Azure Active Directory role management offers a range of role management features. The scope of these features depends on the level of the Azure Active Directory license that the user has selected; the license is provided by the corresponding tenant.
Azure AD "Free"
This license includes basic role management functionality. Integrated roles can be used without restrictions. These roles have predefined role definitions. With this license, it is possible to add individual users to integrated roles and remove them. You can create groups.
IMPORTANT: The basic functionality does not include maintaining directory roles in One Identity Manager or using custom roles. These features require the Azure AD P1 or P2 license.
IMPORTANT: Directory roles must be maintained via the Microsoft Azure Portal.
IMPORTANT: This license enables role assignment to individual users. Assigning roles to groups is only possible with the Azure AD P1 or P2 license.
Azure AD Premium P1 - Role Based Access Control (RBAC)
Role-based access control is provided by the Azure Active Directory Premium P1 license. In addition to the basic features, it includes access to role definitions and role assignments. Roles can be assigned to an entire group. This allows consistent role eligibilities within a group. You can create groups.
There are two different types of partial scopes to which role-based access control can be applied.
- Directory object limitation: Role assignments can be limited to specific objects, such as a registered application or a user, within the Azure Active Directory directory. Restricting elements of a defined administrative unit is also possible.
IMPORTANT: This license does not include the functionality of Azure Active Directory Privileged Identity Management.
Azure AD Premium P2 - Privileged Identity Management (PIM)
In addition to the scope limitations already available with role-based access control, this license provides additional functionality to restrict and control role assignments. Privileged Identity Management distinguishes between active role assignments and assignment eligibilities.
Role assignment: A principal is assigned a role.
Role eligibility: A principal has no active role assignment, but can enable a temporary role assignment if required.
Configuration of role policies, such as time limits, is possible for both assignment types. Furthermore, it is possible to create attestations for roles.
NOTE: It is not possible to create role assignments for which multi-factor authentication is mandatory.
NOTE: Due to the constraints of the Microsoft Graph API, the role management feature in One Identity Manager in "PIM" mode only supports global directory scope for active role assignments.
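The distinction between active assignments and eligibilities, and the global-scope restriction for active assignments in PIM mode, can be checked ahead of the switch. The following is an added example, not part of this documentation or of One Identity Manager; it assumes records in the shape of Microsoft Graph unifiedRoleAssignment and unifiedRoleEligibilitySchedule objects (directoryScopeId "/" meaning the whole directory) and uses constructed sample data with placeholder IDs.

```python
"""Audit active role assignments and eligibilities before enabling PIM mode.
Assumption (not from the page): records mirror Microsoft Graph unifiedRoleAssignment and
unifiedRoleEligibilitySchedule objects, where directoryScopeId "/" means the whole directory.
All sample data below is constructed; IDs are placeholders."""
import json
from dataclasses import dataclass

GLOBAL_SCOPE = "/"

ACTIVE_ASSIGNMENTS_JSON = """[
  {"id": "a1", "principalId": "user-0001", "roleDefinitionId": "role-helpdesk", "directoryScopeId": "/"},
  {"id": "a2", "principalId": "group-0007", "roleDefinitionId": "role-app-admin",
   "directoryScopeId": "/administrativeUnits/au-0042"},
  {"id": "a3", "principalId": "user-0002", "roleDefinitionId": "role-app-admin", "directoryScopeId": "/app-0099"}
]"""
ELIGIBILITIES_JSON = """[
  {"id": "e1", "principalId": "user-0003", "roleDefinitionId": "role-global-admin", "directoryScopeId": "/"},
  {"id": "e2", "principalId": "user-0001", "roleDefinitionId": "role-helpdesk", "directoryScopeId": "/"}
]"""

@dataclass(frozen=True)
class RoleGrant:
    principal_id: str
    role_definition_id: str
    scope_id: str
    kind: str  # "assignment" (active) or "eligibility" (activated on demand)

    @property
    def is_global(self) -> bool:
        return self.scope_id == GLOBAL_SCOPE

def load_grants(assignments_json: str, eligibilities_json: str) -> list:
    """Parse both record sets into one list of RoleGrant, tagged by kind."""
    grants = [RoleGrant(a["principalId"], a["roleDefinitionId"], a["directoryScopeId"], "assignment")
              for a in json.loads(assignments_json)]
    grants += [RoleGrant(e["principalId"], e["roleDefinitionId"], e["directoryScopeId"], "eligibility")
               for e in json.loads(eligibilities_json)]
    return grants

def unsupported_active_scopes(grants: list) -> list:
    """Active assignments with a non-global scope: the page says PIM mode only
    supports global directory scope for these, so they need review before the switch."""
    return [g for g in grants if g.kind == "assignment" and not g.is_global]

def eligible_only(grants: list) -> list:
    """(principal, role) pairs held only as an eligibility, i.e. no active assignment."""
    active = {(g.principal_id, g.role_definition_id) for g in grants if g.kind == "assignment"}
    eligible = {(g.principal_id, g.role_definition_id) for g in grants if g.kind == "eligibility"}
    return sorted(eligible - active)
```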
The introduction of Microsoft 365 role management makes extended features available in the Azure Active Directory part of One Identity Manager for managing roles and their members and for limiting role assignments.
With the introduction of Azure Active Directory role management, new and existing synchronization projects are automatically set to basic mode (equivalent to the Azure AD Free license of Microsoft 365). Basic mode includes all the current features of One Identity Manager. The new role management features are accessed by activating RBAC mode (Azure AD P1 license) or PIM mode (Azure AD P2 license). This activation is necessary for existing synchronization projects and also when creating a new synchronization project.
NOTE: All existing Azure Active Directory features remain available in basic mode. It is only necessary to activate RBAC mode or PIM mode if you want to use extended role management features.
To enable extended role management features for RBAC
- In the Synchronization Editor, select the synchronization project.
- Select Workflows.
- Select the Initial Synchronization workflow and click the Enable/disable synchronization step button.
- Disable the DirectoryRole synchronization step.
- Enable the following synchronization steps:
  - RBAC DirectoryRole
  - RBAC DirectoryRole Assignments
- Save the changes.
- Select the Provisioning workflow and click the Enable/disable synchronization step button.
- Disable the DirectoryRole synchronization step.
- Enable the RBAC DirectoryRole Assignments synchronization step.
- Save the changes.
- In the Object Browser, select the AADOrganization table.
- Set the RoleBehavior value to RBAC.
- Save the changes.
To enable extended role management features for PIM
- In the Synchronization Editor, select the synchronization project.
- Select Workflows.
- Select the Initial Synchronization workflow and click the Enable/disable synchronization step button.
- Disable the DirectoryRole synchronization step.
- Enable the following synchronization steps:
  - RBAC DirectoryRole
  - PIM DirectoryRole Assignments
  - PIM DirectoryRole Eligibility
  - PIM DirectoryRole Policies
- Save the changes.
- Select the Provisioning workflow and click the Enable/disable synchronization step button.
- Disable the DirectoryRole synchronization step.
- Enable the following synchronization steps:
  - PIM DirectoryRole Assignments
  - PIM DirectoryRole Eligibility
- Save the changes.
- In the Object Browser, select the AADOrganization table.
- Set the RoleBehavior value to PIM.
- Save the changes.
You are provided with the following general main data of a role.
Table 23: General main data
Property | Meaning
Display name | Name for displaying the role in the user interface of One Identity Manager tools.
Tenant | The tenant's name.
Owner (application role) | Application role whose members can approve IT Shop requests for this administrative unit.
Provider | Provider that manages roles in Azure Active Directory.
Version | Specifies the version of the role definition.
Description | Text field for explanations.
Built-in | Specifies whether the role definition is part of the Azure Active Directory basic settings or a customized definition.
Enabled | Specifies whether the role is available for assignment.
Scoped role assignments for an Azure Active Directory role are displayed on the role's overview form.
To obtain an overview of a scoped role assignment for a role
- In the Manager, select the Azure Active Directory > Roles category.
- Select the role in the result list.
- Select the Azure Active Directory role overview task.
The Azure Active Directory role assignments form element shows the role assignments of the role.