RBAC Admin assignment can see all possible Role Definitions

[dani3lheidemann]

Hello Azure Docs,

we are currently testing the new role "Role based access control Administrator". We have noticed that

• in a role assignment of a user who has been assigned the Role based access control Administrator role, the possible role definitions for assignments are limited to those specified by the condition.

• in a role assignment of a group with the Role based access control Administrator role, the possible role definitions are NOT restricted to those specified by the condition. Instead, all role definitions are displayed by the "Add Role Assignment" Wizard if the user wants to make a new role assignment. Although they can only assign the roles that are specified in the condition, all Azure Built-in and custom roles are displayed, which is very confusing as it is not clear to them which roles they can actually assign.

Both assignments, the user and group assigned to Role based access control Administrator role, have the same condition (but they actually see different definitions to choose from):

(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
 )
 OR 
 (
  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {c2f4ef07-c644-48eb-af81-4b1b4947fb11, 7f951dda-4ed3-4680-a7ca-43fe172d538d, 8311e382-0749-4cb8-b61a-304f252e45ec}
  AND
  @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
 )
 OR 
 (
  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {c2f4ef07-c644-48eb-af81-4b1b4947fb11, 7f951dda-4ed3-4680-a7ca-43fe172d538d, 8311e382-0749-4cb8-b61a-304f252e45ec}
  AND
  @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}
 )
)

Can you reproduce the problem and, if so, fix it? Thank you very much!

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: b662783a-f4e7-197c-7d21-e90a7bab41a4
• Version Independent ID: 434c48b5-93e4-1e66-e7e9-4417032d0460
• Content: Examples to delegate Azure role assignments with conditions (preview) - Azure ABAC
• Content Source: articles/role-based-access-control/delegate-role-assignments-examples.md
• Service: role-based-access-control
• Sub-service: conditions
• GitHub Login: @rolyon
• Microsoft Alias: rolyon

[Naveenommi-MSFT]

@dani3lheidemann Thanks for your feedback! We will investigate and update as appropriate.

[AjayBathini-MSFT]

Hi @dani3lheidemann

Thank you for your feedback! I'd recommend working closer with our support team via an [Azure support request] (https://docs.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request). Or you can leverage our Q&A forum by posting your issue there so our community, and MVPs can further assist you in troubleshooting this issue or finding potential workarounds. [Teams Q&A forum] (https://docs.microsoft.com/en-us/answers/topics/46488/office-teams-windows-itpro.html) for technical questions about the configuration and administration of Microsoft Teams on Windows. [Microsoft Teams Community forum] (https://answers.microsoft.com/en-us/msteams/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1) Thank you for your time and patience throughout this issue.

[dani3lheidemann]

Hi @AjayBathini-MSFT, thank you! Will do so!