Stuart Kwan

@Alex_A_Simons @tuna_gezer Hi @tuna_gezer, the fix for the $count issue was fully deployed on July 18th, are you still able to repro? And we are looking into the delta query issue, thanks for reporting it

@tuna_gezer Let's ask @StuartKwan to provide the details. There was a bug here that just got fixed.

@Alex_A_Simons Is this a bug in the implementation of the directoryRoles API. The API call with $count was randomly failing and since yesterday it constantly fails. Per doc this should work, any help or recommendation would be appreciated #optional-query-parameters" target="_blank" rel="nofollow noopener">learn.microsoft.com/en-us/graph/ap…

@pschiess @mundrus Not yet, but it is something that we are looking into.

🎉 Microsoft Entra Permissions Management is now generally available! Remediate permission risks and ensure the security of your multicloud environment. Learn more: msft.it/6016bIZ1w #MicrosoftEntra

Today's news: Now you can use Azure AD cloud based groups to manage access in your on-premises Windows Server AD! techcommunity.microsoft.com/t5/microsoft-e…

@DerekLiu44 Hi Derek, this is not possible today, but it's something we are tracking in our backlog (FYI to @DougKirschner)

@StuartKwan Hi Stuart, do you know if there is a plan to scope the set of possible group members for the group administrator role? As far as I know, this isn't possible with AUs, which only allows groups to be included without the ability to scope the members of those groups.

Dynamic membership for #AzureAd Admin Units now in preview! techcommunity.microsoft.com/t5/azure-activ…

Azure identity geeks: You can now view in the Azure portal the set of resources that are associated with a user-assigned managed identity, like which VMs are using the identity: docs.microsoft.com/en-us/azure/ac…

I’m over the moon to help launch Microsoft Entra, our new family of Identity and Access solutions that includes Azure AD, Entra Permissions Management (previously CloudKnox), Entra Verified ID and a new simplified admin portal experience microsoft.com/security/blog/…

Happy World Password Day!

@BitFisk Thanks for that feedback, @abhijeetksinha_ take note please

@StuartKwan Sadly it doesnt include elligible assignments only the active ones atm :-(

You can now download all #AzureAD RBAC assignments using a button in the portal, instead of having to script this with PowerShell #download-role-assignments" target="_blank" rel="nofollow noopener">docs.microsoft.com/en-us/azure/ac…

Today's news: Azure AD now supports custom RBAC roles for devices scoped to Admin Units. Awesome new way to assure least privileges for devices! techcommunity.microsoft.com/t5/azure-activ…

Kim was a transcendent figure in Identity. He literally changed the rules. I learned so much from him about technology and business, but also about humanity. I find myself learning from him to this day even without his being present. It is a shock to hear about his passing.

@FrederikLeed @wiele They are meant to be general purpose. You should review the physical limits in the documentation though, to make sure they support the scale you need.

@StuartKwan @wiele Than you @StuartKwan forynge updates. Is there like a “this is the supported intention of Security Attributes” or some kind of boundry or limitations? I see all kinds of possible usecases but do not want to go Down a path that wont work in the Long run

@FrederikLeed @wiele Let's say there's a "project" attribute and users with "project = Skagit" can read details of that project through ABAC. We've built this feature so that User Admins can't set this attribute on a user. Only the Attribute Assignment Admins for the project attribute can do that.

@FrederikLeed @wiele For example, User Admins cannot update the security attributes on a user. If they could, they could potentially give someone access they shouldn't have.

New preview today of custom security attributes in #AzureAD! Use them in Attribute Based Access Control to simplify access to #AzureBlob, for example "grant read access if user.project == blob.project". More scenarios coming soon! techcommunity.microsoft.com/t5/azure-activ…

@Alex_A_Simons @NickolajA @inthecloud_247 Hi Kevin, we just last week added granular permissions for group management, so there's a specific custom role permission available now for setting the dynamic membership rule on a group. Check it out and let me know if it does what you need.

@NickolajA @inthecloud_247 Let’s ask @StuartKwan who owns our RBAC system if he know the answer. Stuart?

@azuread Why don't we have the option option to use microsoft.directory/bitlockerKeys/… in a custom role? Or support Application permissions on GET /informationProtection/bitlocker/recoveryKeys/'{bitlockeryRecoveryKeyId}' I don't want to assign the Helpdesk role to allow certain users to