
I have a requirement to add users to an Azure Active Directory group with certain privileges.

For example, a specific user added to adgroup1 gets edit access to application-specific data, while the same user could be part of adgroup2 with read-only access to a different set of application data.

What would be the best practice to implement this? I appreciate the feedback.

marc_s
Faizal
  • I think the data granularity is too small; it is difficult to control. How about write/read for all the applications in the tenant? – Joy Wang May 13 '21 at 01:56
  • It's single-application access but different sets of data... Are there any attributes available while adding a user to an AD group so we can set it as read or write? – Faizal May 13 '21 at 02:01
  • Well, any sample for `different sets of data`? And I am just concerned whether the `application` in your question is the `App registration` in AAD? – Joy Wang May 13 '21 at 02:09
  • Yes, the application is an app registered in AAD. User1 -> adGroup1 -> Data1 -> edit access; User2 -> adGroup2 -> Data1 -> view access. I am looking for a user-specific attribute that can be set when adding the user to an AD group and that is applicable only from that AD group's context. Thanks! – Faizal May 13 '21 at 20:23
  • Any other concerns about this issue? – Joy Wang May 17 '21 at 02:18
  • Fine-grained entitlements are implemented as data-driven instead of AD roles. – Faizal Jun 27 '21 at 22:48

1 Answer

I am afraid this cannot be implemented. In Azure AD, a normal user (i.e. user type is Member) has the default permission to view all the AD apps in the tenant (source here).


This cannot be restricted (the default permissions for member users that can be restricted are listed here). Even if you set "Restrict access to Azure AD administration portal", the user can still get the information from other clients, e.g. PowerShell.

For the edit permission, the user needs to be added as an Owner of the AD app, but adding an AAD group as an Owner of the AD app is not supported.

Joy Wang
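The comment thread above ends with the asker's conclusion that the read/edit distinction has to be data-driven inside the application rather than expressed in Azure AD. The following is an added example of that approach; it is not code from the question, the answer, or Microsoft. It assumes the application receives an Azure AD token whose signature, issuer, audience and expiry have already been validated upstream, and it maps the group object IDs in the token's `groups` claim to per-dataset permissions held in the app's own policy table. The group IDs, dataset names, and sample token payloads are all constructed for illustration. It also handles the group-overage case, where Azure AD omits the `groups` claim from the token (emitting `_claim_names`/`_claim_sources`, or `hasgroups` for the implicit flow) and the application must query Microsoft Graph for membership instead of silently treating the user as having no groups.

```python
"""Group-claim based, per-dataset authorization for an Azure AD protected app.

Added example (not from the original post): Azure AD has no per-membership
attribute that says "read-only in adGroup2", so the read/edit split lives in
the application, keyed on which groups the caller belongs to. The token's
`groups` claim carries group object IDs (GUIDs), never display names.
"""
from enum import Enum
from typing import Dict, FrozenSet, Mapping, Set


class Permission(str, Enum):
    READ = "read"
    EDIT = "edit"


class GroupOverageError(Exception):
    """Token signals group overage: the `groups` claim was dropped and
    membership must be fetched from Microsoft Graph (e.g. /me/memberOf)."""


# Hypothetical group object IDs (constructed, not real tenants' groups).
ADGROUP1 = "11111111-1111-1111-1111-111111111111"
ADGROUP2 = "22222222-2222-2222-2222-222222222222"

# Policy: dataset -> {group object id -> granted permissions}.
# In a real app this table is the "data-driven" part: it lives in the
# application's own store, not in Azure AD.
POLICY: Dict[str, Dict[str, FrozenSet[Permission]]] = {
    "Data1": {
        ADGROUP1: frozenset({Permission.READ, Permission.EDIT}),
        ADGROUP2: frozenset({Permission.READ}),
    },
    "Data2": {
        ADGROUP2: frozenset({Permission.READ, Permission.EDIT}),
    },
}


def groups_from_claims(claims: Mapping[str, object]) -> FrozenSet[str]:
    """Return the caller's group object IDs from validated token claims.

    Fails closed: an overage marker raises instead of returning an empty set,
    so the app cannot mistake "list too long to include" for "no groups".
    """
    groups = claims.get("groups")
    if isinstance(groups, list):
        return frozenset(str(g).lower() for g in groups)
    claim_names = claims.get("_claim_names")
    if claims.get("hasgroups") is True or (
        isinstance(claim_names, dict) and "groups" in claim_names
    ):
        raise GroupOverageError("groups claim omitted due to overage; query Graph")
    return frozenset()  # no membership asserted -> no group-derived rights


def effective_permissions(claims: Mapping[str, object], dataset: str) -> Set[Permission]:
    """Union of the permissions granted by every group the caller is in."""
    user_groups = groups_from_claims(claims)
    granted: Set[Permission] = set()
    for group_id, perms in POLICY.get(dataset, {}).items():
        if group_id.lower() in user_groups:
            granted |= perms
    return granted


def is_allowed(claims: Mapping[str, object], dataset: str, action: str) -> bool:
    """True if the caller may perform `action` ("read"/"edit") on `dataset`."""
    return Permission(action) in effective_permissions(claims, dataset)


# Constructed sample claim sets (payloads only; signature checks assumed done).
USER1_CLAIMS = {"oid": "aaaaaaaa-0000-0000-0000-000000000001", "groups": [ADGROUP1]}
USER2_CLAIMS = {"oid": "aaaaaaaa-0000-0000-0000-000000000002", "groups": [ADGROUP2]}
OVERAGE_CLAIMS = {
    "oid": "aaaaaaaa-0000-0000-0000-000000000003",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "<graph endpoint omitted>"}},
}

if __name__ == "__main__":
    print("User1 edit Data1:", is_allowed(USER1_CLAIMS, "Data1", "edit"))
    print("User2 edit Data1:", is_allowed(USER2_CLAIMS, "Data1", "edit"))
    try:
        effective_permissions(OVERAGE_CLAIMS, "Data1")
    except GroupOverageError as exc:
        print("Overage handled:", exc)
```

The same user can appear in several groups, so permissions are the union across matching groups; a deny-by-default table means a dataset with no entry for any of the caller's groups yields no rights at all. The overage path is the case most often missed: if the application treated a missing `groups` claim as "member of nothing", users in many groups would lose access unpredictably, and if it treated it as "skip the check", it would grant access without evidence.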