.png?sv=2022-11-02&ss=b&srt=o&spr=https&st=2024-04-27T20%3A22%3A54Z&se=2024-04-27T20%3A32%3A54Z&sp=r&sig=UhG4yLH9QbVob%2B7PKebPwk51aBbe9Hn1JW6QNH6VDI4%3D){kind=logo}
Microsoft Entra ID (Azure AD) - Role Assignment Actions
- 13 Feb 2024
- 2 Minutes to read
- Print
- DarkLight
- PDF
Microsoft Entra ID (Azure AD) - Role Assignment Actions
- Updated on 13 Feb 2024
- 2 Minutes to read
- Print
- DarkLight
- PDF
Article Summary
Share feedback
Thanks for sharing your feedback!
Microsoft Entra ID (formerly Azure AD) - Role Assignments Actions adds or deletes role assignments in Entra ID.
See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.
General Settings
- Enforcement Set name (required) - The name of the Enforcement Set. A default value is added by Axonius. You can change the name according to your needs.
- Add description - Click to add a description of the Enforcement Set. It is recommended to describe what the Enforcement Set does.
- Run action on assets matching following query (required) - Select an asset category and a query. The Enforcement Action will be run on the assets that match the query parameters.
- A query only returns results for the asset type it was created for.
- Not all asset categories are supported for all Enforcement Actions.
- See Actions supported for Activity Logs, Adapters Fetch History, and Asset Investigation modules.
- See Actions supported for Vulnerabilities.
- See Actions supported for Software.
- Action name (required) - The name of the Main action. A default value is added by Axonius. You can change the name according to your needs.
- Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.
- Use Adapter Credentials - Select this option to use the first connected Entra ID adapter credentials.
Note:
To use this option, you must successfully configure an Entra ID adapter connection.
Required Fields
These fields must be configured to run the Enforcement Set.
Directory Role ID - ID for the role you want to add or remove.
To get the Directory Role ID for the role
1. In your Microsoft 365 account, navigate to Roles > Role Assignments.
2. Open the Role assignment you want.
3. Copy the Directory Role ID from the URL in your address bar (see screenshot below).
4. Back in Axonius, paste the copied ID in this Directory Role ID field.
Entity Action - Select if you want to Add to Role or Remove From Role.
Compute Node - The Axonius node to use when connecting to the specified host. For more details, see Connecting Additional Axonius Nodes.
Additional Fields
Note:
If Use stored credentials from the Entra ID Adapter is not enabled, these fields are required.
- Azure Client ID
- Azure Client Secret
- Azure Tenant ID
- Verify SSL
- Account Sub Domain
- User Name
- Password
- 2FA Secret Key
- SSO Provider
- Cloud Environment
- Azure OAuth - Authorization Code
- Azure OAuth - Redirect URI / Reply URL
- Is Azure AD B2C
- Account Tag
- Device groups blocklist
- HTTPS Proxy
- HTTPS Proxy User Name
- HTTPS Proxy Password
- Is Role ID is for Role Template - Select if the value you enter in the Directory Role ID field is actually the Role Template ID.
Gateway Name - Select the gateway through which to connect to perform the action.
Use the scheduling options to execute Enforcement Actions on specific dates and times. You can also configure repeat schedules.
For more details, see Scheduling Enforcement Set Runs.
APIs
Axonius uses the Add directory role member and the Remove directory role member APIs.
Required Permissions
This action requires the following additional Delegated (for work or school accounts)or Application permission to add or remove a role:
'RoleManagement.ReadWrite.Directory'
For more details about other Enforcement Actions available, see Action Library.
Was this article helpful?