How to create custom roles in Microsoft Entra ID

Microsoft Entra ID plays a crucial role in managing user access and permissions within organizations. It offers a range of built-in roles designed to streamline user administration, each with a fixed set of permissions tailored for specific tasks. However, as organizations grow in size and complexity, these predefined roles often fall short of meeting diverse operational needs. Large enterprises may require more granular and customized control over user permissions to delegate specific administrative tasks effectively.

This is where custom roles come into play, allowing organizations to create tailored role definitions for use cases like targeted access to a select set of objects, such as specific applications or service principals. Custom roles can also grant the ability to view only the audit logs, which lets specific users monitor activity without receiving any additional administrative privileges. For example, you can create a role that gives some of your IT admins access to the audit logs to check license usage and lets them modify license assignments, while limiting this to the devices in your environment.

Let's see how to create and assign custom roles in Microsoft Entra ID, and discover how to streamline the process using ManageEngine M365 Manager Plus, a comprehensive tool for reporting, management, monitoring, and auditing. M365 Manager Plus is an all-inclusive solution that lets you create alerts for crucial activities in your Microsoft 365 environments, assign administrative roles to users without elevating their Microsoft 365 privileges, and more.

How to create custom admin roles in Microsoft Entra ID and M365 Manager Plus

 Microsoft Entra ID

  1. Log in to the Microsoft Entra admin center with a user account that has at least the Privileged Role Administrator role assigned to it.
  2. Navigate to Identity > Roles & Admins > Roles & Admins and click New Custom Role.
    Microsoft Entra ID's Roles and Administrators page with options to create a new custom role and view existing role assignments.
  3. Type in a Name and Description for your custom role and choose from the Baseline permissions field if you want to Start from scratch or Clone from a custom role. If you choose the latter, select the role you want to use as a template from the Role to clone dropdown. After filling in the fields, click Next to proceed.
    The New Custom Role page showing fields for role name, description, and baseline permissions options
  4. Select the permissions you want to assign to the role by selecting the check box next to each one. You can also confirm whether a permission is considered privileged by checking for the Privileged tag in the Privileged column. For this example, we will select the applications/allProperties/update and auditLogs/allProperties/read permissions. When done, click Next.
    The New Custom Role page with the options for selecting permissions in a new custom role, showing various permissions related to application policies with checkboxes for selection.
  5. Review your custom role's name, description, and selected permissions. Then, click Create.

 M365 Manager Plus

  1. Log in to M365 Manager Plus, navigate to Delegation > Help Desk Roles, and click Create New Role.
    The Help Desk Roles page in M365 Manager Plus, displaying a list of roles and the options for creating new roles and editing or deleting existing roles.
  2. Enter the Role Name and Description in the respective text boxes.
  3. Select the tasks you want to delegate. You can select any number of reports and tasks that you want to delegate.
  4. Click Save.
    The Create New Role page in M365 Manager Plus showing the options to customize access to reports and tasks for a newly created role.

How to assign administrative roles in Microsoft Entra ID

This section compares how to assign the custom roles you created in Microsoft Entra ID and M365 Manager Plus.

 Microsoft Entra ID

  1. On the Roles and Administrators page, search for the custom role you created and click it.
    The All Roles page displaying the search result for a newly created custom role in the Roles and Administrators section, with details like role name, description, privilege level, and type.
  2. Click Add Assignments.
    The Assignments page with the Add Assignments option to assign the custom role to users.
  3. Select the members you want to assign the role to, under the Select Members field, and click Next.
    The Add Assignments page with the option to select the users you want to assign the role to.
  4. Select either of the two assignment types: Eligible, when you want the user to activate the role or perform another action to use it, such as requesting an approval, or Active, when you want to assign the role directly.
  5. You can configure how long the role is assigned to the user using the Assignment starts and Assignment ends fields. If you wish to assign the role without any time limit, select the Permanently assigned check box.
    The Add Assignments page showing settings for role assignment duration, including options for assignment type (Eligible or Active), permanent assignment, start and end dates, and justification field.
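The same role creation and assignment, carried out with Microsoft Graph PowerShell as an added example (this code is not from the original page or from ManageEngine); it assumes the Microsoft.Graph module is installed, the signed-in account holds the Privileged Role Administrator role, and the role name and UPN are placeholders.

```powershell
# Added example, not from the original page. Requires the Microsoft.Graph module;
# the signed-in account must be at least a Privileged Role Administrator.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# 1. Custom role definition with the same two permissions the portal walkthrough selects.
$roleParams = @{
    displayName     = "App Updater and Audit Log Reader"   # placeholder name
    description     = "Update application properties and read audit logs only"
    isEnabled       = $true
    templateId      = (New-Guid).Guid
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/applications/allProperties/update"
                "microsoft.directory/auditLogs/allProperties/read"
            )
        }
    )
}
$role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleParams
"Created role $($role.DisplayName); privileged: $($role.IsPrivileged)"

# 2. Resolve the member to assign (placeholder UPN).
$user = Get-MgUser -UserId "it.admin@contoso.example"

# 3a. Active, time-bound assignment: the Assignment starts/ends fields above.
#     directoryScopeId "/" is tenant-wide; use "/<app object id>" to scope the
#     role to a single application registration instead.
$activeParams = @{
    action           = "adminAssign"
    justification    = "Delegated app updates and audit review"
    roleDefinitionId = $role.Id
    principalId      = $user.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P90D" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activeParams

# 3b. Eligible assignment instead: the user must activate the role in PIM before
#     using it. Expiration type "noExpiration" matches "Permanently assigned".
$eligibleParams = $activeParams.Clone()
$eligibleParams.scheduleInfo = @{
    startDateTime = (Get-Date).ToUniversalTime().ToString("o")
    expiration    = @{ type = "noExpiration" }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibleParams
```

Run only one of 3a or 3b for a given user; the Eligible variant keeps the permissions dormant until activation, which is the lower-risk default for administrative delegation.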

 M365 Manager Plus

  1. Navigate to Delegation > Help Desk Technicians and click Add New Technician.
    The Configured Technicians page in M365 Manager Plus with the option to add a new technician highlighted.
  2. From the Authentication Type drop-down menu, select either Microsoft 365 Authentication or Active Directory Authentication.
    • For Microsoft 365 Authentication, select the Microsoft 365 Tenant, and you can add users from the selected tenant.
    • For Active Directory Authentication, select the AD Domain and enter the Domain User Name in the User Principal Name format. You can also add multiple usernames separated by commas.
  3. Add the users you wish to assign the role to in the Select Microsoft 365 Users field.
  4. Choose the role you created from the Help Desk Roles drop-down.
  5. From the Delegate Microsoft 365 Tenants drop-down, select the Microsoft 365 tenants to which you wish to delegate the selected help desk roles.
  6. Click Add to finish creating new Help Desk Technicians.
    The Add New Technician page in M365 Manager Plus with the fields to select the users, the tenant from which they will be selected, the technician role that will be assigned to them, and the tenant that will be delegated to them.

How M365 Manager Plus' custom role creation is safer and more intuitive than Microsoft Entra ID's

Custom roles in Microsoft Entra ID provide organizations with the ability to tailor user permissions for enhanced security and compliance, allowing for precise access to resources like audit logs or specific applications. However, these roles can pose risks if misconfigured, potentially leading to over-permissioning and security vulnerabilities.

In contrast, ManageEngine M365 Manager Plus's admin role delegation mitigates these risks by enabling administrators to assign tasks without elevating user privileges across the broader Microsoft 365 environment. You can also delegate granular access permissions, individual tasks, and reports to technicians without elevating their Microsoft 365 privileges.

Here are the benefits M365 Manager Plus provides over Microsoft Entra ID's role administration process.

  • By limiting access strictly to the M365 Manager Plus admin center, users can perform necessary functions—such as password resets and account unlocks—without needing full administrative rights to Microsoft 365. This controlled approach simplifies delegation while maintaining tighter security: even if someone gets hold of a user's credentials, they will still need access to the M365 Manager Plus admin center to make any changes to the environment.
  • With the Technician Audit Log feature of M365 Manager Plus, you can track what a technician did with their delegated rights, for example which audit reports were generated, which alerts were created, and more.
  • You can create virtual tenants to house user objects that satisfy certain conditions under a single point of control, just like an administrative unit. Consolidate all your privileged accounts in one location for easy report generation, task execution, and frequent auditing—without the need to process other accounts.
