Commit 34e8767

Update roles-custom-overview.md
1 parent 700cf93 commit 34e8767

1 file changed

+4
-3
lines changed

articles/active-directory/users-groups-roles/roles-custom-overview.md

Lines changed: 4 additions & 3 deletions
@@ -20,15 +20,16 @@ ms.collection: M365-identity-device-management
2020

2121
This article describes how to understand the new custom roles-based access control (RBAC) and resource scopes in Azure Active Directory (Azure AD). Custom RBAC roles surfaces the underlying permissions of the [built-in roles](directory-assign-admin-roles.md) , so you can create and organize your own custom roles. This allows you to grant access in a more granular way than built-in roles, when needed. This first release of custom RBAC roles includes the ability to create a role to assign permissions for managing app registrations. Over time, additional permissions for organization resources like enterprise applications, users, and devices will be added.
2222

23-
2423
Additionally, custom RBAC roles support assignments on a per-resource basis, in addition to the more traditional organization-wide assignments. This gives you the ability to grant access to manage some resources (e.g. one app registration) without giving access to all resources (all app registrations).
2524

2625
Azure AD role-based access control is a public preview feature of Azure AD and is available with any paid Azure AD license plan. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
2726

2827
## Understand Azure AD role-based access control
2928

30-
Granting permission using custom RBAC roles is a two-step process that involves creating a custom role definition and then assigning it using a role assignment. A custom role definition is a collection of permissions that you add from a preset list. These are the same permissions used in the built-in roles.
31-
Once you’ve created your role definition, you can assign it to someone by creating a role assignment. A role assignment grants someone the permissions in a role definition at a specific scope. This two-step process allows you to create one role definition and assign it many times at different scopes. A scope defines the set of resources the role member has access to. The most common scope is organization-wide (org wide) scope. A custom role can be assigned at org wide scope, meaning the role member has the role permissions over all resources in the organization. A custom role can also be assigned at an object scope. An example of an object scope would be a single application. This way the same role can be assigned to Sally over all applications in the organization and then Naveen over just the Contoso Expense Reports app.
29+
Granting permission using custom RBAC roles is a two-step process that involves creating a custom role definition and then assigning it using a role assignment. A custom role definition is a collection of permissions that you add from a preset list. These are the same permissions used in the built-in roles.
30+
31+
Once you’ve created your role definition, you can assign it to someone by creating a role assignment. A role assignment grants someone the permissions in a role definition at a specific scope. This two-step process allows you to create one role definition and assign it many times at different scopes. A scope defines the set of resources the role member has access to. The most common scope is organization-wide (org wide) scope. A custom role can be assigned at org wide scope, meaning the role member has the role permissions over all resources in the organization. A custom role can also be assigned at an object scope. An example of an object scope would be a single application. This way the same role can be assigned to Sally over all applications in the organization and then Naveen over just the Contoso Expense Reports app.
32+
3233
Azure AD RBAC operates on concepts similar to [Azure role-based access control](../../role-based-access-control/overview.md). The difference being Azure RBAC controls access to Azure resources such as virtual machines and websites, and Azure AD RBAC controls access to Azure AD. Both systems leverage the concept of role definitions and role assignments.
3334

3435
### Role assignments
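
Review bot: The paragraph re-added at new line 31 still mixes "organization-wide (org wide) scope" with "org wide scope" and keeps a typographic apostrophe in "you’ve"; since the line is being rewritten anyway, settle on one hyphenated form ("org-wide") and a plain apostrophe. The unchanged context at line 21 reads "Custom RBAC roles surfaces" and has a stray space before the comma after the built-in roles link, which would be worth fixing in the same pass. The removed and added paragraph text is otherwise identical, so the commit appears to change only blank-line separation between paragraphs; the default title "Update roles-custom-overview.md" should say that so the history shows this was a formatting fix and not a content change to the access-control guidance.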
