There are two different sets of roles in Azure: Azure role-based access control (RBAC) roles, which grant permissions on provisioned resources defined by the individual services (storage accounts, virtual machines, and so on), and Azure AD directory roles, which operate on the Azure AD directory itself and let you decide who can perform a specific management task (such as reading audit logs or registering an application).
In this section, you will learn how to use that functionality and assign different users to different directory roles.
To get started, you will have to access your Azure AD tenant in the Azure portal. To do so, search for Azure Active Directory in the search box located at the top of the portal:
Now, you will have to find the Roles and administrators blade:
On the next screen, you should be able to see all the available roles and your current role. From here, you will be able to check who has a particular role assigned and its description.
When browsing the available roles, you will see that there are plenty of them (including some whose names are not self-explanatory at first). In fact, they cover not only Azure but other Microsoft services, such as Office 365 or Power BI, as well:
A role with a small ribbon next to its name is a recently introduced or updated role that you may want to read up on in order to understand it better.
Note that these roles apply to your Azure AD directory only: they give you no control over your provisioned resources, but they are a convenient way to grant permissions for directory tasks such as application registration, auditing, or user management. To check what permissions a role grants, click on it and open its Description blade:
Once we know what a specific role grants to a user, we can assign it to a directory entity.
Let's assume that we want to assign a user to the Application Developer role so that they can register applications even if a Global Administrator has turned off the Users can register applications setting for the whole tenant. To do so, go to that role and click the + Add member button:
Now, I only need to search for a specific user and click on the Select button to finish the setup process:
Once the user has been added, they appear in the list of members of this particular role, and the role is also shown when you open the user's Directory role blade.
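The same assignment can be scripted, which is what you want when role membership must be repeatable and reviewable rather than clicked through the portal. The following is an added example, not code from the original page, using the Microsoft Graph PowerShell SDK (Microsoft.Graph module); the user principal name dev.user@contoso.com is a placeholder. It resolves the role (activating it from its template if the tenant has never used it, which the portal does implicitly), adds the user by reference, lists the resulting members, and finally counts Global Administrators, since a tenant with a single one is one lost account away from being unmanageable.

```powershell
# Added example (not from the original page): assign the Application Developer
# directory role with the Microsoft Graph PowerShell SDK instead of the portal.
# Assumptions: the Microsoft.Graph module is installed
# (Install-Module Microsoft.Graph -Scope CurrentUser) and the target user
# dev.user@contoso.com is a placeholder UPN that exists in your tenant.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All" -NoWelcome

function Get-ActivatedDirectoryRole {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Directory roles are defined as templates; a role object only exists under
    # /directoryRoles once it has been activated in the tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$DisplayName'"
    if (-not $role) {
        $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $DisplayName
        if (-not $template) { throw "No directory role template named '$DisplayName'" }
        $role = New-MgDirectoryRole -RoleTemplateId $template.Id
    }
    return $role
}

function Add-DirectoryRoleMember {
    param(
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $role = Get-ActivatedDirectoryRole -DisplayName $RoleName
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
    $existing = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        Where-Object Id -eq $user.Id
    if ($existing) {
        Write-Host "$UserPrincipalName already holds $RoleName"
        return
    }
    # Membership is added by reference to the user's directory object.
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    Write-Host "Added $UserPrincipalName to $RoleName"
}

function Get-DirectoryRoleMemberUpns {
    param([Parameter(Mandatory)][string]$RoleName)
    $role = Get-ActivatedDirectoryRole -DisplayName $RoleName
    # Members are returned as generic directory objects; the UPN (present for
    # users, absent for groups or service principals) sits in AdditionalProperties.
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
}

Add-DirectoryRoleMember -RoleName "Application Developer" -UserPrincipalName "dev.user@contoso.com"
Get-DirectoryRoleMemberUpns -RoleName "Application Developer"

# Guard against locking yourself out of the directory: warn when fewer than two
# accounts hold Global Administrator.
$admins = @(Get-DirectoryRoleMemberUpns -RoleName "Global Administrator")
if ($admins.Count -lt 2) {
    Write-Warning "Only $($admins.Count) Global Administrator(s); add a second, dedicated emergency access account."
}
```

The script needs an account that can manage directory roles (Privileged Role Administrator or Global Administrator); the first Connect-MgGraph call prompts for admin consent to the two Graph scopes. Because it checks existing membership before adding, it can be re-run safely from a pipeline.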
Directory roles are one of the most useful features for quickly setting up proper roles within your Azure AD tenant. Thanks to them, you can easily map different users to different sets of permissions and allow them to perform the management tasks they need.
The important thing here is to always make sure that you have implemented proper security policies for passwords and user credentials, especially for privileged roles. If you assign an important role (such as Global Administrator) to a single person and that person later loses access to their account, you may lose administrative access to the whole directory; keep at least two Global Administrator accounts (one of them a dedicated emergency access account) and require multi-factor authentication for all of them.
Depending on the characteristics of your company, you may or may not need custom roles in your directory. For many scenarios, the extensive list of built-in roles in Azure AD is everything an administrator needs, but you may still face a situation where it is not enough. Whatever your case, remember that directory roles cover a separate set of permissions from resource (RBAC) roles and do not affect the effective permissions a user has when accessing a resource. The next section will help you understand what users actually do by showing you how to monitor their actions.