Modifying role assignments

To modify role assignments, users must have the following permissions:

Select this target object	To apply these permissions
Authorization	Click the Properties tab, then select Allow for the following properties: Write msDS-AzApplicationData
msDS-AzRoleObjectContainer This object is listed under a globally unique identifier (GUID) for the Authorization object.	On the Object tab, select Allow to apply the following permissions to this object: Create msDS-AzRole objects
msDS-AzRoleObjectContainer/CN=CRA_guid This object is listed under a globally unique identifier (GUID) for the Authorization object and a unique identifier for the role assignment.	Click the Properties tab, then select Allow for the following properties to allow changes to the assigned user or groups: Read Name Read name Allow Delete Click the Properties tab, then select Allow for the following properties to allow changes to the available time for a role assignment: Read Name Read name Read msDS-AzApplicationData Write msDS-AzApplicationData

Select this target object

To apply these permissions

Authorization

Click the Properties tab, then select Allow for the following properties:

msDS-AzRoleObjectContainer

This object is listed under a globally unique identifier (GUID) for the Authorization object.

On the Object tab, select Allow to apply the following permissions to this object:

msDS-AzRoleObjectContainer/CN=CRA_guid

This object is listed under a globally unique identifier (GUID) for the Authorization object and a unique identifier for the role assignment.

Click the Properties tab, then select Allow for the following properties to allow changes to the assigned user or groups:

Click the Properties tab, then select Allow for the following properties to allow changes to the available time for a role assignment: