
Azure custom roles


If the Azure built-in roles don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription, and resource group scopes.

Custom roles can be shared between subscriptions that trust the same Microsoft Entra tenant. There is a limit of 5,000 custom roles per tenant. (For Microsoft Azure operated by 21Vianet, the limit is 2,000 custom roles.) Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.

Steps to create a custom role

Here are the basic steps to create a custom role.

1. Determine the permissions you need.

   When you create a custom role, you need to know the actions that are available to define your permissions. Typically, you start with an existing built-in role and then modify it for your needs. You will add the actions to the Actions or NotActions properties of the role definition. If you have data actions, you will add those to the DataActions or NotDataActions properties.

   For more information, see the next section, How to determine the permissions you need.

2. Decide how you want to create the custom role.

   You can create custom roles using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.

3. Create the custom role.

   The easiest way is to use the Azure portal. For steps on how to create a custom role using the Azure portal, see Create or update Azure custom roles using the Azure portal.

4. Test the custom role.

   Once you have your custom role, you have to test it to verify that it works as you expect. If you need to make adjustments later, you can update the custom role.

How to determine the permissions you need

Azure has thousands of permissions that you can potentially include in your custom role. Here are some methods that can help you determine the permissions you will want to add to your custom role:

Look at existing built-in roles.

You might want to modify an existing role or combine permissions used in multiple roles.

List the Azure services you want to grant access to.

Determine the resource providers that map to the Azure services.

Azure services expose their functionality and permissions through resource providers. For example, the Microsoft.Compute resource provider supplies virtual machine resources and the Microsoft.Billing resource provider supplies subscription and billing resources. Knowing the resource providers can help you narrow down and determine the permissions you need for your custom role.

When you create a custom role using the Azure portal, you can also determine the resource providers by searching for keywords. This search functionality is described in Create or update Azure custom roles using the Azure portal.


Search the available permissions to find permissions you want to include.

When you create a custom role using the Azure portal, you can search for permissions by keyword. For example, you can search for virtual machine or billing permissions. You can also download all of the permissions as a CSV file and then search this file. This search functionality is described in Create or update Azure custom roles using the Azure portal.


Custom role example

The following shows what a custom role looks like as displayed using Azure PowerShell in JSON format. This custom role can be used for monitoring and restarting virtual machines.

The following shows the same custom role as displayed using Azure CLI.

Custom role properties

The following table describes what the custom role properties mean.

Permission strings are case-insensitive. When you create your custom roles, the convention is to match the case that you see for permissions in Azure resource provider operations.

Wildcard permissions

Actions, NotActions, DataActions, and NotDataActions support wildcards (*) to define permissions. A wildcard (*) extends a permission to everything that matches the action string you provide. For example, suppose that you wanted to add all the permissions related to Azure Cost Management and exports. You could add all of these action strings:

Instead of adding all of these strings, you could just add a wildcard string. For example, the following wildcard string is equivalent to the previous five strings. This would also include any future export permissions that might be added.

It's recommended that you specify Actions and DataActions explicitly instead of using the wildcard (*) character. With a wildcard, the additional access and permissions granted through future Actions or DataActions may be unwanted behavior.

Who can create, delete, update, or view a custom role

Just like built-in roles, the AssignableScopes property specifies the scopes where the role is available for assignment. The AssignableScopes property for a custom role also controls who can create, delete, update, or view the custom role.

Find role assignments to delete a custom role

Before you can delete a custom role, you must remove any role assignments that use the custom role. If you try to delete a custom role with role assignments, you get the message: There are existing role assignments referencing role (code: RoleDefinitionHasAssignments).

Here are steps to help find the role assignments before deleting a custom role:

  • List the custom role definition.
  • In the AssignableScopes section, get the management groups, subscriptions, and resource groups.
  • Iterate over the AssignableScopes and list the role assignments.
  • Remove the role assignments that use the custom role.
  • If you are using Microsoft Entra Privileged Identity Management, remove eligible custom role assignments.
  • Delete the custom role.

For information about how to find unused custom roles, see Symptom - No more role definitions can be created.
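The lookup steps above can be run offline against exported JSON. The following Python sketch is an added example, not part of the original documentation: it assumes the role definition and the assignments were exported with `az role definition list` and `az role assignment list --all`, and every ID in the sample data is a constructed placeholder.

```python
"""Plan the deletion of an Azure custom role from exported Azure CLI JSON."""
import json

# Constructed sample data; all IDs are placeholders.
SUB1 = "/subscriptions/00000000-0000-0000-0000-000000000001"
SUB2 = "/subscriptions/00000000-0000-0000-0000-000000000002"
ROLE = "1a2b3c4d-0000-4000-8000-abcdefabcdef"
RD = "/providers/Microsoft.Authorization/roleDefinitions/"
RA = "/providers/Microsoft.Authorization/roleAssignments/"


def sample_assignment(name, scope, definition_sub, guid):
    """Build one record shaped like an item of `az role assignment list` output."""
    return {"id": scope + RA + name, "scope": scope,
            "roleDefinitionId": definition_sub + RD + guid}


ROLE_DEFINITION = {
    "roleName": "VM Restart Operator (constructed)",
    "roleType": "CustomRole",
    "id": SUB1 + RD + ROLE,
    "assignableScopes": [SUB1, SUB2 + "/resourceGroups/rg-ops"],
}

ASSIGNMENTS = [
    sample_assignment("a1", SUB1, SUB1, ROLE),
    # Same role read from the second subscription, GUID in upper case.
    sample_assignment(
        "a2",
        SUB2 + "/resourceGroups/rg-ops/providers/Microsoft.Compute/virtualMachines/vm1",
        SUB2, ROLE.upper()),
    # Similar-looking resource group that is NOT under rg-ops.
    sample_assignment("a3", SUB2 + "/resourceGroups/rg-ops-dev", SUB2, ROLE),
    # A different role; must be ignored.
    sample_assignment("a4", SUB1, SUB1, "99999999-0000-0000-0000-000000000000"),
]


def role_guid(resource_id):
    """Last path segment of a role definition ID, lower-cased.

    Compare on this GUID: the ID prefix can differ by the subscription
    the record was read from.
    """
    return resource_id.rstrip("/").rsplit("/", 1)[-1].lower()


def within(scope, parent):
    """True if scope equals parent or lies beneath it (segment-aware prefix)."""
    s, p = scope.rstrip("/").lower(), parent.rstrip("/").lower()
    return s == p or s.startswith(p + "/")


def deletion_plan(role_def, assignments):
    """Group the assignments that block deletion by assignable scope.

    Assignments under a management group cannot be recognised from the scope
    string alone, so they are reported in 'outside_assignable_scopes'.
    Eligible (PIM) assignments are not in this export; check them separately.
    """
    guid = role_guid(role_def["id"])
    by_scope = {scope: [] for scope in role_def["assignableScopes"]}
    outside = []
    for item in assignments:
        if role_guid(item["roleDefinitionId"]) != guid:
            continue
        home = next((s for s in by_scope if within(item["scope"], s)), None)
        (by_scope[home] if home is not None else outside).append(item["id"])
    blockers = sum(len(ids) for ids in by_scope.values()) + len(outside)
    return {"by_assignable_scope": by_scope,
            "outside_assignable_scopes": outside,
            "safe_to_delete": blockers == 0}


if __name__ == "__main__":
    print(json.dumps(deletion_plan(ROLE_DEFINITION, ASSIGNMENTS), indent=2))
```
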

Custom role limits

The following list describes the limits for custom roles.

  • Each tenant can have up to 5000 custom roles.
  • Microsoft Azure operated by 21Vianet can have up to 2000 custom roles for each tenant.
  • You cannot set AssignableScopes to the root scope ("/").
  • You cannot use wildcards (*) in AssignableScopes. This wildcard restriction helps ensure a user can't potentially obtain access to a scope by updating the role definition.
  • You can have only one wildcard in an action string.
  • You can define only one management group in AssignableScopes of a custom role.
  • Azure Resource Manager doesn't validate the management group's existence in the role definition's AssignableScopes.
  • Custom roles with DataActions can't be assigned at the management group scope.
  • You can create a custom role with DataActions and one management group in AssignableScopes. You can't assign the custom role at the management group scope itself; however, you can assign the custom role at the scope of the subscriptions within the management group. This can be helpful if you need to create a single custom role with DataActions that needs to be assigned in multiple subscriptions, instead of creating a separate custom role for each subscription.

For more information about custom roles and management groups, see What are Azure management groups?
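The wildcard guidance and the limits listed above can be checked mechanically before a role definition is submitted. The following Python linter is an added example, not part of the original documentation; it assumes the PascalCase JSON input format used by Azure PowerShell and Azure CLI, and the role names, subscription ID and management group names in the sample are constructed.

```python
"""Lint Azure custom role definitions before they are created or updated."""
import json

MG_PREFIX = "/providers/microsoft.management/managementgroups/"
PERMISSION_PROPS = ("Actions", "NotActions", "DataActions", "NotDataActions")


def lint_role(role):
    """Return (severity, code, detail) findings for one role definition dict."""
    findings = []

    for prop in PERMISSION_PROPS:
        for perm in role.get(prop) or []:
            stars = perm.count("*")
            if stars > 1:
                # Limit: only one wildcard per action string.
                findings.append(("error", "MULTIPLE_WILDCARDS", f"{prop}: {perm}"))
            elif stars == 1 and prop in ("Actions", "DataActions"):
                # Valid, but the grant widens whenever the provider adds operations.
                findings.append(("warn", "WILDCARD_GRANT", f"{prop}: {perm}"))

    scopes = [s.strip() for s in role.get("AssignableScopes") or []]
    for scope in scopes:
        if scope == "/":
            findings.append(("error", "ROOT_SCOPE", scope))
        elif "*" in scope:
            findings.append(("error", "SCOPE_WILDCARD", scope))

    mgmt_groups = [s for s in scopes if s.lower().startswith(MG_PREFIX)]
    if len(mgmt_groups) > 1:
        findings.append(("error", "MULTIPLE_MANAGEMENT_GROUPS", "; ".join(mgmt_groups)))
    if mgmt_groups and role.get("DataActions"):
        findings.append(("info", "DATAACTIONS_WITH_MANAGEMENT_GROUP",
                         "assignable at subscriptions in the group, not at the group itself"))
    return findings


def lint_json(text):
    """Lint a JSON document holding one role definition or an array of them."""
    doc = json.loads(text)
    roles = doc if isinstance(doc, list) else [doc]
    return {r.get("Name", "<unnamed>"): lint_role(r) for r in roles}


def has_errors(findings):
    """True if any finding would make the definition invalid."""
    return any(severity == "error" for severity, _, _ in findings)


# Constructed sample input: one clean role and two that break the rules above.
SAMPLE_ROLES = """
[
  {"Name": "VM Operator (constructed)",
   "Actions": ["Microsoft.Compute/virtualMachines/read",
               "Microsoft.Compute/virtualMachines/start/action",
               "Microsoft.Compute/virtualMachines/restart/action"],
   "NotActions": [], "DataActions": [], "NotDataActions": [],
   "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001"]},
  {"Name": "Cost Export Admin (constructed)",
   "Actions": ["Microsoft.CostManagement/exports/*", "Microsoft.Compute/*/*"],
   "NotActions": [], "DataActions": [], "NotDataActions": [],
   "AssignableScopes": ["/", "/subscriptions/*"]},
  {"Name": "Blob Reader (constructed)",
   "Actions": [], "NotActions": [],
   "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
   "NotDataActions": [],
   "AssignableScopes": ["/providers/Microsoft.Management/managementGroups/mg-example",
                        "/providers/Microsoft.Management/managementGroups/mg-other"]}
]
"""

if __name__ == "__main__":
    for name, findings in lint_json(SAMPLE_ROLES).items():
        print(f"{name}: {'FAIL' if has_errors(findings) else 'ok'}")
        for severity, code, detail in findings:
            print(f"  [{severity}] {code}: {detail}")
```
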

Input and output formats

To create a custom role using the command line, you typically use JSON to specify the properties you want for the custom role. Depending on the tools you use, the input and output formats will look slightly different. This section lists the input and output formats depending on the tool.

Azure PowerShell

To create a custom role using Azure PowerShell, you must provide the following input.

To update a custom role using Azure PowerShell, you must provide the following input. Note that the Id property has been added.

The following shows an example of the output when you list a custom role using Azure PowerShell and the ConvertTo-Json command.

To create or update a custom role using Azure CLI, you must provide the following input. This is the same format used when you create a custom role using Azure PowerShell.

The following shows an example of the output when you list a custom role using Azure CLI.

To create or update a custom role using the REST API, you must provide the following input. This is the same format that gets generated when you create a custom role using the Azure portal.

The following shows an example of the output when you list a custom role using the REST API.


Create Azure Custom Roles Using Azure Portal


December 6, 2023 by Utkarsh Agarwal Agarwal

Microsoft has officially announced the public preview of custom role management in the Azure portal, making it easier for you to customize the permissions you grant your users or applications to access Azure resources.

I’m excited to share some details on a new experience to the Azure portal, which allows you to manage custom roles that can be used to grant permissions to Azure resources. This is an evolution of the current experience only available in the command-line, Azure PowerShell and Azure Resource Manager API.

What Are Custom Roles?

If the Azure built-in roles don’t meet the specific needs of your organization, you can create your own Azure custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at subscription and resource group scopes.

They are stored in an Azure Active Directory (Azure AD) directory and can be shared across subscriptions. Each directory can have up to 5000 custom roles.

Prerequisites

To create custom roles, you need:

  • Permissions to create custom roles, such as Owner or User Access Administrator

How To Create Azure Custom Roles?

Step 1: Choose how to start

There are three ways that you can start to create a custom role. You can clone an existing role, start from scratch, or start with a JSON file. The easiest way is to find an existing role that has most of the permissions you need and then clone and modify it for your scenario.

Start from scratch

If you prefer, you can follow these steps to start a custom role from scratch.

  • In the Azure portal, open a subscription or resource group where you want the custom role to be assignable and then open Access control (IAM).
  • Click Add and then click Add custom role.

This opens the custom roles editor with the Start from scratch option selected.

Step 2: Create Custom Roles (Basics)

On the Basics tab, you specify the name, description, and baseline permissions for your custom role.

  • In the Custom role name box, specify a name for the custom role. The name must be unique for the Azure AD directory. The name can include letters, numbers, spaces, and special characters.
  • In the Description box, specify an optional description for the custom role. This will become the tooltip for the custom role.

The Baseline permissions option should already be set based on the previous step, but you can change it.

Step 3: Permissions

On the Permissions tab, you specify the permissions for your custom role.

Step 4: Assignable scopes

On the Assignable scopes tab, you specify where your custom role is available for assignment, such as subscription or resource group. Depending on how you chose to start, this tab might list the scope where you opened the Access control (IAM) page. Setting assignable scope to root scope (“/”) is not supported. Currently, you cannot add a management group as an assignable scope.

1. Click Add assignable scopes to open the Add assignable scopes pane.

2. Click one or more scopes that you want to use, typically your subscription.

3. Click the Add button to add your assignable scope.

Step 5: JSON

On the JSON tab, you see your custom role formatted in JSON. If you want, you can directly edit the JSON.

1. To edit the JSON, click Edit.

2. Make changes to the JSON.

   If the JSON is not formatted correctly, you will see a red jagged line and an indicator in the vertical gutter.

3. When finished editing, click Save.

Step 6: Review + create

On the Review + create tab, you can review your custom role settings.

1. Review your custom role settings.

2. Click Create to create your custom role.

   After a few moments, a message box appears indicating your custom role was successfully created.

3. View your new custom role in the Roles list. If you don’t see your custom role, click Refresh.

   It can take a few minutes for your custom role to appear everywhere.

Once you have your custom role, you have to test it to verify that it works as you expect. If you need to make adjustments later, you can update the custom role.

So, that’s how you can create your own custom roles according to your requirements and assign them to users, groups, and service principals at the management group, subscription, and resource.


Managing Custom Roles in Azure

Introduction

Roles permit users to act on Azure resources.

Azure has many out-of-the-box roles that you may apply to varying scopes, the most common scope being a resource group. If you look at any resource group’s Access control (IAM) role assignments, you will see Owner and Reader roles assigned. To see all the roles, do the following:

  • Create or select a resource group in the Azure portal.
  • On the left of the portal, click on "Access control (IAM)", then click on "+ Add" and select "Add role assignment". This will bring up the Add role assignment dialog on the right of the portal.
  • Click the down-arrow on Role to see the list of roles that can be assigned and scroll through them. It’s quite extensive.

As extensive as the built-in roles are, you may want to constrain access even further. There is a security principle of least privilege, which isn’t always facilitated by the out-of-the-box roles. For example, Azure released a new capability called Dedicated Hosts in January 2020 without any new out-of-the-box roles that allow you to manage it specifically. This new Azure resource uses the provider operation "Microsoft.Compute/HostGroups". This means anyone who can manage compute resources can now create and manage this expensive 64-core Azure resource. To restrict this permission, you will need to create a custom role.

In creating custom roles, you will need to understand the roles that your company supports and their scope of access to Azure resources. Custom roles are accessed via subscription but stored in Active Directory across all subscriptions which presents some unique concepts and challenges.

This article is intended to help you be successful in your use of Azure Custom Roles.

This article uses PowerShell to exemplify how to manage Azure Roles and assumes you have rudimentary PowerShell skills should you wish to try some of the commands. We have another blog on how to create PowerShell modules that you may find of interest as well.

Role Object

Azure has a lot of great documentation; however, there is nothing like loading an object in memory and analyzing what you have in order to know what you can use, as well as its structure. Let’s look at the Role object using Visual Studio Code. You can execute this PowerShell code in Visual Studio Code to follow along.

Note: These commands use the PowerShell module Az vs the original AzureRM. Az is the cross-platform version of the PowerShell Azure cmdlets and the recommended module going forward.

It will return an ID not in the assignable scope: c32345465-890a-bcde-f012-34567890abce.

Get-AzRoleDefinition -Name 'Cosmos DB' would return nothing or a $null object.

To fix this, you need to ensure your Azure context is set to one of the two subscriptions in order to Get, Set or Remove the role. Connect or set your context accordingly:

Connect-AzAccount -SubscriptionId a1234567-890a-bcde-f012-34567890abcd
Set-AzContext -SubscriptionId a1234567-890a-bcde-f012-34567890abcd

Then Get-AzRoleDefinition -Name 'Cosmos DB' would work.

Updating the Role

One of the tricks about managing roles is that you must have the rights to manage roles. If you don't have rights to any of the existing assignable scopes or the ones you want to set, then you will get a "Linked scope" error. It is not a very descriptive error, but in effect it means that you may have access and the right to the role, but not to one of its "scoped" items, so you can't change the object. The best way to edit the role is to load the object, output the property you want to change to a file, then update the actions list or assignable scope from the edited file. Assuming you have edited the text file, here is what you do to update the role:

# Get the current role definition and overwrite the actions and scope
$roledef = Get-AzRoleDefinition -Name 'Cosmos DB'
$roledef.Actions = Get-Content -Path "$env:userprofile\documents\Cosmos DB.Actions.txt"
$roledef.AssignableScopes = Get-Content -Path "$env:userprofile\documents\Cosmos DB.AssignableScope.txt"
# Pass the modified role object (not the role name) to Set-AzRoleDefinition
$roledef = Set-AzRoleDefinition -Role $roledef

Full list of Actions

Role actions are also referred to as actions, permissions and resource provider operations. The command that gets you a full list is:

Get-AzProviderOperation

You may want to use Start-Transcript and Stop-Transcript to capture the output to a file so you can search it.

Actions follow the format: {Company}.{ProviderName}/{resourceType}/{action}.

ManageRoles module in PSGallery

To make it easier to manage Roles, we have created a module called ManageRoles and published it in the PSGallery. To install it, run PowerShell in administrator mode and execute this command:

Install-Module -Name ManageRoles

If you choose to load it, use the function Get-RoleHelp to start down the path of using its functions.

  • Get-Role - Writes a role's actions and scope to separate files
  • Get-RoleActions - Writes a role's actions to an action file named actions-<role>.txt
  • Get-RoleScope - Writes a role's scope to a scope file named scope-<role>.txt
  • Set-Role - Overwrites a role based on an actions file and a scope file
  • Set-RoleActions - Overwrites a role’s actions from an action file
  • Set-RoleScope - Overwrites a role’s scope from a scope file
  • New-Role - Creates a new role based on an actions file and a scope file
  • Remove-Role - Removes a role from active directory from all subscriptions (scope)

We hope this blog has helped you to understand how Roles are managed in Azure and how you can create your own custom roles to make operating in Azure more secure. Please keep an eye on the Valorem blog for more helpful tips!

Happy PowerShelling!

Ken Knight

Cloud Architect, IT Modernization


Create and Assign Custom Roles to Users using Azure Role-Based Access Control


  • By Kishan Singh


In this article, we will see how to create and assign custom roles to users and the importance of role-based access control in Azure. Also, we will get to know when to use RBAC and how to implement RBAC in any organization. We will use JSON files to create a custom role in Azure.

What is RBAC?

RBAC stands for role-based access control. We can use it to assign exact roles and permissions to external users or employees. We can use the in-built Azure roles to provide RBAC or create custom roles using JSON policies. Azure Active Directory (Azure AD) and Role-Based Access Control (RBAC) help organizations manage and assign roles and permissions to users. In a nutshell, RBAC is an authorization system on Azure that helps provide users with the fine-grained access they need to complete their job.


Why We Need RBAC?

The diagram shows how Azure AD admin and RBAC roles are highly related.


In any organization, we have many roles to complete any job, and to complete the job, employees need access and exact permissions. To provide exact permission to external users or employees within the organization, we need a strong authorization system to give the users fine-grained access.

Azure came with RBAC, which will help organizations to assign exact roles to users, groups, and applications at a certain scope. The scope can be a subscription, a resource group, or a single resource. Role assignment at the parent scope will be applied to the child scope within that parent scope.

How to use RBAC in any Organization?

Azure provides many in-built roles which can be used to assign the exact roles required to complete any task. For instance, we can assign Virtual Machine Contributor if anyone wants access to manage a virtual machine in the Azure portal. The same goes for other resources present in the Azure portal. Otherwise, we can create a custom role using a JSON policy or the create-a-custom-role feature in the Azure portal.

We can assign roles to groups, users, and applications. If we want to provide the same access to multiple users, we can create a group of those users and assign the role to the group. Similarly, we can use a management group as a scope for multiple subscriptions and assign the role to the management group.

In-built roles in Azure

Azure provides many in-built roles which can be used to provide direct access to users without any difficulty in creating any roles.

Some of the popular roles in Azure are:

Owner : This role provides owner access to the user, and users have full access to manage resources and assign roles to users.

Contributor: This role will grant access to manage resources but not give permission to assign roles to users.

Reader: This role will give access to view all resources but cannot create or update resources.

User Access Administrator: This role will let you manage user access to Azure resources.

Assign roles through JSON

Azure provides a feature to create a custom role using a JSON policy. The JSON policy contains many fields, including those where we define Actions and DataActions.

Actions – NotActions = Effective management permissions

DataActions – NotDataActions = Effective data permissions

Assignable Scope – /Subscription/management Group/resource Group
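The two subtraction rules above can be evaluated directly. The following Python sketch is an added example, not code from the original article; it generalizes to wildcard and case-insensitive matching, and shows that NotActions only subtracts within its own role, so a second role held by the same principal can still grant the operation. The role definitions and the operation catalog are constructed; the Microsoft.Compute/HostGroups operation is the one mentioned earlier on this page.

```python
"""Evaluate Actions - NotActions for Azure role definitions, wildcards included."""
import re


def matches(pattern, operation):
    """True if a permission string (case-insensitive, '*' wildcard) covers operation."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def role_allows(role, operation, data_plane=False):
    """Effective permission of ONE role: granted by Actions, not removed by NotActions."""
    allow_key, not_key = (("DataActions", "NotDataActions") if data_plane
                          else ("Actions", "NotActions"))
    granted = any(matches(p, operation) for p in role.get(allow_key) or [])
    removed = any(matches(p, operation) for p in role.get(not_key) or [])
    return granted and not removed


def principal_allows(roles, operation, data_plane=False):
    """A principal holding several roles gets the union of each role's effective set.

    NotActions is not a deny rule: it cannot block a grant made by another role.
    """
    return any(role_allows(r, operation, data_plane) for r in roles)


def effective_operations(role, catalog, data_plane=False):
    """Filter a list of known operations down to what the role actually allows."""
    return [op for op in catalog if role_allows(role, op, data_plane)]


# Constructed role definitions for illustration.
COMPUTE_ADMIN = {"Name": "Compute Admin (constructed)",
                 "Actions": ["Microsoft.Compute/*"], "NotActions": []}
COMPUTE_NO_HOSTS = {"Name": "Compute Admin without Dedicated Hosts (constructed)",
                    "Actions": ["Microsoft.Compute/*"],
                    "NotActions": ["Microsoft.Compute/HostGroups/*"]}
# Abridged role modelled on the built-in Contributor: manage everything,
# but no writes or deletes under Microsoft.Authorization.
CONTRIBUTOR_LIKE = {"Name": "Contributor-like (constructed)",
                    "Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]}
BLOB_READER = {"Name": "Blob Reader (constructed)", "Actions": [],
               "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]}

# Constructed, abridged catalog of operations to test against.
CATALOG = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/hostGroups/write",
    "Microsoft.Compute/hostGroups/hosts/write",
    "Microsoft.Storage/storageAccounts/read",
]

if __name__ == "__main__":
    for role in (COMPUTE_ADMIN, COMPUTE_NO_HOSTS, CONTRIBUTOR_LIKE):
        print(role["Name"])
        for op in effective_operations(role, CATALOG):
            print("  allows", op)
    both = [COMPUTE_NO_HOSTS, COMPUTE_ADMIN]
    print("Both compute roles, hostGroups/write:",
          principal_allows(both, "Microsoft.Compute/hostGroups/write"))
```
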

Here this JSON policy has contributor access to the scope:

This article taught us about Azure RBAC and when to use RBAC. Role-Based Access Control (RBAC) allows us to assign the exact permissions required to perform a certain task. Azure has many in-built roles which will give the required access. If we want custom roles, Azure also allows us to create our own role and assign it to the desired users. RBAC provides roles for each resource so that no extra permission is granted to users who do not need it. We cannot assign roles to subscriptions; we can only give roles to users, groups, resource groups, and resources. A role at the parent scope is also inherited by the child scope.


1. Can we assign roles to a subscription?

ANS: – No, we can create a role in the subscription scope.

2. Can we add more than one role to a user?

ANS: – Yes, we can add multiple roles to users.


WRITTEN BY Kishan Singh

Kishan Singh works as Research Associate (Infra, Migration, and Security) at CloudThat. He is Azure Administrator and Azure Developer certified. He is highly organized and an excellent communicator with good experience in Cyber Security and Cloud technologies. He works with a positive attitude and has a good problem-solving approach.


Using Azure policies to audit and automate RBAC role assignments

RBAC role assignments in Azure are usually inherited from the subscription or management group level, but there may come a time when that is far too broad a scope for granting permissions to an AD user group.

While it’s tempting to assign permissions on a larger scope, sometimes you might prefer to grant an RBAC role with minimal permissions on only some of the subscription’s resource groups to accomplish the task at hand. In those scenarios you’ll usually end up with one of the following options to handle the role assignments:

  • Include the role assignments in your ARM templates / Terraform code / Bicep templates
  • Manually add the role to the proper resource groups

If neither of these appeals to you, there’s a third option: define an Azure policy which identifies the correct resource groups and then deploys RBAC role assignments automatically if conditions are met. This blog gives step-by-step instructions on how to:

  • Create a custom Azure policy definition for assigning Contributor RBAC role for an Azure AD group
  • Create a custom RBAC role for policy deployments and add it to your policy definition
  • Create an assignment for the custom policy

The example scenario is very specific and the policy definition is created to match this particular scenario. You can use the solution provided in this post as a basis to create something that fits exactly to your needs.

Azure policies in brief

Azure policies are a handy way to add automation and audit functionality to your cloud subscriptions. The policies can be applied to make sure resources are created following the company’s cloud governance guidelines, for example for resource tagging or picking the right SKUs for VMs. Microsoft provides many different types of built-in policies that are pretty much ready for assignment. However, for specific needs you’ll usually end up creating a custom policy that suits you better.

Using Azure policies is divided into two main steps:

  • You need to define a policy which means creating a ruleset (policy rule) and actions (effect) to apply if a resource matches the defined rules.
  • Then you must assign the policy to the desired scope (management group / subscription / resource group / resource level). Assignment scope defines the maximum level of scanning if resources match the policy criteria. Usually the preferable levels are management group / subscription.

Depending on how you prefer governing your environment, you can use individual policies or group multiple policies into initiatives. Initiatives help you simplify assignments by working with groups instead of individual assignments. They also help with handling service principal permissions. If you create a policy for enforcing 5 different tags, you’ll end up with five service principals with the same permissions if you don’t use an initiative that groups the policies into one.

Creating the policy definition for assignment of Contributor RBAC role

The RBAC role assignment can be done with a policy that targets the wanted scope of resources through policy rules. So first we’ll start with defining some basic properties for our policy which tell other users what this policy is meant for. A few notes:

  • Policy type = custom. Everything that’s not built-in is custom.
  • Mode = all since we won’t be creating a policy that enforces tags or locations
  • Category can be anything you like. We’ll use “Role assignment” as an example

Now we have our policy’s base information set. It’s time to form a policy rule. The policy rule consists of two blocks: policyRule and then. The first one is the actual rule definition and the latter is the definition of what should be done when conditions are met. We’ll want to target only a few specific resource groups, so the scope can be narrowed down with tag evaluations and resource group name conventions. To do this let’s slap an allOf operator (which is kind of like the logical operator ‘and’) to the policy rule and set up the rules.

As can be seen from the JSON, the policy is applied to a resource (or actually a resource group) if

  • Its type is Microsoft.Resources/subscriptions/resourceGroups = the target resource is a resource group
  • It has a tag named RbacAssignment set to true
  • The resource group name starts with my-rg-prefix

In order for the policy to actually do something, an effect must be defined. Because we want the role assignment to be automated, the deployIfNotExists effect is perfect. A few notes on how to set up an effect:

  • The most important stuff is in the details block
  • The type of the deployment and the scope of an existence check is Microsoft.Authorization/roleAssignments for RBAC role assignments
  • An existence condition is kind of another if block: the policy rule checks if a resource matches the conditions, which makes it applicable for the policy. The existence check then confirms if the requirements of the details are met. If not, an ARM template will be deployed to the scoped resource

The existence condition of the then block in the code example below checks the role assignment for a principal id through a combination of Microsoft.Authorization/roleAssignments/roleDefinitionId and Microsoft.Authorization/roleAssignments/principalId. Since we want to assign the policy to a subscription, the roleDefinitionId path must include the /subscriptions/<your_subscription_id>/.. in order for the policy to work properly.

The last thing to add is the actual ARM template that will be deployed if existence conditions are not met. The template itself is fairly simple since it only contains the definitions for an RBAC role assignment.

And that’s it! Now we have the policy definition set up for checking and remediating the default RBAC role assignment for our subscription. If the automated deployment feels too daunting, the effect can be swapped to the auditIfNotExists version. That way you won’t be deploying anything automatically but you can simply audit all the resource groups in the scope for default RBAC role assignments.
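The rule, existence condition and deployment described in this section, written out as an added example. It is a reconstruction from the conditions listed above, not the post's original JSON. The subscription, group and custom role ids are constructed placeholders, and the policy name and the function name Publish-RbacAssignmentPolicy are assumptions.

```powershell
# Constructed placeholder ids (assumptions): replace with your own values.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$groupObjectId  = '11111111-1111-1111-1111-111111111111'  # Azure AD group that gets Contributor
$deployerRoleId = '22222222-2222-2222-2222-222222222222'  # custom deployment role (created in the next section)

# Built-in role definition GUIDs.
$contributorId     = 'b24988ac-6180-42a0-ab88-20f7382dd24c'  # Contributor
$userAccessAdminId = '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'  # User Access Administrator
$ownerId           = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'  # Owner

$roleDefs = '/providers/Microsoft.Authorization/roleDefinitions'
# The existence check compares against the subscription-qualified role path.
$contributorPath = "/subscriptions/${subscriptionId}${roleDefs}/${contributorId}"

# ARM template deployed into each matching resource group that lacks the assignment.
$template = [ordered]@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    resources      = @(
        [ordered]@{
            type       = 'Microsoft.Authorization/roleAssignments'
            apiVersion = '2022-04-01'
            # Deterministic name, so repeated remediation does not create duplicates.
            name       = "[guid(resourceGroup().id, '$groupObjectId', '$contributorId')]"
            properties = [ordered]@{
                roleDefinitionId = $contributorPath
                principalId      = $groupObjectId
                principalType    = 'Group'
            }
        }
    )
}

$policyRule = [ordered]@{
    # Condition block: resource group + tag + name prefix, combined with allOf.
    'if'   = [ordered]@{
        allOf = @(
            @{ field = 'type'; equals = 'Microsoft.Resources/subscriptions/resourceGroups' }
            @{ field = "tags['RbacAssignment']"; equals = 'true' }
            @{ field = 'name'; like = 'my-rg-prefix*' }
        )
    }
    'then' = [ordered]@{
        effect  = 'deployIfNotExists'
        details = [ordered]@{
            type               = 'Microsoft.Authorization/roleAssignments'
            # Roles granted to the identity that runs the remediation deployment.
            roleDefinitionIds  = @("$roleDefs/$deployerRoleId", "$roleDefs/$userAccessAdminId")
            existenceCondition = @{
                allOf = @(
                    @{ field = 'Microsoft.Authorization/roleAssignments/roleDefinitionId'; equals = $contributorPath }
                    @{ field = 'Microsoft.Authorization/roleAssignments/principalId'; equals = $groupObjectId }
                )
            }
            deployment         = @{ properties = [ordered]@{ mode = 'incremental'; template = $template } }
        }
    }
}

# Guard: the remediation identity must not be handed Owner.
$granted = $policyRule['then']['details']['roleDefinitionIds']
if ($granted -contains "$roleDefs/$ownerId") { throw 'Policy identity would receive Owner.' }

$policyJson = $policyRule | ConvertTo-Json -Depth 20
$null = $policyJson | ConvertFrom-Json   # fails loudly if the JSON is malformed
$policyJson                               # print the rule for review

# Needs the Az.Resources module and an authenticated session (Connect-AzAccount).
function Publish-RbacAssignmentPolicy {
    New-AzPolicyDefinition -Name 'deploy-rg-contributor-assignment' `
        -DisplayName 'Assign Contributor to tagged resource groups' `
        -Mode All -Metadata '{"category":"Role assignment"}' -Policy $policyJson
}
```

Everything above the function runs offline and only prints the rule. Swapping the effect value to auditIfNotExists and removing the deployment block gives the audit-only variant mentioned above.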

That should be enough, right? Well, it isn’t. Since we’re using ARM template deployment with our policy, we must add a role with privileges to create remediation tasks, which essentially means we must add a role that has privileges to create and validate resource deployments. Azure doesn’t provide such a role with minimal privileges out of the box, since the scope that has all the permissions we need is Owner. We naturally don’t want to give Owner permissions to anything if we reeeeeally don’t have to. The solution: create a custom RBAC role for Azure Policy remediation tasks.

Create custom RBAC role for policy remediation

Luckily, creating a new RBAC role for our needs is a fairly straightforward task. You can create new roles in the Azure portal or with PowerShell or Azure CLI. Depending on your preferences and your permissions in Azure, you’ll want to create the new role in a management group or a subscription to contain it to the level where it is needed. Of course there’s no harm in spreading that role to a wider area of your Azure environment, but for the sake of keeping everything tidy, we’ll create the new role in one subscription since it’s not needed elsewhere for the moment.

Note that the custom role only allows anyone to validate and create deployments. That’s not enough to actually do anything. You’ll need to combine the deployment role with a role that has permissions to do the stuff set in deployment. For RBAC role assignments you’d need to add “User Access Administrator” role to the deployer as well.

Here’s how to do it in Azure portal:

  • Go to your subscription listing in Azure, pick the subscription you want to add the role to and head on to Access control (IAM) tab.
  • From the top toolbar, click on the “Add” menu and select “Add custom role”.
  • Give your role a clear, descriptive name such as Least privilege deployer or something else that you think is more descriptive.
  • Add a description.
  • Add permissions Microsoft.Resources/deployments/validate/action and Microsoft.Resources/deployments/write to the role.
  • Set the assignable scope to your subscription.
  • Review everything and save.

After the role is created, check its properties and take note of the role id. Next we’ll need to update the policy definition made earlier in order to get the new RBAC role assigned to the service principal during policy initiative assignment.

So from the template, change this in effect block:

Assigning the created policy

Creating the policy definition is not enough for the policy to take effect. As mentioned before, the definition is merely a ruleset created for assigning the policy and does nothing without the policy assignment. Like definitions, assignments can be set to desired scope. Depending on your policy, you can set the policy for management group level or individual assignments to subscription level with property values that fit each individual subscription as needed.

Open Azure Policy and select “Assignment” from the left side menu. You can find “Assign policy” in the top toolbar. There are a few considerations that you should go over when you’re assigning a policy:

  • The scope: always think about your assignment scope before blindly assigning policies that modify your environment.
  • Exclusion is a possibility, not a necessity. Should you re-evaluate the policy definition if you find yourself adding a lot of exclusions?
  • You can fix all the non-compliant resources with a remediation task after initial compliance scan

Remediation

  • If you have a policy that changes something with either the modify or the deployIfNotExists effect, you’ll be creating a service principal for implementing the changes when you assign the policy. Be sure to check that the location (region) of the service principal matches your desired location.
  • If you choose to create a remediation task upon assignment, it will implement the changes in the policy to existing resources. So if you have doubts whether the policy works as you desire, do not create a remediation task during assignment. Review the compliance results first, then create the remediation task if everything’s ok.

Non-compliance message

  • It’s usually a good idea to create a custom non-compliance message for your own custom definitions.

After you’ve set up all relevant stuff for the assignment and created it, it’s time to wait for the compliance checks to go through. When you’ve created an assignment, the first compliance check cycle is usually done within 30 minutes of the assignment creation. After the first cycle, compliance is evaluated once every 24 hours or whenever the assigned policy definitions are changed. If that’s not fast enough for you, you can always trigger an on-demand evaluation scan.

Create Custom Roles for Microsoft Azure

Luke Murray

Microsoft Azure uses Roles to define who can access what: Role-Based Access Control (RBAC).

You may be familiar with some of the more common ones, such as:

  • Contributor

Behind the scenes, each role is a separate grouping of permissions that determine what level of permissions someone or something has in Azure; these permissions are usually in the form of:

Each role can be assigned to a specific Resource, Subscription, Management Group or Resource Group through an 'Assignment' (you assign a role if you give someone Contributor rights to a Resource Group, for example).

These permissions can be manipulated and custom roles created.

Why would you use custom roles you ask? As usual - it depends!

Custom Roles can give people or objects JUST the right amount of permissions to do what they need to do, nothing more and nothing less. For example, maybe you are onboarding a support partner: if they will only be supporting your Logic Apps, WebApps and Backups, you may not want them to be able to log support cases for your Azure resources. Instead of attempting to mash several roles together that may give more or fewer rights than you need, you can create a custom role that gives them specifically what they need, and then increase or decrease the permissions as needed. However, if a built-in role already exists for what you want, there is no need to reinvent the wheel, so use it!

I will run through a few things to help you understand and build your own Custom Roles, primarily using PowerShell.

Install the Azure PowerShell Modules

As a pre-requisite for the following, you need to install the Azure (Az) PowerShell Module. You can skip this section if you already have the PowerShell modules installed.

Open Windows PowerShell

If you have issues installing the Azure PowerShell module, see the Microsoft documentation directly: Install the Azure Az PowerShell module.

Once you have the Azure PowerShell module installed, you can connect to your Azure subscription using the little snippet below:

Export Built-in Azure Roles

One of the best ways to learn about how an Azure Role is put together is to look at the currently existing roles.

The following PowerShell command will list all current Azure roles:

For a more human-readable view that lists the Built-in Azure roles and their descriptions, you can filter it by:

As you can see in the screenshot below, there are many various roles, from EventGrid Contributor to AgFood Platform Service and more! At the time of this article, there were 276 built-in roles.

Now that we have successfully been able to pull a list of the existing roles, we will now export them as JSON files to take a proper look at them.

The PowerShell script below will create a few folders on your computer as a base to work from (feel free to change the folders to suit your folder structure or access rights).

  • c:\Temp\AzureRoles
  • C:\Temp\AzureRoles\BuiltinExports\
  • C:\Temp\AzureRoles\CustomRoles

Once the folders have been created, it will get the Azure Role definitions and export them as JSON into the BuiltinExports folder to be reviewed.

Once completed, you should now see the JSON files below:

Although you can use Notepad, I recommend using Visual Studio Code to read these files. This is because Visual Studio Code will help with the syntax as well.

Review Built-in Azure Roles

Open one of the roles. I will open the Azure Digital Twins Data Owner role; however, it doesn't matter which one you pick.

You should see the following fields:

  • Description
  • DataActions
  • NotDataActions
  • AssignableScopes

These fields make up your Role.

The Name field is pretty self-explanatory - this is the name of the Azure Role and what you see in the Azure Portal, under Access control (IAM).

The same is true for the Description field.

These are essential fields as they should tell the users what resource or resources the role is for and what type of access is granted.

The IsCustom field is used to determine if the Azure Role is custom-made or not; any user-created Role will be set to True, while any In-Built role will be False.

The Actions field is used to determine what management operations can be performed. However, the Azure Digital Twins role doesn't have any (as it is mainly Data Action based). If we look at another Role, such as the Azure Kubernetes Service RBAC Admin role:

  • "Microsoft.Authorization/*/read",
  • "Microsoft.Insights/alertRules/*",
  • "Microsoft.Resources/deployments/write",

You can see that it has the rights to Read the permissions, create and delete any Alert rules and update resources.

The NotActions field is used to exclude anything from the Allowed actions.

The DataActions field allows you to determine what data operations can be performed. Usually, these are sub-resource tasks: management or higher-level operations are performed in the Actions field, while more specific resource actions are performed in the DataActions field.

The NotDataActions field is used to exclude anything from the Allowed actions in the DataActions.

To help get a feel of the differences with the Actions, here is a list of Actions and DataActions for the Azure Kubernetes Service RBAC Admin role:

  • And finally, the AssignableScopes is used to specify where the role will be available for assignment, whether it can be assigned at a subscription or resource group or management group level. You will notice that most if not all built-in Azure Roles have an Assignable scope of "/" - this means that it can be assigned everywhere (Subscriptions, Resource Groups, Management Groups etc.).
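How the Actions, NotActions, DataActions and NotDataActions fields combine when a single role is checked against an operation, as an added example that is not part of the original post. The sample role is constructed: its three Actions are the ones quoted above, while the role name, the NotActions entry and the function name Test-RoleGrantsOperation are assumptions for illustration.

```powershell
# Constructed sample role (not exported from Azure).
$role = [pscustomobject]@{
    Name           = 'Sample-AlertOperator'
    Actions        = @(
        'Microsoft.Authorization/*/read',
        'Microsoft.Insights/alertRules/*',
        'Microsoft.Resources/deployments/write'
    )
    NotActions     = @('Microsoft.Insights/alertRules/delete')   # added to show an exclusion
    DataActions    = @()
    NotDataActions = @()
}

function Test-RoleGrantsOperation {
    param(
        [Parameter(Mandatory)] $Role,
        [Parameter(Mandatory)] [string] $Operation,
        [switch] $DataPlane   # check DataActions/NotDataActions instead of Actions/NotActions
    )
    $allow = if ($DataPlane) { $Role.DataActions } else { $Role.Actions }
    $deny  = if ($DataPlane) { $Role.NotDataActions } else { $Role.NotActions }

    # -like treats * as a wildcard and is case-insensitive, which is how the
    # wildcard entries in a role definition are meant to be read.
    $allowed  = @($allow | Where-Object { $Operation -like $_ }).Count -gt 0
    $excluded = @($deny  | Where-Object { $Operation -like $_ }).Count -gt 0

    # NotActions subtracts from this role only. It is not a deny rule: another
    # role assigned to the same principal can still grant the operation.
    return ($allowed -and -not $excluded)
}

# Operations to test against the sample role.
$checks = @(
    'Microsoft.Authorization/roleAssignments/read',
    'Microsoft.Authorization/roleAssignments/write',
    'Microsoft.Insights/alertRules/write',
    'Microsoft.Insights/alertRules/delete',
    'Microsoft.Resources/deployments/write'
)

foreach ($op in $checks) {
    [pscustomobject]@{
        Operation = $op
        Granted   = (Test-RoleGrantsOperation -Role $role -Operation $op)
    }
}
```

The same function accepts a role loaded from one of the exported files with Get-Content and ConvertFrom-Json, which makes it easy to check what a wildcard entry in a built-in role actually covers before copying it into a custom role.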

Review Azure Provider Namespaces

You may have noticed that each Action has a provider. In the example of a Virtual Machine, the provider is Microsoft.Compute.

To get a list of all current Providers, run the following command:

At the time of writing, there are 198 current Providers! So that's 198 providers, or overall buckets of resources, that permissions can be granted over.

We can drill into a provider a bit further to check out current Operations:

This displays a list of all providers within the Microsoft.Compute namespace, such as (but definitely not limited to):

  • Virtual machines
  • Virtual Machine Scale Sets
  • Cloud Services

If we wanted to drill into the Virtual Machines providers a bit more, we could filter it like:

Here we can finally see the available actions, and for example, the following Action will allow you to Read the VM sizes available to a Virtual Machine:

  • Operation: Microsoft.Compute/virtualMachines/vmSizes/read
  • OperationName: Lists Available Virtual Machine Sizes
  • ProviderNamespace: Microsoft Compute
  • ResourceName: Virtual Machine Size
  • Description: Lists available sizes the virtual machine can be updated to
  • IsDataAction: False

You can use the PowerShell script below to export all the Providers and their Operations to a CSV for review:

Using the namespace, providers and actions, you should now be able to see the power behind Role-based access control and how granular you can get.

Add a Custom Role using PowerShell

Now that we understand how to navigate the Namespaces and Built-In Roles available in Microsoft Azure using PowerShell, we will create one.

I have created a base template to help you start.

This base template has the following fields that the majority of custom roles will use:

  • AssignableScopes (make sure you put in the of your Azure subscription, you are assigning the role to.)
  • Edit these fields (apart from IsCustom, which you should leave as True) as you need.

This Custom Role - Template allows you to read the name of all Resource Groups in a subscription and open a Microsoft Support case.

In my example, I am going to add a new role called:

  • LukeGeek-WebApp Deployment-RW

This role will allow users to Deploy and modify Azure WebApps, among other things!

To add the Custom Role to Azure, I will run the following PowerShell command:

Your new Custom Role has now been uploaded to Azure and can be selected for an assignment.
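An added example (not the post's own template or script) that builds a custom role definition, checks it against a few least-privilege rules, and writes the JSON file that New-AzRoleDefinition -InputFile reads. It uses the role name and the two deployment permissions from the policy-remediation section earlier on this page; the subscription id is a constructed placeholder, and the function names and the file name are assumptions.

```powershell
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # constructed placeholder

# Role definition with the same fields the exported built-in roles use.
$roleDefinition = [ordered]@{
    Name             = 'Least privilege deployer'
    IsCustom         = $true
    Description      = 'Validate and create resource deployments; nothing else.'
    Actions          = @(
        'Microsoft.Resources/deployments/validate/action',
        'Microsoft.Resources/deployments/write'
    )
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @("/subscriptions/$subscriptionId")
}

# Returns a list of problems; an empty list means the definition passed.
function Get-RoleDefinitionFinding {
    param([Parameter(Mandatory)] $Definition)
    $findings = @()

    if (-not $Definition.IsCustom) {
        $findings += 'IsCustom must be true for a user-created role.'
    }
    # Flag "*" and provider-wide wildcards such as "Microsoft.Compute/*".
    foreach ($a in @($Definition.Actions) + @($Definition.DataActions)) {
        if ($a -eq '*' -or $a -match '^[^/]+/\*$') {
            $findings += "Over-broad permission: $a"
        }
    }
    if (@($Definition.AssignableScopes).Count -eq 0) {
        $findings += 'No assignable scope set.'
    }
    foreach ($s in @($Definition.AssignableScopes)) {
        if ($s -eq '/') {
            $findings += 'AssignableScopes "/" is only available to built-in roles.'
        }
    }
    return ,$findings
}

$findings = Get-RoleDefinitionFinding -Definition $roleDefinition
if ($findings.Count -gt 0) { throw ($findings -join "`n") }

# Write the definition to a file for review, version control and upload.
$path = Join-Path ([System.IO.Path]::GetTempPath()) 'LeastPrivilegeDeployer.json'
$roleDefinition | ConvertTo-Json -Depth 5 | Set-Content -Path $path -Encoding UTF8
"Role definition written to $path"

# Needs the Az.Resources module and an authenticated session (Connect-AzAccount).
function Publish-CustomRole {
    param([Parameter(Mandatory)] [string] $InputFile)
    New-AzRoleDefinition -InputFile $InputFile
}
```

Everything above Publish-CustomRole runs offline. Call Publish-CustomRole -InputFile $path once the JSON has been reviewed.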

Add a Custom Role using the Azure Portal

Now that we have been through and investigated the Azure roles and their providers and actions, instead of using PowerShell to look through and create manually, you can use the Azure Portal!

Gasp! Why didn't you tell me earlier about this, Luke? Well, fellow Azure administrator, I found it easier to look at PowerShell and JSON to explain how the Custom Roles were made, vs staring at the Azure Portal and, to be honest, really just because! Like most things in IT, there are multiple ways something can be done!

  • Log in to the Azure Portal
  • Navigate to your Subscription
  • Click on Access Control (IAM) on the left-hand side blade
  • Click on Add
  • Click on Add Custom Role
  • Type in the Role Name, for example, WebAdmin-RO
  • Type in a clear description so that you can remember what this role is used for in a year!
  • For Baseline permissions, select: Start from Scratch
  • Click Add Permissions
  • As you should see, all the Namespace providers are listed with the Actions/Permissions that you can do.
  • In my example, I am going to search for Microsoft Web Apps
  • Select all 'Read' operations (remember to look at Data Actions as well, there may be resource level actions you might want to allow or exclude)
  • Review the permissions and click Next
  • Select your assignable scope (where the Role will be allowed so that you can assign it)
  • You can review and download the JSON for backup later (this is handy if you are going to Automate the creation of roles in the future and want a base to start from)
  • Click Create to create your Custom Role!

Assign a Custom Role using the Azure Portal

Now that you have created your Custom Role - it is time to assign it! So it is actually in use.

  • Navigate to your Subscription or Resource Group you want to delegate this role to
  • Click on Access Control (IAM)
  • Click on Role Assignment
  • Under the 'Role' dropdown, select your Custom Role.

  • Now you can select the Azure AD Group/User or Service Principal you want to assign the role to and click Save.
  • Congratulations, you have now assigned your Custom role!

Assign a Custom Role using PowerShell

You can assign Custom Roles using PowerShell. To do this, you need a few things such as the Object ID, Assignable Scope IDs etc. Instead of rehashing it, this Microsoft article does an excellent job of running through the process.

  • Assign Azure roles using Azure PowerShell

Manage Azure Role Assignments Like a Pro with PowerShell

Today’s blog post is a little bit different. I have a couple of examples of how you can use PowerShell snippets and simple cmdlets to get or set role assignments in your Azure Subscriptions.

PowerShell examples for managing Azure Role assignments

  • List all role assignments in a subscription
  • Get all role assignments for a specific resource group
  • Get all role assignments for a specific user
  • Add a role assignment to a user
  • Remove a role assignment for a user
  • Remove all role assignments for a specific user
  • List all built-in roles
  • List all custom roles
  • Create a custom role
  • Update a custom role
  • Delete a custom role
  • List all users or groups assigned to a specific role
  • List all permissions granted by a specific role
  • List all resource groups that a user has access to
  • Create a role assignment for a service principal
  • PowerShell script to manage Azure role assignments

And now there is a script that combines some of these examples into one usable function:

I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.

Vukasin Terzic

Azure AD Custom Roles: Create & Manage Custom Roles for Azure AD

May 27, 2023

Azure AD Custom Roles: How to Create and Manage Custom Roles for Your Azure AD Environment. Do you need to create and manage Custom Roles in your Azure AD environment? This article guides you through the process.

To ensure your Azure AD subscription meets the prerequisites for creating custom roles, we start by discussing the licensing requirements. Additionally, we cover the required permissions for the admin creating the role.

Next, the article explains the reasons for creating custom roles. Then, we move on to the main purpose of this article.

This section explains creating custom roles in the Azure Active Directory portal. It also covers assigning permissions to custom roles and assigning users and groups to those roles.

Prerequisites to Create & Manage Custom Roles in Azure Active Directory

An organization must have an Azure AD Premium P1 or P2 license to create custom roles. Furthermore, the individual responsible for role creation must hold either the “Privileged Role Admin” or “Global Admin” roles.

In addition, if you use PowerShell to create and manage custom Azure Active Directory roles, it is necessary to install the AzureADPreview module.

Microsoft 365 E3 includes an Azure AD P1 license, while Microsoft 365 E5 includes Azure AD Premium P2. View Azure AD licensing options for more information.

Why You Need Custom Roles in Azure AD?

Companies and organizations using Azure AD often create custom roles to avoid granting specific users or groups unwanted permissions, that is, permissions beyond their specific tasks.

However, you must examine all the built-in roles before creating custom ones. Regarding built-in roles, Azure Active Directory currently offers a wide selection of over 120 roles as of May 2023.

Each role comes with pre-assigned permissions that are allocated to users or groups.

To better understand the built in roles and their permissions, navigate to the Azure Active Directory portal and access the “Roles and administrators” menu. For further assistance, please refer to the screenshot provided below.

Furthermore, to learn more about a specific built-in role, click on the Description tab, which displays comprehensive information about the role’s permissions.

The “Role permissions” section provides a comprehensive list of permissions granted to users or group members assigned to the role. 

After completing the role review exercise and finding that none of the existing roles meet your requirements, move on to the following steps. They assist you in creating and managing custom roles in Azure Active Directory.

How to Create Custom Roles for Your Azure Active Directory Environment

1. On the Azure Active Directory portal, click “Roles and administrators.”

2. Next, on the “All roles” page, click “+ New custom role.”

3. After that, Azure AD displays the “New custom role” page. Enter Name and Description (optional) on the first page of the workflow.

Additionally, select either “Start from scratch” (default) or “Clone from a custom role.” The “Clone from a custom role” option allows you to create a custom role by copying an existing one.

However, please note that the drop-down is empty if you do not have any custom roles.

Once you have entered the necessary details, click Next.

4. In the Permissions section of the workflow, you need to grant permissions to the new custom role. Then, click Next.

Finally, review your selections and click Create to create the new custom role successfully.

Grant Permissions to Users and Groups By Assigning Them Custom Roles

After creating custom Azure AD roles, use them to assign permissions to Microsoft 365 resources. Assign the role to users and groups.

Follow the steps below:

1. Click on “Roles and administrators” in the Azure Active Directory portal.

2. To modify the assignment for a custom role, first, click on the role you want to modify.

3. Next, click “+ Add assignments.” 

4. Click on the security objects (users or groups) in the “Add assignments” to assign roles to them. In order to locate specific objects, make use of the search field.

After you have included the desired users and groups, click on “Add”.

When you reload the “Assignments” page, it displays the objects that have been assigned to the custom Azure AD role.

Managing Custom Roles in Azure Active Directory

Once a custom role is created, admins are required to perform routine tasks. For example, modify the permissions and scope of existing custom roles.

Similarly, that includes revoking permissions granted to them. Additionally, they may need to add or remove users and groups from the custom role.

Furthermore, Azure AD admins might also need to delete custom roles that are no longer necessary or conduct auditing of those roles.

In this section, we explore managing Azure custom roles and discuss the steps involved in carrying out these tasks.

Modify Permissions or Delete Custom Roles

1. In the Azure Active Directory portal, click on “Roles and administrators.”

2. Then, open the custom role. 

3. Go to the Description tab and click on the Edit button.

If you are editing the custom role, proceed to step 4.

Alternatively, if you want to delete the role, click the Delete button. The Azure AD portal prompts you to confirm the delete request.

4. On the ‘Basic’ tab of the role edit page, change the name of the description. However, to modify the permissions, click the Permissions tab.

5. Finally, add or remove permissions as required, click ‘Next’ and complete the process.

Modify User Assignments for Custom Roles

In addition to modifying permissions, add or remove users assigned to a custom role in Azure Active Directory. To accomplish this, access the custom role and proceed with the following steps:

Firstly, open the custom role in Azure Active Directory. Next, navigate to the “Assignments” tab and identify the user or group you wish to remove.

Click “Remove assignments” and confirm your request.

Another common custom role admin task is adding new users or groups.

To perform this task, click “+ Add assignments” after opening the custom role. Select the users or groups you want to add and click “Add”.

Azure AD Custom Roles: Create & Manage Custom Roles for Azure AD Conclusion

In order to meet business needs, the creation of custom roles in Azure AD is necessary despite the presence of built-in roles. The primary reason for creating these custom roles, as identified in this article, is to prevent users from being granted excessive permissions.

Moreover, we discussed the steps involved in creating custom roles and assigning permissions to them. Additionally, we explored how to grant permission to groups and users by assigning them to a custom role.

Finally, the article concluded by examining the steps for editing or deleting a custom role, as well as modifying user assignments.


Victor Ashiedu


Analytics , Announcements , Microsoft Purview

Introducing modern data governance for the era of AI 

By Karthik Ravindran General Manager, Data Governance for Microsoft Purview

Posted on March 26, 2024 6 min read

  • Tag: Azure Marketplace
  • Tag: Microsoft Fabric

The era of generative AI has arrived, offering new possibilities for every person, business, and industry. At the same time, the speed, scale, and sophistication of cyberattacks, increasing regulations, an ever-expanding data estate, and business demand for data insights are all converging. This convergence pressurizes business leaders to adopt a modern data governance and security strategy to confidently ensure AI readiness.    

A modern data governance and security solution unifies data protection and governance capabilities, simplifies actions through business-friendly profiles and terminology with AI-powered business efficiency, and enables federated governance across a disparate multi-cloud data estate.  


Microsoft Purview is a comprehensive set of solutions that can help your organization govern, protect, and manage data, wherever it lives. Microsoft Purview provides integrated coverage and helps address the fragmentation of data across organizations, the lack of visibility that hampers data protection and governance, and the blurring of traditional IT management roles. 

Today, we are excited to announce a reimagined data governance experience within Microsoft Purview, available in preview April 8, 2024. This new software-as-a-service (SaaS) experience offers sophisticated yet simple business-friendly interaction, integration across data sources, AI-enabled business efficiency, and actions and insights to help you put the ‘practice’ into your data governance practice.   

“We are thrilled to leverage Microsoft Purview’s new innovative approach to activate the practice of federated data governance. These new capabilities enable us to responsibly scale our data strategy to drive business value, while enhancing our sophisticated data governance practice that meets the demands of our business and puts data insights at the core of our decision making.”  Tony Bishop, Group Head of Data & Analytics, Aspen

Modern data governance with Microsoft Purview 

I led Microsoft through our own modern data governance journey the past several years and this experience exposed the realities, challenges, and key ingredients of the modern data governance journey.  

Our new Microsoft Purview data governance solution is grounded in years of applied learning and proven practices from navigating this data transformation journey along with the transformation journeys of our enterprise customers. To that end, our vision for a modern data governance solution is based on the following design principles: 

Anchored on durable business concepts  

The practice of data governance should enable an organization to accelerate the creation of responsible value from their data. By anchoring data governance investments to measurable business objectives and key results (OKRs), organizations can align their data governance practice to business priorities and demonstrate business value outcomes.  

A unified, integrated, and extensible experience 

A modern data governance solution should offer a single-pane-of-glass experience that integrates across multi-cloud data estate sources for data curation, management, health controls, discovery, and understanding, backed with compliant, self-serve data access. The unified experience reduces the need for laborious and costly custom-built or multiple-point solutions. This enables a focus on accelerating data governance practices, activating federated data governance across business units, and ensuring leaders have real-time insights into governance health. 

Scale success with AI-enabled experiences  

An ever-growing and changing data estate demands simplicity in how it is governed and to ensure business adoption and implementation efficiencies. Natural language interactions and machine learning (ML)-based recommendations across governance capabilities are critical to this simplification and accelerating data governance adoption.  

A culture of data governance and protection  

Data governance solutions must be built for the practice of federated data governance, unique to each organization. Just as adopting cloud solutions requires one to become a cloud company, adopting data governance requires one to become a data governance company. Modern data governance success requires C-Suite alignment and support, and must be simple, efficient, customizable, and flexible to activate your unique practice. 

Introducing data governance for the business, by the business 

We are thrilled to introduce the new Microsoft Purview data governance experience. Our new data governance capabilities will help any organization of any size to accelerate business value creation in the era of AI.  

A business-friendly approach to govern multi-cloud data estates  

Designed with the business in mind, the new governance experience supports different functions across the business with clear role definitions for governance administrators, business domain creators, data health owners, and data health readers.  

Within Data Management, customers can easily define and assign business-friendly terminology (such as Finance and Claims). Business-friendly language follows the data governance experience through Data Products (a collection of data assets used for a business function), Business Domains (ownership of Data Products), Data Quality (assessment of quality), Data Access, Actions, and Data Estate Health (reports and insights). 

This new data governance experience allows you to scan and search data across your data estate assets.

New data products experience within the data management area of Microsoft Purview Data Catalog

Built-in data quality capabilities and rules which follow the data  

The new data quality model enables your organization to set rules top down with business domains, data products, and the data assets themselves. Policies can be set on a term or rule which flows through and helps save data stewards hours to days of manual work depending on the scale of your estate. Once rules and policies are applied, the data quality model will generate data quality scores at the asset, data product, or business domain level giving you snapshot insights into your data quality relative to your business rules. 

Within the data quality model, there are two metadata analysis capabilities: 1) profiling (quick sample set insights) and 2) data quality scans (in-depth scans of full data sets). These profiling capabilities use your defined rules or built-in templates to reason over your metadata and give you data quality insights and recommendations.

New data quality experience within the data management area of Microsoft Purview Data Catalog

Apply industry standard controls in data estate health management

In partnership with EDM Council, new data health controls include a set of 14 standards for cloud data management controls. These standards govern how data is to be managed while controls create fidelity of how data assets are used/accessed. Examples are metadata completeness, cataloging, classification, access entitlement, and data quality. A data office can configure rules which determine the score and define what constitutes a red/yellow/green indicator score, ensuring your rules and indicators reflect the unique standards of your organization.

 New data health controls experience within the data estate health area of Microsoft Purview Data Catalog

Summarized insights help activate and sustain your practice  

Data governance is a practice which is nurtured over time. Aggregated insights help you put the “practice” into your data governance practice by showcasing the overall health of your governed data estate. Built-in reports surface deep insight across a variety of dimensions: assets, catalog adoption, classifications, data governance, data stewardship, glossary, and sensitivity labels.

The image below is the Data Governance report which can be filtered by business domain, data product, and status for deeper insights.  

New data health controls experience within the data estate health area of Microsoft Purview Data Catalog

Stay on top of data governance health with aggregated actions   

The new Actions center aggregates and summarizes governance-related actions by role, data product, or business domain. Actions stem from usage or implementation being out of alignment from defined controls. This interactive summary makes it easy for teams to manage and track actions: simply click on the action to make the change required. Cleaning up outstanding actions helps improve the overall posture of your data governance practice, which is key to making governance a team sport.

New data governance report within the data estate health area of Microsoft Purview Data Catalog

Announcing technology partnerships for even greater customer value  

We are excited to announce a solution initiative with Ernst & Young LLP (EY US), who will bring their extensive experience in data solutions within financial services, to collaborate with Microsoft on producing data governance reports and playbooks purpose-built for US-oriented financial services customers. These reports and playbooks aim to accelerate the customer time to value for activating a governance practice that adheres to the unique regulation needs of the financial sector. These assets will be made available in Azure Marketplace over the course of preview and the learnings from this will also help inform future product roadmap.

Additionally, a modern data governance solution integrates and extends across your technology estate. With this new data governance experience, we are also excited to announce technology partnerships that will help seamlessly extend the value of Microsoft Purview to customers through pre-built integration. Integrations will light up over the course of preview and be available in Azure Marketplace.  

Master Data Management   

  • CluedIn brings native Master Data Management and Data Quality functionality to Microsoft Fabric, Microsoft Purview, and the Azure stack. Learn more about CluedIn.
  • Profisee Master Data Management is a complementary and necessary piece of your data governance strategy. Learn more about Profisee.
  • Semarchy combines master data management, data intelligence, and data integration into a singular application in any environment. Learn more about Semarchy.

Data Lineage   

  • Solidatus empowers data-rich enterprises to visualize, understand, and govern data like never before. Learn more about Solidatus.

Try the new experience

Available starting April 8, 2024, please log on to the Microsoft Purview portal and give the reimagined data governance experience within the “Data Catalog” tile a try. We’d love to hear your feedback!  


Introducing Native Authentication for Microsoft Entra External ID


Kaushik Kislay

March 28th, 2024

Today, we’re excited to announce the public preview of Native Authentication for Microsoft Entra External ID. Native authentication empowers you to take complete control over the design of the sign-in experience of your mobile applications. It allows you to craft stunning, pixel-perfect authentication screens that are seamlessly integrated into your apps, rather than relying on browser-based solutions.

To learn more about native authentication, explore our docs.

Get Started with Code Samples

Authentication on Mobile: Native authentication vs Browser-delegated

When it comes to implementing authentication for mobile apps on External ID, you have two options:

  • Fully custom SDK based native authentication.
  • Microsoft-hosted browser-delegated authentication.

In the browser-delegated mobile app sign-in process, users often experience a disruptive jump during authentication. They’re taken to a browser for authentication and then redirected back to the app when the sign-in is complete. This leads to a diluted experience and branding can be compromised. While browser-delegated methods can reduce attack vectors and support single sign-on (SSO), they suffer from limited UI customization and poor user experience.

Native authentication gives you full control over the user interface and experience.

When to use native authentication

The approach you choose will depend on your app’s specific requirements. While each app has unique authentication needs, there are some common considerations to keep in mind. Whether you choose native authentication or browser-delegated authentication, Microsoft Entra External ID supports both.

The following table compares the two authentication approaches to help you decide which one is right for your app.

How to use native authentication 

You can build apps that use native authentication by using our native authentication API or the Microsoft Authentication Library (MSAL) SDK for Android and iOS. Whenever possible, we recommend you use MSAL to add native authentication to your apps. If you are planning to create a mobile app on a framework currently not supported by MSAL, you can use our authentication API.

The MSAL SDK abstracts the underlying protocol and provides you with simple, intuitive scenario-based interfaces. For example, to sign a user in using the email one-time passcode flow, it captures the user’s email and sends them an email containing a one-time passcode to verify their email. When the user enters the valid one-time passcode, the app signs them in.

In the example below, where we sign a user in, we use the library’s signIn(username) method. The function returns a result that you can assign to the actionResult field. The actionResult represents the result of the previously performed action and can take multiple states (forms).

To implement this, add a button to your application that calls the following code snippet when selected:

Error scenarios such as ‘user not found’ can be handled as shown in the code snippet below.

Ready to get started?

Stay connected and informed

To learn more or test out features in the Microsoft Entra suite of products, visit our developer center. Make sure you subscribe to the Identity blog for more insights and to keep up with the latest on all things Identity. And, follow us on YouTube for video overviews, tutorials, and deep dives.


No mention of support for their own product Maui.NET, typical microsoft

Shouldn’t we be treating passwords like plutonium in 2024? Aren’t there any plans for integration with Passkeys?

Passwords will always be subject to phishing attacks, whereas with Passkeys, the key is not known by the end user, and will only be released to the original issuing site after confirmation by the user via biometrics or device PIN.


Passkeys are great because it brings in the right balance of user experience and security. We do see Passkeys playing a key role in the auth spectrum and it has been a big part of our focus. While the adoption of Passkeys is picking up in CIAM space, unfortunately it still has limited familiarity among consumers who still find one-time pass-codes and passwords more familiar and is being used extensively by customers. With Native Authentication we aim to bring to our developers a wide range of auth methods so that they can choose what best suits their needs.

That’s great that Passkeys are on the radar.

Consumers may be more familiar with passwords, but at the same time, they’re really tired of them. We need to push for things like Passkeys for the sake of everyone. The average consumer shouldn’t really even have to know they’re using Passkeys – as far as they’re concerned it should just be a biometric interaction.

For initial sign ups, one time passwords sent by email do have the advantage of confirming the user’s email address. If Passkeys could be combined with filling out pre-verified details such as a default email address, that would be a bonus.

With Google, Apple and Microsoft all behind Passkeys as an open industry standard, it’s really up to you guys to push it as THE way forward, and remove any blockers that prevent developers and end users from adopting it.

I had problems while trying to use the Expo platform when I needed to make an authentication. Despite extensive searching on the internet, I couldn’t find much support from Google or Apple to resolve these issues. It’s amazing to see Microsoft working on a project like this, and I’m sure it will be helpful. Great job!


Atlassian Cloud changes Mar 25 to Apr 1, 2024

These changes have recently been rolled out to Atlassian Cloud sites.

Changes labeled ROLLING OUT are being gradually rolled out and may not be on your site just yet.

Atlassian Administration


Atlassian Administration is where you manage your Atlassian organization, including user access to products, security settings, and billing preferences.

Filter the user list with added roles

We’ve updated the users list in the Atlassian Administration Directory. You can now filter the user list by new roles that have been split into multiple dropdown menus instead of one.

The roles we’re introducing include:

  • Compass basic
  • Jira Service Management stakeholder and customer
  • Jira Product Discovery contributor

To filter the user list by roles:

  • Go to admin.atlassian.com. Select your organization if you have more than one.
  • Select Directory > Users.
  • From the Role field, select the role you’d like to filter by.

This change only applies to user list filters for centralized user management. Learn more about the centralized user management

Make it easy and secure for customers to log in to your help center with single sign-on

When you connect an identity provider to your Jira Service Management site, you can authenticate your customers with SAML single sign-on (SSO).

Before you begin: You must subscribe to Atlassian Access from your organization before you set up SAML single sign-on. Learn more about how to start with Atlassian Access

To set up SAML SSO for portal-only customers:

  • Go to Settings > Products.
  • Under Jira Service Management, select Authentication.
  • Select Add identity provider.
  • Follow the prompts to complete the setup.

Learn more about SAML single sign-on for portal-only customers

Connect Microsoft Azure AD to Atlassian with an option that works for you

When you connect your Microsoft Azure AD identity provider to an Atlassian organization, you now have two options.

Option 1: Manually set up user provisioning

Recommended when you need:

  • flexibility in setting up your Microsoft Azure Active Directory identity provider with SCIM and SAML
  • to sync groups and users with no flattening of nested group structure
  • to sync when you add users to your Azure AD

Learn how to add an identity provider for this option

Option 2: Automatically set up user provisioning

  • easy set up by allowing access to groups and users in your Microsoft Azure Active Directory
  • to flatten your nested group structure and keep group memberships
  • to sync automatically (every 4 hours)

Learn more about Azure AD for nested groups

To connect your identity provider:

  • Go to admin.atlassian.com. Select your organization if you have more than one.
  • Select Security > Identity providers.

Learn more about identity providers

Control whether members use API tokens to authenticate

You can now control whether members can make API calls with a User API token into your organization’s products.

With this new API token setting, you can allow or block members from:

  • Creating a new User API token to authenticate
  • Using an existing User API token to authenticate

To try out the API token setting:

  • Log in to admin.atlassian.com.
  • Select an organization if you have more than one.
  • Select Security from the global navigation.
  • Select Authentication policies from the sidebar.
  • Select Settings.
  • Select User API tokens.

Keep track of activities for data security policies in the audit log

We’re now tracking activities for data security policies in the audit log.

Use the audit log to see key activities, like when a data security policy is created, activated, deactivated, and deleted. You can also see when rules have been added and removed from a data security policy.

We’ll be introducing new activities in the future to give you even more visibility over your data security policies.

Learn more about tracking activities from the audit log

To see audit log activities for all data security policies:

  • Select Security > Data security policies.
  • Select the More actions icon ( ••• ).
  • Select View audit log.

The audit log will show all tracked activities for every data security policy in your organization.

To see audit log activities for a particular data security policy:

  • Select the policy.

The audit log will show all tracked activities for your selected data security policy.

Find Atlassian Administration settings faster

You can now avoid searching every page of the Atlassian administration looking for what you need. We’ve added a new search field. From this field, you can enter a top or left navigation page title and select the page you want from the results.

To use the Administration search field:

  • Select the search field in the top right.
  • Enter the page title.
  • Select the page you want.

Retiring the possibility to manage the atlassian-addons-project-access role

Following up on our previous announcement, we’re planning to remove the possibility to manage the atlassian-addons-project-access role in two to six months. The exact date depends on the feedback we receive after this announcement.

By default, the role is assigned to all project permissions in permission schemes and all issue security levels in issue security schemes. As a result of this change, the possibility to manage that role’s permissions and issue security levels, both via the UI and the REST API, will be restricted.

If you have any concerns about the planned changes, please leave them under this public ticket.

Control third-party keyboards on mobile devices

You can now block third-party software keyboards on iOS devices. This prevents potential data leakage or unauthorized access to your organization’s Atlassian product data.

You can select block third-party keyboard on iOS from your mobile app policy.

To block third party keyboard on iOS:

  • Log in to admin.atlassian.com > Security
  • Select > Create Mobile app policy .
  • Select edit Mobile app policy .
  • Select block third-party keyboard on iOS.

Create custom domains for your Jira products

We removed keyword restrictions when you create custom domains. You will no longer have a fixed list to select keywords for subdomains. Instead, you have the ability to manually enter your own subdomains.

Jira family products have also been given added support. You can now select Jira products from the dropdown menu when you create a custom domain.

To create a custom domain:

  • Select Products > Product URLs.
  • Select Add custom domain. This is only visible if you have an eligible product.
  • Review the Before you add a custom domain page, and select Next.
  • Select which product you want to access from your custom domain.
  • Follow the prompts to specify your domain. You’ll need to enter two subdomains and a domain.
  • Enter a Redirect URL. This is optional.
  • Review changes and select Create domain.

Get fresh insights about your organization

You can now manually refresh your organization’s insight charts. Additionally, we’ve added timestamps under each chart.

If you don’t refresh your charts, they’ll automatically refresh every 24 hours. Tell me more about organizational insights

To manually refresh a chart:

  • Go to admin.atlassian.com. Select your organization if you have one.
  • Select Security > Insights.
  • From a chart, select the refresh button at the bottom left.

Gain security insight with more charts

Get more insight into your users with four new charts. These charts allow you to see managed accounts and external users that have access to your organization, your products, and their security practices.

The new charts include domains with access to your products, users with access to your products, two-step verification for external users, and external user policy.

To access new charts:

Data residency is now supported in six new regions

We're launching data residency in United Kingdom, Japan, India, Brazil, South Korea, and Switzerland to allow you to control where your data is stored.

There are a few limitations with these new locations. Find out more about any limitations

We're adding these locations to the list of supported locations in phases, so expect to see updates in the coming weeks.

To schedule a data residency move for the United Kingdom, Japan, India, Brazil, Switzerland, and South Korea:

  • Select Security > Data residency.
  • In the data residency table, select Move product.
  • Go to Select location, and select the desired country as the location.

Discover more about data residency

Data residency for Marketplace apps

When evaluating data residency for your apps, you might see some apps listed as "No action available."

This means that some app partners declare that their apps don't need to be pinned or migrated because their apps exclusively store data within the Atlassian product. Another reason is that the apps may not store any data in the scope of the Marketplace partner's data residency policies.

To request a data residency move for your apps, you will have first to move your product. Learn more about how to move your product from one location to another

Once your product has been pinned to your selected location, you can move your eligible apps to the same location. Learn more about data residency for Marketplace apps

Export accounts from domains faster

You can now directly export a list of all members in your domain to a CSV file from the Actions column. Previously you could only export accounts through Claim accounts.

When you download your CSV file, you’ll also be able to view if another organization has claimed the accounts or not. How to export accounts from domains

To export accounts:

  • Select Settings > Domains.
  • Select Export accounts from the Actions column.
  • Select Export from the confirmation screen to get the CSV emailed to you.

Copy Confluence data: Move users related to spaces you want to copy

When you move data from one instance of your Confluence cloud to another, you can move spaces, and only users who contribute to the spaces. This means that when you add or reorganize teams, you can move spaces and only the related users you want, instead of all users. This will help you copy data:

  • in small chunks
  • in multiple phases
  • quicker and reduce your overall downtime.

To access this feature:

  • Select Settings > Copy product data.
  • Select Create copy plan.
  • On the How it works page, select Next.
  • Select your source and destination.
  • Select the spaces you want to copy.
  • On the Copy users and groups page, select Copy users and groups related to the selected spaces from the Users and groups section.

Changes in this section usually apply to all Jira products. We'll tell you in the change description if something is only for a specific Jira product.

JWM Clickup Importer

Moving your work from ClickUp to Jira Work Management just got easier. Using the ClickUp importer, you can directly import projects into Jira Work Management.

Save the effort of manually moving data and ensure the project information is relevant and accurate.

To directly import your data using the ClickUp importer:

  • From the navigation bar, select Projects > Create project.
  • From the sidebar, go to More > select Import data.
  • Select Import to a new business project.
  • In the import from an app section, select ClickUp.

See all of your virtual agent conversations in one place

Access a log of all virtual agent conversations using the new Conversations page!

To check it out, go to Virtual agent and then select Conversations from the navigation on the left. Use filters to narrow down conversations by things like customer satisfaction (CSAT) score, whether or not an intent was matched, whether or not a conversation was resolved or escalated – and more.

Open a conversation in Slack to get more insight into the virtual agent's performance, and jump straight to matched intents from the Conversations page to make improvements on the fly.

Read more about how you can use conversation data to improve your virtual agent's performance.

Hide unused fields when creating issues

There can be a lot of fields to scroll through when you’re creating issues, and we know there are many fields that are simply unused.

We’re introducing a feature that only surfaces the fields you actually use. We’ll create a personalised Create issue form for each issue type and project.

All the fields you don’t use will be hidden in a More fields section, so you'll always be able to interact with them. The feature is continuously learning. If we notice you using a previously unused field, we’ll pull it out of the More fields section for the next time.

We’ll automatically turn on the feature to hide unused fields when creating issues, but you can manage it by heading to Personal settings and scrolling down to the Jira labs section. From there, you can use the toggle to opt in and out of the feature.

Filter results dashboard gadget improvements

The gadget now displays issues in the same way as they appear in the issue navigator. When you configure the gadget, changing the displayed columns and their ordering also works the same as in the issue navigator.

Take a look at the improvements by adding a new Filter results gadget to one of your Jira dashboards.

Searching for issues just got faster in Jira Cloud

We’ve modernized, optimized, and redesigned the way you search for issues. With features like smart syntax highlighting and enhanced autocomplete, the new JQL editor lets you build powerful queries for accurate search results. Configure and reorder columns to see what’s most important to you. Explore the new issue search in Jira Cloud

Add status while creating an issue

You can now select the status of an issue while you're creating it. For example, you could make an issue with the "in progress" status.

When selecting the status of an issue while creating it, you'll only be able to select statuses that don't have screens, actions, rules, validations or conditions in your workflow.

The new global issue create experience is enabled for all instances

We’ve modernized and optimized the experience to create issues to make it fast and scalable. Note that you won’t be able to switch back to the old experience.

Use the GitHub for Jira app to connect GitHub Enterprise, instead of DVCS

Jira admins making a new GitHub connection for a new organisation now need to install the GitHub for Jira app. The app functions just like the DVCS Connector, but with better security features and improved performance.

This only applies to new GitHub connections in new organisations. Existing connections using DVCS are not affected.

Learn more about the GitHub for Jira app.

Control what you see in your products

Product recommendations now have controls, so now you can dismiss them or learn more about why you’re seeing them. These controls are being added to the recommendations in the app switcher menu which means you'll have more control and receive better product recommendations.

You can select the three dots next to the recommendation to learn why we have recommended it or to dismiss it entirely.

The recommendation controls will first be released to both Free and Standard teams of up to 50 users. Note: Only admins will be able to add a new product by clicking on the recommendation.

Update to the create issue mini window

We've updated the look and feel of the create issue mini window.

Next time you're creating an issue, you can use the icons on the top right of your issue to exit full screen and use the re-designed mini window. You can also click the background outside the issue you're creating to exit the full screen view.

With the mini window, you'll be able to create work in context and navigate your project without losing progress on your new issue.

Developers can now quickly determine what to work on next with automated suggestions

When you're in the middle of a sprint and you finish a task, it can be hard to know exactly what to do next. Automated suggestions from connected tools are specifically chosen for you based on work on your board. This will help you decide which tasks to do next and keep momentum. This is an alpha release available in team-managed projects.

  • Go to your Jira board and select your avatar.
  • The What to work on panel will slide open with your customized suggestions. Hover over any of the suggestions to see tooltips with more information.
  • Select the call to action if you want to work on the suggestion.

Get better results by refining your search with more criteria

We’ve added support to fields like description, environment, epic name, Atlas goal, Atlas project, time in status CHART, and custom fields of the type paragraph, short text, and read-only. Additionally, we’ve added support to configure all fields as columns in the List view.

To get started with this change:

  • Go to your project's sidebar.
  • Select Issues.
  • Select More+ to use these fields.

Customize priorities for your projects

As a Jira admin, you can configure priorities that work best for projects so that your team can select the right priority for their issues. Learn more about priority schemes.

Custom navigation colors are now compatible with dark theme

If you've set a bright custom color for your navigation bar, we'll automatically modify it for anyone in your site using dark theme.

Work more securely with your collaborators in Jira Cloud

Keeping privacy and security in mind, the Browse projects permission lets users in a project see a list of recommended users for fields like mentions, reporter, watchers, custom user field, custom multi-user field, custom people fields, and approvers. Learn more about restricting global permissions to users and groups

Issues and comments created from an unknown email will now use Default Reporter

Our Jira Incoming Emails component has had an update. When an email is received from an unknown email address, and the sender isn’t a Jira user, a new user will no longer be created. The person you selected in your settings as the Default Reporter will be used instead when creating an issue or comment from an email.

Use filters to search and display Jira issues

Now you can use filters to search for Jira issues and display them in a list, without leaving the Confluence page.

This improvement follows the release that allows you to search for issues using keywords or JQL, and the flexibility to add, remove, and reorder fields.

How to display Jira issues in a list

Start using filters to search for Jira issues:

  • Edit a Jira description or comment.
  • Type /jira and select Jira issues.
  • With Basic selected, use the filters to search by Project, Type, Status, or Assignee.
  • Select Insert issues.

This will display your selected issues in a list format you can interact with.

To edit your list of Jira issues:

  • Select anywhere on the list.
  • Select the Edit button (left-most icon) from the menu that appears at the bottom of the table.
  • Edit your search query using Basic or JQL.

Create a Confluence page while viewing a Jira issue

You can now create a new Confluence page while viewing a Jira issue.

People licensed on both Jira and Confluence have two ways to create a page. Access the Create menu dropdown either below the issue's title or in the Confluence content section.

The page you create will be linked to your issue, making it easier to work together.

Anyone with Confluence and Jira will see the new Create options on every issue. Add Confluence and connect it to Jira to activate this feature.

It’s easier to access Jira Product Discovery projects

People who do not have Jira Product Discovery but use Jira Software, Jira Work Management, and Jira Service Management will now see a recommendation for Jira Product Discovery in their ‘Projects’ menu.

They can access it when they click on ‘Projects’ in their menu. If they select the Jira Product Discovery recommendation they will proceed to sign up for a Free or Standard plan and create a new Jira Product Discovery project.

Only people with permission to create a project will see it, on any plan type (Free, Standard, Premium or Enterprise) and it can be dismissed or removed at any time. You can completely disable these types of recommendations at any time from admin.atlassian.com.

View and add apps to roles within Assets

A new column in the roles table within Assets now gives you the ability to view, add, or remove apps.

Apps have similar permissions as those granted to Users. Assets data-import apps will be added automatically to the object schema manager role when a new import is created for that app and schema. You can also add or remove it manually after you install the app.

We've also added some extra descriptors to the page to help explain how roles work within Assets in Jira Service Management, and separated each role into its own table for ease of visibility and use.

Editing your issues in issue navigator just got easier

Directly edit summary, labels, and due date fields in the issue navigator without the hassle of going into each issue.

To edit these fields:

  • Select Issues on the project sidebar.
  • In list view, select a summary, due date, or labels field and make changes.

Finish setting up your tools from the issue view

Jira site admins can now finish setting up code, deployment, and security tools by following a link from the issue view. If a site admin has installed a tool on your site, we'll show a link on the development panel so you can finish setting it up.

To get started:

  • Go to your Jira project and open an issue.
  • Set up code tools
  • Set up deployment tools
  • Set up security tools
  • From the dropdown menu, select the tool you want to set up.
  • Follow the steps to finish setting up your integration.

New ways to manage email notifications from Jira

We've moved notification preferences out of your Personal settings page into its own Notifications space where we can continually develop ways for you to take control of your Jira notifications.

We've also replaced the old notification configurations with 10 notification preference options, so you have even more control of what notifications you actually want to receive.

To see the change: Select your profile and settings icon, then select Notifications.

New and improved reports

We've made your reports look better. They also have better performance and versatility in visualization of data.

Use Atlassian Intelligence to define words in the issue description

You can now use Atlassian Intelligence to define one or more words in the issue description. The definitions will be based on information found in connected Confluence spaces.

To use Atlassian Intelligence to define words:

  • Make sure the description is in view mode, not edit mode
  • Highlight words you need defined
  • Select Define

Definitions are only available in the description in view mode.

Maximum cardinality limit on multi-value attributes in Assets

Assets in Jira Service Management is a database and so requires a combination of good data modeling and a great deal of processing power to handle large amounts of data. Here are recommendations for how to structure your data for Assets schemas.

See also: How to build an effective ITAM schema structure.

For this reason, we're introducing a maximum cardinality limit of 20,000 per object type attribute for Assets. Read more about recommended data structures for Assets.

Exceeding these limits can cause performance and reliability issues, therefore each site cannot create further items once they reach the limit. You can find out how many objects your site currently contains using the feature usage screen. Read more about how to track your usage.

Access designs from the release page in Jira

Designs linked to Jira issues within a version can now be found on the release page, giving your team live updates and greater visibility of their design work. Read more about linking designs to Jira issues

Filter issues by work category

We've added a new field to the issue navigator so you can filter issues by work category.

To use this new filter, from the issue navigator, select More, then Work category in the dropdown.

New "Entitlements" field

We've added a new custom field to go with the new Products and entitlements feature in Jira Service Management. The field allows agents to view customers' entitlements in their project to get additional context when working on issues.

The team field in Jira issues now shows the team icon

Previously, selecting the team field in an issue would prompt a search displaying the singular "Person" icon. The correct "Team" icon now shows to indicate what should be selected for the field.

Updates to how you insert canned responses

We’ve now made it easier to insert canned responses. You can select Enter or double-click to easily insert the chosen response into the comment box.

Read more about inserting a canned response

Object schema limits for Assets in Jira Service Management

As part of ongoing work to improve performance and reliability, we have introduced a maximum limit of 100 object schemas for each individual Assets in Jira Service Management site. Read more about how much data you can store in Assets.

Receive notifications when you make changes to issues in Jira

We're bringing back the functionality that allows people to be notified about their own changes to issues in Jira.

From your profile avatar, select Notifications. Use the toggle that allows you to Receive emails when you make changes to issues. Toggle it on to allow this type of email notification, or toggle it off to prevent this type of email notification.

Plans in Jira - Introducing the Calendar view!

View work in your plan on a calendar instead of a timeline.

As of right now, the calendar view is read-only, but you can add filters to show the work items you want to see.

Move data between sites with cloud-to-cloud migration

We're introducing cloud-to-cloud migration to make it easier for you to move users and projects from one cloud site to another. Cloud-to-cloud migration can help you combine data between two or more cloud sites, split a cloud site into multiple cloud sites, duplicate a cloud site, or move specific projects from one cloud site to another.

Org and site admins can access this feature by logging in to the cloud site you want to move your users and projects from, then going to Settings > System > Migrate cloud site.

New Parent field in company-managed projects

We're improving the way you associate epics with your bugs, stories and tasks in Jira by replacing the existing Epic link and Parent link fields in company-managed projects with the Parent field, consistent with team-managed projects. Read more about these changes on the Community

With this release, we're introducing the following changes:

  • the Parent field is now available when creating new schemes and layouts
  • the existing Epic link and Parent link fields have been replaced with the Parent field in the issue view, and when creating new issues and workflow transitions
  • the Add parent feature seen in team-managed projects has now been added to the company-managed issue view
  • the parent JQL function now includes the functionality of the epic link, parent link and parentEpic functions

Advanced Roadmaps - New navigation

Advanced Roadmaps has a new look that makes it look and feel more like the rest of Jira Software.

To state it simply, the nav now lives on the left-hand side. This new layout opens Advanced Roadmaps up to a whole new world of designs and new features (whoops, not sure if I was supposed to say that 🤭).

Even though this is rolling out to all users, we'd still love to hear your thoughts about how it affects your work, or your ideas for improvements. Use the Give feedback button, which is still located in the upper right of your screen.

If you opted in the Early Access Program from last month, you won't notice a change. However, this layout is now the new default view for Advanced Roadmaps and can no longer be disabled.

Read more about these changes in our community post.

Connect your tools while creating a new project

We’ve updated the way you connect code and documentation tools when starting a new scrum or kanban project in Jira Software.

Depending on which tools are already connected to your site, you can quickly connect your team’s code repositories, security containers, and Confluence spaces.

  • From the top menu, go to Projects > Create project.
  • Choose a project template, a project type, and enter a name and key for your new project.
  • From the Connect your tools screen, connect your code repositories, security containers, and Confluence spaces.

You’ll see this screen and be able to connect your work if you have one of these tools connected to your site:

Connect Google Drive in Project Pages

Project pages previously only connected to Confluence. Users can now connect and view Google Drive files from within Jira.

Any updates made to Google Drive files within Jira are automatically synced, ensuring that all team members are working with the most up-to-date information.

The integration provides an option to search for and link existing Google Drive files to Jira issues, making it simple to associate relevant files with specific tasks.

To get started with connecting Google Drive to Jira Software:

If you’ve never used project pages before:

  • Select Connect Google Drive
  • Select sign in with Google
  • Log in to your Google account and grant access to your shared drives. Close this tab and return to Jira.
  • Select the shared drive you want to connect from the dropdown. Your shared drive will be visible to anyone in your Jira project.
  • Select connect shared drive

If you have Confluence connected to project pages:

  • Select the Add Google Drive tab
  • Select the shared drive you want to connect from the dropdown. Your shared drive will be visible to anyone in your Jira project.
  • Select connect shared drive.

That’s it! Once you’ve connected a shared Google Drive to Jira, it will be synced to your Jira project.

Organize and track work against Compass software components

You can now link issues to Compass components from any company-managed Jira Software project.

This helps your team organize and track work in Jira against elements of your software architecture cataloged in Compass – so you can understand the impact of that work; prioritize work more effectively; and find the information you need to get that work done faster.

Learn more about Compass components

Switch to Compass components (project admins)

  • In your project sidebar, select Components.
  • Jira components won't be deleted, and they'll still be visible on issues they were previously linked to. You can switch back to Jira components at any time.

Read the full documentation

Link issues to Compass components

If you don't have Compass yet:

  • Only site admins can do this; if you're not a site admin, you can send a request to your site admin to get Compass.

If you have Compass, but don't have any software components:

  • On the Components page, select Create component. Compass will open in a new tab.
  • Fill out the information for the new component, including the name, type, owner team, and related source code repository link. Read more about creating Compass components
  • Open any issue in your project.
  • Select the Components field, and choose the Compass component you want to link to the issue.
  • The component and its linked issue will appear on your project's Components page; and you can search for the component in the backlog, boards, and issue navigator.

If you have Compass, and have software components:

Connect pending Bitbucket workspaces on the Code page or the development dialog

If someone in your team has begun the process to connect Bitbucket with your Jira site, you can now complete the connection process on the Code page or in the development dialog. You must be a Jira admin to do this.

To connect pending Bitbucket workspaces on the Code page:

  • Go to Code in your project menu.
  • Select Connect workspace in the blue banner to connect a workspace.

To connect pending Bitbucket workspaces using the development dialog:

  • Navigate to an issue in your project.
  • Open the development dialog by selecting either a branch, commit, pull request, build, or deployment from the development panel.

Read more about integrating Bitbucket with Jira

Move a mighty amount of issues from a completed sprint

Didn't get through all the issues you'd planned to in a sprint (we're talking more than a thousand or so)?

Take a moment to pause while they're dropped into a new sprint, a sprint that you've already created, or your backlog.

Track and triage incidents affecting your services in Jira

We’re excited to roll out the new incidents feature in Jira Software Cloud.

This feature pulls in data from connected incident management, monitoring, and observability tools, so your development team can have a holistic view of incidents impacting services they are responsible for.

Our first supported product is Jira Service Management, and we plan to add support for more incident management and observability tools soon.

By turning unexpected incidents into manageable, visible work, you can improve your team’s focus on quick resolution and internal review while building proactive work practices to prevent incidents from happening again.

To get started with the incidents feature:

For some customers who use Jira Service Management, the feature will be available and automatically appear under Operations in the list of features.

To turn it on manually:

  • Go to Project settings > Features.
  • Toggle Incidents on.

We're gradually rolling out the incidents feature over the next few weeks to specific customers. If you don't see it yet, check back again soon.

Finish setting up your development tools from the issue view

Jira site admins can now finish setting up code and deployment tools by following a link from the issue view. If any site admin has installed a tool on your site, we'll show a link on the development panel so you can finish setting it up.

If a code tool has been installed but not configured, we'll show a link to Set up code tools.

If a deployment tool has been installed but not configured, we'll show a link to Set up deployment tools.

  • In the development panel, select Set up code tools (or Set up deployment tools).
  • In the dropdown, select the tool you want to set up.

Move plans to trash instead of deleting them

When you delete a plan, it's now held in the trash for 60 days before being permanently deleted.

This differs from before when planners would select Delete, confirm their decision, and the plan would disappear like Andy Dufresne from Shawshank Prison.

Find out how to delete a plan using this new, less destructive manner

Link issues to connect work across teams and projects in Jira

We’ve introduced the ability to link issues directly on the board. You can now surface dependencies and related work to get a clearer picture of how work is progressing. Issues can be linked across different projects in Jira, which means that it’s easier than ever to keep software teams connected to the business, and vice versa.

To link issues directly on the board:

  • Right-click on an issue or hover to select more actions (…).
  • Select Link issue.
  • Select a link type, then select the issues you want to link. If you want to link an issue that hasn’t been created yet, select Create linked issue.
  • Select Link.

To show linked issues on the board:

  • Select View settings in the top right of the board.
  • Select the toggle to switch on Linked issues.

Parenting a team-managed epic with a company-managed initiative is now possible in Plans

To help you better integrate work across project types, you can now assign a company-managed initiative as a parent to a team-managed epic. Configuring a hierarchy level above epic is only possible in Premium or Enterprise editions.

Create child issues for hierarchy level above Epic (+1)

Jira Premium users can create hierarchy levels above epic to track individual pieces of work to larger initiatives. Read more about hierarchy levels in our documentation.

With this change, Premium customers can now create child issues for issues in these additional hierarchy levels. For example, suppose your site includes a hierarchy level called Initiative that sits above Epic. You can now create an Epic while viewing an Initiative issue using the Create a child issue button. That new Epic will then be automatically associated with the Initiative via the Parent field.

Company-managed projects: Create, edit, and delete columns directly on the board

If you want to quickly add or update a column on your board, you don’t need to go far. You can now create, rename, move, set constraints for, and delete columns without leaving the board. You’ll still have the ability to do all of the above in your board’s settings page, but if you’ve only got time for a quick fix, we’ve now got you covered!

If you’re a project or board admin for the board you want to update, you can try the following changes:

  • To create a column, select the + icon to the right of all columns.
  • To rename a column, select its name to edit directly.
  • To move a column, select its top, then drag the column to its new position.
  • To set column constraints, right-click its name or hover to select more actions (•••) > Set column limit.
  • To delete a column, right-click its name or hover to select more actions (•••) > Delete.

View high-level work across multiple teams with a new template

Use the new cross-team planning template to get a high-level view of work across multiple teams.

Plans in Jira - Autoscheduler disabled by default in new plans

Newly created plans will no longer have the Auto-scheduler enabled by default. Plan owners can still enable it in the Plan settings if they want.

Jira Service Desk is now Jira Service Management! We’re in the process of rolling out some exciting new features for all users. Learn more about these new features.

Object schema counter and limit info for Assets

Ever wondered exactly how many object schemas you have in Assets? Wonder no more!

We've added a schema counter to the Assets overview page (left of the Objects counter) so you can keep track. If you ever reach the maximum limit for object schemas, we've also added a tooltip and replaced the 'Create schema' button with a label (so you don't go ahead through all the effort of creating a new schema only to find out that you can't!).

Quickly create incidents from your Slack channels

It's now possible for you to create an incident directly from your Slack channels. Use the /jsmops create incident command in any Slack channel and you'll be able to fill out the incident details. When you create the incident, you can choose to link the incident to a new Slack channel or to an existing channel.

Once the incident is created, all the incident details, updates, and actions will be available and the affected services' responders will be automatically added to the channel.

Read how to connect Slack with Jira Service Management

Products and entitlements

We’ve added a new feature that allows you to add products and customer entitlements in your project.

An entitlement represents a customer's access to a product or service, and creating entitlements allows you to add and view important details related to that access. These details could include things like: support level, product tier, number of licenses, expiry date or any other information about their entitlement.

To get started, go to Project settings, then Features and enable Products and entitlements. This will add a new page to your project navigation called Products.

New project details page for company-managed service projects

We've redesigned the project details page for company-managed projects to match the clean, sleek look of our team-managed project details page. As part of this update, you can also enjoy more formatting options for the project description.

Introducing a new workflow editor in company-managed projects

We're building a new workflow editor for your company-managed projects!

If you're familiar with team-managed projects, you might be familiar with the new workflow editor - it's a faster, cleaner, more intuitive experience for creating and editing your workflows.

In our first release, we're making the new editor available for Jira Service Management projects so you can start using it right away, but we still have more work to do to bring across all the features from the old workflow editor.

While we continue building the new editor, you can switch between editors as needed using the Open in old editor or Open in new editor options. You can also select a default editor so that your workflows always open in the editor of your choice. Just select Change default editor and follow the steps to make your choice.

If you have feedback on your experience with the new editor, we'd love to hear it. Make use of the feedback options in the editor to let us know your thoughts.

Learn more about the new workflow editor.

Reports now available for Assets

Get a comprehensive overview of your Assets performance, simplify your analysis process and gather valuable insights at a glance with the new reports dashboard for Assets in Jira Service Management.

Things to note:

  • This functionality will be disabled for customers who have signed HIPAA and have tagged Jira Service Management. We are working to enable it but this will take a few more days.
  • Customers who have moved their Jira Service Management instance to the Switzerland Data Residency region will not have any data available in reports.

To get started with the reports for Assets dashboard:

  • Go to Assets
  • Select Reports (to the left of Configuration)

Improved search results in your help center

Your help center's search results will now also include links to external resources that you've added to your service projects. This means customers can find links to useful self-service articles and more from tools outside Jira Service Management in your help center, making their search experience more comprehensive and efficient.

Find out more about adding external resources to your service project.

Create new request types with ease in team-managed projects using request type templates

Recently made available in company-managed projects, we’re now bringing the time-saving benefits of the new request type templates to team-managed projects (TMPs).

Instead of creating a new request type from scratch, you’ll have the option to browse a library of templates designed for a range of different teams and use cases, and select one to quickly create a new request type that you can edit later.

These request type templates act as a starting point for Jira admins who are new to Jira Service Management, as well as those Jira admins who are looking to create consistency across multiple projects, or further customize their project to meet changing needs.

To create a new request type using a template:

  • From the navigation on the left, select Project settings, then Request types.
  • At the bottom of your list of request types, select Add request type, then select Create from template.
  • Browse, search, and Preview the different templates.
  • Select the template you want to use to create your new request type.
  • Review and update the request type’s name, description, and icon, then select Save.

Chat in Slack: Emoji shortcuts are now powered by Jira automation

Emoji shortcuts, based off Halp’s legacy recipes, now use Jira automation’s powerful no-code engine. With this change, admins can manage all automation rules in one place and emoji reactions can be used to edit issues created by Assist in Slack — all allowing for a simpler configuration experience.

If your projects have custom emoji rules, you have until June 4, 2024, to set up similar ones in automation. After that date, the emoji shortcut feature in chat settings will no longer function.

Find out more in our Community blog

Before you start setting up your new automation rules, keep in mind:

  • The ticket emoji shortcut used to create issues isn’t affected by this change, so you don’t need to set this up in automation.
  • You need to set up the eyes emoji shortcut, which assigns agents to issues. Tip: Use the template from the Emoji shortcuts tab in chat settings to quickly set up this automation.

To set up emoji rules in automation:

  • From your project settings, select Automation.
  • Select Create rule.
  • Select Emoji reaction to Slack message as your trigger.
  • Select Turn on rule, name your rule, and then Turn on rule again to save.

To help test your new emoji rules, you can now turn off emoji shortcuts in chat without deleting them:

  • Set up your emoji rule in automation.
  • From the Emoji shortcuts tab in chat settings, find the rule to turn off.
  • Use the toggle to turn off the rule.
  • Test to your satisfaction.

Create request types using Atlassian Intelligence

We’ve bundled all your options under Create request type, so you can choose to either create from blank, from a template, or now using Atlassian Intelligence (AI) in one place.

Select Create using AI to spend less time figuring out what kind of request types to create for your project, and instead get suggestions using Atlassian Intelligence.

Simply describe what type of work your team typically manages, and Atlassian Intelligence will provide you with a number of suggestions you can choose to create based on your prompt. Select a suggestion if you wish to create it, or choose to enter another prompt for more suggestions.

It’s faster and easier for users to try new products

When a user wants to try a new product from an Atlassian product (they are using Jira Software and see a prompt to try Confluence, for example), they typically have to send a request to their admin first. Previously this meant adding a personalized note to the request before hitting ‘send’. Now, the user can hit ‘send’ on a request for Jira Service Management, Confluence or Jira Product Discovery without a personalized note, removing one step entirely.

When the admin receives the request (via notification or email), it has updated information about the requested product, and no personalized note.

This makes it faster and easier for users to request products, and admins to understand what the products do.

Updated read-only version of Workflows

We've updated the read-only version of the Workflows page in Project settings for project admins. The new page looks more modern, has a faster load time, and will allow us to make more changes in the future. Note that we've also removed the text preview functionality.

Use your existing Slack channel to collaborate on incidents

Previously, Jira Service Management helped your incident responders immediately create a new Slack channel to collaborate on an incident.

Now, you can even add an existing Slack channel to an incident, allowing you to link multiple incidents to the same Slack channel. This way, your team can easily manage multiple incidents and be notified of the latest activity through the same Slack channel.

How to add an existing channel to your incident

Go to your incident and select Add channel in the Slack field in Details. In the Create new or select existing channel option, select Select existing channel. Finally, select your Slack workspace and channel and select Add.

Read how to use chat and video tools to resolve incidents as a team

Data limits for object schemas in Assets

For this reason, we have introduced limitations on how many objects, attributes, and attribute characters can be stored inside schemas within each individual Assets in Jira Service Management site. Read more about how much data you can store in Assets.

Navigation group label change

We've updated the "Channels & people" group label in the project navigation to "Directory" to better accommodate optional features that appear in the navigation when enabled.

Colourful categories

Project admins can now assign colours to categories from the list view in Jira Work Management.

Manage custom fields for your project in context of the list view

You can now create and manage custom fields in context of the list view. Certain types of work may require specific information for your team to get the job done. Jira Work Management now allows you to create and manage these additional fields in context of the list view to save you from navigating away from your work. This will help your team with viewing the right, relevant information upfront when completing tasks.

To get started with the change, select the plus symbol at the top right of your list view to show or hide more fields, and manage your custom fields.

Template bundles in the project create page

Effortlessly create between 2 to 6 projects at once, with bundles. We're helping streamline your project creation process and minimizing the need for repetitive manual tasks. Whether you're working in Jira Work Management, Jira Software, or Jira Service Management, bundles guarantee a smooth project creation experience.

Choose from two pre-set bundles: the Marketing or the IT team bundle. And if they don't fit your requirements, you have the flexibility to customize and create your own bundle.

There are a few ways you can create a bundle, one way is to:

  • Select the plus icon + in the project sidebar
  • Choose More templates from the dropdown
  • Select Bundles

Another way to create a bundle is to:

  • Select Projects > Create project in the top navigation bar

Keep your board's background when you import from Trello

Trello backgrounds are now imported into a project. Preserve your board's identity even when you're moving it over to Jira.

You can import Trello boards when you sign up, or when you create a new project from templates.

Adding whimsy to onboarding tutorial

Enjoy whimsical animations while learning Jira best practices.

Celebrate accomplishments

We added fun animations to celebrate finished tasks.

A confetti animation will appear when you change the status of a task to done.

Use AI to generate new content or improve existing content

Generate new content in your ideas descriptions and comments – brainstorm new content, summarize or shorten the content you already have, find action items, and improve your spelling and grammar.

Learn more about Atlassian intelligence.

Calculate delivery progress based on story points

With enhanced calculation options, the delivery progress can now better reflect the size of your linked delivery tickets in Jira Product Discovery. You can easily configure the field to display progress based either on the number of issues per status or on the number of issue story points per status.

Creators can configure the delivery progress field:

  • Click the Delivery progress field to open the Delivery tab, or select a specific idea and go to the Delivery tab.
  • On the Delivery tab, click the delivery progress bar, and then select Configure delivery progress.
  • Default or Simple for the estimation type
  • Issue count or Story points for the estimation values

Learn more details about the estimation rules and configuration options.

Use Confluence automation to create incident tickets in Jira Service Management

You can now create an incident ticket in Jira Service Management using a Confluence automation rule.

Full-screen image previews in edit mode

Get a closer look at your images while editing with the new full-screen preview feature. Simply select an image and select the new Preview button in the floating toolbar. The image will be displayed full-screen, allowing you to make informed editing decisions.

Confluence Premium: Even better content management

The space content manager now allows you to do even more. In this release, we’ve added a new filter option to view pages with deactivated owners, as well as some UI improvements to the existing experience. This allows space admins with Confluence Premium or Enterprise to view and update pages owned by deactivated users, with bulk action support for changing up to 100 pages at a time.

Visit a space and select the Content manager option from the sidebar

To filter pages, select the Filters button at the top of the table. From there, you can select to view Inactive pages, which can be further filtered by date, or the new Pages without active owners option, which can be filtered by deactivated account name.

Create and edit with greater context and control

The sidebar and top navigation are now available while editing a page. Now, you can orient wherever you are and navigate wherever you need to, whenever you need to, even while creating and/or updating content.

As usual, the sidebar can be collapsed and expanded as needed anytime.

Be more expressive with panels

In addition to the five preset panel options, you can customize panels by choosing one of the 20 background colors available.

Panels can have emojis, or you can remove the emoji to meet the needs of your content. The emojis available to you are the same set that you already use in Confluence; this includes custom emojis you and your teammates added.

1. Add a panel to a page by typing /custom panel or by selecting Custom panel from the insert menu.

2. Use the floating toolbar to choose a background color and pick an emoji if you want one.

Automatically get a personal space

A personal space in Confluence is a place of your own to jot down new ideas, introduce yourself to your team, keep track of tasks, store important items or files, polish content before sharing with others, and more.

You can choose to leave the space open for others to visit and collaborate, or you can restrict the pages so that no one else can see them.

If you don't already have a personal space, one will be created for you after you've logged in and viewed a page. There are three ways to get to your personal space:

  • Select Spaces in the global navigation bar. Your personal space is automatically starred for easy access.
  • Select your profile icon at the top right of the global navigation bar and select Personal Space.
  • Select Home in the global navigation bar. All starred spaces are shown on the right.

Learn more about personal spaces

Transfer of page ownership between users

When a page is created, the person who creates it is now known as the owner of that page. We've made it possible for page owners to transfer ownership of their page to another person at any time. Space and site admins can also transfer page ownership from one user to another.

This way, if a current page owner leaves a project, team, or company, ownership of the page can then be granted to whomever is most appropriate, and maintenance and validity of the page remains fresh.

A page owner is the ‘point person’ for a given page and their name appears in the byline, under the page title.

Learn more about page ownership and how it can be transferred

Template suggestions in the page editor

When creating a new page, you start off with popular templates featured first.

Once you begin adding a title to the page, these featured templates will be replaced by suggested templates: templates that may be a better match for your needs based on the title you entered.

  • Create a new page.
  • Start typing a page title.
  • Recommendations of popular templates will be replaced by suggested templates, based on the title you've entered.

Confluence Premium: 20 new automation components

Confluence automation is adding 12 new trigger and 8 new action components.

Space, product, and site administrators can use components to build rules that automatically organize content and manage team workflows. Automation is available in Confluence Premium and Confluence Enterprise.

Learn more about creating automation rules

Follow-up questions for Smart Answers in Confluence Search

Smart Answers in Confluence Search now provides suggested follow-up questions along with the corresponding answers.

Table editing just got smoother with drag-and-drop

We're introducing the long-awaited drag-and-drop functionality for tables within Confluence Cloud. Now, you can quickly and intuitively reorganize rows and columns in your tables by simply dragging them to the desired location.

With the rollout of this feature, you’ll also get easy access to row and column actions in the new drag handle menus. Add, move, sort, and distribute widths straight from these menus.

This update, highly requested by users, will significantly improve your table editing experience, saving you time and effort.

Here's what's new:

  • Effortless reordering: Drag and drop rows and columns anywhere within the table.
  • Visual guidance: New drag handles and drop zones make it clear where you can place elements.
  • Smooth navigation: Wide or long tables automatically scroll as you drag for ultimate control.
  • Enhanced interface: Enjoy new menus, icons, and buttons for managing rows and columns.

Restore and reattach inline comments, even after deleting highlighted text

Inline comments anchored to highlighted text can get resolved when that text is changed or deleted during an editing session. It is now possible to restore those comments by reattaching them to selected text in the editor.

Resolved comments can be accessed from the More actions menu on the toolbar. Find the resolved inline comment you want to restore, and select Restore comment.

In the editor, highlight text you'd like to add the comment to, and select Add comment.

Default data classification levels get migrated

When organization administrators migrate a space or Confluence instance, default data classification levels migrate as well.

This preserves related rules around creating, storing, managing, moving, or deleting page and blog data in each space — without space administrators needing to reset a default.

Learn more about data classification

Data classification is currently only available through the Atlassian Information Security Beta program. If you’re not part of the program, subscribe to our Cloud roadmap to be informed when this feature becomes generally available.

Product administration updates

Confluence administration has long contained more than settings. We made updates to reflect that and make everything easier to find.

When product admins select the gear icon in the top-right of Confluence navigation, they’ll see new hierarchy in the side navigation, distinguishing monitoring capability from premium admin tools from settings. The settings themselves are now collapsed into more manageable, expandable buckets — and are searchable by keyword.

Confluence admins should continue to select the Confluence administration gear (formerly Settings) in the top-right of Confluence navigation.

Guests can receive and manage email notifications

With email notifications, guests can now get closer to the work happening in Confluence, stay in the know, and respond more quickly to matters that need their attention.

They can also fine-tune their email preferences to make sure they're only getting notified about what most matters to them.

Insert tables of any size with the new table size selector

No more one-size-fits-all tables! We've added a new Table size option to the editor toolbar. Just select the dropdown arrow next to the Table button to reveal the Table size selector. A grid will appear, letting you choose a table size, up to 10 rows by 10 columns.

Configure and display labeled content with clarity and ease

You can now find and customize the Filter by label macro (formerly known as "Content by Label") more easily than ever, thanks to the following changes:

  • New and improved name and icon for instant discovery.
  • A simpler filtering experience with a more clearly organized dropdown menu.
  • An overall clearer and better organized set of options in the configuration modal, for faster and easier customization.

Collaborate and turn ideas into action with Confluence whiteboards

Confluence whiteboards will be generally available to everyone over the coming weeks. Use whiteboards to collaborate and turn ideas into action, faster than ever before.

Whiteboards are great for collaborative activities, such as brainstorming ideas, running retrospectives, planning out and breaking down work for your team, prioritizing what’s coming next, creating diagrams and flowcharts, and more.

Take advantage of integrations with products like Jira. You’ll be able to turn sticky notes into Jira issues and create relationships between issues.

Compare plans and explore what’s possible with whiteboards.

Team calendars: settings refresh

The configuration settings for team calendars in Confluence have a new streamlined and modern look.

Confluence administrators should:

  • Select the wheel icon in the top-right corner to open Confluence administration.
  • Find Settings in the left-hand navigation.
  • Select Data management > Team calendars.

Catch up quickly with page comments summary

Now, Atlassian Intelligence can summarize page comments for you, making it easier and faster to catch up on important feedback. Just navigate to the bottom of the page, above the first page comment, and select Summarize comments.

New comments since you last checked? Select the refresh icon to generate a summary that includes all the latest feedback.

Admins can now create automation rules for public links

We're adding the ability to create automation rules directly from the public links setting on a page.

When an admin on a Confluence space with automation turns a page's public link on or off, they will see a prompt to create a new automation rule to manage public links.

Bring all your work into Confluence

Streamline your workflow and enhance productivity by adding a Smart Link in the content tree. All you need is a URL to bring over a thousand supported products directly into a Confluence space. What can you do with a Smart Link in the content tree?

  • Select Create in the main navigation or + in the Content section of the space sidebar.
  • Select Smart Link.
  • Enter the URL of the link you want to add to Confluence.
  • Select Add Smart Link to finish.

Confluence Premium: Content manager in sidebar navigation

Space administrators with Confluence Premium or Enterprise will now find it a little easier to manage their content.

The content manager (formerly bulk archive) is now available as a link in the top section of the sidebar, alongside other key features like automation and analytics. Use it to filter for inactive pages and assess the state of content before applying actions like archive or delete to hundreds of selections at a time.

Learn more about the content manager

Sidebar links can be turned on or off by visiting Space Settings > Manage space > Edit sidebar.

Automatically build automation rules for public links

Admins can now create automation rules to manage public links on their Confluence site.

When you use the public links settings, we'll show you a prompt to automatically build a rule for public links in new spaces.

Automatically build automation rules to assign guest users to a space

Admins can now create automation rules to manage space assignments for guest users.

We'll show you a prompt to automatically build a rule to assign spaces to new guest users when you assign spaces in three ways:

  • Using the dropdown menu next to the guest user's name
  • Using the bulk assign screen
  • Setting a default space for guest users in Global Permissions

Introducing CODEOWNERS

Code owners is a feature that helps teams automatically assign best-suited reviewers to Bitbucket pull requests and do so in a fast way, based on which files are in the PR changeset. The CODEOWNERS file resides in the code repository and describes which file patterns are owned by which teams. By doing this mapping of code paths to well-suited code owners, teams can have reviewers automatically assigned to PRs. This removes the mental load from the PR author in deciding whom to add to their PR, as well as reducing the time the author would have to spend doing that. Learn more about setting up and using code owners.

Cache key support for self-hosted runners

Since releasing cache key support for builds on the Atlassian infrastructure earlier this year, we have been actively working to add cache key support for our customers who are using runners. That being said, we are happy to announce that we now support runners using cache key to generate caches. Additional documentation on smart caches with cache keys can be found in the following section of our Caches help documentation: Caching with file-based cache keys.

Introducing 100MB file size limit

Starting on May 6, we will begin rolling out a 100MB file size limit for Git pushes to Bitbucket Cloud repositories. Learn more about the new file size limit and join in on the conversation via our community post.

Restrict who can add 3rd-party data sources to a workspace

To tighten security, organization and Analytics admins can now restrict the ability to add third-party data sources to only admins.

To change this setting:

  • Select Admin settings > Settings from the global navigation.
  • For Who can add third-party data sources, select either Anyone in the workspace or Organization and Analytics admins only.
  • Select Save.
