azure-active-directoryazure-rbac

Custom Azure AD role for full access to Microsoft Cloud App Security


As per below link, we can assign Global Administrator or Security Administrator role in Azure AD to an user and that provides full access to Microsoft Cloud App Security portal. https://learn.microsoft.com/en-us/cloud-app-security/manage-admins#office-365-and-azure-ad-roles-with-access-to-cloud-app-security However, with these roles users get privileged admin access to other features of Azure AD as well. We want restrict the role to provide full access in Microsoft Cloud App Security portal only. Is it possible to create a custom role with permissions only for Microsoft Cloud App Security?


Solution

  • Unfortunately it's not supported to create a custom AAD role with the full access permission of Microsoft Cloud App Security portal.

    Currently, permissions for Application registrations and Enterprise applications are supported in custom roles. See the details here.

    The full access permission of Microsoft Cloud App Security portal should be microsoft.directory/cloudAppSecurity/allProperties/allTasks. You can see that it's not listed in the page when I try to look for it in Azure portal.

    enter image description here

    You can query microsoft.directory/cloudAppSecurity/allProperties/allTasks in this page and choose the one with the least permissions to assign to users who need to be assigned the Cloud App Security portal administrator role.