Update user info and roles from Service Account - Missing permissions

Hey,

We are currently creating and maintaining all of our user accounts and access roles from Entra, which is working perfectly fine for normal users. However, the Service Account on the schedule is unable to update the information for any of our Create users.

As far as I can see, this is because in the permissions we have to give the Service Account access to individual “Update user in role”, and the built-in roles are not included in this list. I assume this is because the users are global and potentially shared between multiple solutions, but it would still be nice if users that exist in a given Azure tenant could be updated automatically if any information is changed.

The only solution, as far as I can see, is to give the Service Account “owner” permissions, as the owner is the only one with “Update any user”; however, this is not ideal from a least-privilege perspective:

Would it be possible to enable the permission “Update any user” for custom roles as well?

In addition to this, we are also syncing custom roles connected to apps from Entra, meaning that the same Service Account also needs to be able to add and remove users from custom roles. Would it also be possible to do the same with “add user to any role”, or add a new permission like “add user to any custom role” or similar?

So to summarize: For organizations using Entra for user and role management, it would be great if the permissions allowed for “updating info on all users” and “add and remove users from all custom roles”.
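The permission gap described in the post, modelled as an added example (this is not the platform's own code, and every role and permission name in it is a constructed placeholder). It contrasts three ways of running the Entra sync job: the per-custom-role grants available today, the "owner" workaround, and a custom role carrying only an "update any user" and an "add user to any custom role" permission. The point it makes visible is that the third option covers every user and every custom role while still being unable to promote anyone into a built-in role, which is exactly the least-privilege argument the request rests on.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Constructed role catalogue (hypothetical names, not the platform's real roles).
BUILT_IN_ROLES: Set[str] = {"Owner", "Editor", "Viewer"}
CUSTOM_ROLES: Set[str] = {"App-Finance", "App-HR"}

# Permission strings used by this model (hypothetical). Role-scoped ones carry
# the role they apply to, e.g. "update_user_in_role:App-HR".
UPDATE_ANY_USER = "update_any_user"
ADD_USER_TO_ANY_ROLE = "add_user_to_any_role"
ADD_USER_TO_ANY_CUSTOM_ROLE = "add_user_to_any_custom_role"  # the permission the post asks for
NEEDED_FOR_SYNC = {UPDATE_ANY_USER, ADD_USER_TO_ANY_CUSTOM_ROLE}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


@dataclass
class Account:
    name: str
    permissions: Set[str] = field(default_factory=set)


def can_update_user(actor: Account, target: User) -> bool:
    """True if actor may edit target's profile information."""
    if UPDATE_ANY_USER in actor.permissions:
        return True
    # A role-scoped grant only covers users who hold that role; a user holding
    # nothing but built-in roles is therefore out of reach.
    return any(f"update_user_in_role:{role}" in actor.permissions for role in target.roles)


def can_change_membership(actor: Account, role: str) -> bool:
    """True if actor may add or remove users from `role`."""
    if ADD_USER_TO_ANY_ROLE in actor.permissions:
        return True
    if role in CUSTOM_ROLES and ADD_USER_TO_ANY_CUSTOM_ROLE in actor.permissions:
        return True
    return f"add_user_to_role:{role}" in actor.permissions


def sync_coverage(actor: Account, users: List[User]) -> Dict[str, bool]:
    """Which users a sync job running as `actor` could update."""
    return {u.name: can_update_user(actor, u) for u in users}


# Constructed directory: most users hold only built-in roles.
USERS = [
    User("alice", frozenset({"Viewer"})),
    User("bob", frozenset({"Editor", "App-Finance"})),
    User("carol", frozenset({"Owner"})),
]

# 1. Today: the service account holds every per-custom-role grant on offer.
SCOPED_SYNC = Account(
    "svc-entra-sync",
    {f"update_user_in_role:{r}" for r in CUSTOM_ROLES}
    | {f"add_user_to_role:{r}" for r in CUSTOM_ROLES},
)

# 2. Workaround: give the service account "owner", which also carries rights a
#    sync job never needs (constructed examples of such rights below).
OWNER_SYNC = Account(
    "svc-entra-sync-as-owner",
    {UPDATE_ANY_USER, ADD_USER_TO_ANY_ROLE, "delete_solution", "manage_billing"},
)

# 3. Requested: a custom role carrying only the two broad-but-bounded permissions.
PROPOSED_SYNC = Account("svc-entra-sync-custom", set(NEEDED_FOR_SYNC))


def compare() -> Dict[str, Dict[str, object]]:
    """Summarise what each variant can and cannot do."""
    out: Dict[str, Dict[str, object]] = {}
    for acct in (SCOPED_SYNC, OWNER_SYNC, PROPOSED_SYNC):
        coverage = sync_coverage(acct, USERS)
        out[acct.name] = {
            "updates_all_users": all(coverage.values()),
            "manages_custom_roles": all(can_change_membership(acct, r) for r in CUSTOM_ROLES),
            "can_promote_to_owner": can_change_membership(acct, "Owner"),
            # Global (unscoped) permissions the sync job does not need at all.
            "unrelated_permissions": sorted(
                p for p in acct.permissions if ":" not in p and p not in NEEDED_FOR_SYNC
            ),
        }
    return out


if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

Running it shows the scoped account failing on every user who holds only built-in roles, the owner account succeeding but carrying three unrelated global rights, and the proposed custom role succeeding with none.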

Hello Theo,
Thank you for your valuable feedback regarding our permission setup! I’ve submitted your request to our system for platform development. Our Platform and Product teams will evaluate the feature’s implementation, particularly considering security implications and the principle of least privilege that you highlighted :slight_smile: