Assign Azure AD role By AD Security Group


Using AD security groups to delegate access to Azure AD roles is not supported at the moment (March 2021). This post offers two workarounds.

Permissions to manage Azure AD and Office 365 are often assigned via Azure AD roles. If you have strong access management processes and tooling for on-prem Active Directory (access request & approval workflow, joiners & leavers, access reviews & reporting, auditing and alerts), you’ll likely want to reuse these to manage access to Azure AD and Office 365.

This would be straightforward if you could simply assign an AD security group to an Azure AD role. For example: <AD_domain>\sec_HelpDeskTeam –> Azure AD Reports Reader role.

Unfortunately this isn’t possible yet. AD security groups can’t be assigned to Azure AD roles. AAD security groups can be assigned to Azure AD roles if they’re switched to “role assignable” mode, but in this mode they can’t have nested AD security groups. There’s just no native way yet to delegate an AAD role to an AD security group.

So here are two options via scripts:

Option 1 - Mirror security group membership to AAD role

Scheduled PowerShell to grab the membership of a security group, including nested groups, and grant the accounts an AAD role. Kick everyone else out of the role.

Users –> Job function AD Security Group –> Nested in AAD security group for role –code–> AAD role

Option 2 - Mirror security group membership to role assignable AAD security group

Scheduled PowerShell to grab the membership of a security group, including nested groups, and copy the members to a role assignable AAD security group. Kick everyone else out of the security group. This second method works well with roles assigned to AAD Administrative Units, where you want to scope access to certain accounts or groups.

Users –> Job function AD Security Group –code–> role assignable AAD security group –> nested in AAD role

Example code for both options here. We’re using the Compare-Object command to find the difference between two lists of users and doing a true-up: accounts in the AD group but not in the AAD role/group are added, and accounts in the AAD role/group but not in the AD group are removed. We suggest creating a hashtable of AD security groups and AAD roles/security groups as key-value pairs and looping through it. As always, test in a non-production environment.
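A combined true-up script covering both options, added here as an illustration (it is not the post’s own script). It assumes the ActiveDirectory and AzureAD PowerShell modules are installed and that Connect-AzureAD has already been run; the AD group, role and AAD group names in the hashtable are placeholders.

```powershell
# Added example, not the post's own script. Assumes the ActiveDirectory and AzureAD
# modules are installed and a Connect-AzureAD session exists. Names below are placeholders.
Import-Module ActiveDirectory
Import-Module AzureAD

# Key = on-prem AD security group; Value = AAD role (Option 1) or role assignable AAD group (Option 2)
$map = @{
    'sec_HelpDeskTeam' = @{ Type = 'Role';  Name = 'Reports Reader' }
    'sec_AU_Admins'    = @{ Type = 'Group'; Name = 'aad_RoleAssignable_AU_Admins' }
}

# Resolve an AD group (including nested groups) to a sorted, de-duplicated list of UPNs
function Get-DesiredUpns([string]$AdGroup) {
    Get-ADGroupMember -Identity $AdGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { (Get-ADUser -Identity $_.distinguishedName).UserPrincipalName } |
        Where-Object { $_ } | Sort-Object -Unique
}

foreach ($adGroup in $map.Keys) {
    $target  = $map[$adGroup]
    $desired = @(Get-DesiredUpns $adGroup)
    # Safety: an empty or unresolvable AD group must never strip every member out of an admin role
    if ($desired.Count -eq 0) { Write-Warning "$adGroup resolved to no users; skipping"; continue }

    if ($target.Type -eq 'Role') {
        # Get-AzureADDirectoryRole only returns roles already activated in the tenant
        $obj     = Get-AzureADDirectoryRole -Filter "DisplayName eq '$($target.Name)'"
        $members = Get-AzureADDirectoryRoleMember -ObjectId $obj.ObjectId
    } else {
        $obj     = Get-AzureADGroup -Filter "DisplayName eq '$($target.Name)'"
        $members = Get-AzureADGroupMember -ObjectId $obj.ObjectId -All $true
    }
    # Only true-up user objects; leave service principals and nested groups alone
    $current = @($members | Where-Object { $_.ObjectType -eq 'User' } | Select-Object -ExpandProperty UserPrincipalName)

    # '<=' = in AD group only (add); '=>' = in AAD role/group only (remove)
    foreach ($diff in Compare-Object -ReferenceObject $desired -DifferenceObject $current) {
        $user = Get-AzureADUser -ObjectId $diff.InputObject
        if ($diff.SideIndicator -eq '<=') {
            if ($target.Type -eq 'Role') { Add-AzureADDirectoryRoleMember -ObjectId $obj.ObjectId -RefObjectId $user.ObjectId }
            else                         { Add-AzureADGroupMember -ObjectId $obj.ObjectId -RefObjectId $user.ObjectId }
            Write-Output "Added $($user.UserPrincipalName) to $($target.Name)"
        } else {
            if ($target.Type -eq 'Role') { Remove-AzureADDirectoryRoleMember -ObjectId $obj.ObjectId -MemberId $user.ObjectId }
            else                         { Remove-AzureADGroupMember -ObjectId $obj.ObjectId -MemberId $user.ObjectId }
            Write-Output "Removed $($user.UserPrincipalName) from $($target.Name)"
        }
    }
}
```

Run it first with the Add/Remove lines commented out so the Write-Output lines show the true-up it would perform, then schedule it under an account holding only the roles it manages.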


Find more IT Infrastructure tips at blog.alexmags.com