Understand Azure role assignments

Role assignments enable you to grant a principal (such as a user, a group, a managed identity, or a service principal) access to a specific Azure resource. This article describes the details of role assignments.

Role assignment

Access to Azure resources is granted by creating a role assignment, and access is revoked by removing a role assignment.

A role assignment has several components, including:

  • The principal, or who is assigned the role.
  • The role that they're assigned.
  • The scope at which the role is assigned.
  • The name of the role assignment, and a description that helps you to explain why the role has been assigned.

For example, you can use Azure RBAC to assign roles like:

  • User Sally has owner access to the storage account contoso123 in the resource group ContosoStorage.
  • Everybody in the Cloud Administrators group in Microsoft Entra ID has reader access to all resources in the resource group ContosoStorage.
  • The managed identity associated with an application is allowed to restart virtual machines within Contoso's subscription.

The following shows an example of the properties in a role assignment when displayed using Azure PowerShell:

The following shows an example of the properties in a role assignment when displayed using the Azure CLI, or the REST API:

The following table describes what the role assignment properties mean.

When you create a role assignment, you need to specify the scope at which it's applied. The scope represents the resource, or set of resources, that the principal is allowed to access. You can scope a role assignment to a single resource, a resource group, a subscription, or a management group.

Use the smallest scope that you need to meet your requirements.

For example, if you need to grant a managed identity access to a single storage account, it's good security practice to create the role assignment at the scope of the storage account, not at the resource group or subscription scope.

For more information about scope, see Understand scope.

Role to assign

A role assignment is associated with a role definition. The role definition specifies the permissions that the principal should have within the role assignment's scope.

You can assign a built-in role definition or a custom role definition. When you create a role assignment, some tooling requires that you use the role definition ID while other tooling allows you to provide the name of the role.

For more information about role definitions, see Understand role definitions.

Principals include users, security groups, managed identities, workload identities, and service principals. Principals are created and managed in your Microsoft Entra tenant. You can assign a role to any principal. Use the Microsoft Entra ID object ID to identify the principal that you want to assign the role to.

When you create a role assignment by using Azure PowerShell, the Azure CLI, Bicep, or another infrastructure as code (IaC) technology, you specify the principal type. Principal types include User, Group, and ServicePrincipal. It's important to specify the correct principal type. Otherwise, you might get intermittent deployment errors, especially when you work with service principals and managed identities.

A role assignment's resource name must be a globally unique identifier (GUID).

Role assignment resource names must be unique within the Microsoft Entra tenant, even if the scope of the role assignment is narrower.

When you create a role assignment by using the Azure portal, Azure PowerShell, or the Azure CLI, the creation process gives the role assignment a unique name for you automatically.

If you create a role assignment by using Bicep or another infrastructure as code (IaC) technology, you need to carefully plan how you name your role assignments. For more information, see Create Azure RBAC resources by using Bicep.

Resource deletion behavior

When you delete a user, group, service principal, or managed identity from Microsoft Entra ID, it's a good practice to delete any role assignments. They aren't deleted automatically. Any role assignments that refer to a deleted principal ID become invalid.

If you try to reuse a role assignment's name for another role assignment, the deployment will fail. This issue is more likely to occur when you use Bicep or an Azure Resource Manager template (ARM template) to deploy your role assignments, because you have to explicitly set the role assignment name when you use these tools. To work around this behavior, you should either remove the old role assignment before you recreate it, or ensure that you use a unique name when you deploy a new role assignment.
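As an added example (not part of the Microsoft article), the following Python audit applies the rules above to constructed records in the shape of `az role assignment list -o json` output: every assignment name must be a GUID and must be unique, and any assignment whose principal can no longer be resolved is flagged as stale. The field names follow the Azure CLI output; treating an empty principalName or an unexpected principalType as the sign of a deleted principal is an assumption noted in the code.

```python
import uuid
from collections import Counter

# Constructed sample records in the shape that `az role assignment list -o json`
# produces (trimmed to the fields this audit needs). Every ID below is made up.
SUB = "/subscriptions/00000000-0000-4000-8000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {   # well-formed: a user, a narrow scope, a GUID name
        "name": "3a2b6f4e-1c2d-4e5f-8a9b-0c1d2e3f4a5b",
        "principalId": "11111111-1111-4111-8111-111111111111",
        "principalType": "User", "principalName": "sally@contoso.example",
        "roleDefinitionName": "Owner",
        "scope": SUB + "/resourceGroups/ContosoStorage/providers/Microsoft.Storage/storageAccounts/contoso123",
    },
    {   # stale: the principal was deleted from Entra ID, so nothing resolves it any more
        "name": "7c8d9e0f-1a2b-4c3d-8e4f-5a6b7c8d9e0f",
        "principalId": "22222222-2222-4222-8222-222222222222",
        "principalType": "Unknown", "principalName": "",
        "roleDefinitionName": "Reader",
        "scope": SUB + "/resourceGroups/ContosoStorage",
    },
    {   # name reused from the first record: redeploying either template fails
        "name": "3a2b6f4e-1c2d-4e5f-8a9b-0c1d2e3f4a5b",
        "principalId": "33333333-3333-4333-8333-333333333333",
        "principalType": "ServicePrincipal", "principalName": "app-restarter",
        "roleDefinitionName": "Virtual Machine Contributor",
        "scope": SUB,
    },
    {   # name that is not a GUID at all (an IaC template picked a plain string)
        "name": "kv-secrets-officer-assignment",
        "principalId": "44444444-4444-4444-8444-444444444444",
        "principalType": "Group", "principalName": "Cloud Administrators",
        "roleDefinitionName": "Key Vault Secrets Officer",
        "scope": SUB + "/resourceGroups/ContosoStorage",
    },
]

# The principal types the article lists for role assignments.
KNOWN_PRINCIPAL_TYPES = {"User", "Group", "ServicePrincipal"}


def is_guid(value):
    """True if `value` parses as a GUID, which is what a role assignment name must be."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def audit_role_assignments(assignments):
    """Return (assignment name, finding) pairs for names that are not GUIDs, names that
    are reused, and assignments whose principal can no longer be resolved."""
    findings = []
    name_counts = Counter(a["name"] for a in assignments)
    for a in assignments:
        name = a["name"]
        if not is_guid(name):
            findings.append((name, "name is not a GUID; Azure requires a GUID resource name"))
        if name_counts[name] > 1:
            findings.append((name, "name is reused; deploying another assignment with it fails"))
        # Assumption: once the principal is deleted from Entra ID the CLI cannot resolve it,
        # which shows up as an empty principalName and/or an unexpected principalType.
        if not a.get("principalName") or a.get("principalType") not in KNOWN_PRINCIPAL_TYPES:
            findings.append((name, "principal cannot be resolved; remove this stale assignment"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_role_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{name}: {finding}")
```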

Description

You can add a text description to a role assignment. While descriptions are optional, it's a good practice to add them to your role assignments. Provide a short justification for why the principal needs the assigned role. When somebody audits the role assignments, descriptions can help to understand why they've been created and whether they're still applicable.

Some roles support role assignment conditions based on attributes in the context of specific actions. A role assignment condition is an additional check that you can optionally add to your role assignment to provide more fine-grained access control.

For example, you can add a condition that requires an object to have a specific tag for the user to read the object.

You typically build conditions using a visual condition editor, but here's what an example condition looks like in code:

The preceding condition allows users to read blobs with a blob index tag key of Project and a value of Cascade.

For more information about conditions, see What is Azure attribute-based access control (Azure ABAC)?


RBAC in Azure: A Practical Guide

What is Azure RBAC?

Azure role-based access control (Azure RBAC) enables access management for Azure resources. It’s an authorization system built into the Azure Resource Manager. You can use Azure RBAC to define which specific users should be allowed access to Azure cloud resources and assign a set of privileges for each user group. Let’s learn more about the specifics.

Azure RBAC vs Azure ABAC

As mentioned earlier, Azure RBAC allows you to manage access to Azure resources, defining what users can do with resources and their access areas. It lets you use role definitions and role assignments to control access. However, it does not offer fine-grained access management and can be difficult when managing hundreds of role assignments.

Azure attribute-based access control (ABAC) works differently.

Azure ABAC allows you to add role assignment conditions to achieve fine-grained access control. It builds on Azure RBAC, letting you add attributes for specific actions. Each role assignment condition provides an additional, optional check to a role assignment. Once you set it up, the condition can filter down permissions provisioned as a part of the role definition and assignment. 

Azure RBAC Concepts

Azure RBAC roles

In Azure RBAC, a role definition is a set of permissions (role). It defines users’ actions, such as write, delete, and read. You can define high-level roles, such as an owner, or specific roles, such as a virtual machine (VM) reader.


Azure provides various built-in roles, including a virtual machine contributor role that allows users to create and manage VMs. If the built-in roles do not satisfy your requirements, you can also define Azure custom roles. You can use data actions to grant access to data stored in a specific object. 

The term scope refers to the set of resources that a role assignment applies to. It determines which resources a security principal gains access to through a given role. Limiting the scope limits the set of resources at risk if the security principal is compromised.

Azure RBAC lets you specify a scope at four levels, including a management group level, a subscription level, a resource group level, and a resource level. Azure structures scopes in a parent-child relationship, with each hierarchy level making the scope more specific. It lets you assign roles at any of the four levels. However, note that the level you choose determines how the role is applied. 


Azure also lets you use management groups, a level of scope above subscriptions. However, management groups support complex hierarchies. The diagram below illustrates an example of a hierarchy of management groups and subscriptions.

Role Assignments

Role assignments enable you to attach role definitions to specific users, groups, service principals, or managed identities at a certain scope. When creating a role assignment, you grant specific access, and removing the assignment revokes this access.

Here is a diagram that illustrates an example of a role assignment: 


This example assigns a contributor role to the marketing group—only for the pharma-sales resource group. It enables all users in the marketing group to create or manage Azure resources in the pharma-sales resource group. However, it does not provide marketing users with access to resources external to the pharma-sales resource group.

Azure Groups

Role assignments are transitive for groups, allowing users to gain permissions assigned to groups. If user A is a member of group B and group B is a member of group C with its own role assignment, user A gets the permissions in group C’s role assignment.

Azure RBAC uses an additive model, so a user with several overlapping role assignments simply gets the union of their permissions. You can see an example of this principle in the image below. A certain user is granted a Reader role at the resource group level and a Contributor role at the subscription level. The sum of the Reader and Contributor permissions is the Contributor role, so the Reader role assignment has no additional effect.
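As an added example that is not from the article, this Python model implements the three rules just described on constructed data: scope inheritance down the management group, subscription, resource group and resource levels; transitive group membership; and the additive union of roles. The ROLE_RANK ordering Reader < Contributor < Owner is an assumption used only to name the strongest role the user ends up with.

```python
# Constructed data (not from the article): who is in which group, a small scope
# hierarchy, and a handful of role assignments. All IDs are made up.
GROUP_MEMBERS = {
    "group-B": {"user-A"},       # user A is a member of group B
    "group-C": {"group-B"},      # group B is a member of group C
    "marketing": {"user-M"},
}
MG = "/providers/Microsoft.Management/managementGroups/contoso"
SUB = "/subscriptions/00000000-0000-4000-8000-000000000000"
RG = SUB + "/resourceGroups/pharma-sales"
MG_PARENT = {SUB: MG, MG: None}   # management-group tree: the subscription sits under MG

ASSIGNMENTS = [
    {"principal": "group-C", "role": "Reader", "scope": MG},
    {"principal": "marketing", "role": "Contributor", "scope": RG},
    {"principal": "user-A", "role": "Contributor", "scope": SUB},
    {"principal": "user-A", "role": "Reader", "scope": RG},
]

# Assumption used only to name the strongest role: Reader < Contributor < Owner.
ROLE_RANK = {"Reader": 1, "Contributor": 2, "Owner": 3}


def principals_for(user):
    """The user plus every group that contains them directly or transitively."""
    found = {user}
    frontier = [user]
    while frontier:
        member = frontier.pop()
        for group, members in GROUP_MEMBERS.items():
            if member in members and group not in found:
                found.add(group)
                frontier.append(group)
    return found


def subscription_of(scope):
    """The /subscriptions/<id> prefix of a scope, or None for management-group scopes."""
    parts = scope.split("/")
    if len(parts) >= 3 and parts[1] == "subscriptions":
        return "/subscriptions/" + parts[2]
    return None


def assignment_applies(assign_scope, target):
    """An assignment applies to `target` if it was made at `target` itself, at a path
    ancestor (subscription or resource group), or at a management group above it."""
    if target == assign_scope or target.startswith(assign_scope.rstrip("/") + "/"):
        return True
    node = MG_PARENT.get(subscription_of(target) or target)
    while node:
        if node == assign_scope:
            return True
        node = MG_PARENT.get(node)
    return False


def effective_roles(user, target, assignments=ASSIGNMENTS):
    """Additive model: the union of every role that reaches the user at that scope."""
    ids = principals_for(user)
    return {a["role"] for a in assignments
            if a["principal"] in ids and assignment_applies(a["scope"], target)}


def strongest_role(user, target, assignments=ASSIGNMENTS):
    """Name the most permissive role in the union (None if nothing applies)."""
    roles = effective_roles(user, target, assignments)
    return max(roles, key=lambda r: ROLE_RANK.get(r, 0), default=None)
```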


Best Practices for Azure RBAC

Only grant the access users need.

With Azure RBAC, you can create isolation between different teams, granting each team only the access they need to get the job done. 

Instead of granting unlimited permissions to everyone with an Azure subscription or resource, you can only allow specific actions within specific scopes. Avoid assigning broad roles, even if they seem more convenient at first. When you create a custom role, include only the permissions your users need. This ensures that there’s less risk if a principal account is compromised.

The following diagram shows the recommended pattern for granting permissions in Azure RBAC.


Use Azure AD Privileged Identity Management

To protect privileged accounts from malicious cyberattacks, Azure Active Directory Privileged Identity Management (PIM) can be used to reduce privilege issuance time and improve visibility through reports and alerts. PIM helps protect privileged accounts by providing temporary privileged access to Azure AD and Azure resources. Access is time-limited, after which privileges are automatically revoked.

Assign Roles Using Unique Role ID Instead of the Role Name

Role names may change over time, but the role ID always stays the same. Common examples of role name changes are when you are using your own custom role and decide to rename it, or when you are using a preview role that has (Preview) in its name: when the role is released from preview, it is automatically renamed.

To ensure consistency over time, it is a good idea to always assign users to a role ID when assigning roles using scripting or automation. This way, scripts won’t break if the name changes in the future. 

Assign Roles to Groups and Limit Subscription Owners

To make it easier to manage role assignments, do not assign roles directly to users. Instead, assign roles to groups. Assigning roles to groups instead of users minimizes the number of role assignments. Note that Azure imposes restrictions on the total role assignments allowed per subscription.

Microsoft recommends having a maximum of 3 owners for each Azure subscription, to reduce the likelihood of a breach by a compromised or malicious insider.

Cloud RBAC with Frontegg

Frontegg provides out of the box RBAC model implementation. Customers can now create their own roles and permissions which represent their product models and use cases. Additionally, Frontegg empowers the end users to create custom roles to represent their permissions model, without having to change a single line of code in the product. Sounds too good to be true? Try it out now.  

How to find all the Azure Built-In Roles for Azure RBAC with Azure CLI, PowerShell, Docs, or AzAdvertizer

Here are a bunch of ways you can find which roles are built into Azure. This will come in super handy when you need to assign a role to a service principal or user with Azure CLI commands like this:

  • Query the big honking json
  • Query all, but only return Name and Id in a nice table
  • Filter by name contains:

This one filters for roles with “Map” in the name:

Azure PowerShell

https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-3.8.0

This page has all the built in roles: https://docs.microsoft.com/azure/role-based-access-control/built-in-roles

AzAdvertizer

Just found this site today by Julian Hayward. It’s a great way to find roles

https://www.azadvertizer.net/azrolesadvertizer_all.html


Azure RBAC: role assignments and ARM templates

John Reilly

This post is about Azure's role assignments and ARM templates. Role assignments can be thought of as "permissions for Azure".

If you're deploying to Azure, there's a good chance you're using ARM templates to do so. Once you've got past "Hello World", you'll probably find yourself in a situation when you're deploying multiple types of resource to make your solution. For instance, you may be deploying an App Service alongside Key Vault and Storage .

One of the hardest things when it comes to deploying software and having it work, is permissions. Without adequate permissions configured, the most beautiful code can do nothing . Incidentally, this is a good thing. We're deploying to the web; many people are there, not all good. As a different kind of web-head once said:

[Image: Spider-Man saying "with great power comes great responsibility"]

Azure has great power and suggests you use it wisely.

Access management for cloud resources is critical for any organization that uses the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. Designating groups or individual roles responsible for specific functions in Azure helps avoid confusion that can lead to human and automation errors that create security risks. Restricting access based on the need to know and least privilege security principles is imperative for organizations that want to enforce security policies for data access.

This is good advice. With that in mind, how can we ensure that the different resources we're deploying to Azure can talk to one another?

Role (up for your) assignments

The answer is roles. There's a number of roles that exist in Azure that can be assigned to users, groups, service principals and managed identities. In our own case we're using managed identity for our resources. What we can do is use "role assignments" to give our managed identity access to given resources. Arturo Lucatero gives a great short explanation of this:

Whilst this explanation is delightfully simple, the actual implementation when it comes to ARM templates is a little more involved. Because now it's time to talk "magic" GUIDs. Consider the following truncated ARM template, which gives our managed identity (and hence our App Service which uses this identity) access to Key Vault and Storage:

Let's take a look at these three variables:

The three variables above contain the subscription resource ids for the roles Storage Blob Data Contributor, Key Vault Secrets Officer and Key Vault Crypto Officer. The first question on your mind is likely: "what is ba92f5b4-2d11-453d-a403-e96b0029c9fe and where does it come from?" Great question! Well, each of these GUIDs represents a built-in role in Azure RBAC. The ba92f5b4-2d11-453d-a403-e96b0029c9fe represents the Storage Blob Data Contributor role.

How can I look these up? Well, there's two ways; there's an article which documents them here or you could crack open the Cloud Shell and look up a role by GUID like so:

Or by name like so:

As you can see, the Actions section of the output above (and in even more detail in the linked article) provides information about what the different roles can do. So if you're looking to enable one Azure resource to talk to another, you should be able to refer to these to identify a role that you might want to use.

Creating a role assignment

So now we understand how you identify the roles in question, let's take the final leap and look at assigning those roles to our managed identity. For each role assignment, you'll need a roleAssignments resource defined that looks like this:

Let's go through the above, significant property by significant property (it's also worth checking the official reference here):

  • type - the type of role assignment we want to create, for a key vault it's "Microsoft.KeyVault/vaults/providers/roleAssignments", for storage it's "Microsoft.Storage/storageAccounts/providers/roleAssignments". The pattern is that it's the resource type, followed by "/providers/roleAssignments".
  • dependsOn - before we can create a role assignment, we need the service principal we desire to permission (in our case a managed identity) to exist.
  • properties.roleDefinitionId - the role that we're assigning, provided as an id. So for this example it's the keyVaultCryptoOfficer variable, which was earlier defined as [subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]. (Note the use of the GUID.)
  • properties.principalId - the id of the principal we're adding permissions for. In our case this is a managed identity (a type of service principal).
  • properties.scope - we're modifying another resource; our key vault isn't defined in this ARM template and we want to specify the resource we're granting permissions to.
  • properties.principalType - the type of principal that we're creating an assignment for; in our case this is "ServicePrincipal", our managed identity.

There is an alternate approach that you can use where the type is "Microsoft.Authorization/roleAssignments". Whilst this also works, it displayed errors in the Azure tooling for VS Code. As such, we've opted not to use that approach in our ARM templates.
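The roleAssignments resource described above, generated by an added Python example that is not from the post: it emits the nested-provider resource with the properties listed, names it with ARM's guid() function so that a redeploy reuses the same name instead of colliding, and reads the managed identity's principalId with reference(). The apiVersion, the parameter names and the check_role_assignment rules are assumptions made for this example.

```python
import json

# Role definition GUID quoted in the post: Storage Blob Data Contributor.
STORAGE_BLOB_DATA_CONTRIBUTOR = "ba92f5b4-2d11-453d-a403-e96b0029c9fe"
# Assumption: a GA apiVersion for role assignments; check the ARM reference for the current one.
ROLE_ASSIGNMENT_API_VERSION = "2022-04-01"


def role_assignment_resource(resource_type, resource_name_expr, role_guid, identity_name_expr):
    """Build one roleAssignments resource scoped to an existing resource.

    resource_type       e.g. "Microsoft.Storage/storageAccounts" (the resource being permissioned)
    resource_name_expr  ARM expression for its name, e.g. "parameters('storageName')"
    role_guid           built-in role definition GUID
    identity_name_expr  ARM expression for the user-assigned managed identity's name
    """
    identity_id = f"resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', {identity_name_expr})"
    return {
        # Pattern from the post: the scoped resource type followed by /providers/roleAssignments
        "type": f"{resource_type}/providers/roleAssignments",
        "apiVersion": ROLE_ASSIGNMENT_API_VERSION,
        # Nested-provider name: <resource>/Microsoft.Authorization/<guid>. guid() is deterministic
        # in its inputs, so a redeploy produces the same name rather than a new, conflicting one.
        "name": f"[concat({resource_name_expr}, '/Microsoft.Authorization/', "
                f"guid({resource_name_expr}, '{role_guid}', {identity_name_expr}))]",
        # The identity must exist before it can be granted anything
        "dependsOn": [f"[{identity_id}]"],
        "properties": {
            "roleDefinitionId": f"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{role_guid}')]",
            # reference() on the identity resource exposes its principalId
            "principalId": f"[reference({identity_id}).principalId]",
            "scope": f"[resourceId('{resource_type}', {resource_name_expr})]",
            "principalType": "ServicePrincipal",   # a managed identity is a service principal
        },
    }


def check_role_assignment(resource):
    """Return the problems a reviewer would flag in a roleAssignments resource (empty if none)."""
    problems = []
    if not resource.get("type", "").endswith("/providers/roleAssignments"):
        problems.append("type must end with /providers/roleAssignments")
    if "/Microsoft.Authorization/" not in resource.get("name", ""):
        problems.append("name must be <resource>/Microsoft.Authorization/<guid>")
    props = resource.get("properties", {})
    if "Microsoft.Authorization/roleDefinitions" not in props.get("roleDefinitionId", ""):
        problems.append("roleDefinitionId must reference a role definition, not a role name")
    if props.get("principalType") not in {"User", "Group", "ServicePrincipal"}:
        problems.append("principalType missing or unknown; omitting it causes intermittent deploy errors")
    if not resource.get("dependsOn"):
        problems.append("dependsOn should include the principal being permissioned")
    return problems


def render_template(resources):
    """Wrap the resources in a minimal ARM template document."""
    return json.dumps({
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": resources,
    }, indent=2)


if __name__ == "__main__":
    storage_assignment = role_assignment_resource(
        "Microsoft.Storage/storageAccounts", "parameters('storageName')",
        STORAGE_BLOB_DATA_CONTRIBUTOR, "parameters('identityName')")
    print(render_template([storage_assignment]))
```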

Many thanks to the awesome John McCormick who wrangled permissions with me until we bent Azure RBAC to our will.


Manage Azure Role Assignments Like a Pro with PowerShell


Today’s blog post is a little bit different. I have a couple of examples of how you can use PowerShell snippets and simple cmdlets to get or set role assignments in your Azure subscriptions.

PowerShell examples for managing Azure Role assignments

  • List all role assignments in a subscription
  • Get all role assignments for a specific resource group
  • Get all role assignments for a specific user
  • Add a role assignment to a user
  • Remove a role assignment for a user
  • Remove all role assignments for a specific user
  • List all built-in roles
  • List all custom roles
  • Create a custom role
  • Update a custom role
  • Delete a custom role
  • List all users or groups assigned to a specific role
  • List all permissions granted by a specific role
  • List all resource groups that a user has access to
  • Create a role assignment for a service principal
  • PowerShell script to manage Azure role assignments

And now there is a script that combines some of these examples into one usable function:

I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.

Vukasin Terzic


Gain insights into your Azure role assignments on subscription level


List Azure role assignments and custom role definitions recursively with PowerShell and Azure CLI.


Azure Role-Based Access Control (RBAC)

Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. Using RBAC in Azure for granular permissions makes it easy to assign permissions to users, groups, service principals, or managed identities. You can assign only the amount of access that users need to perform their jobs, thereby adhering to the principle of least privilege.

You have a ton of built-in roles to choose from, and you can also create your own custom roles if none of the built-in roles fit your use case.

I will not write a thesis on Azure RBAC, as you can find the necessary information on the Azure RBAC documentation page . I will, however, highlight a few shortcomings and how I worked around some of them.

List Azure role definitions

You can list role definitions in the portal, with Azure CLI, or with PowerShell.

All these links read List all roles. That is a bit misleading, as they only list the roles in your current scope with any inherited from above (management groups). Any custom roles created in different subscriptions than the current one (or the one provided in the scope parameter) will not be listed. A best practice is to create custom roles higher up in management groups so that they are inherited by all subscriptions below. This is not always done, and you might end up with custom roles in different subscriptions.

List Azure role assignments

You can list role assignments in the portal, with PowerShell, or with Azure CLI. There are different ways of listing role assignments, but no way to list all role assignments in your hierarchy recursively. You can list role assignments at a certain scope, with inherited assignments included. You can also find all role assignments for a specific user or group in Azure AD.

Shortcomings

As far as I can see, there are a few shortcomings. These are not critical, and there are other issues with the RBAC model, but I will not go into them here.

  • There is no central listing of role assignments for all scopes
  • There is no central listing of custom role definitions for all scopes
  • Role assignments and role definitions are not linked in any way other than in backend. If you try to delete a custom role definition still in use, you get an error message. You have to find all role assignments using the custom role definition and delete them first.
  • Role assignments and role definitions are not listed in Azure AD

Recently I was tasked with cleaning some clickOps’ed custom role definitions and converting them to Terraform. I needed to find all custom role definitions and all role assignments in all subscriptions in all management groups. I also needed to find all role assignments using the custom role definitions I was going to delete. Because of reasons I needed to create new role definitions, and could not import them into Terraform. Because of the shortcomings mentioned above, I had to write a script to list all role definitions and role assignments for all scopes.

I did not want to click through all of the subscriptions and management groups, so I wrote a script to do it for me.

Azure Governance Visualizer

At this point I would be remiss not to mention the Azure Governance Visualizer . It is a great tool created by Julian Hayward for visualizing your total Azure Governance. It lists all custom role definitions and every other detail you would need from your environment regarding RBAC and lot of other useful information. In this case it is too complex, and I wanted to focus on the RBAC part. Anyway, check it out if you need a great tool for visualizing your Azure Governance.

The recipe covers:

  • Log in with both Azure CLI and PowerShell
  • Recursively find all management groups and subscriptions
  • List all custom roles in all subscriptions
  • List all role assignments with relevant custom roles in all subscriptions
  • Write everything to JSON files for documentation or investigation

Prerequisites

  • A user with Reader role on the management group level to list all management groups.
  • A user with Reader role on the subscription level to list all subscriptions and their assignments/definitions.
  • Azure PowerShell installed
  • Azure CLI installed

The script can be found in all its glory in GitHub . I will explain the different sections below.

I did not want the script to force a login of both PowerShell and Azure CLI every time I ran it. Therefore I needed some logic to check for login status and login if necessary.

Since there could be several management groups in different levels, I need to recursively find the management groups to list all subscriptions.

This part is a simple loop through all subscriptions that lists all custom role definitions. I could have used the PowerShell cmdlet Get-AzRoleDefinition, but I wanted to use the Azure CLI command az role definition list to get some more relevant information. The other actions done for each subscription are also done in the same foreach loop.

This part is a simple loop through all custom roles in the current subscription that lists all their assignments. They are exported if the exportAssignments parameter is set.

This part is a simple conversion from PowerShell objects to JSON with ConvertTo-Json, dumped to a JSON file.
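As an added example (not the author's script), the same walk written in Python over a constructed management-group tree shaped like the output of az account management-group show --expand --recurse: it collects every subscription, keeps only custom role definitions (the customRolesOnly and excludeRegexPattern parameters are mirrored as arguments), and reports which assignments still use each custom role, so that unused roles can be deleted first and the rest cleaned up assignment by assignment. The tree shape, the trimmed record fields and all IDs are assumptions constructed for the example.

```python
import re

# Constructed stand-in (not the author's data) for the tree that
# `az account management-group show --name <root> --expand --recurse` returns:
# nested "children" typed as management groups or subscriptions. IDs are made up.
SUB_A = "/subscriptions/aaaaaaaa-0000-4000-8000-000000000001"
SUB_B = "/subscriptions/bbbbbbbb-0000-4000-8000-000000000002"
MG_TREE = {
    "id": "/providers/Microsoft.Management/managementGroups/contoso-root",
    "type": "Microsoft.Management/managementGroups",
    "children": [
        {
            "id": "/providers/Microsoft.Management/managementGroups/platform",
            "type": "Microsoft.Management/managementGroups",
            "children": [{"id": SUB_A, "type": "/subscriptions", "children": None}],
        },
        {"id": SUB_B, "type": "/subscriptions", "children": None},
    ],
}

# Constructed per-subscription results of `az role definition list --custom-role-only true`
# and `az role assignment list`, trimmed to the fields used here. The third id is a
# made-up stand-in for a built-in role definition.
ROLE_VM_OPERATOR = SUB_A + "/providers/Microsoft.Authorization/roleDefinitions/11111111-1111-4111-8111-111111111111"
ROLE_LEGACY = SUB_B + "/providers/Microsoft.Authorization/roleDefinitions/22222222-2222-4222-8222-222222222222"
BUILTIN_STANDIN = SUB_A + "/providers/Microsoft.Authorization/roleDefinitions/33333333-3333-4333-8333-333333333333"

ROLE_DEFINITIONS = {
    SUB_A: [{"id": ROLE_VM_OPERATOR, "roleName": "VM Operator", "roleType": "CustomRole"}],
    SUB_B: [{"id": ROLE_LEGACY, "roleName": "Legacy Backup Role", "roleType": "CustomRole"}],
}
ROLE_ASSIGNMENTS = {
    SUB_A: [
        {"roleDefinitionId": ROLE_VM_OPERATOR, "principalName": "ops-team", "scope": SUB_A + "/resourceGroups/vms"},
        {"roleDefinitionId": BUILTIN_STANDIN, "principalName": "auditors", "scope": SUB_A},
    ],
    SUB_B: [],   # the legacy custom role in SUB_B is no longer assigned to anyone
}


def walk_subscriptions(node):
    """Depth-first list of every subscription id under a management-group node."""
    if node["type"] == "/subscriptions":
        return [node["id"]]
    subs = []
    for child in node.get("children") or []:
        subs.extend(walk_subscriptions(child))
    return subs


def custom_role_usage(tree, definitions_by_sub, assignments_by_sub, exclude_pattern=None):
    """For every custom role in every subscription under `tree`, collect the assignments
    that still use it. Mirrors the script's customRolesOnly and excludeRegexPattern knobs."""
    exclude = re.compile(exclude_pattern) if exclude_pattern else None
    report = {}
    for sub in walk_subscriptions(tree):
        for role in definitions_by_sub.get(sub, []):
            if role.get("roleType") != "CustomRole":
                continue
            if exclude and exclude.search(role["roleName"]):
                continue
            uses = [a for a in assignments_by_sub.get(sub, [])
                    if a["roleDefinitionId"] == role["id"]]
            report[role["id"]] = {"subscription": sub, "roleName": role["roleName"],
                                  "assignments": uses}
    return report


def unused_custom_roles(report):
    """Custom roles with no assignments: deletable without first removing assignments."""
    return sorted(rid for rid, info in report.items() if not info["assignments"])
```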


Some parameters are necessary in this script to make it dynamic.

  • topLvlMgmtGroup - [String] Id of your top level management group to start recursive listing.
  • customRolesOnly - [String] Set to true if exporting only custom roles. Defaults to true.
  • excludeRegexPattern - [String] Any exclusion RegEx pattern to use. Remember escape chars!
  • rolesFolder - [String] Folder where role definitions will be exported. Defaults to output.
  • exportAssignments - [Switch] Whether to export assignments to file or not.
  • subscription - [String] Subscription Id or name for when exporting in a single subscription.

Resulting json

Running the script results in some output to json files.

Role Definitions

It makes sense to only export custom role definitions, because the builtin ones are already pretty well documented.

For each custom role definition found, one file will be written. This is an example role, and all GUIDs are randomly generated.

Role Assignments

All role assignments will be exported if the relevant parameter is set.

Output to a single assignments.json:

I had some fun with this task, and maybe created an over-engineered solution. I also had the chance to practice my PowerShell skills, which is a welcome exercise!

Please let me know if you have a one-liner for this that I can use in the future 🙂

Stefanos Cloud

How to manage Microsoft 365 user role assignments and administrative units


This article provides guidance on how to manage Microsoft 365 user role assignments and administrative units. The article is also available on my podcast and Youtube channel .


You need to manage existing user roles, create new custom user roles and assign users and groups to existing roles in Microsoft 365 . You need to also manage Microsoft 365 administrative units.

In this how-to article, we will show you how to manage Microsoft 365 user role assignments and administrative units.

Role assignments #

From within the Microsoft 365 Admin Center portal, you can assign Azure AD built-in roles to users who need access to other admin centers and resources in Azure Active Directory, such as users, groups, and apps which use the Microsoft Graph API. The following groups of user role assignments can be made from the Admin Center portal.

  • Azure AD role assignments
  • Exchange Online role assignments
  • Intune role assignments


In the next steps, we will show you how to assign the Global Administrator Azure AD role to a user and group. Follow the steps below to assign the Global Administrator role to a user or group.

  • Navigate to https://admin.microsoft.com and authenticate as a global admin user.
  • On the left pane, expand the "Roles" section and click on "Role assignments". On the main section click on the "Global Administrator" role. On the popup form on the right, you should be able to review the general properties of the role in question. On the permissions tab, the system lists details of the permissions which are assigned with the role in question.
  • On the "Assigned" tab, you can assign users or groups to the role in question. Click on "Add Users" and then "Add Groups" to add a user and group respectively to the specific role.
  • To run the Azure portal as a specific Azure AD user role, tick on the checkbox next to the role and click "Run As". This will show you the view of the Azure portal as if you had logged in via a user with the role in question.
  • To compare permissions of user roles, tick on two or more roles and then click on "Compare Roles". In the next screen, you should see a tabular comparison of the permissions assigned to each of the compared roles. You can also click on "Export comparison" to export the comparison matrix of the selected roles.

In the next steps, we will show you how to assign the Organization Management Exchange Online role to a user and group, as well as how to create a new custom Exchange Online role. Follow the steps below.

  • Navigate to the "Exchange" tab under the "Role Assignments" section.
  • Click on the "Organization Management" role. On the popup form on the right, you can review the general settings of the role under the "general" tab. Under the "Permissions" tab, you can review in detail the available permissions of the role in question.
  • Under the "Assigned" tab, you can assign a user or group to the role in question. Click "Add" and choose the user or group to assign to the role.
  • You can also create a custom Exchange Online role by ticking the checkbox next to the role that will be used as the template for the new role. Then click "Copy role group". This takes you to a wizard for creating the new custom role. On the "Set up the basics" page, fill in the name, description and write scope of the new role and click Next.
  • Select the roles to add to the new custom role group. Roles define the scope of the tasks that the members assigned to this role group have permission to manage.
  • Select the users to assign to this role group. They'll have permissions to manage the roles that you assigned in the previous step.
  • Review your selections and click Finish.

In the next steps, we will show you how to assign Intune roles. Assign Intune roles to specialists who need to view or manage Intune data, devices, or services. These roles can only be assigned to users who have a license that includes Intune. Follow the steps below.

  • Under the "Role assignments" section, navigate to the "Intune" tab. If you need to export existing assignments, click on the "Export assignments" button.
  • Click on the Intune role you wish to edit assignments of. On the "General tab" you can review the general settings of the role in question. On the "Permissions" tab you can see in detail all permissions of the role in question.
  • To assign users to the Intune role, under the "Assigned" tab click "Add". This takes you to the "Set up the basics" wizard. Fill in a name and description and click Next.
  • Select the security groups that contain the users you want to become admins for the role. Click Next.
  • Select a built-in security group like 'All users', or search for and select security groups that contain the users and devices that the Intune role can manage.
  • You can optionally add tabs which limit the specific Intune policies, apps and devices that the admins can see. Click "Next".
  • Review all your assignment settings and click "Finish".

Administrative Units

Now we will move on to show you how to create and manage Microsoft 365 Administrative Units. Administrative units let you subdivide your organization into any unit you want, and then assign specific administrators who can manage only that unit. For example, you can assign the Helpdesk Administrator role to a regional support specialist so that they can manage users only in that region.


Carry out the following steps:

  • Under the "Roles" section, click on "Administrative Units". Click on "Add Unit" to add a new administrative unit.
  • Provide a name and Description of the new administrative unit and click "Next". Administrative units let you limit admins to manage users for a specific department, region, or any segment that your organization defines. Start by giving the administrative unit a name and description that will let other admins know its purpose.
  • Choose "Add up to 20 users and groups", or "Upload users" if you need to bulk upload a large number of users to be linked to the new administrative unit. If you choose "Add up to 20 users and groups", click "Add Users" or "Add Groups" to add the desired users to the administrative unit and click Next. The administrators assigned to this unit will manage the settings for these users and groups. Adding groups doesn't add the groups' members to the unit; it lets the assigned admins manage group settings. You can add up to 20 members individually, or bulk upload up to 200 users. If you need to add more, you can edit this unit to add them.
  • Assign admins to scoped roles. The following roles are the only roles that support administrative units: Authentication Administrator, Cloud Device Administrator, Groups Administrator, Helpdesk Administrator, License Administrator, Password Administrator, SharePoint Administrator, Teams Administrator, Teams Device Administrator, and User Administrator.

Select a role and then assign admins to it. The admins that you assign to roles in this step will manage the members of this administrative unit.

  • Review your selections and click "Finish". The new administrative unit has been created. You can always edit its properties by clicking on the Administrative Unit name. From that page you can edit the administrative unit's members and role assignments.
  • You can also edit the name and description of an administrative unit by ticking the checkbox next to the administrative unit name and clicking on "Edit name and description".
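The same unit-scoped assignment done from the command line, as an added example that is not part of the original article: it creates an administrative unit, adds members, assigns Helpdesk Administrator scoped to that unit only, and then lists the admin's assignments so that any tenant-wide ("/") scope stands out. It assumes the Microsoft.Graph PowerShell module is installed and uses placeholder user principal names.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph module is
# installed and the signed-in account can manage administrative units and role assignments.
# All user principal names below are placeholders.

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

$unitName   = "Region-West Support"
$memberUpns = @("user1@contoso.example", "user2@contoso.example")   # placeholder members
$supportUpn = "helpdesk.west@contoso.example"                       # placeholder regional admin
$roleName   = "Helpdesk Administrator"   # one of the roles that supports administrative units

# 1. Create the administrative unit (name and description, as on the wizard's first page).
$au = New-MgDirectoryAdministrativeUnit -DisplayName $unitName `
        -Description "Helpdesk scope for West region users"

# 2. Add members. Each member is referenced by its directory object URL.
foreach ($upn in $memberUpns) {
    $user = Get-MgUser -UserId $upn -Property Id
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
}

# 3. Resolve the role definition and assign it with a directory scope limited to the unit.
#    A tenant-wide assignment would use directoryScopeId "/" instead; avoid that here.
$role    = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
$support = Get-MgUser -UserId $supportUpn -Property Id
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId      $support.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)" | Out-Null

# 4. Verify: list this principal's assignments and flag any that are tenant-wide.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($support.Id)'" |
    ForEach-Object {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{
            Role       = $def.DisplayName
            Scope      = $_.DirectoryScopeId
            TenantWide = ($_.DirectoryScopeId -eq "/")
        }
    } | Format-Table -AutoSize
```

Step 4 is the check worth keeping around: run it periodically against every admin principal and treat a TenantWide row for a role that should be unit-scoped as a finding.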


Managing App Roles in Microsoft Azure AD

In Azure AD, you can create and manage app roles that will be assigned to Azure AD users and groups and also be mapped to Oracle Database global schemas and roles.

  • Creating a Microsoft Azure AD App Role: Azure AD users, groups, and applications that need to connect to the database will be assigned to the database app roles.
  • Assigning Users and Groups to the Microsoft Azure AD App Role: Before Microsoft Azure AD users can have access to the Oracle database, they must first be assigned to the app roles that will be mapped to Oracle Database schema users or roles.
  • Assigning an Application to an App Role: An application that must connect to the database using the client credential flow must be assigned to an app role.


Creating a Microsoft Azure AD App Role

Azure AD users, groups, and applications that need to connect to the database will be assigned to the database app roles.

  • Log in to Azure AD as an administrator who has privileges for creating app roles.
  • Use the Directory + subscription filter to locate the Azure Active Directory tenant that contains the Oracle Database app registration.
  • Select Azure Active Directory .
  • Under Manage , select App registrations , and then select the Oracle Database instance that you registered earlier.
  • Under Manage , select App roles .
  • In the App roles page, select Create app role . In the Create app role page, enter the following information:
  • Display name is the displayed name of the role (for example, HR App Schema ). You can include spaces in this name.
  • Value is the actual name of the role (for example, HR_APP ). Ensure that this setting matches exactly the string that is referenced in the database mapping to a schema or role. Do not include spaces in this name.
  • Description provides a description of the purpose of this role.
  • Do you want to enable this app role? enables you to activate the role.

The app role appears in the App roles pane.


Assigning Users and Groups to the Microsoft Azure AD App Role

Before Microsoft Azure AD users can have access to the Oracle database, they must first be assigned to the app roles that will be mapped to Oracle Database schema users or roles.

  • Log in to Azure AD as an administrator who has privileges for assigning Azure AD users and groups to app roles.
  • Use the Directory + subscription filter to locate the Azure Active Directory tenant that contains the Oracle connection.
  • Under Manage , select Enterprise applications , and then select the Oracle Database app registration name that you registered earlier.
  • Under Getting Started, select Assign users and groups .
  • Select Add user/group .
  • In the Add assignment window, select Users and groups to display a list of users and security groups.
  • From this list, select the users and groups that you want to assign to the app role, and then click Select .
  • In the Add assignment window, select Select a role to display a list of the app roles that you have created.
  • Select the app role and then select Select .
  • Click Assign .

Assigning an Application to an App Role

An application that must connect to the database using the client credential flow must be assigned to an app role.

  • Access the app registration for the application.
  • Under Manage, select API permissions .
  • In the Configured permissions area, select + Add a permission .
  • In the Request API permission pane, select the My APIs tab.
  • Select the Oracle Database app that you want to give permission for this application to access. Then select the Application permissions option.


  • Select Grant admin consent for tenancy to grant consent for the tenancy users, then select Yes in the confirmation dialog box.
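The three procedures above (create the app role, assign a group to it, assign a client application to it) done with Microsoft Graph PowerShell, as an added example that is not part of the Oracle documentation. It assumes the Microsoft.Graph module is installed; the app registration name, group name and client application name are placeholders for your tenant's objects.

```powershell
# Added example (not from the Oracle documentation). Assumes the Microsoft.Graph module is
# installed and the signed-in account can edit the app registration and grant assignments.
# Display names below are placeholders.

Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Group.Read.All"

$dbAppName     = "Oracle Database"    # placeholder: display name of the database app registration
$groupName     = "HR-App-Users"       # placeholder: Azure AD group to map to the role
$clientAppName = "HR Batch Service"   # placeholder: app using the client credential flow
$roleValue     = "HR_APP"             # must match the database mapping exactly

# The Value is the string the database mapping compares against, so enforce the "no spaces" rule.
if ($roleValue -match '\s') { throw "App role value must not contain spaces: '$roleValue'" }

# 1. Create the app role on the application object (Display name, Value, Description, enabled).
$app = Get-MgApplication -Filter "displayName eq '$dbAppName'"
$newRole = @{
    id                 = [guid]::NewGuid().ToString()
    allowedMemberTypes = @("User", "Application")   # users/groups and client applications
    displayName        = "HR App Schema"
    value              = $roleValue
    description        = "Maps to the HR_APP global schema in Oracle Database"
    isEnabled          = $true
}
# appRoles is replaced as a whole on update, so append to the existing list rather than overwrite it.
$roles = @($app.AppRoles) + $newRole
Update-MgApplication -ApplicationId $app.Id -AppRoles $roles

# 2. Assign a group to the role on the enterprise application (service principal).
$dbSp  = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
New-MgGroupAppRoleAssignment -GroupId $group.Id -PrincipalId $group.Id `
    -ResourceId $dbSp.Id -AppRoleId $newRole.id | Out-Null

# 3. Assign the client application's service principal to the same role. This is the
#    assignment that granting admin consent for an application permission produces.
$clientSp = Get-MgServicePrincipal -Filter "displayName eq '$clientAppName'"
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $dbSp.Id `
    -PrincipalId $clientSp.Id -ResourceId $dbSp.Id -AppRoleId $newRole.id | Out-Null

# 4. Verify who holds the role on the database application.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $dbSp.Id |
    Where-Object AppRoleId -eq $newRole.id |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime
```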


Analytics , Announcements , Microsoft Purview

Introducing modern data governance for the era of AI 

By Karthik Ravindran General Manager, Data Governance for Microsoft Purview

Posted on March 26, 2024 6 min read

  • Tag: Azure Marketplace
  • Tag: Microsoft Fabric

The era of generative AI has arrived, offering new possibilities for every person, business, and industry. At the same time, the speed, scale, and sophistication of cyberattacks, increasing regulations, an ever-expanding data estate, and business demand for data insights are all converging. This convergence pressurizes business leaders to adopt a modern data governance and security strategy to confidently ensure AI readiness.    

A modern data governance and security solution unifies data protection and governance capabilities, simplifies actions through business-friendly profiles and terminology with AI-powered business efficiency, and enables federated governance across a disparate multi-cloud data estate.  


Microsoft Purview is a comprehensive set of solutions that can help your organization govern, protect, and manage data, wherever it lives. Microsoft Purview provides integrated coverage and helps address the fragmentation of data across organizations, the lack of visibility that hampers data protection and governance, and the blurring of traditional IT management roles. 

Today, we are excited to announce a reimagined data governance experience within Microsoft Purview, available in preview April 8, 2024. This new software-as-a-service (SaaS) experience offers sophisticated yet simple business-friendly interaction, integration across data sources, AI-enabled business efficiency, and actions and insights to help you put the ‘practice’ into your data governance practice.   

“We are thrilled to leverage Microsoft Purview’s new innovative approach to activate the practice of federated data governance. These new capabilities enable us to responsibly scale our data strategy to drive business value, while enhancing our sophisticated data governance practice that meets the demands of our business and puts data insights at the core of our decision making.”  Tony Bishop, Group Head of Data & Analytics, Aspen

Modern data governance with Microsoft Purview 

I led Microsoft through our own modern data governance journey the past several years and this experience exposed the realities, challenges, and key ingredients of the modern data governance journey.  

Our new Microsoft Purview data governance solution is grounded in years of applied learning and proven practices from navigating this data transformation journey along with the transformation journeys of our enterprise customers. To that end, our vision for a modern data governance solution is based on the following design principles: 

Anchored on durable business concepts  

The practice of data governance should enable an organization to accelerate the creation of responsible value from their data. By anchoring data governance investments to measurable business objectives and key results (OKRs), organizations can align their data governance practice to business priorities and demonstrate business value outcomes.  

A unified, integrated, and extensible experience 

A modern data governance solution should offer a single-pane-of-glass experience that integrates across multi-cloud data estate sources for data curation, management, health controls, discovery, and understanding, backed with compliant, self-serve data access. The unified experience reduces the need for laborious and costly custom-built or multiple-point solutions. This enables a focus on accelerating data governance practices, activating federated data governance across business units, and ensuring leaders have real-time insights into governance health. 

Scale success with AI-enabled experiences  

An ever-growing and changing data estate demands simplicity in how it is governed and to ensure business adoption and implementation efficiencies. Natural language interactions and machine learning (ML)-based recommendations across governance capabilities are critical to this simplification and accelerating data governance adoption.  

A culture of data governance and protection  

Data governance solutions must be built for the practice of federated data governance, unique to each organization. Just as adopting cloud solutions requires one to become a cloud company, adopting data governance requires one to become a data governance company. Modern data governance success requires C-Suite alignment and support, and must be simple, efficient, customizable, and flexible to activate your unique practice. 

Introducing data governance for the business, by the business 

We are thrilled to introduce the new Microsoft Purview data governance experience. Our new data governance capabilities will help any organization of any size to accelerate business value creation in the era of AI.  

A business-friendly approach to govern multi-cloud data estates  

Designed with the business in mind, the new governance experience supports different functions across the business with clear role definitions for governance administrators, business domain creators, data health owners, and data health readers.  

Within Data Management, customers can easily define and assign business-friendly terminology (such as Finance and Claims). Business-friendly language follows the data governance experience through Data Products (a collection of data assets used for a business function), Business Domains (ownership of Data Products), Data Quality (assessment of quality), Data Access, Actions, and Data Estate Health (reports and insights). 

This new data governance experience allows you to scan and search data across your data estate assets.

New data products experience within the data management area of Microsoft Purview Data Catalog

Built-in data quality capabilities and rules which follow the data  

The new data quality model enables your organization to set rules top down with business domains, data products, and the data assets themselves. Policies can be set on a term or rule which flows through and helps save data stewards hours to days of manual work depending on the scale of your estate. Once rules and policies are applied, the data quality model will generate data quality scores at the asset, data product, or business domain level giving you snapshot insights into your data quality relative to your business rules. 

Within the data quality model, there are two metadata analysis capabilities: 1) profiling, which gives quick sample-set insights, and 2) data quality scans, which are in-depth scans of full data sets. These profiling capabilities use your defined rules or built-in templates to reason over your metadata and give you data quality insights and recommendations.

New data quality experience within the data management area of Microsoft Purview Data Catalog

Apply industry standard controls in data estate health management

In partnership with EDM Council, new data health controls include a set of 14 standards for cloud data management controls. These standards govern how data is to be managed, while controls create fidelity of how data assets are used/accessed. Examples are metadata completeness, cataloging, classification, access entitlement, and data quality. A data office can configure rules which determine the score and define what constitutes a red/yellow/green indicator score, ensuring your rules and indicators reflect the unique standards of your organization.

New data health controls experience within the data estate health area of Microsoft Purview Data Catalog

Summarized insights help activate and sustain your practice  

Data governance is a practice which is nurtured over time. Aggregated insights help you put the “practice” into your data governance practice by showcasing the overall health of your governed data estate. Built-in reports surface deep insight across a variety of dimensions: assets, catalog adoption, classifications, data governance, data stewardship, glossary, and sensitivity labels.

The image below is the Data Governance report which can be filtered by business domain, data product, and status for deeper insights.  

New data health controls experience within the data estate health area of Microsoft Purview Data Catalog

Stay on top of data governance health with aggregated actions   

The new Actions center aggregates and summarizes governance-related actions by role, data product, or business domain. Actions stem from usage or implementation being out of alignment from defined controls. This interactive summary makes it easy for teams to manage and track actions—simply click on the action to make the change required. Cleaning up outstanding actions helps improve the overall posture of your data governance practice—key to making governance a team sport.

New data governance report within the data estate health area of Microsoft Purview Data Catalog

Announcing technology partnerships for even greater customer value  

We are excited to announce a solution initiative with Ernst & Young LLP (EY US), who will bring their extensive experience in data solutions within financial services, to collaborate with Microsoft on producing data governance reports and playbooks purpose-built for US-oriented financial services customers. These reports and playbooks aim to accelerate the customer time to value for activating a governance practice that adheres to the unique regulation needs of the financial sector. These assets will be made available in Azure Marketplace over the course of preview and the learnings from this will also help inform future product roadmap.

Additionally, a modern data governance solution integrates and extends across your technology estate. With this new data governance experience, we are also excited to announce technology partnerships that will help seamlessly extend the value of Microsoft Purview to customers through pre-built integration. Integrations will light up over the course of preview and be available in Azure Marketplace.  

Master Data Management   

  • CluedIn brings native Master Data Management and Data Quality functionality to Microsoft Fabric, Microsoft Purview, and the Azure stack. Learn more about CluedIn . 
  • Profisee Master Data Management is a complementary and necessary piece of your data governance strategy. Learn more about Profisee .
  • Semarchy combines master data management, data intelligence, and data integration into a singular application in any environment. Learn more about Semarchy .  

Data Lineage   

  • Solidatus empowers data-rich enterprises to visualize, understand, and govern data like never before. Learn more about Solidatus .  

Try the new experience

Available starting April 8, 2024, please log on to the Microsoft Purview portal and give the reimagined data governance experience within the “Data Catalog” tile a try. We’d love to hear your feedback!  

