Azure AD – You can now enable cloud groups for administration role assignment (preview)

As you know, all administrative permissions to manage any service or capability should be granted by assigning Azure AD administration roles.

Well, until now, it was not possible to grant such administration role to a group of users.

Good news, this capability is now available in preview.

To start using group to grant administration role, logon to your Azure AD portal ( and reach the Azure Active DirectoryGroups blade to create a new group


The new group can be either a security or Office 365 one and even use dynamic membership.

You will see the new option Azure AD roles can be assigned to the group

NOTE 1 once you made the decision to enable (or not) this setting, this becomes permanent. You can not change your mind after

NOTE 2 if using dynamic membership you can not change the membership rule after


Once you have turn on the setting to assign Azure AD role to the group, you will have a new setting appearing below the Members section to select the Azure AD role(s) you want to assign to the group


Do not use this capability if you are already using Privileged Identity Management.

Few limitations

There are few limitations, maybe because of the preview stage:

You can not assign:

  • Cloud groups to Azure AD custom roles
  • Cloud groups to Azure AD roles (built-in or custom) over an administrative unit
  • On-premises groups to Azure AD roles (built-in or custom)