How to Assign Admin Roles to Azure AD Groups with Access Reviews and Just in Time Access?

As of July 31 2021 this feature is Generally Available; it was announced in the Microsoft 365 Admin Center message center as MC274516.

This post shows how to assign Azure AD admin roles to Azure AD groups and combine that with two Privileged Identity Management (PIM) features: just-in-time (JIT) access and Access Reviews.

Previous setup

Previously, Azure AD admin roles had to be assigned at the user level, one role at a time. For example, if a set of roles had to be given to a set of users (the classic case is an IT Service Desk) according to the services they administer, the roles had to be assigned per user, per role.

New setup

Now you can create Azure AD groups, add the targeted users and assign the roles at the group level. Whenever a user is added to the group they acquire the roles, and when they are removed they lose them.

You can also set up group owners so they can add and remove members as required.

Requirement to use roles assigned to Azure AD groups

Azure AD Premium P1 must be assigned to the user. If you also want the Privileged Identity Management features (Access Reviews, just-in-time access), Azure AD Premium P2 must be assigned.

Screenshot of the Roles and administrators page

How to setup the groups?

  • Log in to the Azure portal
  • Go to Azure Active Directory
  • Go to Groups and select New group
  • Create the new group as below. Make sure the “Azure AD roles can be assigned to the group” option is switched ON. This option can only be set while creating the group and cannot be changed afterwards; the group must be a security or Microsoft 365 group with Assigned (not dynamic) membership, and only a Global Administrator or Privileged Role Administrator can create it.
  • Specify the owners
  • Click the “No roles selected” link
  • Select the necessary roles
  • Press Create
  • Press Yes on the confirmation message shown below
  • If you later open the group and go to “Assigned roles” you will see the roles assigned to the group
  • Add more roles there if required
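The same setup done from Microsoft Graph PowerShell, as an added example that is not part of the original post. The group name, owner UPN and role names are placeholders; it assumes the Microsoft.Graph module is installed and you sign in as a Global Administrator or Privileged Role Administrator, which is required to create a role-assignable group.

```powershell
# Added example (not from the original post): create a role-assignable group, set an owner,
# assign directory roles to it, and read the assignments back.
# Placeholders: the group display name, owner UPN and role names below.
Connect-MgGraph -Scopes "Group.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All"

$ownerUpn = "servicedesk.lead@contoso.com"      # placeholder
$owner    = Get-MgUser -UserId $ownerUpn

# isAssignableToRole can only be set at creation time and cannot be changed later.
# The group must be security-enabled with assigned (not dynamic) membership.
$group = New-MgGroup -DisplayName "SG-ServiceDesk-Admins" `
                     -MailNickname "sg-servicedesk-admins" `
                     -MailEnabled:$false -SecurityEnabled `
                     -IsAssignableToRole `
                     -Description "Role-assignable group for IT Service Desk admins"

# Add the group owner who will manage membership (and can act as the access reviewer later).
New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($owner.Id)"
}

# Assign one or more directory roles to the group at tenant scope ("/").
$roleNames = @("Helpdesk Administrator", "User Administrator")   # placeholders
foreach ($name in $roleNames) {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId "/" | Out-Null
}

# Verification: list the roles the group now holds (equivalent to the "Assigned roles" blade).
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    ForEach-Object {
        (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
    }
```

The read-back at the end is the check worth keeping in a runbook: a group with `IsAssignableToRole` set but no assignments, or with more roles than intended, is easy to miss in the portal.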

Use Access Reviews

You can let the group owners, or any other user who has Azure AD P2 assigned, perform the Access Reviews. Azure AD P2 is required for the reviewer.

Why Access Reviews?

Because the members of the group hold admin privileges over sensitive parts of Azure AD and the services it protects, it is sensible to run Access Reviews periodically to confirm the membership is current and that every member still needs to be there.

How to setup Access Reviews?

  • Open the group in Azure AD
  • Go to Access reviews under Activity
  • Select New access review
  • Select “Teams + Groups” and then select the group in step 2
  • Select “Next: Reviews”
  • Choose the reviewers and the recurrence
  • Select “Next: Settings”
  • The Settings step controls what happens after the review, for example whether decisions are applied automatically, whether justification is required, and which default decision applies when a reviewer does not respond
  • Tip: hover over the “i” icons to get information on each setting
  • Once all done, select Review + Create to create the access review
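The same access review created with Microsoft Graph PowerShell, as an added example that is not part of the original post. `$groupId` is a placeholder for the role-assignable group; the review is scoped to the group's members, the group owners are the reviewers, and it recurs every three months.

```powershell
# Added example (not from the original post): a recurring access review of a role-assignable
# group's membership, reviewed by the group owners. Placeholder: $groupId.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: the role-assignable group

$params = @{
    displayName             = "Quarterly review - Service Desk admin group"
    descriptionForAdmins    = "Confirm every member still needs the admin roles granted through this group."
    descriptionForReviewers = "Remove anyone who no longer works on the Service Desk."
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    reviewers = @(
        @{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true
        instanceDurationInDays          = 14
        # Fail closed: if a reviewer does nothing within the window, the member is removed.
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"
        autoApplyDecisionsEnabled       = $true
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
$review | Select-Object Id, DisplayName, Status
```

The two settings that matter most for an admin group are `defaultDecision = "Deny"` with `autoApplyDecisionsEnabled = $true`: without them a review that nobody completes changes nothing, which defeats the purpose of reviewing privileged membership.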

Use Privileged Identity Management

With this feature you can provide just-in-time (JIT) membership of the security group or the Microsoft 365 group.

You can add users to the group as Member or Owner for a limited period of time, together with a justification.

Required license: Azure AD P2 for the PIM user.

Why using PIM?

PIM adds a layer of identity security to group membership: membership or ownership can be granted as a temporary, time-bound assignment rather than a permanent one, so users hold the admin roles only while they need them.

How to set Just In Time access?

Go to the created Azure AD group and navigate to Privileged access. (This was in preview at the time of writing.)

If you add members from the Members tab, that is a permanent assignment.

  • To add JIT access instead, click “Add assignments”
  • Select the role the new assignment grants: Member or Owner

This is the role the person gets in the group when the assignment is active.

  • Select the person or group from the “Select member(s)” link, which opens the Azure AD user picker
  • Next, set how you want the assignment to work
  • Select the Assignment type
  • Eligible assignments require the member to perform an action to use the role. Actions might include completing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers
  • Active assignments do not require the member to perform any action to use the role. Members assigned as active have the privileges of the role at all times
  • Set the start and end of the assignment (or mark it permanently eligible), then press Assign and the user is added to the group with the specified settings
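The same eligible (JIT) group assignment created with Microsoft Graph PowerShell, as an added example that is not part of the original post. `$groupId` and the user UPN are placeholders; it assumes the PIM for groups Graph API and an Azure AD P2 licence for the user.

```powershell
# Added example (not from the original post): make a user *eligible* for membership of a
# role-assignable group through PIM, rather than a permanent member added via the Members tab.
# Placeholders: $groupId and the user UPN.
Connect-MgGraph -Scopes "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup","User.Read.All"

$groupId = "00000000-0000-0000-0000-000000000000"          # placeholder
$user    = Get-MgUser -UserId "helpdesk.agent@contoso.com"  # placeholder

$params = @{
    accessId      = "member"          # or "owner"
    principalId   = $user.Id
    groupId       = $groupId
    action        = "adminAssign"
    justification = "Service Desk agent - eligible for admin roles via group membership"
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{
            type     = "afterDuration"
            duration = "P365D"        # eligibility lasts one year, then must be renewed
        }
    }
}

# An eligible assignment: the user must activate it (MFA, justification, approval as configured)
# before the group membership, and therefore the roles, become effective.
# For a time-bound *active* assignment use
# New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest with the same shape.
$req = New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $params
$req | Select-Object Id, Status, AccessId, PrincipalId

# Verification: eligibility schedules on the group. A permanent member would instead appear in
# Get-MgGroupMember, which is what the Members tab creates.
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter "groupId eq '$groupId'" |
    Select-Object PrincipalId, AccessId, MemberType, Status
```

Comparing the output of the final query with `Get-MgGroupMember -GroupId $groupId` is a quick way to catch users who were added permanently by mistake when they should only be eligible.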

Final thoughts

I think this is a much needed Azure AD feature: a systematic way to manage users who hold multiple Azure AD roles, and to get the best out of Azure AD groups by combining them with the Privileged Identity Management features.
