Azure-docs: Role for Identity Governance

Created on 15 Aug 2019 · 5 Comments · Source: MicrosoftDocs/azure-docs

Hello,
What AzureAD roles should be assigned to assure the least privilege for an Identity Governance administrator?



Pri2 active-directorsvc compliancsubsvc cxp product-question triaged

All 5 comments

@ivangotti Thanks for your feedback! We will investigate and update as appropriate.

The least privileged directory roles for updating configuration in an Azure AD Identity Governance feature are:

  • Entitlement Management - User Admin (with the exception of adding SharePoint Online sites to catalogs, which requires GA)
  • Terms of Use - Security Admin or Conditional Access Admin
  • Access Reviews - User Administrator (with the exception of Access Reviews of Azure or Azure AD roles, which requires Privileged Role Admin)
  • Privileged Identity Management - Privileged Role Admin

We recommend customers use Azure AD Privileged Identity Management to activate a role as needed to perform tasks in those features.

In addition, an admin can configure in Entitlement Management one or more users as catalog creators, and those users do not need to be in a directory role to be able to create catalogs and access packages with groups, site collections and apps they own.
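The mapping in the comment above lends itself to an automated least-privilege check: given the Identity Governance tasks an administrator actually performs, compute the minimum role set the thread names, then compare it with the roles the account really holds. The following Python script is an added example and is not code from the thread or from Microsoft. It assumes the thread's shorthand maps to the full directory-role display names ("User Admin" to "User Administrator", "GA" to "Global Administrator", and so on), it treats Global Administrator as a superset of every other role, the task keys are hypothetical labels chosen here, and the role-assignment export it audits is constructed sample data, not a real tenant.

```python
"""Least-privilege audit for Azure AD Identity Governance administrators.

Encodes the per-feature role mapping given in the thread and reports, per
account, which tasks are uncovered and which assigned roles exceed what the
tasks need. Added example; role-name mapping and sample data are assumptions.
"""
from __future__ import annotations

GLOBAL_ADMIN = "Global Administrator"

# Task -> roles that are sufficient for it; any ONE role in the set will do.
# Task keys are hypothetical labels; the role names are the full display names
# assumed to match the thread's shorthand ("User Admin", "GA", ...).
TASK_ROLES: dict[str, frozenset[str]] = {
    "entitlement-management": frozenset({"User Administrator"}),
    "entitlement-management-sharepoint-sites": frozenset({GLOBAL_ADMIN}),
    "terms-of-use": frozenset({"Security Administrator",
                               "Conditional Access Administrator"}),
    "access-reviews": frozenset({"User Administrator"}),
    "access-reviews-of-azure-roles": frozenset({"Privileged Role Administrator"}),
    "privileged-identity-management": frozenset({"Privileged Role Administrator"}),
}


def satisfies(role: str, task: str) -> bool:
    """Global Administrator is a superset of every directory role (assumption
    stated in the lead-in); any other role must be listed for the task."""
    return role == GLOBAL_ADMIN or role in TASK_ROLES[task]


def minimum_roles(tasks: set[str]) -> set[str]:
    """Least-privileged role set covering the tasks.

    Only roles the thread names for the requested tasks are candidates, so
    Global Administrator is chosen only when a task strictly requires it.
    Greedy cover with a deterministic tie-break (non-GA first, then by name).
    """
    candidates = set().union(*(TASK_ROLES[t] for t in tasks))  # KeyError on unknown task
    uncovered = set(tasks)
    chosen: set[str] = set()
    while uncovered:
        best = max(sorted(candidates),
                   key=lambda r: (sum(satisfies(r, t) for t in uncovered),
                                  r != GLOBAL_ADMIN))
        covered = {t for t in uncovered if satisfies(best, t)}
        if not covered:  # cannot happen with candidates built from the tasks
            raise RuntimeError(f"no candidate covers {sorted(uncovered)}")
        chosen.add(best)
        uncovered -= covered
    return chosen


def audit(assigned: set[str], tasks: set[str]) -> dict[str, set[str]]:
    """Compare held roles with the tasks the account must perform.

    missing: tasks no held role satisfies.
    excess:  held roles that serve none of the tasks, plus Global Administrator
             when no task requires it (a narrower role would do).
    """
    missing = {t for t in tasks if not any(satisfies(r, t) for r in assigned)}
    needs_ga = any(GLOBAL_ADMIN in TASK_ROLES[t] for t in tasks)
    excess = {r for r in assigned
              if (r == GLOBAL_ADMIN and not needs_ga)
              or not any(satisfies(r, t) for t in tasks)}
    return {"recommended": minimum_roles(tasks), "missing": missing, "excess": excess}


# Constructed sample export of role assignments and duties (not real tenant data).
SAMPLE_ASSIGNMENTS = [
    {"upn": "ig-admin@example.com",
     "roles": {GLOBAL_ADMIN},
     "tasks": {"entitlement-management", "access-reviews"}},
    {"upn": "tou-admin@example.com",
     "roles": {"Conditional Access Administrator", "Exchange Administrator"},
     "tasks": {"terms-of-use", "privileged-identity-management"}},
    {"upn": "pim-admin@example.com",
     "roles": {"Privileged Role Administrator"},
     "tasks": {"privileged-identity-management", "access-reviews-of-azure-roles"}},
]


def audit_all(assignments=SAMPLE_ASSIGNMENTS) -> dict[str, dict[str, set[str]]]:
    return {a["upn"]: audit(a["roles"], a["tasks"]) for a in assignments}


if __name__ == "__main__":
    for upn, result in audit_all().items():
        print(upn)
        for key in ("recommended", "missing", "excess"):
            print(f"  {key:12}: {sorted(result[key]) or '-'}")
```

In the sample data the first account holds Global Administrator for duties that User Administrator alone covers, so it is reported as excess; the second holds a role unrelated to its duties and lacks Privileged Role Administrator for PIM, so it shows both an excess and a missing entry. The "recommended" set is what would be granted as an eligible (PIM-activated) assignment in line with the thread's advice.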

Hey @ivangotti, please let us know if you have any more questions in regard to this per the last response from Markwahl.

@ivangotti Please let us know if there are any more questions within the scope of this git issue. If not, I will be closing out this git issue by end of day tomorrow. Please reopen this git issue if you have any more concerns. Thanks

Hello,

Thank you! That is exactly what I needed to know.
You can close the ticket.

Regards,
Ivan

On Tue, 20 Aug 2019 at 01:21, Frank Hu notifications@github.com wrote:

@ivangotti https://github.com/ivangotti Please let us know if there are
any more questions within the scope of this git issue. If not, I will be
closing out this git issue by end of day tomorrow. Please reopen this git
issue if you have any more concerns. Thanks


Ivan Gotti
www.linkedin.com/in/ivangotti
