The ability to assign roles to Azure Active Directory groups is now generally available. Assigning roles to groups can simplify the management of role assignments in Azure Active Directory in two ways:
- Instead of making multiple role assignments to individual users, a Privileged Role Administrator or Global Administrator can assign the role to a group. Your existing governance workflow can then take care of the approval process and auditing of the group’s membership to ensure that only legitimate users are members of the group.
- An owner can be assigned to a group that is assigned to a role. The owner of the group can then manage group memberships and control who can get the role, allowing you to effectively delegate the administration of Azure Active Directory roles and reduce the dependency on a Privileged Role Administrator or Global Administrator.
Note: If you do not have the Azure Active Directory (AAD) Premium P1 or the Azure Active Directory (AAD) Premium P2 license, you can safely ignore this message.
When this will happen
Currently this is generally available for Azure Active Directory groups, and we’ll be extending this in the future to on-premises groups.
- Assigning roles to Azure Active Directory groups requires an Azure Active Directory Premium P1 license.
- Privileged Identity Management requires an Azure Active Directory Premium P2 license.
How this will affect your organization
You can now target Azure AD groups for role assignments. Assigning roles to groups can simplify the management of role assignments in Azure AD with minimal effort from Global Administrators and Privileged Role Administrators.
What you need to do to prepare
Message ID: MC274516