# Custom administrator roles in Azure Active Directory (preview)
20
20
21
-
This article describes how to understand the new custom roles-based access control (RBAC) and resource scopes in Azure Active Directory (Azure AD). Custom RBAC roles surfaces the underlying permissions of the [built-in roles](directory-assign-admin-roles.md) , so you can create and organize your own custom roles. This allows you to grant access in a more granular way than built-in roles, when needed. This first release of custom RBAC roles includes the ability to create a role to assign permissions for managing app registrations. Over time, additional permissions for organization resources like enterprise applications, users, and devices will be added.
21
+
This article describes how to understand the new custom roles-based access control (RBAC) and resource scopes in Azure Active Directory (Azure AD). Custom RBAC roles surfaces the underlying permissions of the [built-in roles](directory-assign-admin-roles.md) , so you can create and organize your own custom roles. This allows you to grant access in a more granular way than built-in roles, when needed. This first release of custom RBAC roles includes the ability to create a role to assign permissions for managing app registrations. Over time, additional permissions for organization resources like enterprise applications, users, and devices will be added.
22
22
23
23
24
24
Additionally, custom RBAC roles support assignments on a per-resource basis, in addition to the more traditional organization-wide assignments. This gives you the ability to grant access to manage some resources (e.g. one app registration) without giving access to all resources (all app registrations).
25
+
25
26
Azure AD role-based access control is a public preview feature of Azure AD and is available with any paid Azure AD license plan. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
26
27
27
28
## Understand Azure AD role-based access control
28
29
29
-
Granting permission using custom RBAC roles is a two-step process that involves creating a custom role definition and then assigning it using a role assignment. <b>A custom role definition is a collection of permissions that you add from a preset list</b>. These are the same permissions used in the built-in roles.
30
-
Once you’ve created your role definition, you can assign it to someone by creating a role assignment. <b>A role assignment grants someone the permissions in a role definition at a specific scope</b>. This two-step process allows you to create one role definition and assign it many times at different scopes. <b>A scope defines the set of resources the role member has access to</b>. The most common scope is organization-wide (org wide) scope. A custom role can be assigned at org wide scope, meaning the role member has the role permissions over all resources in the organization. A custom role can also be assigned at an object scope. An example of an object scope would be a single application. This way the same role can be assigned to Sally over all applications in the organization and then Naveen over just the Contoso Expense Reports app.
30
+
Granting permission using custom RBAC roles is a two-step process that involves creating a custom role definition and then assigning it using a role assignment. A custom role definition is a collection of permissions that you add from a preset list. These are the same permissions used in the built-in roles.
31
+
Once you’ve created your role definition, you can assign it to someone by creating a role assignment. A role assignment grants someone the permissions in a role definition at a specific scope. This two-step process allows you to create one role definition and assign it many times at different scopes. A scope defines the set of resources the role member has access to. The most common scope is organization-wide (org wide) scope. A custom role can be assigned at org wide scope, meaning the role member has the role permissions over all resources in the organization. A custom role can also be assigned at an object scope. An example of an object scope would be a single application. This way the same role can be assigned to Sally over all applications in the organization and then Naveen over just the Contoso Expense Reports app.
31
32
Azure AD RBAC operates on concepts similar to [Azure role-based access control](../../role-based-access-control/overview.md). The difference being Azure RBAC controls access to Azure resources such as virtual machines and websites, and Azure AD RBAC controls access to Azure AD. Both systems leverage the concept of role definitions and role assignments.
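Review bot: the `-`/`+` pair at line 21 reads as identical text, so this appears to be a whitespace-only change; if that line is being touched anyway, the same pass should fix the grammar and spacing the new line carries over: `Custom RBAC roles surfaces` should be `Custom RBAC roles surface`, and the stray space before the comma in `[built-in roles](directory-assign-admin-roles.md) ,` should be dropped. Dropping the raw `<b>…</b>` tags in the rewrite of lines 30 and 31 is the right call for a markdown source; if the emphasis on the three definitions (role definition, role assignment, scope) was intentional, `**…**` preserves it without HTML. The blank line added after line 24 correctly separates the per-resource scope paragraph from the preview-terms notice.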