While we still haven’t seen any traction on the custom roles front for Azure AD/Office 365, a bunch of new admin roles were introduced recently. The actual number seems to be 12, as listed below:
- B2C User Flow Administrator – Can create and manage all aspects of user flows. That is Azure AD B2C lifecycle flows, not related to Microsoft Flow 🙂
- B2C User Flow Attribute Administrator – Can create and manage the attribute schema available to all user flows.
- B2C IEF Keyset Administrator – Can manage secrets for federation and encryption in the Identity Experience Framework (IEF).
- B2C IEF Policy Administrator – Can create and manage trust framework policies in the Identity Experience Framework (IEF).
- External Identity Provider Administrator – Can configure identity providers for use in direct federation.
- Compliance Data Administrator – Creates and manages compliance content.
- Security Operator – Creates and manages security events.
- Kaizala Administrator – Has full access to all Kaizala management features and data, and manages service requests.
- Search Administrator – Can create and manage all aspects of Microsoft Search settings.
- Search Editor – Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan.
- Printer Administrator – Can manage all aspects of printers and printer connectors.
- Printer Technician – Can manage all aspects of printers and printer connectors.
The two roles on the bottom have the same description, that’s not a copy/paste error on my end 🙂
As you can see, we now have roles dedicated to managing Microsoft Search, as well as Kaizala. We also have scoped-down roles for parts of the functionality exposed in the new Security and Compliance centers. And yes, printer-connector-related roles, whatever those might be.
The four B2C roles are already available in the Azure AD blade, where you can get a more detailed description of them, as well as a granular list of role permissions. The same is true for the External Identity Provider Administrator role, which is probably the most interesting one. It has the following description:
This administrator manages federation between Azure Active Directory tenants and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. authentication path, service id, assigned key containers). This user can enable the tenant to trust authentications from external identity providers. The resulting impact on end user experiences depends on the type of tenant: (1) Azure Active Directory tenants for employees and partners: The addition of a federation (e.g. with Gmail) will immediately impact all guest invitations not yet redeemed. (2) Azure Active Directory B2C tenants: The addition of a federation (e.g. with Facebook, or with another Azure Active Directory) does not immediately impact end user flows until the identity provider is added as an option in a user flow (aka built-in policy). To change user flows, the limited role of “B2C User Flow Administrator” is required.
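Since a role such as External Identity Provider Administrator can change which external identities the tenant trusts, it is worth knowing who holds it. The script below is an added example (not part of the original post) that lists the members of each of the new roles; it assumes the AzureAD PowerShell module, an existing Connect-AzureAD session, and that the role display names in your tenant match the list above.

```powershell
# Added example: report members of the newly introduced Azure AD admin roles.
# Assumes the AzureAD module is installed and Connect-AzureAD has already been run.

# Role display names as given in the post; adjust if your tenant shows different names.
$NewRoles = @(
    'B2C User Flow Administrator',
    'B2C User Flow Attribute Administrator',
    'B2C IEF Keyset Administrator',
    'B2C IEF Policy Administrator',
    'External Identity Provider Administrator',
    'Compliance Data Administrator',
    'Security Operator',
    'Kaizala Administrator',
    'Search Administrator',
    'Search Editor',
    'Printer Administrator',
    'Printer Technician'
)

# Get-AzureADDirectoryRole returns only roles that have been activated in the tenant
# (i.e. have had at least one member), so a role missing here has no members at all.
$activeRoles = Get-AzureADDirectoryRole

$report = foreach ($roleName in $NewRoles) {
    $role = $activeRoles | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $role) {
        [pscustomobject]@{ Role = $roleName; Member = '(no members / role not activated)'; ObjectType = '' }
        continue
    }
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    if (-not $members) {
        [pscustomobject]@{ Role = $roleName; Member = '(no members)'; ObjectType = '' }
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Role       = $roleName
            # Service principals have no UPN, so fall back to the display name.
            Member     = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.DisplayName }
            ObjectType = $m.ObjectType   # User, Group or ServicePrincipal
        }
    }
}

$report | Sort-Object Role, Member | Format-Table -AutoSize
```

Any non-empty entry for External Identity Provider Administrator deserves a second look, given the effect on unredeemed guest invitations described above.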
In addition, there is now a default Guest User role, to which all guest users in the tenant are assigned. This ensures that such objects have access to only a limited subset of the information stored within the directory.