TODO: Change apps, scripts, alerts and policies to cover the new role names in the Microsoft Graph API

Reading Time: 2 minutes

Microsoft Graph API

Starting today, Microsoft is making changes to resolve the inconsistent naming of built-in role names between the Microsoft 365 admins center, the Azure AD portal and the Microsoft Graph API.

In total, 10 role names will be changed, and this impacts any application, script, alerts and/or policies that may refer to any of these role names.

Microsoft announced this change on June 11th, 2020, on the Microsoft 365 Message center.

 

What’s being changed?

The below table provides an overview of the changes that are being made to the names:

Changes to Built-in Roles (click for original sized picture)

The changes are highlighted in blue for your convenience.

 

When is this changed?

Azure Active Directory is used by millions of organizations. Implementing these changes takes time. Microsoft start converting Azure Active Directory tenants on July 30th, 2020, and expects to finish the roll-out on August 14th, 2020.

 

An approach to change

Here is an approach to deal with the changes Microsoft will be making in Azure AD tenants the coming two weeks:

  1. Evaluate the state of apps, scripts, alerts and policies in your Azure AD tenant(s).
  2. Avoid the use of role names in apps, scripts, alerts and policies. Instead use the corresponding role IDs, where possible.
  3. Monitor the functionality of scripts, alerts and policies in your Azure AD tenant, to detect failing functionality in a relatively short period of time.
  4. Change apps, scripts, alerts and policies in your Azure AD tenant that continue to rely on role names for their functionality after Microsoft makes the changes to your Azure AD tenant(s). Make changes in test, development and/or acceptance environment before implementing in production.

 

Concluding

While consistency is key in large deployments, fixing inconsistencies after having functioned in production for a long time is hard.

These changes impact previous blog posts here. For instance, the blog post last week on configuring an alert to notify when an additional person is assigned the Azure AD Global Administrator role references one of the changed role names, and will be updated.

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.