Azure AD – New administration role available to delegate administration of Microsoft Cloud App Security (MCAS)
As you know, Azure AD comes with administration roles that allow you to delegate administration tasks with the least privilege.
All administrative permissions to manage any service or capability should be granted by assigning Azure AD administration roles.
Until now, it was not possible to grant such an administration role to a group of users.
Good news: this capability is now available in preview.
To start using a group to grant an administration role, log on to your Azure AD portal (https://aad.portal.azure.com/) and go to the Azure Active Directory > Groups blade to create a new group.
The new group can be either a security or an Office 365 group, and can even use dynamic membership.
You will see the new option "Azure AD roles can be assigned to the group".
NOTE 1: once you have decided to enable (or not) this setting, the choice is permanent. You cannot change your mind afterwards.
NOTE 2: if using dynamic membership, you cannot change the membership rule afterwards.
Once you have turned on the setting to assign Azure AD roles to the group, a new setting appears below the Members section to select the Azure AD role(s) you want to assign to the group.
Do not use this capability if you are already using Privileged Identity Management.
There are a few limitations, maybe because of the preview stage:
You cannot assign:
As you know, Azure AD comes with administration roles that allow you to delegate administration tasks with the least privilege.
To limit the need for and use of the global administrator role, 3 new administration roles have been made available:
As you know, Azure Active Directory provides a large list of administration roles to allow delegating administration tasks and reduce the need to...