
As per the link below, we can assign the Global Administrator or Security Administrator role in Azure AD to a user, and that provides full access to the Microsoft Cloud App Security portal. https://learn.microsoft.com/en-us/cloud-app-security/manage-admins#office-365-and-azure-ad-roles-with-access-to-cloud-app-security However, with these roles users get privileged admin access to other features of Azure AD as well. We want to restrict the role to provide full access to the Microsoft Cloud App Security portal only. Is it possible to create a custom role with permissions only for Microsoft Cloud App Security?

2 Answers


Unfortunately it's not supported to create a custom AAD role with the full access permission of Microsoft Cloud App Security portal.

Currently, permissions for Application registrations and Enterprise applications are supported in custom roles. See the details here.

The full access permission for the Microsoft Cloud App Security portal should be microsoft.directory/cloudAppSecurity/allProperties/allTasks. You can see that it's not listed on the page when I try to look for it in the Azure portal.


You can query microsoft.directory/cloudAppSecurity/allProperties/allTasks on this page and choose the one with the least permissions to assign to users who need to be assigned the Cloud App Security portal administrator role.

Allen Wu
  • Although your answer is correct as per the documentation, I couldn't find this permission in our Azure AD tenant while creating a custom role with this permission microsoft.directory/cloudAppSecurity/allProperties/allTasks – Subhajit Dey May 03 '21 at 07:35
  • @SubhajitDey Yes. As I said, you can only select a built-in role which includes `microsoft.directory/cloudAppSecurity/allProperties/allTasks`, not create a custom role which includes it. – Allen Wu May 03 '21 at 07:38

Recently Microsoft has come up with a new role named "Cloud App Security Administrator". This role provides full admin access to MCAS without providing any privileged access to other Azure AD configurations. I didn't find any documentation, but it is visible in the Azure AD portal.