Learn how to create a custom role in Microsoft 365 in under 5 minutes using Microsoft Entra ID. This step-by-step tutorial for beginners demonstrates the immense security value of custom roles while practicing the principle of least privilege within your Entra ID/M365 environment.
🔗 Reference: https://m365blog.com/unlock-rbac-in-minutes-how-to-create-a-custom-role-in-microsoft-365/
You Should Know:
1. Understanding RBAC in Microsoft Entra ID
Role-Based Access Control (RBAC) ensures users have only the permissions they need. Custom roles enhance security by minimizing excessive privileges.
2. Prerequisites
- A Microsoft 365 admin account
- Access to the Microsoft Entra ID (Azure AD) portal
3. Step-by-Step Guide to Creating a Custom Role
Step 1: Access the Microsoft Entra ID Admin Center
Connect-AzureAD -TenantId "Your-Tenant-ID" -Credential (Get-Credential)
Step 2: Navigate to Roles and Administrators
Get-AzureADDirectoryRole | Select DisplayName, RoleTemplateId
Step 3: Create a New Custom Role
# RolePermissions, TemplateId and IsEnabled are required parameters; the template id of a custom role is a new GUID, not the id of a built-in role
$rolePermission = New-Object -TypeName Microsoft.Open.MSGraph.Model.RolePermission -Property @{ AllowedResourceActions = @("microsoft.directory/users/basic/update") }
New-AzureADMSRoleDefinition -DisplayName "Limited Admin" -Description "Custom role with restricted permissions" -RolePermissions $rolePermission -TemplateId (New-Guid).Guid -IsEnabled $true
Step 4: Assign Permissions
$role = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Limited Admin'"
# Permissions are a RolePermission object (not a plain hashtable) and are updated through -RolePermissions
$rolePermission = New-Object -TypeName Microsoft.Open.MSGraph.Model.RolePermission -Property @{
    AllowedResourceActions = @(
        "microsoft.directory/users/read",
        "microsoft.directory/users/basic/update"
    )
}
Set-AzureADMSRoleDefinition -Id $role.Id -RolePermissions $rolePermission
Step 5: Assign the Role to a User
New-AzureADMSRoleAssignment -PrincipalId "User-Object-ID" -RoleDefinitionId $role.Id -DirectoryScopeId "/"
4. Verify the Role Assignment
Get-AzureADMSRoleAssignment -Filter "principalId eq 'User-Object-ID'"
5. Best Practices for Custom Roles
- Least Privilege Principle: Only grant necessary permissions.
- Audit Regularly: Review role assignments periodically.
- Use Descriptive Names: Clearly define role purposes.
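Added example (not from the original post or the m365blog reference) covering the "Audit Regularly" practice and the verification step above: a PowerShell audit that lists every custom role definition, flags permission actions matching an assumed list of broad patterns, and counts where each role is assigned. It assumes an existing Connect-AzureAD session with the AzureADPreview module; the $BroadPatterns list is an assumption of this audit, not a Microsoft-defined set.

```powershell
# Added audit example (not the post's own code). Assumes Connect-AzureAD has
# already been run with the AzureADPreview module loaded.
# Patterns treated as "broad" are an assumption of this audit; tune per tenant.
$BroadPatterns = @('allTasks', 'allProperties', '/delete', '/create')

function Get-CustomRoleAudit {
    # Built-in roles carry IsBuiltIn = $true; keep only tenant-defined roles
    $customRoles = Get-AzureADMSRoleDefinition | Where-Object { -not $_.IsBuiltIn }

    foreach ($role in $customRoles) {
        # Collect every allowed action across the role's permission sets
        $actions = @()
        foreach ($perm in $role.RolePermissions) {
            $actions += $perm.AllowedResourceActions
        }

        # Flag actions that match any broad pattern (candidates for review)
        $broad = $actions | Where-Object {
            $action = $_
            ($BroadPatterns | Where-Object { $action -like "*$_*" }).Count -gt 0
        }

        # Who holds this role, and at what scope ("/" is tenant-wide)
        $assignments = @(Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'")
        $tenantWide  = @($assignments | Where-Object { $_.DirectoryScopeId -eq '/' })

        [pscustomobject]@{
            Role            = $role.DisplayName
            Enabled         = $role.IsEnabled
            ActionCount     = $actions.Count
            BroadActions    = ($broad -join ', ')
            AssignmentCount = $assignments.Count
            TenantWideCount = $tenantWide.Count
        }
    }
}

# Roles with a non-empty BroadActions column or many tenant-wide
# assignments are the first ones to review for least privilege.
Get-CustomRoleAudit | Sort-Object AssignmentCount -Descending | Format-Table -AutoSize
```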
6. Troubleshooting Common Issues
🔹 Error: Insufficient Permissions
Ensure you have Global Admin or Privileged Role Administrator rights.
🔹 Role Not Appearing
Refresh the portal or re-run PowerShell commands with elevated privileges.
🔹 Permission Conflicts
Check for overlapping roles using:
Get-AzureADMSRoleAssignment | Where-Object {$_.PrincipalId -eq "User-Object-ID"}
What Undercode Say:
Custom roles in Microsoft 365/Entra ID are a powerful way to enforce least privilege access. By following structured PowerShell commands and best practices, organizations can minimize security risks while maintaining operational efficiency.
🔹 Additional Useful Commands:
- List All Built-In Role Templates:
Get-AzureADDirectoryRoleTemplate | Select DisplayName, ObjectId
- Remove a Custom Role:
Remove-AzureADMSRoleDefinition -Id "Role-Definition-ID"
- Check a User's Assigned Service Plans (licensing, not role permissions):
(Get-AzureADUser -ObjectId "User-Object-ID").AssignedPlans
🔹 Linux Equivalent (for RBAC in Linux Systems):
sudo groupadd customrole
sudo useradd -m limitedadmin
sudo usermod -aG customrole limitedadmin
sudo visudo
Add:
limitedadmin ALL=(ALL) /usr/bin/apt-get update
🔹 Windows Security Audit Command:
whoami /priv
🔹 Check Active Directory Permissions:
Get-ADUser -Identity "Username" -Properties MemberOf
Custom roles are essential for modern cybersecurity strategies. Automate role management with scripts and enforce strict access controls to protect sensitive data.
Expected Output:
A structured, secure custom role in Microsoft 365 with restricted permissions, verified through PowerShell commands and best practices.
References:
Reported By: Beingageek Entraid – Hackers Feeds