In Microsoft Entra wurden zwei neue Admin Rollen ergänzt. Beide Rollen können nützlich sein, wenn eine Organisation Custom Security Attributes und HR-Systeme wie SAP nutzen.
Die Dokumentation über Admin Rollen wurde im Oktober 2024 mit den Rollen ergänzt.
Attribute Provisioning Administrator
Template ID ecb2c6bf-0ab6-418e-bd87-7986f8d63bbe
Assign the Attribute Provisioning Administrator role to users who need to do the following tasks:
- Read and write attribute mappings for custom security attributes when provisioning in an application.
- Read and write provisioning and auditing logs for custom security attributes when provisioning in an application.
Users with this role cannot read audit logs for other events. This role must be used in in conjunction with the Cloud Application Administrator or Application Administrator roles (from least to most privileged) to read provisioning configurations. This role is considered privileged because one or more of its permissions are privileged.
Attribute Provisioning Reader
Template ID 422218e4-db15-4ef9-bbe0-8afb41546d79
Assign the Attribute Provisioning Reader role to users who need to do the following tasks:
- Read the attribute mappings for custom security attributes when provisioning in an application.
- Read the provisioning and auditing logs for custom security attributes when provisioning in an application.
Users with this role cannot read audit logs for other events. This role must be used in in conjunction with the Cloud Application Administrator or Application Administrator roles (from least to most privileged) to read provisioning configurations. This role is considered privileged because one or more of its permissions are privileged.
Die Rollen stehen im Zusammenhang mit HR-driven Provisioning und der Public Preview von “Provision custom security attributes from HR sources“.
Custom security attribute provisioning enables customers to set custom security attributes automatically using Microsoft Entra inbound provisioning capabilities. With this public preview, you can source values for custom security attributes from authoritative sources, such as those from HR systems. Custom security attribute provisioning supports the following sources: Workday, SAP SuccessFactors, and other integrated HR systems that use API-driven provisioning. The provisioning target is your Microsoft Entra ID tenant.
In der Dokumentation wird es erwähnt, Konten mit der Rolle Attribute Provisioning Administrator sind nicht befugt selbstständig Azure Applikationen anzulegen oder zu verändern. Es benötigt dazu noch die Rolle Application Administrator.
- Application Administrator is required to create and update the provisioning app.
- Attribute Provisioning Administrator is required to add or remove custom security attributes in the attribute mapping section of the provisioning app.
