Hi, I have the customer's Azure AD configured to allow admin access to the Netskope console via group membership, but all users who login have the tenant admin role by default. I know I can go in and change their individual roles manually but is there a way to create a new enterprise application that assigns the Security Admin role (or any other) by default instead? If so, can you please advise on the required config?
Thanks.
Best answer by jonbartlett
View original
+4
Yes, have you seen this?
Netskope SSO with Azure AD Step 12 (under the first section - Configuring SSO in Azure Active Directory and Netskope)
Addendum to Step 6 (under the second section - Configure SSO Parameters between Netskope and Azure AD)
After selecting App registration, select App roles (you can also go directly to App Registration on the left, select All Applications --> Netskope Administrator Console --> App Roles)
SKIP STEP 7 - IT IS OUT OF ORDER AND SHOULD BE AFTER STEP 8
When you create a new app role in Step 8, the Value field is the SAML attribute admin-role (only seen with a browser SAML Tracer) which you created in Step 6 above in the Netskope Admin console.
In Step 9, you assign the role to the group that you created in Step7. I like to keep the names the same. Please see snapshots from my configuration.
Netskope Admin console - custom roles
Entra admin center - App roles for Netskope Administrator Console Enterprise Applicationā
Does this help?
Additional tidbit: Why do you have to create custom Admin roles in the Netskope Admin console? The Predefined Netskope roles have spaces in the names. Microsoft Entra ID does not support spaces in the app role value ~ https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-use-app-roles-customers
Thanks @jonbartlett. I did find that after I added my post but thanks for the additional information.
+16
One additional bit to beware of with custom roles. They are not treated the same as predefined roles, even if copied directly from them, when the RBAC schema updates. New pages can (and often do) get added with a Deny permission.
If you haven't already registered, now is a good time to do so. After you register, you can post to the community, receive email notifications, and lots more. It's quick and it's free! Create an account
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.
