsoft’s role-based access control approach for Azure AD. Typically, the person who set up the Azure AD account gets granted these global administrator privileges.
Microsoft’s optimal guidance for account security has four stages and is described in this document. The optimal approach typically requires having Azure AD Premium plans P1 or P2 licensing in place. Microsoft’s recommendations include restricting administrative access, turning on multifactor authentication for administrators, and using dedicated workstations for administering Azure AD, among other measures.